Ok, got cut off again at the exact same place. Here is my full comment:
https://pastebin.com/raw/nX7pNH58 |
==> |
@Ben_Lolo: You're welcome. I will make more simple crackmes like this in the future. Actually, I just noticed that my previous comment probably exceeded the maximum length, so parts of it got cut off. The lines that got cut off:
v5[0] = v2;
v5[41] = dword_41F004 - (dword_41F010 |
==> |
@ali0gamer: Correct. How long did it take you to crack this?
@Ben_Lolo: This is a very simple crackme, as you only need to know simple arithmetic operations (easier than primary school math).
Using Hex-Rays Decompiler, we first decompile the main function:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf("Password: ");
  scanf("%s", &input);
  sub_401490();
  if ( !strcmp("qwerty", &input) )
    printf("Correct");
  else
    printf("Incorrect\nHint: decompile this executable with Hex-Rays Decompiler...\n");
  return 0;
}
As you can see, it compares the user input with "qwerty", but "qwerty" isn't the correct password. This means the function sub_401490 is responsible for checking the user input, and the string comparison in the main function simply acts as a distractor.
We then decompile sub_401490 to obtain this:
int sub_401490()
{
  char v1[280]; // [esp-118h] [ebp-46Ch] BYREF
  char v2[280]; // [esp+8h] [ebp-34Ch] BYREF
  char v3[280]; // [esp+120h] [ebp-234h] BYREF
  int v4[70]; // [esp+238h] [ebp-11Ch] BYREF

  dword_4203A8 = 0;
  qmemcpy(v1, v3, sizeof(v1));
  qmemcpy(v4, sub_401040((int *)v2), sizeof(v4));
  if ( sub_4015A0(v4[41], dword_4203A8)
    && sub_4015A0(v4[0], dword_4203A8)
    && sub_4015A0(v4[55], dword_4203A8)
    && sub_4015A0(v4[40], dword_4203A8)
    && sub_4015A0(v4[69], dword_4203A8)
    && sub_4015A0(v4[1], dword_4203A8) )
  {
    sub_4012D0();
  }
  sub_401440();
  return sub_401460();
}
We can see some very long char arrays, which are most likely custom structures (they are all 280 characters long, so most likely the same structure), and sub_401040 takes that structure. That structure might be something used for containing the decrypted password. If that is the case, then sub_401040 is the function responsible for the decryption. We decompile that:
int *__cdecl sub_401040(int *a1)
{
  int v2; // [esp+14h] [ebp-12Ch]
  char v3; // [esp+1Ch] [ebp-124h]
  char v4; // [esp+20h] [ebp-120h]
  int v5[70]; // [esp+24h] [ebp-11Ch] BYREF
  int v6; // [esp+150h] [ebp+10h]

  v6 = dword_41F010 * (dword_41F000 / (dword_41F004 + (dword_41F008 dword_41F020) / (dword_41F02C dword_41F034);
  STACK[0x260] = dword_41F01C
               / (dword_41F028 + dword_41F020)
               * ((dword_41F000 dword_41F014)
               / (dword_41F010 (dword_41F00C + dword_41F008))
               * (dword_41F018 v4);
  v5[55] = dword_41F02C + v5[40];
  v5[0] = v2;
  v5[41] = dword_41F004 - (dword_41F010 |
==> |