Unpack it with de4dot, then debug it in dnSpy. It has a datetime check, and we need to dump the picture byte array to a file by evaluating this code in the Watch view:
System.IO.File.WriteAllBytes("rew1nd.png", array20)
If you want to patch it, you can edit the IL in dnSpy directly. |
==> |
CrackMe v1 | by c0d3x94
You Username: Crack
You Key: Cracked
Your key is correct Crack
|
==> |
G1CZ0-WE8I4-CJ7IQ-38L89-9O57N |
==> |
[SUCCESS] The key was: 06277a852e979af7f8bb721421b0acd9
Just use Process Hacker 2 to search the process memory and you will get this key. |
==> |
// Keygen fragment: derives userpassword[] from the length of `username`.
// v15, v16, si128, userpassword and username are declared outside this snippet;
// the m128i_* member names suggest v16 and si128 are MSVC __m128i values — TODO confirm.
// NOTE(review): every output element is (username length ^ fixed constant), so the
// key depends only on the username's length, not on its characters.

// First constant block: read as 16-bit little-endian units, these bytes spell "NiceOne!".
char v15m[16] = { 0x4E, 0, 0x69, 0, 0x63, 0 , 0x65, 0, 0x4F, 0, 0x6E, 0, 0x65, 0, 0x21, 0 };
memcpy(&v15, v15m, sizeof(v15));
// Second constant block: the first three 16-bit units are '-', '_' and 0.
// The remaining bytes are copied too but are not read by the code below.
char v16m[16] = { 0x2D, 0, 0x5F, 0, 0, 0 , 0, 0, 0x80, 0x50, 0x5D, 0x61, 0xF8, 0x7F, 0, 0 };
memcpy(&v16, v16m, sizeof(v16));
// Zero si128, then store the username length (truncated to 8 bits) in byte 0.
memset(&si128, 0, sizeof(si128));
si128.m128i_i8[0] = (uint8)strlen(username);
// Byte 8 lies outside m128i_i32[0], so this store does not affect the XORs below.
si128.m128i_u8[8] = 0x0F;
// On a little-endian target m128i_i32[0] now equals the truncated length.
// WORD1..WORD6 and HIWORD are not defined in this snippet; presumably the
// decompiler helper macros that select a 16-bit word of v15 — verify.
// NOTE(review): assumes userpassword holds 16-bit characters — TODO confirm.
userpassword[0] = (si128.m128i_i32[0] ^ *(unsigned __int16*)&v15);
userpassword[1] = (si128.m128i_i32[0] ^ WORD1(v15));
userpassword[2] = (si128.m128i_i32[0] ^ WORD2(v15));
userpassword[3] = (si128.m128i_i32[0] ^ WORD3(v15));
userpassword[4] = (si128.m128i_i32[0] ^ WORD4(v15));
userpassword[5] = (si128.m128i_i32[0] ^ WORD5(v15));
userpassword[6] = (si128.m128i_i32[0] ^ WORD6(v15));
userpassword[7] = (si128.m128i_i32[0] ^ HIWORD(v15));
// Elements 8..10 use the first three 16-bit units of v16; unit 2 is 0,
// so element 10 is the truncated length itself.
userpassword[8] = (si128.m128i_i32[0] ^ v16.m128i_u16[0]);
userpassword[9] = (si128.m128i_i32[0] ^ v16.m128i_u16[1]);
userpassword[10] = (si128.m128i_i32[0] ^ v16.m128i_u16[2]);
// Terminate the 11-element key.
userpassword[11] = 0; |
==> |
username: db123
password: 132240
1. Remove the debugger check by changing the jz to a jmp.
2. Input a user word, then find the code at:
.text:00007FF79A381640
.text:00007FF79A381640 loc_7FF79A381640: ; CODE XREF: check_password+A6↑j
.text:00007FF79A381640 F2 0F 59 05 78 40 00 00 mulsd xmm0, cs:qword_7FF79A3856C0
.text:00007FF79A381648 F2 0F 2C C0 cvttsd2si eax, xmm0
.text:00007FF79A38164C 48 63 C8 movsxd rcx, eax
.text:00007FF79A38164F 48 0F AF CF imul rcx, rdi
.text:00007FF79A381653 48 3B D1 cmp rdx, rcx
.text:00007FF79A381656 0F 85 C6 01 00 00 jnz loc_7FF79A381822
Debug it and you will get a hex value in rcx. Convert it to a decimal value and write it out as a string; that is the password. |
==> |
password:5up3rH1dd3nPa55w0rd
code:
// length must be 19
// ignore memory leak
char* encrypt_simple(char* text)
{
int length; // r8d
int byte; // ecx
assert(strlen(text) == 19);
int* result = new int[19];
memset(result, 0, 19*sizeof(int));
length = 0;
do
{
byte = text[length];
result[length] = byte % 2 == 0 ? byte + 1 : byte - 1;
++length;
} while (length |
==> |
real keys:I-AM-A-CR4CKER_(o | o)
1. Unpack the exe with upx.
2. Remove the debugger/driver check.
3. Remove the serials check. |
==> |