@billbob There is some math behind this stuff. You don't have to run a brute-force algorithm to find the numbers, and they should work no matter what time seed you get at run time. Here are some hints which one can search for: "linear congruential generator", "Euler's totient function", "Fermat–Euler theorem". |
==> |
Thanks for solving! When I have time, I'll create some more puzzles of this type. |
==> |
You are actually very close! Instead of using the negative number -8192, you can & it with 0x7FFF (note that only the last 15 bits are useful). It then becomes 24576. |
==> |
Here are two hints:
hint 1: a pseudo-random number generator is not really random; it is a deterministic procedure.
hint 2: the only true randomness comes from a call to time(), but with a clever choice of the two numbers, one can pass the test regardless of the return value of time(). |
==> |
Username: nope
Password: nope |
==> |
mstik13, thanks for trying! As you have pointed out, there is some randomness based on time. However, that is exactly the puzzling point. It is possible to win the game every time without knowing the runtime context. |
==> |
I looked at the first part (first 10 letters) which breaks down to the following task.
Enter 10 letters a0..a9 and calculate
b0 = 0.5 * a0 + 0.111
b1 = 0.5 * a1 + 0.111
b2 = 0.5 * a2
b3 = 0.5 * a3
b4 = 0.5 * a4
b5 = 0.5 * a5
b6 = 0.5 * a6
b7 = 0.5 * a7 + 0.128
b8 = 0.5 * a8 + 0.111
b9 = 0.5 * a9
X = b1 * b6 + b0 * b5 + b2 * b7 + b3 * b8 + b4 * b9
Y = b1 * b1 * b6 + b0 * b0 * b5 + b2 * b2 * b7 + b3 * b3 * b8 + b4 * b4 * b9
The aim is to get
X - Y * Y == -463428064699.207458
I don't know how to solve this in a clever way. It seems that the solution is probably not unique, by exchanging b0, b1 and b5, b6.
The second part deals with the remaining letters, but is of the same flavor, adding some log functions at some point. |
==> |
The program loads code from a resource, then creates a shadow dll and jumps into it.
After that, it does some anti-debugging checks and asks for a flag.
It finally starts to encode the input at address ~1B51 (relative to the shadow dll) and at address 1BF0 calls `memcmp` to compare it with a preset answer.
However the encoding procedure is complicated and I lost motivation here. Maybe come back later.
I think it's still a good puzzle but could be made less complicated. |
==> |