+1TP3 is key
go memcmp and profit easy |
==> |
I got to the "password is not set" status, but I couldn't go any further. The function I gave as input had to both return the "load_pw" value and run the reward function given as an argument. I was able to do the first one, but I couldn't do the second one. I would be happy if someone wrote up and shared how to solve it. Problem in the crackme? |
==> |
RSTUVWXY I guess that's the username,
I found that the password should have 16 digits, but somehow when I run the program with these combinations I get an error that the printf function is targeting the wrong memory block. |
==> |
Of course, this is not exactly a 'problem'. We have learned that IDA shows the escape characters in the comment lines thus. |
==> |
The most major hint of this crackme is that it uses symmetric encryption, so when we give the complex expression checked in memcmp back to the crackme, it easily gives us the actual password. But I had the same problem as 0xZER0 and I have a theory about it. To 0xZER0: I used IDA just like you and saw that when IDA put the memory value in the assembly code as a comment line, it duplicated the backslash. When I went directly to the address where the data was, I encountered only one backslash, which means the original state of the asymmetric encrypted data. When I used this, I found exactly the password you guessed correctly in the memory :D So as I understand it, it seems like IDA has a 'problem' rather than an author's error as you said in your writeup. |
==> |
lol crackmes.one doesn't let me show you the whole key, I guess it's related to anti xss measures :P But if you look a bit more I'm sure you can find it. |
==> |
I just looked and yes, the key is 0x53 and it encrypts our input with xor. For those who can't find it, this is the string checked against our xored input:
822n
But I still don't know where I should detect this xor process. If anyone knows, I hope you can enlighten me as well. |
==> |
I put all the printable ASCII characters into the program and created a table by writing down the decrypted form of each one. Then I prepared the encrypted version of the checked password by looking at this table. I guess there was xor involved :D If so, how did you find out about it? I used a primitive method. |
==> |
Guys, why can't I see anything in the strings section of the object-oriented crackmes written with C++ libraries (for example, the strings used for cout)? |
==> |
If it's not really random, I'd like to learn about it, because I've seriously studied the index-generating function. It looks like a random function.
|
==> |
The current second is placed at a random index of the user name. For example, if the time is 16:30:12, the second will be inserted at a random index of your username; for example, this time it will be index 2. Like this: us12ername |
==> |
Are you stupid, damn it, what kind of crackme is this? |
==> |
I can't understand why the big endian equivalent of the value compared to [ebp-4] in cmp is the answer. Shouldn't the answer come out as little endian? I'm very confused about this issue, if you can enlighten me, I would appreciate it. |
==> |
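On the endianness question in the last comment, here is an added example (not from the crackme or from any commenter) that shows why the characters of a 4-byte input look reversed in the immediate of `cmp [ebp-4], imm32`. The 8-byte stack frame, the `ebp` offset and the sample input "abcd" are constructed for illustration.

```python
import struct

EBP = 8  # constructed frame base: the frame below is just 8 bytes


def store_input_at_ebp_minus_4(typed: str) -> bytes:
    """Constructed stack frame: the 4 input bytes sit at [ebp-4]..[ebp-1]
    in the order they were typed (lowest address holds the first char)."""
    frame = bytearray(8)
    frame[EBP - 4:EBP] = typed.encode("ascii")[:4]
    return bytes(frame)


def cmp_dword_at_ebp_minus_4(frame: bytes) -> int:
    """What `cmp [ebp-4], imm32` really compares: the 4 bytes read as a
    little-endian 32-bit integer, so the FIRST typed character becomes
    the LEAST significant byte of the value."""
    return struct.unpack("<I", frame[EBP - 4:EBP])[0]


def immediate_as_displayed(imm: int) -> str:
    """How a disassembler prints the immediate: most significant byte
    first, which is the reverse of memory (typing) order."""
    return f"0x{imm:08X}"


def naive_ascii_of_immediate(imm: int) -> str:
    """Reading the displayed hex digits left to right as ASCII yields the
    characters backwards; this is the source of the confusion."""
    return bytes.fromhex(f"{imm:08x}").decode("ascii")


def typed_string_for_immediate(imm: int) -> str:
    """The input that passes the check: lay the immediate out in memory
    little-endian, i.e. byte-swap the displayed value (the 'big-endian'
    reading the commenter noticed)."""
    return struct.pack("<I", imm).decode("ascii")


if __name__ == "__main__":
    frame = store_input_at_ebp_minus_4("abcd")  # constructed sample input
    imm = cmp_dword_at_ebp_minus_4(frame)
    print(immediate_as_displayed(imm))          # 0x64636261
    print(naive_ascii_of_immediate(imm))        # dcba (the wrong guess)
    print(typed_string_for_immediate(imm))      # abcd (what must be typed)
```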