PL45M4 on 2025-10-08 04:16:
Did you mean to upload a debug build?
ultrazvukoff on 2025-10-12 12:47:
000000014001A0CB | 74 74 | je ezcrackme.14001A141 | patch login
000000014001A18E | 0F84 81000000 | je ezcrackme.14001A215 | patch password
Enter your name: 123123
Enter the password: 123
Access granted. Welcome, 123123!
madzohan.ytb on 2025-10-15 12:49:
Steps I've done:
- open downloaded binary in Ghidra debugger.
- search "User_not_recognized." All fields
- pressed Ctrl+E (show decompliler) and analyzed FUN_140019fa0
- noticed two if/else for user/password ... thats where patches should be applied
Full solution here:
https://gist.github.com/madzohan/e2ded5e8c912782df21dbe8bc3dba287
Bilbobaggins0934 on 2025-11-09 02:30:
Just used my debugger to find the je/jz instruction that jumps to "Enter the password: " and changed that to a jmp instead of a conditional jump, that way no matter what i put for name it always jumps to the password check. Did same thing pretty much for the password, I found the je/jz jump to the "Access granted." and changed that to an unconditional jump (jmp)
You must be logged in to submit a writeup
Solution by madzohan.ytb on 2025-10-15 12:48: 2x replace JZ with JMP
Steps I've done:
1) open downloaded binary in Ghidra debugger.
2) search "User_not_recognized." All fields
3) pressed Ctrl+E (show decompliler) and analyzed FUN_140019fa0
4) noticed two if/else for user/password ... thats where patches should be applied
user bypass
replace CTRL+SHIFT+G (Patch intstruction)
14001a0cb 74 74 JZ LAB_14001a141
with
14001a0cb eb 74 JMP LAB_14001a141
password bypass
replace CTRL+SHIFT+G (Patch intstruction)
14001a18e 0f 84 81 JZ LAB_14001a215
00 00 00
with
14001a18e 48 e9 81 JMP LAB_14001a215
00 00 00
Done
Export modified exe and run =)
gist version here https://gist.github.com/madzohan/e2ded5e8c912782df21dbe8bc3dba287
Solution by Cyberseal on 2025-10-15 18:13: Was fun to solve this one! took me 3hours Download: https://github.com/SellMeFish/vprwv-s-Random-user-and-pw-protected-console-app-crackme