I feel like I'm so close to writing a keygen. All that's left now is some nitty-gritty reverse engineering to figure out how the name/serial pair is checked.
I've been able to "unpack" it in the sense that I can debug the code after it's been unpacked and that I can extract the memory that contains the unpacked code. I think that's as far as I'll take the unpacking, since the method used seems like a royal pain to write an unpacker or loader for.
MAJOR SPOILERS:
So far I've found these things:
- The name must be 4-8 alphanumeric characters.
- The serial is 8 hexadecimal characters.
- The conditional jump at +0x12F2 in the unpacked section is what chooses the "good" or "bad" sound.
Now I need to figure out how the calls at +0x1B5B and +0x1B69 determine whether the input is correct. I've found calls to memcpy and memcmp that seem interesting, but we'll see.
==>
I love to see a crackme that's as polished as this.
MINOR SPOILERS: I'm taking this slowly as a learning experience on how to handle more difficult crackmes. I've followed the control flow up to the function at 0x404C00 and I have a feeling I know where it's going with the debugging and unpacking. If I'm correct and it's not a red herring, then it's a very interesting technique that I've not considered before now. Also challenging!
==>
Another very enjoyable crackme from timotei_! Thanks!
==>
@Piggy63 Thank you for the extremely detailed walkthrough! Ghidra doesn't seem to decompile the functions quite as well as Hex-Rays does (I opted to use Ghidra because it's free). It's too bad someone spoiled the answer outright in the comments, because I would have liked to have been able to figure it out with the functions you gave.
==>
For only being a 1.0 difficulty, I am absolutely stumped! Somewhat spoiler-y comment...
I found a function call just before strcmp(input, "qwerty"). In that function there is a second function being called multiple times. No matter what I enter, the values passed to that second function are always the same, resulting in the "bad" message being printed. I can only get a "good" message with patching. Any tips on finding the right password?
==>