| CrackmesForBeginners (CFB) #4 |
Encryption Logic (3-Rotor Enigma Algorithm)By examining the decompiled C code, we discovered a "Dynamic Feedback Loop" inspired by the Enigma machine. The system's logic works as follows:The program processes each of the 13 characters entered by the user one by one.Each letter is passed through a complex mathematical meat grinder consisting of XOR (^), addition, and subtraction operations.The Mathematical Formula:$$\text{Target} = (((((P_i + \text{Rotor}_1) \oplus \text{0x3A}) + \text{0x13}) \oplus \text{0x7F}) - \text{Rotor}_2 \oplus \text{0x5C}) + \text{Offset} \oplus \text{0xA5}$$The Crucial Point: Two variables named bVar26 and cVar27 act as "rotors". Their values change based on the encryption result of the previous letter. This means even if you enter the same letter consecutively, it produces different outputs.3. Structural Flaw & DecryptionThe biggest mathematical weakness of this complex structure is that all internal operations are reversible (the reverse of XOR is XOR, the reverse of addition is subtraction).The encrypted byte array (our target) we needed to reach was clearly visible inside the if block at the bottom of the code:0xc6, 0xb7, 0x2b, 0x6e, 0x9e, 0xb7, 0xfa, 0x54, 0x52, 0x3f, 0x35, 0x98, 0x7fHow We Found the First Letter ('r'):We took the first target byte (0xc6) and ran the algorithm backwards step-by-step:Reverse the final XOR: 0xC6 ^ 0xA5 = 0x63Reverse the Addition (Subtract the offset): 0x63 - 0x15 = 0x4EReverse the XOR: 0x4E ^ 0x5C = 0x12Reverse the Subtraction (Add initial Rotor 2): 0x12 + 0x0D = 0x1FReverse the XOR: 0x1F ^ 0x7F = 0x60Reverse the Addition: 0x60 - 0x13 = 0x4DReverse the XOR: 0x4D ^ 0x3A = 0x77Reverse the initial Addition: 0x77 - 5 = 0x72The hex value 0x72 corresponds exactly to the letter 'r' in the ASCII table!Once we solved the first letter, we learned how the algorithm would update the rotors for the next letter. By chaining this reverse-engineering process for all 13 bytes, the targeted original text emerged perfectly.Activation Password: rotors_spin_9 |
2026-05-27 21:13 |