Profile

Crackme	Date	Infos
int overflow	2025-10-07 12:52	this write up is in assembly , and commented out (so you can learn some assembly )
Very easy disassembly execise	2025-10-06 20:56	Detailed write-up , helpful for assembly trace

Crackme	Comment	Date
Get Flag	sajd2908jdklajdklaj9012u90askldjas90213sadasdasd90i2 ,is this the flag?	2026-03-13 19:10
Get Flag	sajd2908jdklajdklaj9012u90askldjas90213sadasdasd90i2 ,is this the flag?	2026-03-13 19:10
Crackmes.one RE CTF 2026 - moment	Any hint please	2026-03-13 16:19
ics's crackme	That was a really fun challenge tbh ,i theorized that its full of opaque predicates ,as well as inlining (the code that decodes the prompt Follows the same pattern ) ,the virtual machine implementaion was straight forward ( first bytes which are constants control the CFF (control flow flattening ) part of the question. The encoding algo is as follows: (inputbyte+0xbb)^0xbb	2026-03-05 10:38
ics's crackme	That was a really fun challenge tbh ,i theorized that its full of opaque predicates ,as well as inlining (the code that decodes the prompt Follows the same pattern ) ,the virtual machine implementaion was straight forward ( first bytes which are constants control the CFF (control flow flattening ) part of the question. The encoding algo is as follows: (inputbyte+0xbb)^0xbb	2026-03-05 10:38
ics's crackme	crackmes_one{NiceJob}	2026-03-05 10:35
niko's crack me	Hello Man , i have been waiting for this since the previous version ,This is much obfuscated ,and was harder to do manually .But if we use pisieve ,it can extract intact executables that was reflectively loaded to the victim process(it essentially dumps the memory ,and fixes sections and relocations) . Script to solve ( hint :this is used after extracting the exe) #include<iostream> #include<vector> #include<thread> #include<cmath> #include<math.h> using namespace std; int target=0xc5163b82; unsigned char charset[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'}; int calc(char* buff){ char* key=buff; unsigned int v7=0; int targetResult = 0x45D9F3B; do{ char current=key; v7=0x1000193(targetResult ^current); current=(++key); targetResult=v7 ^(v7 >>16); }while(key); return targetResult; } void combinations(long long start,long long end){ for(long long i=start;i<=end;i++){ long long copy=i; char buff[9]; int u=7; while(u>=0){ buff[u]=charset[(int)(copy%26)]; copy/=26; u--; } buff[8]=0; if(calc(buff)==target){ printf("Found the password \n %s\n",buff); } } } int main(){ vector<thread>threads; long long possibilites=(long long)pow(26,8); long long chunk = possibilites / 20; //placing threds in the vector: for(int i=0,u=0;i<20;i++){ long long start = i * chunk; long long end = (i == 19 ? : (i+1) * chunk - 1); threads.emplace_back(combinations,start,end); } for(auto &a:threads){ a.join(); } }	2026-03-04 19:01
WhoKnocks ?	from binascii import * key= [0x20, 0x1B, 0x8, 0x4C, 0x5F, 0x7F, 0x32, 0x6, 0x58, 0x1A, 0x58, 0x45, 0x59, 0x52, 0x52,0x0] def decodeUsername(username:'str')->'str': global key result="" print(len(username)) u=0 for i in range(0,16): if u==len(username): c=key[i] print(hex(c)) result+=chr(c) u=0 continue c=((ord(username[u])^(key[i]))) print(hex(c)) result +=chr(c) u+=1 result +=chr(key[15]) return result def passwordGeneration(UBDK :'str'): result="" for i in range(0,len(UBDK)): print((((ord(UBDK[i])0xab)>>8 >>1)2 )) print((((ord(UBDK[i])0xab)>>8 >>1) )) if ord(UBDK[i])&1!=0: result+='K' elif UBDK[i] ==chr(3 (ord(UBDK[i]) // 3)): if ord(UBDK[i])&0x3 !=0: result+='f' else: result+='V' else: result+='b' return result username=input("Enter username\n") decoded=decodeUsername(username) print(hexlify(bytes(username,"utf-8"))) print(passwordGeneration(decoded)[:-1])	2026-03-04 14:57
Continental	I have just solved it ,I was supposed to bypass anti debug by a jump , so ,now initial hash starts at 0 ,which makes the problem way easier to solve (It says it is a VM based , but i dont know what was that ,so i thought it is control flow flattening ,with the control bytes being from the array of constants isself (i declared it as a part of the whole struct ,which also contains the input ,3 flags )	2026-02-26 12:26
Continental	Hi ,Mr , Good evening ,first thanks for this wonderfull crackme If you dont mind giving me a hint about how to solve this ( i understood the whole algorithm , and how the value that is generated from the tick count is being converted further as we handle next input chars , but the thing im stuck on is ,if the final output was derived on your computer ,on the tick count that was present ,how could i , from a different tick count obviously ,find it ( if i try to brute force ,i will have to variables ,first is the generated tick value ,second is the input itself) ,and thanks	2026-02-26 09:51
razkom_v1	Enter key: RAR-AAA-ZAZ-KAK-OAO-MAM [+] Key accepted! Decrypting... Congratulations! You solved my first crackme. Please let me know what you thought of it in the comments. Secret word: 'BAZOOKA	2026-02-24 14:11
piskaj	i have bypassed all anti debug in 10 minuets, does this problem have a solution with brute force so ill try (because for a 10 characters long , it seems that it will take a very very long time)	2026-01-27 13:58
Determinism	@CorpCons it is not that the random returns the same every time ,it is the matter of fact that when you initialize a PRNG with the same seed ,the same seed will produce the same series of "Random numbers" , every time the program is ran.Thats why you need to seed with something that changes every second ,wich is time ,or other source of randomness. The challenge is good ,i thought that there was a hard part ,when i saw that a function which i called ConsumeRand(constant) , just loops ,and generates randoms ,which changes the random numbers , so if you expected it to be x , it will be after lets say , y places	2026-01-25 19:20
Time Rift 2026	n5381=5381 v7=0 for char in "hussam": v7 = 33 * n5381; n5381 =( 33 * n5381 + ord(char))&0xffffffff print((n5381^0x2026)*132)	2026-01-18 16:06
StaticAuth	goodjob123 Verification successful. Secure data accessed: ---------------------- Location: Grid 47-C Access code: 8891-3324 Status: Active Timestamp: Verified	2025-12-23 20:20
Patch protect	Nice one ,I think i found a creative but simple solution ,I changed the suspend count of the thread , so , it wont launch when you create it , until suspend count =0;	2025-11-25 16:29
easy but a little tricky	I know this is not the intended solution ,I have patched the binary to jump into corona function ,and then store the return in the rbp-0x4, with noping the input storage , now the cmp compares the return with itself .	2025-11-22 20:16

Get Flag

sajd2908jdklajdklaj9012u90askldjas90213sadasdasd90i2 ,is this the flag?

2026-03-13 19:10

Get Flag

sajd2908jdklajdklaj9012u90askldjas90213sadasdasd90i2 ,is this the flag?

2026-03-13 19:10

Crackmes.one RE CTF 2026 - moment

Any hint please

2026-03-13 16:19

ics's crackme

That was a really fun challenge tbh ,i theorized that its full of opaque predicates ,as well as inlining (the code that decodes the prompt Follows the same pattern ) ,the virtual machine implementaion was straight forward ( first bytes which are constants control the CFF (control flow flattening ) part of the question. The encoding algo is as follows: (inputbyte+0xbb)^0xbb

2026-03-05 10:38

ics's crackme

That was a really fun challenge tbh ,i theorized that its full of opaque predicates ,as well as inlining (the code that decodes the prompt Follows the same pattern ) ,the virtual machine implementaion was straight forward ( first bytes which are constants control the CFF (control flow flattening ) part of the question. The encoding algo is as follows: (inputbyte+0xbb)^0xbb

2026-03-05 10:38

ics's crackme

crackmes_one{NiceJob}

2026-03-05 10:35

niko's crack me

Hello Man , i have been waiting for this since the previous version ,This is much obfuscated ,and was harder to do manually .But if we use pisieve ,it can extract intact executables that was reflectively loaded to the victim process(it essentially dumps the memory ,and fixes sections and relocations) . Script to solve ( hint :this is used after extracting the exe) #include<iostream> #include<vector> #include<thread> #include<cmath> #include<math.h> using namespace std; int target=0xc5163b82; unsigned char charset[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'}; int calc(char* buff){ char* key=buff; unsigned int v7=0; int targetResult = 0x45D9F3B; do{ char current=*key; v7=0x1000193*(targetResult ^current); current=*(++key); targetResult=v7 ^(v7 >>16); }while(*key); return targetResult; } void combinations(long long start,long long end){ for(long long i=start;i<=end;i++){ long long copy=i; char buff[9]; int u=7; while(u>=0){ buff[u]=charset[(int)(copy%26)]; copy/=26; u--; } buff[8]=0; if(calc(buff)==target){ printf("Found the password \n %s\n",buff); } } } int main(){ vector<thread>threads; long long possibilites=(long long)pow(26,8); long long chunk = possibilites / 20; //placing threds in the vector: for(int i=0,u=0;i<20;i++){ long long start = i * chunk; long long end = (i == 19 ? : (i+1) * chunk - 1); threads.emplace_back(combinations,start,end); } for(auto &a:threads){ a.join(); } }

2026-03-04 19:01

WhoKnocks ?

from binascii import * key= [0x20, 0x1B, 0x8, 0x4C, 0x5F, 0x7F, 0x32, 0x6, 0x58, 0x1A, 0x58, 0x45, 0x59, 0x52, 0x52,0x0] def decodeUsername(username:'str')->'str': global key result="" print(len(username)) u=0 for i in range(0,16): if u==len(username): c=key[i] print(hex(c)) result+=chr(c) u=0 continue c=((ord(username[u])^(key[i]))) print(hex(c)) result +=chr(c) u+=1 result +=chr(key[15]) return result def passwordGeneration(UBDK :'str'): result="" for i in range(0,len(UBDK)): print((((ord(UBDK[i])*0xab)>>8 >>1)*2 )) print((((ord(UBDK[i])*0xab)>>8 >>1) )) if ord(UBDK[i])&1!=0: result+='K' elif UBDK[i] ==chr(3 * (ord(UBDK[i]) // 3)): if ord(UBDK[i])&0x3 !=0: result+='f' else: result+='V' else: result+='b' return result username=input("Enter username\n") decoded=decodeUsername(username) print(hexlify(bytes(username,"utf-8"))) print(passwordGeneration(decoded)[:-1])

2026-03-04 14:57

Continental

I have just solved it ,I was supposed to bypass anti debug by a jump , so ,now initial hash starts at 0 ,which makes the problem way easier to solve (It says it is a VM based , but i dont know what was that ,so i thought it is control flow flattening ,with the control bytes being from the array of constants isself (i declared it as a part of the whole struct ,which also contains the input ,3 flags )

2026-02-26 12:26

Continental

Hi ,Mr , Good evening ,first thanks for this wonderfull crackme If you dont mind giving me a hint about how to solve this ( i understood the whole algorithm , and how the value that is generated from the tick count is being converted further as we handle next input chars , but the thing im stuck on is ,if the final output was derived on your computer ,on the tick count that was present ,how could i , from a different tick count obviously ,find it ( if i try to brute force ,i will have to variables ,first is the generated tick value ,second is the input itself) ,and thanks

2026-02-26 09:51

razkom_v1

Enter key: RAR-AAA-ZAZ-KAK-OAO-MAM [+] Key accepted! Decrypting... Congratulations! You solved my first crackme. Please let me know what you thought of it in the comments. Secret word: 'BAZOOKA

2026-02-24 14:11

piskaj

i have bypassed all anti debug in 10 minuets, does this problem have a solution with brute force so ill try (because for a 10 characters long , it seems that it will take a very very long time)

2026-01-27 13:58

Determinism

@CorpCons it is not that the random returns the same every time ,it is the matter of fact that when you initialize a PRNG with the same seed ,the same seed will produce the same series of "Random numbers" , every time the program is ran.Thats why you need to seed with something that changes every second ,wich is time ,or other source of randomness. The challenge is good ,i thought that there was a hard part ,when i saw that a function which i called ConsumeRand(constant) , just loops ,and generates randoms ,which changes the random numbers , so if you expected it to be x , it will be after lets say , y places

2026-01-25 19:20

Time Rift 2026

n5381=5381 v7=0 for char in "hussam": v7 = 33 * n5381; n5381 =( 33 * n5381 + ord(char))&0xffffffff print((n5381^0x2026)*132)

2026-01-18 16:06

StaticAuth

goodjob123 Verification successful. Secure data accessed: ---------------------- Location: Grid 47-C Access code: 8891-3324 Status: Active Timestamp: Verified

2025-12-23 20:20

Patch protect

Nice one ,I think i found a creative but simple solution ,I changed the suspend count of the thread , so , it wont launch when you create it , until suspend count =0;

2025-11-25 16:29

easy but a little tricky

I know this is not the intended solution ,I have patched the binary to jump into corona function ,and then store the return in the rbp-0x4, with noping the input storage , now the cmp compares the return with itself .

2025-11-22 20:16

crackmes.one

crackmes.one

Hussam's profile

0

2

17

Crackmes

Writeups

Comments