Number of crackmes:
Number of solutions:
Comments:
| Name | Author | Language | Arch | Difficulty | Quality | Platform | Date | Solution | Comments |
|---|
| Crackme | Infos |
|---|---|
| AsTinyAsHard (2.5 kb crackme) | Relatively straightforward walkthrough that requires extracting a lot of constants |
| Simple but not simple | Solution via simple manual analysis and some python practice |
| ObfuscatedPasswordCrackme | Simple walk-through |
| UltraSec | Walk-through for solving the virtual-machine protected version. It's fairly straight-forward with the right tooling, which is included |
| Bobby | Walk-through developing a solver with angr |
| KeygenMe(Second)_SWD | Straightforward walkthrough that takes advantage of pattern recognition to develop a keygen |
| simple password crack me (not simple) | Simple walk-through with unpacking info |
| dance | Long write-up for a complex challenge. Includes copies of binaries that implement the patches explained throughout the write-up needed to eventually recover the original flag |
| crack the key | Simple walk-through for an interesting type of ctf |
| nano | Walk-through to find the flag for a clever challenge |
| Easy | Simple walk-through using an online de-compiler. |
| level2 | Walk-through with patch |
| Easy Crack me | Simple look at Java decompilation |
| Crackme1 | Quick little walk-through |
| ExotiCTF | Walk-through with solution |
| simple thing i made | Walk-through with keygen |
| First Crackme | Walk-through with keygen |
| Find The Password | Walk-through with launcher source/project for extracting passwords |
| difficult crackme by pupsik | Simple walk-through with solution |
| Easy Password Reverse 3 | Walk-through and keygen utilizing a timing attack |
| Level1 | Simple walk-through to find a rather strange solution |
| Password | Walk-through showing how to find the correct password and then patch the binary to fix the validation bug |
| ObfuscationFiesta | Walk-through with some helpful tools including code extractor for arbitrary keys |
| Easy Password Reverse | Ez walk-through with python keygen |
| Find the serial | Includes solution walk-through and a breakdown of how the Visual Basic APIs used by the target handle data |
| SimpleGame | Walk-through with patched game binary |
| Try and patch me | Simple walk-through with patched binary |
| game crackme (readme) | Full walk-through with python keygen |
| NanoButton | Walk-through with example launcher/hot-patcher solution |
| C_crackme | Simple walkthrough yielding an interesting password format |
| H1dd4n Fl4g | Walk-through finding the fake response and then developing a buffer overflow to retrieve the real flag |
| nice_crackme | Walk-though with python keygen |
| math_crackme | Full walk-through of how the clever math works plus a simple keygen |
| Really Very Easy | Walkthrough with python solution |
| 100HealthGame | Simple patch and bugfix explanation and patched binary |
| silly | Straightforward solution using a disassembler |
| Hidden | Simple decompilation overview with python keygen |
| FLAG | Solution with Ghidra and python |
| SSE Login | Includes manual solution and a solution utilizing angr |
| Array crackmes | Relatively simple walkthrough. The debugger check is flawed and must be bypassed to run the challenge at all, however |
| my_second_crackme | z3 keygen with explanation |
| crackme0 | Walkthrough and keygen |
| Crackme0x04 | Walkthrough using Ghidra and gdb to find the required password |
| Crackme0x03 | Writeup with keygen to find all possible base keys, from which more can be trivially constructed |
| Crackme0x02 | Writeup solving the 3rd installment in this series |
| Crackme0x00 | Writeup for the first in this series of MacOS challenges |
| Crackme0x01 | Walkthrough finding the password for this simple start to the set of challenges |
| PYzdon | Interesting look at navigating a Python compiler/packer to find the password |
| find the encryptor | Simple walkthrough, convincing the target to decode hidden strings for us. |
| Trappy Crack me | A bit of early misdirection forces us to confirm our findings as we go, but following the data leads us down the correct path |
| Comment | Link |
|---|---|
| It seems fine on my end | ==> |
| Can you post a write-up? I don't see a way to determine an ordering for the allowed character set beyond an evolutionary enumeration that prioritizes combos that result in some of the final sections that execute being properly decrypted. I even performed an exhaustive search on passwords up through 12 characters in length | ==> |
| @nopx64 the strlen and individual chars of the password are compared against constants generated through convoluted ways. You need to break on those comparisons and see what the correct values are for each. | ==> |
| @DosX the site just strips potential HTML tags from comments in the clumsiest way possible. | ==> |
| @nightxyz Cool, thank you! | ==> |
| @nightxyz is this like his Heaven's Gate one where the encoded flag is just buried in the binary and not actually accessible with any kind of input? I feel like that violates the spirit of how these are supposed to be structured but would appreciate a write-up showing what we were expected to do if you get a chance. | ==> |
| @justAuser I just don't waste time on the vague ones anymore | ==> |
| @nightxyz lol it's good practice to work through things manually sometimes. I try to find unusual methods to solve these sometimes just so I can learn how to use them | ==> |
| https://github.com/charlesnathansmith/crackmes/tree/main/bobby | ==> |
| There are multiple solutions btw. I managed to get angr to process it, write-up waiting approval | ==> |
| His son Bobby was always frustrating him. | ==> |
| King of the Hill https://www.youtube.com/watch?v=y1C8C7op9LU | ==> |
| @a764934018@outlook.com Nice! I went the lazy route and just used this as a username: !!""##$$%%&&''(())**++,,--..//00112233445566778899::;;??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~ Then split up the password it generates in order to get the substitution values for each character (each input char is doubled up because the substitutions are variable length and it would be impossible to know where each begins and ends in the generated password otherwise) | ==> |
| @1337ReverseEngineer it would've saved you 2 hours | ==> |
| That boy's not right | ==> |
| @nightxyz try entering a repetitive username like AAABBBCCC and look at what password it converts it to, and you should be able to figure out how to extract the information you need to generate passwords for arbitrary usernames | ==> |
| Unpack with UPX, break on the size comparison before memcmp, then just check the arguments in rcx and rdx for the one that's not your input | ==> |
| 5-10 mins | ==> |
| That was a whirlwind. I'll upload a write-up after I edit down this book of notes | ==> |
| I've been wanting to see more that require unspecified license files, registry entries, etc. since that's how it always works with real programs. Maybe it turned out cool, maybe it didn't. I'll check it out when I get a chance though | ==> |
| It's a little more complicated than his last one, bruh. Working on it | ==> |
| That's just the kind of feature abuse I love to see | ==> |
| @SirWardrake There are obfuscators specifically for C# and of course there are binary packers and wrappers, but you start to get into territory of making them so complicated they're not really fair challenges at that point. If you want to use C#, then the fun thing would be to look into really obscure features of the languages you could abuse, or do some research and reversing to see how some objects are represented in memory at a low level and do some kind of direct manipulation/type confusion things. It would challenge you and the players to dig down and learn how some of these things specific to the language work. I find them fun with no patching or plain text passwords showing up in memory at any point, so you have to work out the actual routine performed on the input to reach the success outcome | ==> |
| The second input doesn't have a solution because you're doing: input2[3] = 'w'; puts(input2); iVar1 = strcmp(input2,"q77ivp5r"); which can't ever pass | ==> |
| http://icodeguru.com/Embedded/Hacker%27s-Delight/065.htm | ==> |
| @sporta778 It's magic number modulo division. Take a look at the function in Ghidra and it can work the math out for you | ==> |
| @Mahesh download and read every book with "Reverse Engineering" in the title cover to cover and then be prepared to put in a lot of hours, research, and frustration working on it. It's very doable in most cases, it's just a lot more complicated. | ==> |
| @zdu yes. The size of the input string has to be reduced by 1 to trim off the newline. The patch I made is really hacky -- it should've just gone in a new segment -- but it gets the job done lol | ==> |
| @killmonger crackmes.one | ==> |
| @Crayon open the .sln file in Visual Studio or VS Code and build it to get the executable. TARGET needs to contain the path to the challenge exe. | ==> |
| He may have. I still have one pending. They take a few days to get reviewed | ==> |
| @Programista look into how to use a constraint solver like z3 | ==> |
| Apple used to make good things | ==> |
| I don't know if there are other debuggers that handle it well, but WinDbg is generally your best bet when dealing with architecture jumping. It's designed to seamlessly handle it to make sure it can follow WoW transitions | ==> |
| Nvm it's just UPX | ==> |
| It's packed all to hell. Not sure if that's intentional or if it's actually infected. Detection engines don't like anything corrupted | ==> |
| @Mahesh Commercial programs are usually much more complex than crackmes. Here's a list of resources I put together in the response with books, youtube channels, etc. https://www.reddit.com/r/AskReverseEngineering/comments/16q6re8/comment/k1zuit8/ There's a lot of information to digest in this field to get really good at it. | ==> |
| @tanjid01 Most challenges are console applications. You need to launch them in a cmd window | ==> |
| @TEA It's always crackmes.one | ==> |
| @potichek it's a timing attack | ==> |
| I've included a patched version of the binary in the solution I posted that works as intended | ==> |
| Patch to do what exactly? The password is never verified. As long as it's 5 characters or less, the INVALID message is skipped and there's no other win condition | ==> |
| syscall 3 in x86 on Linux is sys_read. Take a look at the register arguments here: https://faculty.nps.edu/cseagle/assembly/sys_call.html "chinese baguette\n" is just hardcoded into the data section and labeled 'lmao': 0804A018 lmao db 'chinese baguette',0Ah,0 The input is read into 'string', then this is compared to 'lmao' byte-by-byte: .text:0804901B lea esi, string .text:08049021 lea edi, lmao ; "chinese baguette\n" .text:08049027 mov ecx, 11h .text:0804902C repe cmpsb .text:0804902E jnz short error | ==> |
| I don't quite understand this challenge. There doesn't appear to be any way to supply input, and all of the codebase seems to be reached | ==> |
| @MHanak You can run strings on it to get the flag, and the false flags are retrievable just from checking the memcmp arguments. My final solution overcomplicated it just because I saw an opportunity to do so and get an interesting result, but it wasn't strictly necessary. The difficulty ratings also tend to be fairly arbitrary. Just keep at it and push yourself to dig deep into anything you don't understand, and keep trying out different tools as you learn about them to understand what works best for you in different situations, and you'll be tearing into things left and right. It's just a lot of information to digest upfront. | ==> |
| All this work should be done in VMs anyway. We're executing obfuscated programs from random cracking enthusiasts on the Internet. | ==> |
| It gets the same results as the original. It's all "generic", "suspicious", "dropper", etc. Prob some unpacking in the VB runtime, or VB is uncommon enough that it's suspicious on its own. None of the major vendors are flagging it. Obv you have to choose your own comfort level and thanks for pointing it out, but it looks fine to me. | ==> |
| I just did it by hand here. There weren't that many variables here and it was pretty clear what most of them were. I've been wanting to look into working with its backend though. I joined the discord a month or two ago and sat there a week and there didn't seem to be any activity, but I can rejoin I guess. | ==> |
| I got this to open a handful of times, then never again after a restart. Guessing Microsoft's Webview is buggy, which wouldn't be surprising. I'll work on it if I ever get it to work again (maybe try in a VM) | ==> |
| I forgot to mention the netstat regex in the keygen likely needs adjusted to match your system's formatting | ==> |