Author: Bobx
Language: C/C++
Upload: 2026-02-21 02:39
Platform: Windows
Difficulty: 4.0
Quality: 3.8
Arch: x86-64
Downloads: 122
Size: 195.00 KB
Writeups: 2
Comments: 14
Description
This time I had more time and I tried a little harder than in my last crackme, good luck. A little antidebug, some security, and even more fun.
Solution by djd320 on 2026-02-21 12:28:
Solution by OB_BUFF on 2026-02-23 01:26:
# bobxREAL.exe Reverse Engineering Report
## 1) Scope and target
- Target: `bobxREAL.exe` (x64 PE)
- Goal: find password validation logic and build a practical keygen/solver.
- Tools used:
  - IDA Pro (+ ida-pro-mcp) for static RE.
  - x64dbg (+ x64dbg-mcp) for runtime checks.
  - PowerShell for repeated execution/statistics.
## 2) High-level behavior
- Program prints `Password:` and reads up to 64 bytes (`fgets`), then strips CR/LF.
- It hard-gates input length:
  - `len != 16` -> immediate wrong path.
  - `len == 16` -> enters randomized state-machine verification.
- Final success condition is not a classic direct `strcmp` with a fixed key.
## 3) Core logic (IDA)
Main function:
- `main` at `0x140005620`.
- Loop starts with `v33 = 0x11` and repeatedly dispatches:
  - function index = `(v33 ^ dword_140030B58) % 10`
  - target function from shuffled table `qword_140030E10[...]`
  - `v33 = callee(Str, &state)`
- Stops when:
  - `v33 == 0x99` -> success path (`Correct!`)
  - `v33 == 0xFF` or null function pointer -> fail path (`Wrong.`)
Important handlers in the state table:
- `sub_140004220` -> returns `0x22`
- `sub_140004230` -> anti-debug/anti-VM checks, returns `0x33` or `0xFF`
- `sub_1400044A0` -> `sub_140001810` gate, returns `0x44` or `0xFF`
- `sub_1400044D0` -> `sub_1400015E0` gate, returns `0x55` or `0xFF`
- `sub_140004500` -> hash consistency gate, returns `0x66` or `0xFF`
- `sub_140004520` -> VM-like transform over input, returns `0x77` or `0xFF`
- `sub_140004770` -> arithmetic check, usually leads to `0x88`
- `sub_140004790` -> CRC/anti-check stage, returns `0x99` or `0xFF`
- `sub_140004A60` -> returns `0x99` directly
- `sub_140004A70` -> returns `0xFF` directly
## 4) Why there is no fixed deterministic password
- The dispatch key `dword_140030B58` is continuously perturbed by multiple background threads (`sub_1400052E0`, `sub_1400053B0`, `sub_140005470`, `sub_140004A80`) and timing/exception side effects.
- State transition order therefore changes between runs.
- Some transitions immediately fail (`0xFF`) regardless of input; some eventually reach `0x99`.
- Empirical evidence shows near input-independence for 16-char strings.
## 5) Dynamic validation (x64dbg + repeated runs)
Observed behavior from repeated runs:
- Any 16-char input can produce `Correct!` on some runs.
- Non-16 lengths always fail.
Measured sample (PowerShell, 40 runs each):
- `AAAAAAAAAAAAAAAA` -> 18/40 success
- `BBBBBBBBBBBBBBBB` -> 17/40 success
- `0123456789abcdef` -> 14/40 success
- `!!!!!!!!!!!!!!!!` -> 19/40 success
- `short` (len 5) -> 0/40
- len 17 sample -> 0/40
Conclusion:
- This crackme is a race/randomized validator.
- "Key" condition is effectively: **exactly 16 chars**, then retry until favorable scheduling/state.
## 6) Practical keygen strategy
- Generate any 16-char key.
- Optionally auto-run the target in a loop until `Correct!` appears.
Delivered tools:
- `bobxreal_keygen.ps1` (Windows-native, tested)
- `bobxreal_keygen.py` (same logic, requires Python)
Features:
- generate random key (`len=16` default)
- run once (`--run`/`-Run`)
- auto-win mode (`--autowin`/`-AutoWin`, retries until success)
## 7) Notes and decoys
- Hardcoded strings like `FLAG{BOBXFRCRACKXD}` and `_the_real_flag_12345}` exist in code/data paths but are decoys and not a normal fixed password check.
- Environment variables (`BOBX_ENABLE_*`) toggle anti-analysis features but do not convert this into a single static valid key.
## 8) Reproduction commands
Generate key only:
```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1
```
Try once:
```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -Run
```
Auto-pass:
```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -AutoWin -MaxAttempts 300
```
Use your own key:
```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -Key AAAAAAAAAAAAAAAA -AutoWin
```
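The randomized dispatch loop described in sections 3 to 5 (state `v33` starting at `0x11`, index `(v33 ^ key) % 10` into a shuffled handler table, terminal codes `0x99`/`0xFF`, hard length gate before the loop) can be modelled to see why repeated runs of the same 16-char input succeed only some of the time. The following Python simulation is an added example and is not part of the writeup or its delivered tools; the per-run table shuffle, the initial key value and the way background threads perturb the key are assumptions of the model, and every gate is assumed to pass so that only the dispatch order varies.

```python
import random

SUCCESS, FAIL = 0x99, 0xFF   # terminal codes: "Correct!" / "Wrong."

# Return codes of the ten state-table handlers listed in the writeup
# (sub_140004220 .. sub_140004A70). Every gate is assumed to pass, so the
# only thing that varies between runs is the dispatch order.
HANDLER_RESULTS = [0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x99, 0xFF]


def run_once(password: str, rng: random.Random, max_steps: int = 64) -> bool:
    """Simulate one execution of the main loop; True means 'Correct!'."""
    if len(password) != 16:            # hard length gate before the loop
        return False
    table = HANDLER_RESULTS[:]
    rng.shuffle(table)                  # shuffled table (qword_140030E10); per-run shuffle is an assumption
    key = rng.randrange(0x100)          # dispatch key (dword_140030B58); initial value is an assumption
    state = 0x11                        # v33 = 0x11 at loop start
    for _ in range(max_steps):
        # Background threads perturb the key between iterations; modelled here
        # (assumption) as a random low-nibble XOR on every step.
        key ^= rng.randrange(0x10)
        result = table[(state ^ key) % 10]   # function index = (v33 ^ key) % 10
        if result == SUCCESS:
            return True
        if result == FAIL:
            return False
        state = result                  # v33 = callee(Str, &state)
    return False                        # never reached a terminal code


def success_count(password: str, runs: int = 40, seed: int = 0) -> int:
    """Repeat the run `runs` times with a fixed seed; return the number of successes."""
    rng = random.Random(seed)
    return sum(run_once(password, rng) for _ in range(runs))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the writeup's measurement set.
    for pw in ("AAAAAAAAAAAAAAAA", "0123456789abcdef", "short", "A" * 17):
        print(f"{pw!r:22} -> {success_count(pw)}/40")
```

In this model the success rate for any 16-char string is the same and does not depend on the bytes, while any other length is rejected every time; the exact ratio (about two in three here, versus the writeup's measured 14 to 19 out of 40) depends on how many table entries terminate in `0x99` versus `0xFF`, which the model only approximates.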