| Crackme | Date |
|---|---|
| BobxReal You Can't do it V2 ;) | 2026-02-23 01:26 |

Infos:

# bobxREAL.exe Reverse Engineering Report

## 1) Scope and target

- Target: `bobxREAL.exe` (x64 PE)
- Goal: find password validation logic and build a practical keygen/solver.
- Tools used:
  - IDA Pro (+ ida-pro-mcp) for static RE.
  - x64dbg (+ x64dbg-mcp) for runtime checks.
  - PowerShell for repeated execution/statistics.

## 2) High-level behavior

- Program prints `Password:` and reads up to 64 bytes (`fgets`), then strips CR/LF.
- It hard-gates input length:
  - `len != 16` -> immediate wrong path.
  - `len == 16` -> enters randomized state-machine verification.
- Final success condition is not a classic direct `strcmp` with a fixed key.

## 3) Core logic (IDA)

Main function:

- `main` at `0x140005620`.
- Loop starts with `v33 = 0x11` and repeatedly dispatches:
  - function index = `(v33 ^ dword_140030B58) % 10`
  - target function from shuffled table `qword_140030E10[...]`
  - `v33 = callee(Str, &state)`
- Stops when:
  - `v33 == 0x99` -> success path (`Correct!`)
  - `v33 == 0xFF` or null function pointer -> fail path (`Wrong.`)

Important handlers in the state table:

- `sub_140004220` -> returns `0x22`
- `sub_140004230` -> anti-debug/anti-VM checks, returns `0x33` or `0xFF`
- `sub_1400044A0` -> `sub_140001810` gate, returns `0x44` or `0xFF`
- `sub_1400044D0` -> `sub_1400015E0` gate, returns `0x55` or `0xFF`
- `sub_140004500` -> hash consistency gate, returns `0x66` or `0xFF`
- `sub_140004520` -> VM-like transform over input, returns `0x77` or `0xFF`
- `sub_140004770` -> arithmetic check, usually leads to `0x88`
- `sub_140004790` -> CRC/anti-check stage, returns `0x99` or `0xFF`
- `sub_140004A60` -> returns `0x99` directly
- `sub_140004A70` -> returns `0xFF` directly

## 4) Why there is no fixed deterministic password

- The dispatch key `dword_140030B58` is continuously perturbed by multiple background threads (`sub_1400052E0`, `sub_1400053B0`, `sub_140005470`, `sub_140004A80`) and timing/exception side effects.
- State transition order therefore changes between runs.
- Some transitions immediately fail (`0xFF`) regardless of input; some eventually reach `0x99`.
- Empirical evidence shows near input-independence for 16-char strings.

## 5) Dynamic validation (x64dbg + repeated runs)

Observed behavior from repeated runs:

- Any 16-char input can produce `Correct!` on some runs.
- Non-16 lengths always fail.

Measured sample (PowerShell, 40 runs each):

- `AAAAAAAAAAAAAAAA` -> 18/40 success
- `BBBBBBBBBBBBBBBB` -> 17/40 success
- `0123456789abcdef` -> 14/40 success
- `!!!!!!!!!!!!!!!!` -> 19/40 success
- `short` (len 5) -> 0/40
- len 17 sample -> 0/40

Conclusion:

- This crackme is a race/randomized validator.
- "Key" condition is effectively: **exactly 16 chars**, then retry until favorable scheduling/state.

## 6) Practical keygen strategy

- Generate any 16-char key.
- Optionally auto-run the target in a loop until `Correct!` appears.

Delivered tools:

- `bobxreal_keygen.ps1` (Windows-native, tested)
- `bobxreal_keygen.py` (same logic, requires Python)

Features:

- generate random key (`len=16` default)
- run once (`--run`/`-Run`)
- auto-win mode (`--autowin`/`-AutoWin`, retries until success)

## 7) Notes and decoys

- Hardcoded strings like `FLAG{BOBXFRCRACKXD}` and `_the_real_flag_12345}` exist in code/data paths but are decoys and not a normal fixed password check.
- Environment variables (`BOBX_ENABLE_*`) toggle anti-analysis features but do not convert this into a single static valid key.

## 8) Reproduction commands

Generate key only:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1
```

Try once:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -Run
```

Auto-pass:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -AutoWin -MaxAttempts 300
```

Use your own key:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -Key AAAAAAAAAAAAAAAA -AutoWin
```
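To make the mechanism in sections 3 and 4 of the writeup concrete, here is an added Python model of the dispatch loop. It is constructed for this page and is not code from the writeup, from the delivered keygen scripts, or from the crackme itself. Only the shape follows the report: a 16-byte length gate, the state starting at `0x11`, the next handler being `table[(state ^ key) % 10]`, `0x99` meaning success and `0xFF` or a null slot meaning failure, and one handler per entry in the report's list. The handler table order, the way the dispatch key is perturbed, the hash used by the consistency gate and the condition under which the CRC stage fails are all assumptions of the model. Running it shows why the outcome is a property of the schedule rather than the input: every 16-byte string succeeds on some fraction of runs, and every other length never does. The model's own success rates are not the binary's measured 14-19/40.

```python
import random
from typing import Callable, Dict, List, Optional

# Codes from the report; everything else in this file is a constructed model.
SUCCESS = 0x99
FAIL = 0xFF
TABLE_SIZE = 10

State = Dict[str, int]
Handler = Callable[[bytes, State], int]


def fnv1a32(data: bytes) -> int:
    """FNV-1a, a stand-in for whatever hash the real consistency gate uses."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def fixed(code: int) -> Handler:
    """Handler that ignores input and state and returns a constant next code."""
    return lambda _pw, _st: code


def h_hash(pw: bytes, st: State) -> int:
    # Consistency gate: compares a hash of the input with a hash it computed
    # itself earlier, so any input passes; nothing is compared to a constant.
    st.setdefault("hash", fnv1a32(pw))
    return 0x66 if st["hash"] == fnv1a32(pw) else FAIL


def h_vm(pw: bytes, st: State) -> int:
    # VM-like transform: mixes input and key and stores the result, but checks
    # nothing against a fixed value (assumed; this is what makes input irrelevant).
    st["buf"] = fnv1a32(bytes(b ^ (st["key"] & 0xFF) for b in pw))
    return 0x77


def h_crc(_pw: bytes, st: State) -> int:
    # Assumed: the CRC/anti-check stage fails for one third of dispatch keys.
    return SUCCESS if st["key"] % 3 else FAIL


def make_table(rng: random.Random) -> List[Optional[Handler]]:
    """Ten-slot handler table, one per entry the report lists, shuffled once
    per process start (the real order is unknown, so the RNG picks it)."""
    table: List[Optional[Handler]] = [
        fixed(0x22),     # sub_140004220
        fixed(0x33),     # sub_140004230 (anti-debug; model assumes no debugger)
        fixed(0x44),     # sub_1400044A0
        fixed(0x55),     # sub_1400044D0
        h_hash,          # sub_140004500
        h_vm,            # sub_140004520
        fixed(0x88),     # sub_140004770
        h_crc,           # sub_140004790
        fixed(SUCCESS),  # sub_140004A60
        fixed(FAIL),     # sub_140004A70
    ]
    rng.shuffle(table)
    return table


def perturb_key(st: State, rng: random.Random) -> None:
    """Stand-in for the background threads racing the main loop: the key
    changes between dispatches in a way the password cannot influence."""
    st["key"] ^= rng.getrandbits(32)


def run_once(password: bytes, rng: random.Random, max_steps: int = 64) -> bool:
    """One execution of the validator; True means the `Correct!` path."""
    if len(password) != 16:              # the only deterministic gate
        return False
    table = make_table(rng)
    st: State = {"key": rng.getrandbits(32)}
    state = 0x11
    for _ in range(max_steps):
        perturb_key(st, rng)
        handler = table[(state ^ st["key"]) % TABLE_SIZE]
        if handler is None:              # null function pointer -> Wrong.
            return False
        state = handler(password, st)
        if state == SUCCESS:
            return True
        if state == FAIL:
            return False
    return False                         # never settled; count as a failed run


def success_rate(password: bytes, runs: int = 40, seed: int = 0) -> float:
    """Fraction of `runs` seeded executions that reach the success path."""
    rng = random.Random(seed)
    return sum(run_once(password, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    for sample in (b"AAAAAAAAAAAAAAAA", b"0123456789abcdef", b"short", b"A" * 17):
        print(f"{sample.decode():<20} {success_rate(sample, 40, seed=1):.2f}")
```

The point of the model is the index computation: because the handler chosen on each iteration depends on a key the loop does not own, the walk through the table is effectively a random walk between terminal codes, and the only thing the input decides is whether the walk starts at all. That is the same reason the writeup's "retry until `Correct!`" strategy works and a fixed key cannot exist.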
| Crackme | Date |
|---|---|
| BobxReal You Can't do it V2 ;) | 2026-02-23 01:24 |

Comment:

# bobxREAL.exe Reverse Engineering Report

## 1) Scope and target

- Target: `C:\Users\Felix\Desktop\bobxREAL.exe` (x64 PE)
- Goal: find password validation logic and build a practical keygen/solver.
- Tools used:
  - IDA Pro (+ ida-pro-mcp) for static RE.
  - x64dbg (+ x64dbg-mcp) for runtime checks.
  - PowerShell for repeated execution/statistics.

## 2) High-level behavior

- Program prints `Password:` and reads up to 64 bytes (`fgets`), then strips CR/LF.
- It hard-gates input length:
  - `len != 16` -> immediate wrong path.
  - `len == 16` -> enters randomized state-machine verification.
- Final success condition is not a classic direct `strcmp` with a fixed key.

## 3) Core logic (IDA)

Main function:

- `main` at `0x140005620`.
- Loop starts with `v33 = 0x11` and repeatedly dispatches:
  - function index = `(v33 ^ dword_140030B58) % 10`
  - target function from shuffled table `qword_140030E10[...]`
  - `v33 = callee(Str, &state)`
- Stops when:
  - `v33 == 0x99` -> success path (`Correct!`)
  - `v33 == 0xFF` or null function pointer -> fail path (`Wrong.`)

Important handlers in the state table:

- `sub_140004220` -> returns `0x22`
- `sub_140004230` -> anti-debug/anti-VM checks, returns `0x33` or `0xFF`
- `sub_1400044A0` -> `sub_140001810` gate, returns `0x44` or `0xFF`
- `sub_1400044D0` -> `sub_1400015E0` gate, returns `0x55` or `0xFF`
- `sub_140004500` -> hash consistency gate, returns `0x66` or `0xFF`
- `sub_140004520` -> VM-like transform over input, returns `0x77` or `0xFF`
- `sub_140004770` -> arithmetic check, usually leads to `0x88`
- `sub_140004790` -> CRC/anti-check stage, returns `0x99` or `0xFF`
- `sub_140004A60` -> returns `0x99` directly
- `sub_140004A70` -> returns `0xFF` directly

## 4) Why there is no fixed deterministic password

- The dispatch key `dword_140030B58` is continuously perturbed by multiple background threads (`sub_1400052E0`, `sub_1400053B0`, `sub_140005470`, `sub_140004A80`) and timing/exception side effects.
- State transition order therefore changes between runs.
- Some transitions immediately fail (`0xFF`) regardless of input; some eventually reach `0x99`.
- Empirical evidence shows near input-independence for 16-char strings.

## 5) Dynamic validation (x64dbg + repeated runs)

Observed behavior from repeated runs:

- Any 16-char input can produce `Correct!` on some runs.
- Non-16 lengths always fail.

Measured sample (PowerShell, 40 runs each):

- `AAAAAAAAAAAAAAAA` -> 18/40 success
- `BBBBBBBBBBBBBBBB` -> 17/40 success
- `0123456789abcdef` -> 14/40 success
- `!!!!!!!!!!!!!!!!` -> 19/40 success
- `short` (len 5) -> 0/40
- len 17 sample -> 0/40

Conclusion:

- This crackme is a race/randomized validator.
- "Key" condition is effectively: **exactly 16 chars**, then retry until favorable scheduling/state.

## 6) Practical keygen strategy

- Generate any 16-char key.
- Optionally auto-run the target in a loop until `Correct!` appears.

Delivered tools:

- `bobxreal_keygen.ps1` (Windows-native, tested)
- `bobxreal_keygen.py` (same logic, requires Python)

Features:

- generate random key (`len=16` default)
- run once (`--run`/`-Run`)
- auto-win mode (`--autowin`/`-AutoWin`, retries until success)

## 7) Notes and decoys

- Hardcoded strings like `FLAG{BOBXFRCRACKXD}` and `_the_real_flag_12345}` exist in code/data paths but are decoys and not a normal fixed password check.
- Environment variables (`BOBX_ENABLE_*`) toggle anti-analysis features but do not convert this into a single static valid key.

## 8) Reproduction commands

Generate key only:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1
```

Try once:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -Run
```

Auto-pass:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -AutoWin -MaxAttempts 300
```

Use your own key:

```powershell
powershell -ExecutionPolicy Bypass -File .\bobxreal_keygen.ps1 -Key AAAAAAAAAAAAAAAA -AutoWin
```