| Memory Me |
Alright, I posted it on GitHub, https://github.com/Xkr0t0s/stefa9-s-Memory-Me |
2025-12-27 23:08 |
| Memory Me |
Hey TbI_HOBN4OK7, I’ve just submitted the full writeup for this challenge under the name Xkr0t0s. It’s currently in the moderation queue, so it might take some time before the admins approve and publish it. Keep an eye on the 'Writeups' section! Good luck with your learning. |
2025-12-27 22:55 |
| Mind the Stack |
Hi, zaq3m1hjx@mozmail.com
After analyzing the AuthenticateUser function, my strategy is clear. Since v23 is located at a lower address (rbp-20h) than the input buffers, a traditional buffer overflow is ruled out due to the stack growth direction and the Stack Canary at rbp-8h.
However, I spotted a Format String Vulnerability in the second _printf call where v25 is passed as the format argument. Interestingly, v23 is also passed as the 7th argument to that same printf call.
My idea is to input a specific format string into v25 (like %1c%7$n) to trigger an Arbitrary Write. This will allow me to overwrite the value of v23 on the stack and set it to 1, effectively bypassing the checkPassword logic and triggering grantAccess().
What do you think? Is my idea true?
|
2025-12-26 10:55 |
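The format-string reasoning in the comment above, seen from the defender's side, as an added example that is not part of the original comment or the challenge's code. `scan_format` and `echo_hardened` are hypothetical names and the sample inputs are constructed; the block classifies what a string would do if it reached printf as the format argument, and shows the constant "%s" call that keeps such input inert.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (hypothetical names): what a string would do if it
   reached printf() as the format argument. */
struct fmt_scan {
    int directives;  /* conversion specifications, "%%" excluded */
    int positional;  /* directives written in the %N$ form */
    int writes;      /* %n-family directives, which store to memory */
};

/* Parse: % [N$] [flags] [width] [.precision] [length] conversion */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        if (*++s == '%') { s++; continue; }        /* literal percent sign */
        const char *p = s;
        while (isdigit((unsigned char)*p)) p++;
        if (p > s && *p == '$') { r.positional++; s = p + 1; }
        s += strspn(s, "-+ #0'");                  /* flags */
        s += strspn(s, "0123456789*$");            /* width */
        if (*s == '.') s += 1 + strspn(s + 1, "0123456789*$"); /* precision */
        s += strspn(s, "hlqjzLt");                 /* length modifiers */
        r.directives++;                            /* a dangling '%' counts too */
        if (*s == '\0') break;
        if (*s++ == 'n') r.writes++;
    }
    return r;
}

/* Hardened echo: untrusted text is data for a constant "%s" format, so no
   directive in it is interpreted. The weak shape is printf(untrusted, ...). */
int echo_hardened(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

int main(void)
{
    const char *samples[] = { "%1c%7$n", "alice", "100%% sure" }; /* constructed */
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        echo_hardened(out, sizeof out, samples[i]);
        printf("%-12s directives=%d positional=%d writes=%d echoed=%s\n", samples[i], r.directives, r.positional, r.writes, out);
    }
    return 0;
}
```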
| crack the points |
Like 15-20 sec, just edit the line xor edx, edx {0x0} to mov edx, 0x280d or any num you want (use Binary Ninja) |
2025-12-25 21:10 |
| Mind the Stack |
@zaq3m1hjx@mozmail.com, thank you so much for the quick response and for confirming my thoughts on the stack order and the Canary! It’s a very clever challenge.
I’ve been trying to solve it using Format Strings as you suggested, but I'm hit with a bit of a roadblock. Since I couldn't find any writeups or similar solutions online for this specific scenario, I’m really eager to learn the correct methodology.
If possible, could you please post the writeup a bit sooner? I’m very excited to see the "intended" way to exploit this.
Thanks again for the great challenge! |
2025-12-25 20:08 |
| Mind the Stack |
I think we should use Format String? |
2025-12-23 21:27 |
| Mind the Stack |
We cannot use Buffer Overflow here because of the Stack order. The target variable v23 is at a lower memory address (rbp-20h) than our input buffers v24 and v25.
Since an overflow always writes forward (to higher addresses), it will only hit the Stack Canary and crash the program. It can never go backward to reach v23. |
2025-12-23 21:26 |
| Mind the Stack |
"Ohhhhhhhh fuck! Zaq3m1hjx@mozmail.com, can you please write a guide to show us how we should solve this challenge?" |
2025-12-23 21:19 |
| Hacker's Edge Book CrackMe v3 |
Can someone teach me how to solve this CrackMe step-by-step, and share with us a GitHub page that explains exactly how to solve this? |
2025-11-27 12:20 |