Crackmes

Crackme	Infos
timotei crackme#7	One key, explained logic, commented disassembly.
timotei crackme#6	Text file of constraints, commented disassembly, and one valid key file.
Easiest crackme	A step-by-step walkthrough that looks at the decompiled code.

Comment	Link
A great introduction to format string vulnerabilities!	==>
I feel like I'm so close to writing a keygen. All that's left now is some nitty-gritty reverse engineering to figure out how the name/serial pair is checked. I've been able to "unpack" it in the sense that I can debug the code after it's been unpacked and that I can extract the memory that contains the unpacked code. I think that's as far as I'll take the unpacking, since the method used seems like a royal pain to write an unpacker or loader for. MAJOR SPOILERS: So far I've found these things: - The name must be 4-8 alphanumeric characters. - The serial is 8 hexadecimal characters. - The conditional jump at +0x12F2 in the unpacked section is what chooses the "good" or "bad" sound. Now I need to figure out how the calls at +0x1B5B and +0x1B69 determine the input as correct. I've found calls to memcpy and memcmp that seem interesting, but we'll see.	==>
I love to see a crackme that's as polished as this. MINOR SPOILERS: I'm taking this slowly as a learning experience on how to handle more difficult crackmes. I've followed the control flow up to the function at 0x404C00 and I have a feeling I know where it's going with the debugging and unpacking. If I'm correct and it's not a red herring, then it's a very interesting technique that I've not considered before now. Also challenging!	==>
Another very enjoyable crackme from timotei_! Thanks!	==>
@Piggy63 Thank you for the extremely detailed walkthrough! Ghidra doesn't seem to decompile the functions quite as well as Hex-Rays does (I opted to use Ghidra because it's free). It's too bad someone spoiled the answer outright in the comments, because I would have liked to been able to figure it out with the functions you gave	==>
For only being a 1.0 difficulty, I am absolutely stumped! Somewhat spoiler-y comment... I found a function call just before strcmp(input, "qwerty"). In that function there is a second function being called multiple times. No matter what I enter, the values passed to that function second are always the same, resulting in the "bad" message being printed. I can only get a "good" message with patching. Any tips on finding the right password?	==>

A great introduction to format string vulnerabilities!

I feel like I'm so close to writing a keygen. All that's left now is some nitty-gritty reverse engineering to figure out how the name/serial pair is checked. I've been able to "unpack" it in the sense that I can debug the code after it's been unpacked and that I can extract the memory that contains the unpacked code. I think that's as far as I'll take the unpacking, since the method used seems like a royal pain to write an unpacker or loader for. MAJOR SPOILERS: So far I've found these things: - The name must be 4-8 alphanumeric characters. - The serial is 8 hexadecimal characters. - The conditional jump at +0x12F2 in the unpacked section is what chooses the "good" or "bad" sound. Now I need to figure out how the calls at +0x1B5B and +0x1B69 determine the input as correct. I've found calls to memcpy and memcmp that seem interesting, but we'll see.

==>

I love to see a crackme that's as polished as this. MINOR SPOILERS: I'm taking this slowly as a learning experience on how to handle more difficult crackmes. I've followed the control flow up to the function at 0x404C00 and I have a feeling I know where it's going with the debugging and unpacking. If I'm correct and it's not a red herring, then it's a very interesting technique that I've not considered before now. Also challenging!

==>

Another very enjoyable crackme from timotei_! Thanks!

==>

@Piggy63 Thank you for the extremely detailed walkthrough! Ghidra doesn't seem to decompile the functions quite as well as Hex-Rays does (I opted to use Ghidra because it's free). It's too bad someone spoiled the answer outright in the comments, because I would have liked to been able to figure it out with the functions you gave

==>

For only being a 1.0 difficulty, I am absolutely stumped! Somewhat spoiler-y comment... I found a function call just before strcmp(input, "qwerty"). In that function there is a second function being called multiple times. No matter what I enter, the values passed to that function second are always the same, resulting in the "bad" message being printed. I can only get a "good" message with patching. Any tips on finding the right password?

==>

crackmes.one

crackmes.one

Ben_Lolo's profile

0

3

6

Crackmes

Latest solutions

Latest comments