Number of crackmes:
Number of solutions:
Comments:
Name | Author | Language | Arch | Difficulty | Quality | Platform | Date | Solution | Comments |
---|---|---|---|---|---|---|---|---|---|
Mr Good Life Crackme V2 | devsoft | .NET | x86 | 5.0 | 5.0 | Windows | 4:01 PM 06/12/2023 | 0 | 5 |
Mr Good Life Crackme | devsoft | .NET | x86 | 4.0 | 2.5 | Windows | 10:36 AM 05/31/2023 | 0 | 11 |
Crackme | Infos |
---|---|
BadPin | PDF File with .NET code reversion and solution, provided with the help of the author. |
timotei crackme#8 | PDF file with solution and links to information found. |
Br34k_M3 if you can... | PDF File with 2 different techniques to fetch the current password |
CrackItLOL | PDF file with full trace to source code. |
Br34k_M3 1337 | PDF file with solution in how to trace correctly the key |
ZittoKeygenme | PDF file with solution to unpack manually, and analyze in order to create Keygen. Keygen code included |
MitoVM Test (DeVirtualizeMe) | Solution with PDF file and logs from my trace with the IL code of some methods that were virtualized, and all the executions with their respective parameters and response. |
Crack Me | PDF file with solution with manual edit of values during runtime |
cryptome_.net_1 by subminking | PDF file with very detailed explanation of how to unpack/crack it without patching or even renaming the methods to respect the checksum policy. |
ShAPK1 | PDF file with reversion explained, and method of patching SMALI code. |
CrackMe (VMProtect Premium) (.NET) | PDF file with solution to trace the key, and some explanation about the techniques being used by the coders. |
crackmekeygenme by theunknownprogrammer | PDF file with solution in how to create Keygen. Keygen included as image. |
Xrace-Crackme-#1 | PDF file with 4 different solutions, none involving patching. 2 of them via Unpack, and 2 of them by password sniffing |
VirtualGuard Keygenme | PDF file with solution without patching |
CrackMeNoString | PDF file with solution and code to create a keygen |
Jeda | PDF file explaining how to intercept the password, and how to deceive my own technique |
flappyXcrackme | PDF Explaining how to solve the Crackme without patching the original exe |
[Fixed] CrackMe like a wannacry | PDF file with explanation in how to get valid key, and reverse the encrypted files. |
[Modifed] Crackme like a Petya ransomware | PDF file with logTrace explaining how to reverse the ransomware lock on the fly. |
CrackmesOneKeygenMe ByClone [#1] | PDF file with solution without patching |
Dll injection | PDF file with explanation in how to bypass the system |
CrackME v3.0 | PDF file with 2 different solutions to obtain key, with and without patching. |
MediumCrackme | Simple explanation on text file on how to find one valid key on runtime. |
Comment | Link |
---|---|
@rish0n this Crackme helped me to integrate my HarmonyInjector on .NET Core, thank you very much for it. I'm presenting a solution based on that. | ==> |
This one is way more easy than expected, I'll write my own @mlmn21 | ==> |
Hum, I have done that so far for the calli Instructions. They lead to .NET managed code, and only after hours of trying to reverse the IL code of the virtualized functions I've realized that the code is unmanaged ^^. So I see him operating those 2 numbers, I see the consequent toInt64 but even with manual combination no luck for me. Anyway, I'll follow your tips and check out if I can take anything out of this. This approach is very good, Gratz on such a great job! | ==> |
This is madness... Has someone any info that can help on this? | ==> |
Hint : Steganography | ==> |
I'm presenting a full solution for this one. Thanks, @zira! :D | ==> |
I guess you are right @s4r, I guess this needs another approach | ==> |
PS : Link is there only in case author is "dead", it will be removed (from cloud) case accepted. | ==> |
Posting one solution for this one, leaving here also in case the author is offline = https://drive.google.com/file/d/1_caDUFwa-G-rLHQ3-nz1jfFcndl4UsNM/view?usp=drive_link | ==> |
@DZghost, well I guess you are not familiarized with packers right? No pal, the packer is protecting a Bitmap library and a PNG with 6mb. And now no one needs more info to resolve this... The Packers are DOTNETREACTOR and Turbo Studio... Resolve this inside a VM in case you are afraid. Any doubt you can ask, but beware your accusations. | ==> |
There is nothing of Pascal in this PE. ^^ | ==> |
@mito, can this be a sort of DeVirtualization? I'm only asking because imagining there were 2 methods after the readline(), and one is called when 0 and other when not, in that case I guess I wouldn't be able to trace the not selected method... SPOILER!!! = **************************************************************** ****** System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal.Prefix() ****** # Parameter(System.String[]) = System.String[] # Instance(System.Reflection.RuntimeMethodInfo) = Void EiIjGx(System.String[]) # Instance FullDescription = static System.Void iRyVey::EiIjGx(System.String[] 5OUUUj) # Instance MetadataToken = 100663300 # Instance IsAssembly = False **************************************************************** ****** System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal.Prefix() ****** # Parameter(System.String) = MitoVM 2.0 Devirtme! # Instance(System.Reflection.RuntimeMethodInfo) = Void set_Title(System.String) # Instance FullDescription = static System.Void System.Console::set_Title(System.String value) # Instance MetadataToken = 100666194 # Instance IsAssembly = False **************************************************************** ****** System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal.Postfix() ****** **************************************************************** ****** System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal.Prefix() ****** # Parameter(System.Int32) = 13 # Instance(System.Reflection.RuntimeMethodInfo) = Void set_ForegroundColor(System.ConsoleColor) # Instance FullDescription = static System.Void System.Console::set_ForegroundColor(System.ConsoleColor value) # Instance MetadataToken = 100666160 # Instance IsAssembly = False **************************************************************** ****** System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal.Postfix() ****** **************************************************************** ****** System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal.Prefix() ****** # Parameter(System.String) = math object initialized # Instance(System.Reflection.RuntimeMethodInfo) = Void WriteLine(System.String) # Instance FullDescription = static System.Void System.Console::WriteLine(System.String value) # Instance MetadataToken = 100666233 # Instance IsAssembly = False **************************************************************** | ==> |
Still can't patch this. Anyway, patching is never the best way. I'm posting a solution without patching or even a debugger! | ==> |
Although @OnlyPrinzP has given all the game, I'm going to put a full solution on this. But @Crackingiskindscoolerthemcoding, my advice is that you code way more than what you crack or someday, you'll be looking at a unicorn ^^. | ==> |
Posting a solution for this one, but this time I'll try to put a POC in how to deceive my own technique | ==> |
@hoangnguyen Thank you for these birds! ^^ I'm posting a solution | ==> |
@thebovl, I mean the 2º label next to the comments, where we can submit (PDF/Word) files explaining step by step how to solve the Crackme that was posted. For example, I have achieved 4 so far = https://pasteboard.co/yX6mMjwWO8Mr.png https://pasteboard.co/nGwnXhuy7KKe.png But you need to agree with the method. Most Crackmes authors don't accept patching, and they love Keygens, but it's up to each one to agree or not. Hope this helps, aiming a strong dev community! | ==> |
@NANOBOT, that mail is gone, I'll leave Discord. Discord = leonardo0011 | ==> |
@thebovl Aren't you receiving further solutions from me? Maybe it's one per user? :P Not important at all, just trying to understand. | ==> |
Has someone been able to find a valid key? So far only resolved via Patching, and even that was hard... | ==> |
Posting one solution, again, thanks for the fun @thebovl! :D | ==> |
@thebovl did I miss something with this solution? Just to be sure it works since on VM throws a memory overflow and I don't want to test outside on VM :P | ==> |
I've been investigating the 404 issue. It seems dropbox marked my file as insecure. The new one has a VirtualFileSystem Layer to evade common systems. If anyone else has a problem running this one until it asks for a key, just mention. | ==> |
I hate to do this, but since it's the only way = aHR0cHM6Ly90aW55dXJsLmNvbS9NUkdPT0RMSUZF Again, the data is just too much to compress, and all of that data is needed. | ==> |
Nop not weird at all, friend. The new exe that is getting flagged is compressed to the max, still is too big to be hosted here. The second exe you see, it's protected and the injector of .NET is getting flagged. It goes without saying that you should open an exception. Extract the .NET managed code and once you extract the data you'll realize how to solve it. | ==> |
Posting a new solution without patching ^^, this is half you want, since it's based on a weakness. | ==> |
@thebovl No judgment at all! I'm no big expert myself! I just like breaking stuff ^^. I tried, but the task itself is going to be hard as hell. Somewhere in the sea of RAM, there must be a pointer to the offset, but the "seekers" I know depend on multiple scans, which is instantly killed due to this dynamic key system. Although I know when the value will be at ebp-14C, I can't pause the PID execution to extract it :\. But I'm eager for someone else to post a solution involving either a pointer scan, or an offset extraction. But since I'm thinking while typing, I did realize all strings have a fixed LEN of 16. This constant might be a weakness, but only time will tell. Anyway, this is a complex system with multiple usages and it's always nice to check out where and how it is being used. | ==> |
You can send an email to = geren93888@ratedane.com with your questions, although I hope they're related to this. | ==> |
I'm posting one possible solution, nice job again @thebovl! | ==> |
In that case, Sol about to be uploaded without patch. | ==> |
I'll apply for a solution that involves patching. But since it will be refused, I will never see it, because your examples just ask not to get resolved :\ | ==> |
@thebovl the question is only one. Is it acceptable to cheat the value? Since you defined the no patching rule :\ | ==> |
Stage One : from pytransform import pyarmor_runtime pyarmor_runtime() __pyarmor__(__name__, __file__, b'PYARMOR\x00\x00\x03\x08\x00U\r\r\n\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00@\x00\x00\x00\xfe\x02\x00\x00\x00\x00\x00\x18\xdat\xffn\x1a\xaa\x94\xf0\xdf\x96\x8a7\x1d\x15\xa8\x9e\x00\x00\x00\x00\x00\x00\x00\x00L\x03C\x15\\A\xbe\x84\xd5\xa0\xb3O\xb5\x18\n\xc9\x01wG\xd5\xfc\xd5\x84,Y\xd5\xef8\xfe@\x83*$\x91\xe2\x86\xc5\x0b\x98 \xfc\xd35M\xa0M\xf7Y\x11"-J\x00\xf8\r\xea\x0e2\xa8\xb5i\x94\xc1G\x06\xedry`\xd8\xea5H\xcd\xba\xcd}\xd2\x1d\x010{\x84\xe4\x17\xd6\xber\xd4\x8da\xf5p\x1e\xec\xca\xd3\x80\xbb\xa1y\xf0\xf3\xad~A\xd9D\x06_U\xad\x8d\t\x14_\x97QNb#\xf9`1\x7f\xaf\xf8\xab3\xf0=\x9f\x01\xf4O\x15\x92\xf4\xe4!\xce\xfa\x1fR\x87\xca&\xf5\xd9*\xce(\x03\\v^\x02\xd5\xa8\xdc\x07\xd8\xf0\xb15\xe3]6\xc0\x83\xc3\xf7uk \\jF}\xbb\x06eqTQTR\x96\xf2n;\xb2\xba\\p\xce\x96\n\xea\x87~F7I\xf1\xec\xc2\xb9\xb6\xf1\xe7\xd5-\x05`\x04\x8a;\x9e\x12\xfd\xb5ei\x0c\xf6\xf2\xeax\x12\xa76-/Z2\xe3\xe5\xf1\xfa', 2) | ==> |
@thebovl, which one? :) The loader is not managed code, and I guess is c++ with a common RunPE, running a .NET payload. So the solution without a patch might only pass by cheating it... :\ | ==> |
I'm going to write a solution for this Crackme with and without debugger, if it gets approved, it may answer your doubts with some luck. | ==> |
Is patching valid for this scenario? The encryption is rather easy, but this List of classes Algo is something... | ==> |
This kind of software virtualizes its own actions. So the code inside DnSpy won't be "User Code", but the Algo(Engine) running the instructions that reside inside it. | ==> |
[ebp-14C] will always contain the valid key for the instance | ==> |
SPOILER AHEAD! # ****************************** # Method = System.Text.Encoding.GetString # BytesIn = "SHN3UEdCTV5yc0VzKlB2UHVuJkQ5RWx5YVpVeHQ4bmprMkloJHIlRF5QM2NzRzF5VUg=" # Result = "HswPGBM^rsEs*PvPun&D9ElyaZUxt8njk2Ih$r%D^P3csG1yUH" # ****************************** # ****************************** # Method = System.Text.Encoding.GetString # BytesIn = "QWN0aXZlIERvbmUh" # Result = "Active Done!" # ****************************** # ****************************** # Method = System.Text.Encoding.GetString # BytesIn = "RG9uZQ==" # Result = "Done" # ****************************** # ****************************** # Method = System.Text.Encoding.GetString # BytesIn = "QWN0aXZlIGZhbHNlIQ==" # Result = "Active false!" # ****************************** # ****************************** # Method = System.Text.Encoding.GetString # BytesIn = "IQ==" # Result = "!" # ****************************** | ==> |
I've made a nab video, Dk if it fits, anw here to explain myself | ==> |
PS: It's OEM based, caught 1 Key for my own. In that case, I found my Key with a Hook via Harmony = https://postimg.cc/CZPnVrBh | ==> |
Key is = 09imUwTTE0uFC1DBVKYB+m5D3REGoerkkYun7dt6xdB844hVj91BRJ5qDeuDsMhc This was funny, and hard! Thank you very much :) | ==> |
Let's go all again.. ^^ | ==> |
Pass is = 1488_xach. Done with harmony | ==> |
The call to Hook is = AesCryptoServiceProvider.CreateEncryptor(key,iv). After this is a matter of file parsing until IV and Key produce results on the file. Again, I don't think there is a 100% correct solution on this Crackme, but using Harmony and DotNetHooker may be enough to resolve the challenge. GL Everyone. | ==> |
Not quite sure this one depends on a solution. Since Unpacking was outside hands, I used Harmony to Hook the call and print it further more than VMUnpacker[Tracer]. As the log shows the Key is Random(), so the only way to reverse this without bruteforce, is to grab the key on the fly. I'll leave the Unvirtualized log and wait for a correct solution for this one. = https://filebin.net/fbbye561twfrgqp8 | ==> |
This version of VMP is not DeMutable by the current tool. Has someone unpacked this? Regards | ==> |
Hello friend. I've been trying to sort this out, but this is way too virtualized for my head. I've hooked UnsafeInvoke method in order to watch the huge amount of instructions, but no logic can be sorted out of this = https://pastebin.com/qvs2HN62. Can you provide the name of the Obfuscator, or some Hint to help me solve this Crackme? So far is one of the hardest I've found in .NET. Thanks and Gratz on the good work. | ==> |
This one is not hard. After a bit of fight, you will find the Zeus Anti-Debug Dll. It's a kind of easy PE to patch. Disable the bloody damn thing. Patch the code again so you can use any Tech. This step is not necessary but it releases the "Kraken". Using the same methods, now you can peek up the new ctor values. Breakpoint there and sniff the pass = https://i.postimg.cc/zf353QP3/Screenshot-3.png | ==> |