# Password Validation Flow Diagram

```
┌─────────────────────────────────────────────────────────────────────┐
│                        CRACKME LITE ANALYSIS                        │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│  STEP 1: INITIALIZATION                                             │
├─────────────────────────────────────────────────────────────────────┤
│  • Initialize encrypted strings (XOR 0x27)                          │
│  • Calculate PE CRC32 for anti-tampering                            │
│  • Create monitoring thread                                         │
│  • Display: "PatchCRC initialized"                                  │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│  STEP 2: GET USER INPUT                                             │
├─────────────────────────────────────────────────────────────────────┤
│  • Prompt user for password                                         │
│  • Read input with fgets() (max 256 chars)                          │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│  STEP 3: EXECUTE CPUID                                              │
├─────────────────────────────────────────────────────────────────────┤
│  Execute: CPUID with EAX=1                                          │
│                                                                     │
│  Extract from result:                                               │
│    cpu_model = (EAX >> 4) & 0xF                                     │
│    cpu_family = (EAX >> 8) & 0xF                                    │
│                                                                     │
│  Adjust for extended values:                                        │
│    if (family == 15):                                               │
│      family += (EAX >> 20) & 0xFF                                   │
│    if (family == 6 or family == 15):                                │
│      model += 16 * ((EAX >> 16) & 0xF)                              │
│                                                                     │
│  Calculate XOR key:                                                 │
│    family_model = cpu_family + cpu_model                            │
│                                                                     │
│  Example (your CPU):                                                │
│    family_model = 26 (0x1A)                                         │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│  STEP 4: CALCULATE CHECKSUM                                         │
├─────────────────────────────────────────────────────────────────────┤
│  checksum = 0                                                       │
│  xor_key = family_model                                             │
│                                                                     │
│  For each character at index i:                                     │
│    temp = index XOR character_value                                 │
│    checksum += xor_key XOR temp                                     │
│                                                                     │
│  Example with password "AAAAAAAAAAAAAAAAA3":                        │
│    Index 0: temp = 0 XOR 65 = 65                                    │
│             checksum += 26 XOR 65 = 91                              │
│    Index 1: temp = 1 XOR 65 = 64                                    │
│             checksum += 26 XOR 64 = 90                              │
│    ...                                                              │
│    Index 17: temp = 17 XOR 51 = 34                                  │
│              checksum += 26 XOR 34 = 56                             │
│                                                                     │
│  Final checksum = 1531 (0x5FB)                                      │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│  STEP 5: VALIDATE PASSWORD                                          │
├─────────────────────────────────────────────────────────────────────┤
│  target_checksum = family_model + 1505                              │
│                                                                     │
│  if (checksum == target_checksum):                                  │
│    ✓ PASSWORD CORRECT                                               │
│    Display: "Great job"                                             │
│    Display: "Welcome to the program"                                │
│    Display: "Application finished"                                  │
│    Exit                                                             │
│  else:                                                              │
│    ✗ PASSWORD INCORRECT                                             │
│    Display: "Try better"                                            │
│    Display: "Exiting the program"                                   │
│    Loop back to input                                               │
│                                                                     │
│  Example (your CPU):                                                │
│    target = 26 + 1505 = 1531                                        │
└─────────────────────────────────────────────────────────────────────┘

═══════════════════════════════════════════════════════════════════════
                               SOLUTION
═══════════════════════════════════════════════════════════════════════

For CPU with family_model = 26:

  Password: AAAAAAAAAAAAAAAAA3
    ├─ 17 × 'A' (ASCII 65)
    └─ 1 × '3' (ASCII 51)

  Verification:
    ✓ Checksum calculated: 1531
    ✓ Expected checksum: 26 + 1505 = 1531
    ✓ VALID!

═══════════════════════════════════════════════════════════════════════
KEY ALGORITHM INSIGHTS:

1. Hardware-Dependent: Password is specific to the CPU it runs on
   - Different CPUs require different passwords
   - Uses CPUID instruction for CPU identification

2. Checksum Formula:
   Σ(family_model XOR (index XOR char)) = family_model + 1505

3. String Obfuscation:
   - All strings encrypted with XOR 0x27
   - Spaces remain unchanged
   - Decrypted at runtime

4. Anti-Tampering:
   - CRC32 checksum of PE sections
   - Background monitoring thread
   - Critical section protection
═══════════════════════════════════════════════════════════════════════
```

The key comparison is here: `void __fastcall KeygenMeForm::OnLogin`. The user and password are visible at runtime. Use a debugger like gdb or IDA.
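
The validation flow from the diagram above (CPUID decode, checksum, target comparison, XOR 0x27 strings), re-implemented as an added example so the worked numbers can be reproduced; it is not code from the crackme or from either commenter. The function names and the two EAX values are constructed for illustration.

```python
# Added example: the check described in the flow diagram, step by step.
# Function names and the sample EAX values below are constructed, not from the binary.

SAMPLE_EAX = 0x00010640   # constructed: family 6, model 0x14 -> 6 + 20 = 26
OTHER_EAX = 0x000906EA    # constructed: family 6, model 0x9E -> 6 + 158 = 164
TARGET_OFFSET = 1505      # constant from STEP 5 of the diagram


def family_model_from_eax(eax: int) -> int:
    """STEP 3: derive the XOR key from CPUID leaf 1 EAX, in the diagram's order."""
    model = (eax >> 4) & 0xF
    family = (eax >> 8) & 0xF
    if family == 15:
        family += (eax >> 20) & 0xFF
    if family in (6, 15):
        model += 16 * ((eax >> 16) & 0xF)
    return family + model


def checksum(password: str, xor_key: int) -> int:
    """STEP 4: sum of xor_key XOR (index XOR character) over the input."""
    return sum(xor_key ^ (i ^ ord(ch)) for i, ch in enumerate(password))


def is_valid(password: str, xor_key: int) -> bool:
    """STEP 5: accept when the checksum equals family_model + 1505."""
    return checksum(password, xor_key) == xor_key + TARGET_OFFSET


def xor27(data: bytes) -> bytes:
    """String obfuscation as described: XOR 0x27 per byte, spaces left as-is."""
    return bytes(b if b == 0x20 else b ^ 0x27 for b in data)


if __name__ == "__main__":
    key = family_model_from_eax(SAMPLE_EAX)
    pw = "A" * 17 + "3"
    print(f"family_model={key} checksum={checksum(pw, key)} valid={is_valid(pw, key)}")
    # Same input, different CPU signature: the check is bound to the hardware.
    other = family_model_from_eax(OTHER_EAX)
    print(f"family_model={other} valid={is_valid(pw, other)}")
    # For printable text the operation is its own inverse.
    print(xor27(xor27(b"Great job")))
```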