Crackme | Infos |
---|---|
Crack On The Cob - COBOL | Finding our way through an unfamiliar framework |
Algocrack Me | Simple walk-through |
lvl2 from noxys | Straightforward walkthrough |
AsTinyAsHard (2.5 kb crackme) | Relatively straightforward walkthrough that requires extracting a lot of constants |
Simple but not simple | Solution via simple manual analysis and some python practice |
ObfuscatedPasswordCrackme | Simple walk-through |
UltraSec | Walk-through for solving the virtual-machine-protected version. It's fairly straightforward with the right tooling, which is included |
Bobby | Walk-through developing a solver with angr |
KeygenMe(Second)_SWD | Straightforward walkthrough that takes advantage of pattern recognition to develop a keygen |
simple password crack me (not simple) | Simple walk-through with unpacking info |
dance | Long write-up for a complex challenge. Includes copies of binaries implementing the patches explained throughout the write-up, which are needed to eventually recover the original flag |
crack the key | Simple walk-through for an interesting type of ctf |
nano | Walk-through to find the flag for a clever challenge |
Easy | Simple walk-through using an online decompiler |
level2 | Walk-through with patch |
Easy Crack me | Simple look at Java decompilation |
Crackme1 | Quick little walk-through |
ExotiCTF | Walk-through with solution |
simple thing i made | Walk-through with keygen |
First Crackme | Walk-through with keygen |
Find The Password | Walk-through with launcher source/project for extracting passwords |
difficult crackme by pupsik | Simple walk-through with solution |
Easy Password Reverse 3 | Walk-through and keygen utilizing a timing attack |
Level1 | Simple walk-through to find a rather strange solution |
Password | Walk-through showing how to find the correct password and then patch the binary to fix the validation bug |
ObfuscationFiesta | Walk-through with some helpful tools including code extractor for arbitrary keys |
Easy Password Reverse | Easy walk-through with python keygen |
Find the serial | Includes solution walk-through and a breakdown of how the Visual Basic APIs used by the target handle data |
SimpleGame | Walk-through with patched game binary |
Try and patch me | Simple walk-through with patched binary |
game crackme (readme) | Full walk-through with python keygen |
NanoButton | Walk-through with example launcher/hot-patcher solution |
C_crackme | Simple walkthrough yielding an interesting password format |
H1dd4n Fl4g | Walk-through finding the fake response and then developing a buffer overflow to retrieve the real flag |
nice_crackme | Walk-through with python keygen |
math_crackme | Full walk-through of how the clever math works plus a simple keygen |
Really Very Easy | Walkthrough with python solution |
100HealthGame | Simple patch and bugfix explanation and patched binary |
silly | Straightforward solution using a disassembler |
Hidden | Simple decompilation overview with python keygen |
FLAG | Solution with Ghidra and python |
SSE Login | Includes manual solution and a solution utilizing angr |
Array crackmes | Relatively simple walkthrough; however, the debugger check is flawed and must be bypassed before the challenge will run at all |
my_second_crackme | z3 keygen with explanation |
crackme0 | Walkthrough and keygen |
Crackme0x04 | Walkthrough using Ghidra and gdb to find the required password |
Crackme0x03 | Writeup with keygen to find all possible base keys, from which more can be trivially constructed |
Crackme0x02 | Writeup solving the 3rd installment in this series |
Crackme0x00 | Writeup for the first in this series of macOS challenges |
Crackme0x01 | Walkthrough finding the password for this simple start to the set of challenges |
Comments:

@SpottedZulu2217 Every challenge is zipped with the password crackmes.one

@imeow256 It just directly compares the input to the deobfuscated password:

    .text:0000000140018F95 mov rdx, [rbp+230h+Str2] ; Str2
    .text:0000000140018F9C mov rcx, rax ; Str1
    .text:0000000140018F9F call j_strcmp

You just break there and check the arguments and there isn't really anything to solve

@baba_yaga That's not cracking, that's patching, which defeats the point of most of these challenges

I'm interested in seeing a version of this that does work correctly. I don't know anything at all about Java bytecode. If there's a new version of this challenge that just requires me to learn a bunch of things then that would be interesting.

Also, the exe image stays together. So an address in .text or .data will always be the same offset from the base address, though the base address might be random (-ish; there are only 12 bits of entropy for 32-bit ASLR). The stack and external DLLs could theoretically be mapped anywhere, though that isn't quite true with DLLs because Windows tries to load them to the same address in every process. Kernel32.dll in particular is unofficially guaranteed to be in the same location for every process (Microsoft won't claim so in official documentation, but Windows Internals and other sources they semi-endorse do). Consequently, if you keep running a program from the same location, it will keep getting the same base address, but renaming it will randomize it again.

@OpaxIV It's (confusing) shorthand for concatenation, so CONCAT31 concatenates 3 bytes from the first argument with one byte from the second. CONCAT31(0xaabbcc,0xdd) = 0xaabbccdd

@majorsopa Windows ASLR isn't really randomized for the same module during a single boot. If you rename or copy the exe, its layout will change, but if you keep executing it from the same location, it will be mapped the same every time, at least until a reboot.

@majorsopa you can calculate the password from just the base address of the main module, which you can obtain via CreateToolhelp32Snapshot without attaching to it or modifying anything.

    checksum = ((base + 0x27f18) ^ 0x80000103) * -1

Then the password is the checksum spelled out backwards (LSB first) in binary. (The password will be 32 '1's and '0's)

Please statically compile the 32-bit versions next time https://www.dllme.com/dll/files/libgcc_s_dw2-1 https://www.dllme.com/dll/files/libstdc_-6/0162843956c9a2ed520632436533d225

Are we supposed to just make it not crash?

    $ java -jar crackme.jar
    Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
    Exception in thread "main" java.lang.ExceptionInInitializerError
    at org.prague.o.main(o.java)
    Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 13 out of bounds for length 13
    at org.prague.k.(k.java)
    ... 1 more

It seems fine on my end

Can you post a write-up? I don't see a way to determine an ordering for the allowed character set beyond an evolutionary enumeration that prioritizes combos that result in some of the final sections that execute being properly decrypted. I even performed an exhaustive search on passwords up through 12 characters in length

@nopx64 the strlen and individual chars of the password are compared against constants generated through convoluted ways. You need to break on those comparisons and see what the correct values are for each.

@DosX the site just strips potential HTML tags from comments in the clumsiest way possible.

@nightxyz Cool, thank you!

@nightxyz is this like his Heaven's Gate one where the encoded flag is just buried in the binary and not actually accessible with any kind of input? I feel like that violates the spirit of how these are supposed to be structured but would appreciate a write-up showing what we were expected to do if you get a chance.

@justAuser I just don't waste time on the vague ones anymore

@nightxyz lol it's good practice to work through things manually sometimes. I try to find unusual methods to solve these sometimes just so I can learn how to use them

https://github.com/charlesnathansmith/crackmes/tree/main/bobby

There are multiple solutions btw. I managed to get angr to process it, write-up waiting approval

His son Bobby was always frustrating him.

King of the Hill https://www.youtube.com/watch?v=y1C8C7op9LU

@a764934018@outlook.com Nice! I went the lazy route and just used this as a username: !!""##$$%%&&''(())**++,,--..//00112233445566778899::;;??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~ Then split up the password it generates in order to get the substitution values for each character (each input char is doubled up because the substitutions are variable length and it would be impossible to know where each begins and ends in the generated password otherwise)

@1337ReverseEngineer it would've saved you 2 hours

That boy's not right

@nightxyz try entering a repetitive username like AAABBBCCC and look at what password it converts it to, and you should be able to figure out how to extract the information you need to generate passwords for arbitrary usernames

Unpack with UPX, break on the size comparison before memcmp, then just check the arguments in rcx and rdx for the one that's not your input

5-10 mins

That was a whirlwind. I'll upload a write-up after I edit down this book of notes

I've been wanting to see more that require unspecified license files, registry entries, etc. since that's how it always works with real programs. Maybe it turned out cool, maybe it didn't. I'll check it out when I get a chance though

It's a little more complicated than his last one, bruh. Working on it

That's just the kind of feature abuse I love to see

@SirWardrake There are obfuscators specifically for C# and of course there are binary packers and wrappers, but you start to get into territory of making them so complicated they're not really fair challenges at that point. If you want to use C#, then the fun thing would be to look into really obscure features of the languages you could abuse, or do some research and reversing to see how some objects are represented in memory at a low level and do some kind of direct manipulation/type confusion things. It would challenge you and the players to dig down and learn how some of these things specific to the language work. I find them fun with no patching or plain text passwords showing up in memory at any point, so you have to work out the actual routine performed on the input to reach the success outcome

The second input doesn't have a solution because you're doing:

    input2[3] = 'w';
    puts(input2);
    iVar1 = strcmp(input2,"q77ivp5r");

which can't ever pass

http://icodeguru.com/Embedded/Hacker%27s-Delight/065.htm

@sporta778 It's magic number modulo division. Take a look at the function in Ghidra and it can work the math out for you

@Mahesh download and read every book with "Reverse Engineering" in the title cover to cover and then be prepared to put in a lot of hours, research, and frustration working on it. It's very doable in most cases, it's just a lot more complicated.

@zdu yes. The size of the input string has to be reduced by 1 to trim off the newline. The patch I made is really hacky -- it should've just gone in a new segment -- but it gets the job done lol

@killmonger crackmes.one

@Crayon open the .sln file in Visual Studio or VS Code and build it to get the executable. TARGET needs to contain the path to the challenge exe.

He may have. I still have one pending. They take a few days to get reviewed

@Programista look into how to use a constraint solver like z3

Apple used to make good things

I don't know if there are other debuggers that handle it well, but WinDbg is generally your best bet when dealing with architecture jumping. It's designed to seamlessly handle it to make sure it can follow WoW transitions

Nvm it's just UPX

It's packed all to hell. Not sure if that's intentional or if it's actually infected. Detection engines don't like anything corrupted

@Mahesh Commercial programs are usually much more complex than crackmes. Here's a list of resources I put together in the response with books, YouTube channels, etc. https://www.reddit.com/r/AskReverseEngineering/comments/16q6re8/comment/k1zuit8/ There's a lot of information to digest in this field to get really good at it.

@tanjid01 Most challenges are console applications. You need to launch them in a cmd window

@TEA It's always crackmes.one

@potichek it's a timing attack