| Crackme | Date | Infos |
|---|---|---|
| Crack On The Cob - COBOL | 2024-05-10 21:34 | Finding our way through an unfamiliar framework |
| Algocrack Me | 2024-05-09 21:28 | Simple walk-through |
| lvl2 from noxys | 2024-05-09 21:07 | Straightforward walkthrough |
| AsTinyAsHard (2.5 kb crackme) | 2024-04-14 20:19 | Relatively straightforward walkthrough that requires extracting a lot of constants |
| Simple but not simple | 2024-04-08 20:39 | Solution via simple manual analysis and some python practice |
| ObfuscatedPasswordCrackme | 2024-03-19 11:25 | Simple walk-through |
| UltraSec | 2024-03-17 02:52 | Walk-through for solving the virtual-machine protected version. It's fairly straight-forward with the right tooling, which is included |
| Bobby | 2024-03-16 22:58 | Walk-through developing a solver with angr |
| KeygenMe(Second)_SWD | 2024-03-15 23:22 | Straightforward walkthrough that takes advantage of pattern recognition to develop a keygen |
| simple password crack me (not simple) | 2024-03-15 20:24 | Simple walk-through with unpacking info |
| dance | 2024-03-15 02:40 | Long write-up for a complex challenge. Includes copies of binaries that implement the patches explained throughout the write-up needed to eventually recover the original flag |
| crack the key | 2024-03-14 15:27 | Simple walk-through for an interesting type of ctf |
| nano | 2024-03-11 03:03 | Walk-through to find the flag for a clever challenge |
| Easy | 2024-02-28 13:02 | Simple walk-through using an online de-compiler. |
| level2 | 2024-02-26 12:56 | Walk-through with patch |
| Easy Crack me | 2024-02-26 12:13 | Simple look at Java decompilation |
| Crackme1 | 2024-02-26 11:47 | Quick little walk-through |
| ExotiCTF | 2024-02-22 19:50 | Walk-through with solution |
| simple thing i made | 2024-02-22 17:42 | Walk-through with keygen |
| First Crackme | 2024-02-22 14:22 | Walk-through with keygen |
| Find The Password | 2024-02-22 12:52 | Walk-through with launcher source/project for extracting passwords |
| difficult crackme by pupsik | 2024-02-22 06:09 | Simple walk-through with solution |
| Easy Password Reverse 3 | 2024-02-22 03:33 | Walk-through and keygen utilizing a timing attack |
| Level1 | 2024-02-21 17:03 | Simple walk-through to find a rather strange solution |
| Password | 2024-02-13 09:00 | Walk-through showing how to find the correct password and then patch the binary to fix the validation bug |
| ObfuscationFiesta | 2024-02-06 19:26 | Walk-through with some helpful tools including code extractor for arbitrary keys |
| Easy Password Reverse | 2024-02-02 18:35 | Ez walk-through with python keygen |
| Find the serial | 2024-02-02 15:56 | Includes solution walk-through and a breakdown of how the Visual Basic APIs used by the target handle data |
| SimpleGame | 2024-01-31 05:45 | Walk-through with patched game binary |
| Try and patch me | 2024-01-31 05:01 | Simple walk-through with patched binary |
| NanoButton | 2024-01-28 20:25 | Walk-through with example launcher/hot-patcher solution |
| C_crackme | 2024-01-28 17:29 | Simple walkthrough yielding an interesting password format |
| H1dd4n Fl4g | 2024-01-27 00:50 | Walk-through finding the fake response and then developing a buffer overflow to retrieve the real flag |
| nice_crackme | 2024-01-26 09:01 | Walk-through with python keygen |
| math_crackme | 2024-01-26 07:02 | Full walk-through of how the clever math works plus a simple keygen |
| Really Very Easy | 2024-01-25 05:13 | Walkthrough with python solution |
| 100HealthGame | 2024-01-25 03:52 | Simple patch and bugfix explanation and patched binary |
| silly | 2024-01-24 21:58 | Straightforward solution using a disassembler |
| Hidden | 2024-01-23 11:40 | Simple decompilation overview with python keygen |
| FLAG | 2024-01-23 10:28 | Solution with Ghidra and python |
| SSE Login | 2024-01-22 01:31 | Includes manual solution and a solution utilizing angr |
| Array crackmes | 2023-11-20 18:38 | Relatively simple walkthrough. The debugger check is flawed and must be bypassed to run the challenge at all, however |
| my_second_crackme | 2023-11-12 12:59 | z3 keygen with explanation |
| crackme0 | 2023-11-12 09:01 | Walkthrough and keygen |
| Crackme0x04 | 2023-11-11 10:11 | Walkthrough using Ghidra and gdb to find the required password |
| Crackme0x03 | 2023-11-11 08:56 | Writeup with keygen to find all possible base keys, from which more can be trivially constructed |
| Crackme0x02 | 2023-11-11 07:00 | Writeup solving the 3rd installment in this series |
| Crackme0x00 | 2023-11-11 06:34 | Writeup for the first in this series of MacOS challenges |
| Crackme0x01 | 2023-11-11 05:59 | Walkthrough finding the password for this simple start to the set of challenges |
| PYzdon | 2023-11-08 23:59 | Interesting look at navigating a Python compiler/packer to find the password |
| find the encryptor | 2023-11-08 16:20 | Simple walkthrough, convincing the target to decode hidden strings for us. |
| Trappy Crack me | 2023-11-06 20:30 | A bit of early misdirection forces us to confirm our findings as we go, but following the data leads us down the correct path |
| ROT13 crackme | 2023-11-06 19:45 | Straightforward writeup showing the simplest solution method is often the correct one |
| easy crack me Pusik | 2023-10-20 04:26 | Simple walkthrough |
| hellokittyfan's crackme | 2023-10-20 04:07 | Walkthrough with keygen |
| GPTCrackMe | 2023-09-25 17:59 | Complete walk-through with keygen |
| Secret message from a traveller | 2023-09-24 21:14 | Long writeup is loooooong. But there's a lot to cover and we look at all of it. |
| hexagon | 2023-09-21 04:07 | Simple walkthrough and keygen |
| Freemasonry | 2023-09-17 11:16 | Simple walkthrough using dnSpy |
| EAX-Crackme | 2023-09-17 10:46 | Simple walkthrough, with api_log tool included for easily finding API calls |
| based | 2023-09-17 08:14 | Walkthrough and keygen source code implementing the atypical approach of converting the target into a shared library to directly interface with program functions externally |
| snake | 2023-09-16 17:50 | Full walk-through with source for solver |
| encrypted_box | 2023-09-14 04:35 | Full walk-through with custom tool source needed to solve |
| C# Login-Crackme by #BeginnerCracker123 | 2023-09-13 14:03 | Simple walkthrough |
| heaven.exe | 2023-09-09 12:33 | Full walkthrough and solution |
| timotei crackme#11 1K-Edition :-) | 2023-08-18 23:24 | Walkthrough with keygen and searches for interesting messages that can be produced. |
| Crackme v1.0 | 2023-08-08 17:56 | Walkthrough and keygen. This was a fun opportunity to learn about MFC strings |
| timotei crackme#9 | 2023-08-08 13:49 | Full walkthrough with z3 python keygen to enumerate all valid serials |
| cracknkeygen | 2023-08-06 19:27 | Reverse engineering walkthrough and python keygen to generate all valid keys up to any given length |
| lisence_checker | 2023-08-06 10:51 | Overview of both requested bypass types, plus a buffer overflow solution. |
| angry file | 2023-08-05 22:57 | Constraint solving with z3 |
| crackme#1 | 2023-08-01 12:55 | The answer was staring right at me the whole time! |
| Lizz by Lucas0001 | 2023-07-28 10:47 | Fairly simple, but it's rated as such. Practice is practice, and the program is very encouraging ;) |
| CondiAntiCrack | 2023-07-28 09:47 | Simple but fun challenge, with a very unusual password |
| KeygenMePls | 2023-07-27 00:30 | This was a nice opportunity to learn dnSpy a bit. There's a subtle bug (or purposeful subterfuge) in the key verification that's easy to miss. |
| Lmao crackme | 2023-07-26 22:48 | Simple crack, but good example of letting the program do the work for you and just catching the end result when possible. |
| Crackme | Comment | Date |
|---|---|---|
| CrYP70NYM'S CRACKME FIXED | @SpottedZulu2217 Every challenge is zipped with the password crackmes.one | 2024-06-23 20:36 |
| Venix[HARD] | @imeow256 It just directly compares the input to the deobfuscated password: `.text:0000000140018F95 mov rdx, [rbp+230h+Str2] ; Str2` `.text:0000000140018F9C mov rcx, rax ; Str1` `.text:0000000140018F9F call j_strcmp` You just break there and check the arguments and there isn't really anything to solve | 2024-06-04 07:16 |
| guess_the_password | @baba_yaga That's not cracking, that's patching, which defeats the point of most of these challenges | 2024-05-24 19:36 |
| patch it. | I'm interested in seeing a version of this that does work correctly. I don't know anything at all about Java bytecode. If there's a new version of this challenge that just requires me to learn a bunch of things then that would be interesting. | 2024-05-16 23:38 |
| crackme2 | Also, the exe image stays together. So an address in .text or .data will always be the same offset from the base address, though the base address might be random (-ish.. there's only 12 bits of entropy for a 32-bit ASLR). The stack and external DLLs could theoretically be mapped anywhere, though that isn't quite true with DLLs because Windows tries to load them to the same address in every process. Kernel32.dll in particular is unofficially guaranteed to be in the same location for every process (Microsoft won't claim so in official documentation, but Windows Internals and other sources they semi-endorse do). Consequently, if you keep running a program from the same location, it will keep getting the same base address, but renaming it will randomize it again. | 2024-05-13 18:23 |
| FirstCrack | @OpaxIV It's (confusing) shorthand for concatenation, so CONCAT31 concatenates 3 bytes from the first argument with one byte from the second. `CONCAT31(0xaabbcc,0xdd) = 0xaabbccdd` | 2024-05-11 08:23 |
| crackme2 | @majorsopa Windows ASLR isn't really randomized for the same module during a single boot. If you rename or copy the exe its layout will change, but if you keep executing it from the same location, it will be mapped the same every time at least until a reboot. | 2024-05-11 07:31 |
| crackme2 | @majorsopa you can calculate the password from just the base address of the main module, which you can obtain via CreateToolhelp32Snapshot without attaching to it or modifying anything. `checksum = ((base + 0x27f18) ^ 0x80000103) * -1` Then the password is the checksum spelled out backwards (LSB first) in binary. (The password will be 32 '1's and '0's) | 2024-05-11 04:48 |
| lvl2 from noxys | Please statically compile the 32-bit versions next time https://www.dllme.com/dll/files/libgcc_s_dw2-1 https://www.dllme.com/dll/files/libstdc_-6/0162843956c9a2ed520632436533d225 | 2024-05-09 20:46 |
| patch it. | Are we supposed to just make it not crash? `$ java -jar crackme.jar` `Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true` `Exception in thread "main" java.lang.ExceptionInInitializerError at org.prague.o.main(o.java)` `Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 13 out of bounds for length 13 at org.prague.k.(k.java) ... 1 more` | 2024-05-08 11:27 |
| Fort Knox | It seems fine on my end | 2024-04-23 10:40 |
| crackme-puzzle | Can you post a write-up? I don't see a way to determine an ordering for the allowed character set beyond an evolutionary enumeration that prioritizes combos that result in some of the final sections that execute being properly decrypted. I even performed an exhaustive search on passwords up through 12 characters in length | 2024-04-17 22:54 |
| AsTinyAsHard (2.5 kb crackme) | @nopx64 the strlen and individual chars of the password are compared against constants generated through convoluted ways. You need to break on those comparisons and see what the correct values are for each. | 2024-04-15 00:37 |
| AsTinyAsHard (2.5 kb crackme) | @DosX the site just strips potential HTML tags from comments in the clumsiest way possible. | 2024-04-14 09:32 |
| self-modifying crackme | @nightxyz Cool, thank you! | 2024-03-22 00:36 |
| self-modifying crackme | @nightxyz is this like his Heaven's Gate one where the encoded flag is just buried in the binary and not actually accessible with any kind of input? I feel like that violates the spirit of how these are supposed to be structured but would appreciate a write-up showing what we were expected to do if you get a chance. | 2024-03-20 16:59 |
| CFFlat | @justAuser I just don't waste time on the vague ones anymore | 2024-03-19 19:25 |
| Bobby | @nightxyz lol it's good practice to work through things manually sometimes. I try to find unusual methods to solve these sometimes just so I can learn how to use them | 2024-03-18 17:00 |
| Bobby | https://github.com/charlesnathansmith/crackmes/tree/main/bobby | 2024-03-18 01:35 |
| Bobby | There are multiple solutions btw. I managed to get angr to process it, write-up waiting approval | 2024-03-17 21:24 |
| Bobby | His son Bobby was always frustrating him. | 2024-03-16 23:01 |
| Bobby | King of the Hill https://www.youtube.com/watch?v=y1C8C7op9LU | 2024-03-16 22:57 |
| KeygenMe(Second)_SWD | @a764934018@outlook.com Nice! I went the lazy route and just used this as a username: ```!!""##$$%%&&''(())**++,,--..//00112233445566778899::;;??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{\|\|}}~~``` Then split up the password it generates in order to get the substitution values for each character (each input char is doubled up because the substitutions are variable length and it would be impossible to know where each begins and ends in the generated password otherwise) | 2024-03-16 17:13 |
| simple password crack me (not simple) | @1337ReverseEngineer it would've saved you 2 hours | 2024-03-16 15:11 |
| Bobby | That boy's not right | 2024-03-16 00:38 |
| KeygenMe(Second)_SWD | @nightxyz try entering a repetitive username like AAABBBCCC and look at what password it converts it to, and you should be able to figure out how to extract the information you need to generate passwords for arbitrary usernames | 2024-03-15 23:14 |
| simple password crack me (not simple) | Unpack with UPX, break on the size comparison before memcmp, then just check the arguments in rcx and rdx for the one that's not your input | 2024-03-15 20:26 |
| simple password crack me (not simple) | 5-10 mins | 2024-03-15 20:24 |
| dance | That was a whirlwind. I'll upload a write-up after I edit down this book of notes | 2024-03-13 18:54 |
| crack the key | I've been wanting to see more that require unspecified license files, registry entries, etc. since that's how it always works with real programs. Maybe it turned out cool, maybe it didn't. I'll check it out when I get a chance though | 2024-03-11 23:46 |
| dance | It's a little more complicated than his last one, bruh. Working on it | 2024-03-11 23:41 |
| nano | That's just the kind of feature abuse I love to see | 2024-03-11 03:04 |
| KeygenMe_SWD | @SirWardrake There are obfuscators specifically for C# and of course there are binary packers and wrappers, but you start to get into territory of making them so complicated they're not really fair challenges at that point. If you want to use C#, then the fun thing would be to look into really obscure features of the languages you could abuse, or do some research and reversing to see how some objects are represented in memory at a low level and do some kind of direct manipulation/type confusion things. It would challenge you and the players to dig down and learn how some of these things specific to the language work. I find them fun with no patching or plain text passwords showing up in memory at any point, so you have to work out the actual routine performed on the input to reach the success outcome | 2024-03-05 17:21 |
| level3 | The second input doesn't have a solution because you're doing: `input2[3] = 'w'; puts(input2); iVar1 = strcmp(input2,"q77ivp5r");` which can't ever pass | 2024-03-01 17:29 |
| Easy Password Reverse 3 | http://icodeguru.com/Embedded/Hacker%27s-Delight/065.htm | 2024-03-01 16:31 |
| Easy Password Reverse 3 | @sporta778 It's magic number modulo division. Take a look at the function in Ghidra and it can work the math out for you | 2024-03-01 16:09 |
| Easy Password Reverse 2 | @Mahesh download and read every book with "Reverse Engineering" in the title cover to cover and then be prepared to put in a lot of hours, research, and frustration working on it. It's very doable in most cases, it's just a lot more complicated. | 2024-02-29 20:28 |
| Password | @zdu yes. The size of the input string has to be reduced by 1 to trim off the newline. The patch I made is really hacky -- it should've just gone in a new segment -- but it gets the job done lol | 2024-02-29 20:16 |
| Crackme1 | @killmonger crackmes.one | 2024-02-29 20:11 |
| Easy Password Reverse 3 | @Crayon open the .sln file in Visual Studio or VS Code and build it to get the executable. TARGET needs to contain the path to the challenge exe. | 2024-02-29 20:09 |
| simple thing i made | He may have. I still have one pending. They take a few days to get reviewed | 2024-02-25 11:28 |
| simple thing i made | @Programista look into how to use a constraint solver like z3 | 2024-02-24 16:15 |
| ExotiCTF | Apple used to make good things | 2024-02-22 18:31 |
| Heaven's Gate & Impossible Disassembly | I don't know if there are other debuggers that handle it well, but WinDbg is generally your best bet when dealing with architecture jumping. It's designed to seamlessly handle it to make sure it can follow WoW transitions | 2024-02-22 14:31 |
| First Crackme | Nvm it's just UPX | 2024-02-22 13:17 |
| First Crackme | It's packed all to hell. Not sure if that's intentional or if it's actually infected. Detection engines don't like anything corrupted | 2024-02-22 13:13 |
| difficult crackme by pupsik | @Mahesh Commercial programs are usually much more complex than crackmes. Here's a list of resources I put together in the response with books, youtube channels, etc. https://www.reddit.com/r/AskReverseEngineering/comments/16q6re8/comment/k1zuit8/ There's a lot of information to digest in this field to get really good at it. | 2024-02-22 13:01 |
| Easy Password Reverse 3 | @tanjid01 Most challenges are console applications. You need to launch them in a cmd window | 2024-02-22 12:54 |
| Easy Password Reverse 3 | @TEA It's always crackmes.one | 2024-02-22 03:32 |
| Easy Password Reverse 3 | @potichek it's a timing attack | 2024-02-21 19:19 |
| Password | I've included a patched version of the binary in the solution I posted that works as intended | 2024-02-14 22:32 |
| sh0uld_b3_e4zy | Patch to do what exactly? The password is never verified. As long as it's 5 characters or less, the INVALID message is skipped and there's no other win condition | 2024-02-13 06:46 |
| silly | syscall 3 in x86 on Linux is sys_read. Take a look at the register arguments here: https://faculty.nps.edu/cseagle/assembly/sys_call.html "chinese baguette\n" is just hardcoded into the data section and labeled 'lmao': `0804A018 lmao db 'chinese baguette',0Ah,0` The input is read into 'string', then this is compared to 'lmao' byte-by-byte: `.text:0804901B lea esi, string` `.text:08049021 lea edi, lmao ; "chinese baguette\n"` `.text:08049027 mov ecx, 11h` `.text:0804902C repe cmpsb` `.text:0804902E jnz short error` | 2024-02-08 05:51 |
| Heaven's Gate & Impossible Disassembly | I don't quite understand this challenge. There doesn't appear to be any way to supply input, and all of the codebase seems to be reached | 2024-02-07 21:27 |
| H1dd4n Fl4g | @MHanak You can run strings on it to get the flag, and the false flags are retrievable just from checking the memcmp arguments. My final solution overcomplicated it just because I saw an opportunity to do so and get an interesting result, but it wasn't strictly necessary. The difficulty ratings also tend to be fairly arbitrary. Just keep at it and push yourself to dig deep into anything you don't understand, and keep trying out different tools as you learn about them to understand what works best for you in different situations, and you'll be tearing into things left and right. It's just a lot of information to digest upfront. | 2024-02-01 07:30 |
| Try and patch me | All this work should be done in VMs anyway. We're executing obfuscated programs from random cracking enthusiasts on the Internet. | 2024-02-01 07:15 |
| Try and patch me | It gets the same results as the original. It's all "generic", "suspicious", "dropper", etc. Prob some unpacking in the VB runtime, or VB is uncommon enough that it's suspicious on its own. None of the major vendors are flagging it. Obv you have to choose your own comfort level and thanks for pointing it out, but it looks fine to me. | 2024-02-01 07:13 |
| FLAG | I just did it by hand here. There weren't that many variables here and it was pretty clear what most of them were. I've been wanting to look into working with its backend though. I joined the discord a month or two ago and sat there a week and there didn't seem to be any activity, but I can rejoin I guess. | 2024-01-30 17:42 |
| H1dd4n Fl4g | There's another function that prints the flag and a buffer overflow that's possible, but ASLR is enabled and I couldn't find any way to leak an address to construct an input that would trigger it. Obv you can just find the flag in the strings but I didn't think that was the point. | 2024-01-25 00:28 |
| FLAG | @thrash nope | 2024-01-24 15:50 |
| find the encryptor | Submitted a solution last week. Always takes forever for the site to update | 2023-11-14 18:34 |
| XOR crackmes | It also crashes because 7*8 bytes are being overwritten past the result buffer that you also can't control beyond choosing one set of values or the other | 2023-11-08 21:11 |
| XOR crackmes | SUPERNOVA nailed it. The only thing you can control is whether the password is odd or even, and neither evaluates to a correct solution | 2023-11-08 21:05 |
| func crackme | This crashes trying to use the input as a memory pointer. Is this intended? | 2023-11-08 16:31 |
| shy | I hope you don't mind me talking through where I'm at with this a bit, but I've been stuck on one part for days and can't see a way around it. The response has to be in the same format as the challenge. The '-' separated sections of it are broken up and built into two identical CLists. Several registers are populated with the atoi() version of each section from one list, then 3 other registers are set to the first 3 numbers from the other list. Then math is performed, one part of which has to satisfy: `(atoi(CList1[0]) - atoi(CList2[0])) % 0xea == 0x84`, but this can never be true when CList1[0] == CList2[0]. I have been poring over all the assignments and the list building function and cannot for the life of me figure out what would ever cause these lists to be populated with different values | 2023-09-27 17:10 |
| Secret message from a traveller | Thanks! | 2023-09-27 01:22 |
| shy | You search for the error message or call to MessageBoxA or W and trace your way back. I wouldn't start with this one, though, there's something really subtle going on that's hard to work out. Try one of the low difficulty rated console-based challenges. | 2023-09-26 16:40 |
| Secret message from a traveller | Actually I just figured out there's a --romfile option in qemu that probably does what I wanted, but I think what I ended up doing worked out better because it doesn't require the copyrighted ROM image | 2023-09-26 12:34 |
| Secret message from a traveller | Sounds about right. I guess I don't know enough about floppy emulation to find the simpler solution you had in mind. I just ended up removing the hardware locking. https://github.com/charlesnathansmith/crackmes/blob/main/floppy/README.md | 2023-09-26 10:59 |
| Secret message from a traveller | Thank you. I solved it and posted a write-up last night, but approvals always take a while. | 2023-09-25 20:42 |
| GPTCrackMe | @thebovl I accidentally tried a correct combo while I was working on it and realized what it was doing, which threw me off because I try to outline the write-ups as I go to help demonstrate the discovery process in a way that would help readers with other challenges and I wasn't sure how to work that in lol. I'll try to take another look at it soon | 2023-09-24 07:44 |
| based | @b3n the whole point is just to learn. The simpler ones are a good opportunity to try out new techniques. It's cool that you were able to find a way to solve it with ChatGPT, but then try a different approach on the next one, and so on. Then submit writeups so we can learn too! | 2023-09-24 07:25 |
| Secret message from a traveller | There's no way to edit comments so I apologize, but I also haven't figured out how that value is remotely related to the solving for the actual keys, which is why I came looking for some guidance. | 2023-09-23 21:04 |
| Secret message from a traveller | That's not the solution, though. I'm trying to understand if it's something as convoluted as it appears or if I'm just completely overlooking something lol | 2023-09-23 19:31 |
| Secret message from a traveller | Does this require a very specific BIOS ROM to run against? The verification requires the string '92F9674' to be present at f000:0000, which is normally R/O reserved BIOS memory and never reached by the XTEA decryption loop here anyway. | 2023-09-23 17:59 |
| Secret message from a traveller | This is an incredible idea. I haven't thought about floppy drive boot code since the last time I could plug one in to see what happened | 2023-09-21 16:54 |
| GPTCrackMe | It's detecting processes or windows you have open | 2023-09-16 23:09 |
| illusion.exe | `401ffa movzx eax, byte ptr [eax+0x53d040]` `*** key_buf read by 401ffa from 53d040` | 2023-09-14 04:52 |
| illusion.exe | It makes static analysis easier. Just note that there's IAT hooking (eg. Sleep() really points to ExitProcess()) Be careful not to get confused by trusting call names in the static disassembly. That's presumably the "illusion" aspect of the challenge. | 2023-09-14 04:47 |
| illusion.exe | When you instrument with Pin, you still need to hook ZwQueryInformationProcess to hide the debugger checks involving it, but it otherwise flies under the radar If you hook CryptEncrypt and log the data it affects after, you can patch the exe with the code segments up to whatever point your key causes an exit. (Be mindful it generally gets called on each location twice, once to decrypt then again to re-encrypt.) Good luck with it. I might not have a chance to work on it for a while. | 2023-09-14 04:44 |
| illusion.exe | No, sorry... I actually commented on the wrong challenge of his lol. This was meant for encrypted_box. I'm still working on this one. Used Pin to track down where the key gets validated. It goes through a loop checking chars against 'A', 'B', 'C', or 'D', then uses the value to calculate an index (through some clever SEH abuse) it compares a byte from to either continue the loop, break out with a specific value, or otherwise fail out through ExitProcess(). I started fuzzing the keys a char at a time and following branches that don't die. There are combos that would let you keep the loop going forever no matter the length (eg. CACACA...) but clearly you want to cause the break condition at some point, so I need to look at what's happening after that to figure out when/how exactly. | 2023-09-14 04:34 |
| illusion.exe | I almost had to break out the PlayStation controller to solve this one | 2023-09-13 11:45 |
| snake | When I run this, it immediately says "You WIN!" and gives a flag ending with "chachas}" Is there a deeper layer we're supposed to find or is this just the wrong version uploaded? | 2023-09-09 20:06 |
| lisence_checker | It won't allow uploading a second solution, but here is a follow-up implementing the time-based attack https://github.com/charlesnathansmith/crackmes/blob/main/lisence_checker/timing.md | 2023-08-16 21:24 |
| timotei crackme#9 | Thanks! | 2023-08-16 15:19 |
| BadPin WPF Edition | I started looking at the last BadPin a while back but got distracted by other work. Whether or not I get a chance to give either the proper deep dive they deserve, I just want to say I really like what you've done with these. The UIs are completely different but have a cohesive theme. Obfuscated .NET is a really fringe RE topic without much coverage. These are what the challenges are supposed to look like. | 2023-08-08 22:57 |
| timotei crackme#9 | There is a small mistake in the writeup portion of my solution, where I stated that 'if "9999CMabcd" is a valid key, then so are the permutations "9999aCMbcd", "9999bcCMda", etc.' 'CM' must be at an even position in the serial. This is handled correctly in the keygen, I just forgot to update it in the writeup after realizing it. Note that 9999CMabcd isn't a valid key, just an illustrative example when explaining the permutations. If you want valid keys, run the keygen and you'll be lousy with them: `8823CMi` `3077CM\` `2044CMJ` `4003CMq` `7146CMx` ... | 2023-08-08 13:58 |
| my first | It looks like some interesting calculations were about to happen. Look forward to this getting fixed and reuploaded | 2023-08-07 15:35 |
| Spoof me! (network validation) | I uploaded a solution waiting approval that demonstrates altering the packet but also how to track down the API calls in the program. I bundled the source for a simple API logging Pin tool with the solution but forgot to include the GitHub link to go with it. You'll see where it's missing once the submission is approved: https://github.com/charlesnathansmith/api_log | 2023-08-05 12:20 |
| Very Hard Crackme | I mean, I didn't solve it lol Do you have a github link or something to the source? This site is butchering your comment with it trying to prevent XSS. I never quite figured out what I was supposed to do with Discord but have accounts pretty much everywhere else. Reddit: u/anaccountbyanyname Twitter ("X" -_-): @cnathansmith IG: @charlesnathansmith | 2023-08-01 13:10 |
| EsoLangVM Test | I got a late start on this one, but I'm getting there. I wrote a gdb script to give me a log of all the macros/code stubs called in order, then just finished a python script to reduce each macro's esi table reads and writes into a form that actually lets some structure emerge. This has definitely been a fun challenging one so far. Not sure if there are any upcoming surprises that'll throw a curveball, but it's looking promising so far. | 2023-08-01 11:35 |
| Very Hard Crackme | I worked on this for the better part of yesterday and got completely stuck lol. I'm probably overlooking something simple, but here's the rabbit hole I went down with it. If this were a real product, I would've just patched it and called it a day :) https://github.com/charlesnathansmith/scratch/blob/main/crackmes/veryhard.md | 2023-07-26 20:21 |