Very nice CrackMe.
1) No Patching: DONE
2) Keygen: DONE (in python)
Tutorial:
1. It asks the user to enter a username.
2. The program 'uppercases' each character of the username.
3. It takes each character of the uppercased username and converts it to its specific Morse code (hard-coded string).
3) Keygen: https://pastebin.com/eED2MzYv
IMPORTANT:
1. I found an error in the program. When I enter a username: "abcdefghijklmnopqrstuvwxyz1234567890", the serial should be: ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --.. .---- ..--- ...-- ....- ..... -.... --... ---.. ----. -----" but while debugging it, the program compares it with ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --.. .---- ..--- ...-- ....- ..... -.... --... ---.. ----. -----" which is: "abcdefghijrlmnopqrstuvwxyz1234567890". The 'k' has been swapped with 'r'. I gave more details in my Python script.
2. I noticed that for any username less than 36, the serial is calculated at a certain length of words. That is, for username: OnyxPl01t, serial: ONYXPL01TUW2U (Morse code converted into plain text).
I am not understanding this part. It is adding additional characters to the username of length less than 36. Could you explain the logic behind this, as I have been struggling +15 hours to understand this part? I am a beginner, so any hint would be welcomed :).
I am waiting for your next CrackMe sir! |
==> |
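The serial derivation the first comment describes (uppercase the username, one Morse token per character), as an added example that is not the commenter's pastebin script or the CrackMe's own code; the "observed" serial in the usage below is constructed to match the 'k'/'r' swap the commenter reports seeing in the debugger, and `diff_serials` locates it token by token:

```python
from itertools import zip_longest

# Standard International Morse table for A-Z and 0-9 (the CrackMe's hard-coded
# strings are assumed to be the same standard codes).
MORSE = {
    'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
    'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
    'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
    'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
    'Y': '-.--', 'Z': '--..', '1': '.----', '2': '..---', '3': '...--',
    '4': '....-', '5': '.....', '6': '-....', '7': '--...', '8': '---..',
    '9': '----.', '0': '-----',
}
FROM_MORSE = {code: ch for ch, code in MORSE.items()}


def serial_for(username: str) -> str:
    """Upper-case the username and emit one Morse token per character,
    tokens separated by a single space (the format quoted in the comment)."""
    upper = username.upper()
    unknown = [ch for ch in upper if ch not in MORSE]
    if unknown:
        raise ValueError(f"no Morse code for: {unknown!r}")
    return ' '.join(MORSE[ch] for ch in upper)


def decode_serial(serial: str) -> str:
    """Inverse of serial_for: a space-separated Morse string back to text.
    A token that is not in the table becomes '?'."""
    return ''.join(FROM_MORSE.get(tok, '?') for tok in serial.split())


def diff_serials(expected: str, observed: str):
    """Compare two serials token by token. Returns a list of
    (token_index, expected_char, observed_char) for every mismatch;
    a missing token on either side shows up as '?'."""
    pairs = zip_longest(expected.split(), observed.split(), fillvalue='')
    return [(i, FROM_MORSE.get(e, '?'), FROM_MORSE.get(o, '?'))
            for i, (e, o) in enumerate(pairs) if e != o]


if __name__ == "__main__":
    name = "abcdefghijklmnopqrstuvwxyz1234567890"
    expected = serial_for(name)
    # Constructed: the serial the debugger would show if 'k' were read as 'r'.
    observed = serial_for("abcdefghijrlmnopqrstuvwxyz1234567890")
    print(expected)
    print(diff_serials(expected, observed))  # [(10, 'K', 'R')]
```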
Pretty nice CrackMe. I noticed that the check_three of your serial accepts characters of length greater than 4.
For example, 0123-2468-R1234567
for the case of your serial XXXX-XXXX-XXXX.
I made a brute-force Python script that gives a serial in the desired format and inputs it automatically into the program.
https://pastebin.com/h54DVPHy |
==> |
Solution 2:
----------------------------------------------------------------------------------
Method 1:
line "0000000000401575" replace: "je parkour.401607" with "jmp parkour.401607"
line "00000000004015D7" replace: "je parkour.401607" with "jmp parkour.4015D9"
----------------------------------------------------------------------------------
Method 2:
line "000000000040156E" replace: "test eax,eax" to "xor eax,eax"
- Why XOR? XOR is used to clear a register/flag, so EAX will be cleaned as well as RAX, since RAX is EAX in 32-bit register. So, ZF (zero flag) will be set if the result of the previous operation is 0 (XOR eax, eax) and the JE, also known as JZ (jump if zero), will jump to the specified address (second stage).
line "0000000000401570" replace: "setne al" to "sete al"
- setne sets al to 1 if ZF is clear, otherwise it sets it to 0. So, Set if Equal (sete) / Set if Zero (setz) sets the operand to 1 if ZF is set, otherwise it sets it to 0.
line "0000000000401573" replace: "test al,al" to "xor al,al"
- When RIP is at line 40156E, ZF is 1 (that is, ZF is set). When it is at line 401570, AL = 1, ZF = 1. When it is at line 401575, ZF is 0. Boom, debugger verification has been bypassed. Anti-debug has been achieved.
line "00000000004015D3" replace: "cmp byte ptr ss:[rbp-41],0" to "cmp byte ptr ss:[rbp-41],1"
- Why 1? As CMP affects CF, ZF, SF, OF, PF and AF, if the compare (CMP) is true, CF, ZF, SF, OF, PF or AF is set to 1, otherwise it sets these to 0. So, in this case, ZF is set to 0 and we successfully bypassed the second stage.
----------------------------------------------------------------------------------
At THIRD STAGE, the flag is already visible so use any debugger and you will get the flag.
|
==> |
I'm pretty sure I am close to the answer but I am not getting the right answer. As I have understood, there is data being called at 0x400418. I do not know what it is storing.
I know the length of the password is 13 and it involves the use of these letters, namely B, G, O, T, H, X, I, Y.
The only thing I am not understanding is that 'decrypting' process. It is referring to the address of the unknown_var at 0x400418, which is of type BYTE, and it is adding it to the loop's counter. Then, it goes through a bitwise AND with 7. The result is then used for indexing in the buffer holding "BGOTHYIX", so as to retrieve a specific letter from it, and it compares it with the first letter of our password input, and so on until reaching the 13th letter.
For example,
if (*((_BYTE)&data_0x400418 + loop_counter) & 7) = 0, then the first letter of our input should be buffer[0], which is "B", and it goes on till the finish.
I would like to know how you decrypt the buffer since I am not understanding it well. |
==> |
I am getting this number "557746729" but it seems that it may be hard-coded in some way. Any way to decrypt that?
|
==> |
Even if I did not learn C++/C, it was pretty cool to solve it.
It is very entertaining.
|
==> |