Crackmes

Crackme	Infos
KeyMe

Comment	Link
876188VXT@BTTSDO 655572YNY@ZZHDDR 262890YWV@ZQTAIX 460986ZWO@BQWTZO 953911YQY@WEQPHQ Reasonably simple, yet still fun!	==>
Password: BXXGYYYBGIBXX Interesting approach to obfuscate indexing of the key BGOTHXIY with direct bytecode from the compiled binary	==>
This one was a LOT of fun. I'm not great at patching so learning how to make non destructive patches really upped my game. I suggest using ResourceHacker for any resource related changes.	==>
This was was neat. The packer was a trivial fix but I learned something about floating point representation lol. Only required a 2 byte patch.	==>
License: ? "Congrats! This license is valid!" string easily found and xrefd only at 0xbf26c8 Analyzing the decomp for this function I see that: len(license) % 0x3c must equal 3 license must be larger than 0x2a license must be smaller than 0x48 This can be easily found with the following python: for n in range(0x2a + 1, 0x48): if n % 0x3c == 3: print(chr(n))	==>
U: pikachu P: 16-790 First thing I noticed was that "\nGood Job. You have cracked OldSoft's" xrefd in 0x402cc0 The function 0x401560 generates the serial In that function we see that the format of the serial is %d-%d The function iterates through each letter in the user input However I wasn't really able to follow the logic well even though it's pretty simple	==>
U: iwonderhowitfeelstobeatimetraveler P: heyamyspaceboardisbrokencanyouhelpmefindit size() compare of username input at 0x46EEFA requires a 0x22 (34) byte string Shortly after successful 0x22 byte username input we find a string compare located at 0x1C1908 This string happens to be "iwonderhowitfeelstobeatimetraveler", this must be the username We then find a password input compare of "heyamyspaceboardisbrokencanyouhelpmefindit?" We can verify that this is the correct username and password Additionally we could have just checked strings to find them in plaintext and fuzzed the binary for a solution	==>
flag{M3x1c4nMl4lw4r3_pl3rro} Break somewhere during normal execution then set eip to 0x401500 Then break directly after printf	==>

876188VXT@BTTSDO 655572YNY@ZZHDDR 262890YWV@ZQTAIX 460986ZWO@BQWTZO 953911YQY@WEQPHQ Reasonably simple, yet still fun!

Password: BXXGYYYBGIBXX Interesting approach to obfuscate indexing of the key BGOTHXIY with direct bytecode from the compiled binary

==>

This one was a LOT of fun. I'm not great at patching so learning how to make non destructive patches really upped my game. I suggest using ResourceHacker for any resource related changes.

==>

This was was neat. The packer was a trivial fix but I learned something about floating point representation lol. Only required a 2 byte patch.

==>

License: ? "Congrats! This license is valid!" string easily found and xrefd only at 0xbf26c8 Analyzing the decomp for this function I see that: len(license) % 0x3c must equal 3 license must be larger than 0x2a license must be smaller than 0x48 This can be easily found with the following python: for n in range(0x2a + 1, 0x48): if n % 0x3c == 3: print(chr(n))

==>

U: pikachu P: 16-790 First thing I noticed was that "\nGood Job. You have cracked OldSoft's" xrefd in 0x402cc0 The function 0x401560 generates the serial In that function we see that the format of the serial is %d-%d The function iterates through each letter in the user input However I wasn't really able to follow the logic well even though it's pretty simple

==>

U: iwonderhowitfeelstobeatimetraveler P: heyamyspaceboardisbrokencanyouhelpmefindit size() compare of username input at 0x46EEFA requires a 0x22 (34) byte string Shortly after successful 0x22 byte username input we find a string compare located at 0x1C1908 This string happens to be "iwonderhowitfeelstobeatimetraveler", this must be the username We then find a password input compare of "heyamyspaceboardisbrokencanyouhelpmefindit?" We can verify that this is the correct username and password Additionally we could have just checked strings to find them in plaintext and fuzzed the binary for a solution

==>

flag{M3x1c4nMl4lw4r3_pl3rro} Break somewhere during normal execution then set eip to 0x401500 Then break directly after printf

==>

crackmes.one

crackmes.one

Parad0x13's profile

0

1

8

Crackmes

Latest writeups

Latest comments