| DebugMe |
@liboxin I recommend you read the first write-up for the intended solution. |
2026-05-09 22:18 |
| DebugMe |
@liboxin that is PART of the solution, but different stages have different requirements. I suggest you try running it under a debugger. How does the behavior change? What causes that change? Most importantly, how can you satisfy the different stages automatically *without* patching or injecting register values? |
2026-05-04 21:17 |
| DebugMe |
Oh, I see now that you patched it. That is generally not a valid solution for this website. |
2026-05-04 11:55 |
| DebugMe |
@liboxin That solution will not work for all systems (including my own). Can you find a solution using a number other than 0? |
2026-05-04 11:54 |
| WeeperVM -- Level 2 |
The correct answer will print a positive message; the answer provided by trendcrusher is incorrect. |
2025-09-08 17:32 |
| FormatVuln |
A great introduction to format string vulnerabilities! |
2025-02-13 15:37 |
| Fatmike's Crackme #4 |
I feel like I'm so close to writing a keygen. All that's left now is some nitty-gritty reverse engineering to figure out how the name/serial pair is checked.
I've been able to "unpack" it in the sense that I can debug the code after it's been unpacked and that I can extract the memory that contains the unpacked code. I think that's as far as I'll take the unpacking, since the method used seems like a royal pain to write an unpacker or loader for.
MAJOR SPOILERS:
So far I've found these things:
- The name must be 4-8 alphanumeric characters.
- The serial is 8 hexadecimal characters.
- The conditional jump at +0x12F2 in the unpacked section is what chooses the "good" or "bad" sound.
Now I need to figure out how the calls at +0x1B5B and +0x1B69 determine the input as correct. I've found calls to memcpy and memcmp that seem interesting, but we'll see. |
2023-06-23 00:48 |
| Fatmike's Crackme #4 |
I love to see a crackme that's as polished as this.
MINOR SPOILERS: I'm taking this slowly as a learning experience on how to handle more difficult crackmes. I've followed the control flow up to the function at 0x404C00 and I have a feeling I know where it's going with the debugging and unpacking. If I'm correct and it's not a red herring, then it's a very interesting technique that I've not considered before now. Also challenging! |
2023-06-09 02:41 |
| timotei crackme#7 |
Another very enjoyable crackme from timotei_! Thanks! |
2023-06-06 02:41 |
| Crackme Speedrun |
@Piggy63 Thank you for the extremely detailed walkthrough! Ghidra doesn't seem to decompile the functions quite as well as Hex-Rays does (I opted to use Ghidra because it's free). It's too bad someone spoiled the answer outright in the comments, because I would have liked to have been able to figure it out with the functions you gave. |
2021-08-20 22:08 |
| Crackme Speedrun |
For only being a 1.0 difficulty, I am absolutely stumped! Somewhat spoiler-y comment...
I found a function call just before strcmp(input, "qwerty"). In that function there is a second function being called multiple times. No matter what I enter, the values passed to that second function are always the same, resulting in the "bad" message being printed. I can only get a "good" message with patching. Any tips on finding the right password? |
2021-08-18 22:14 |