Thank you so much for the feedback, @dev0! Regarding your question, after the ptrace check, the code executes shellcodec, a function pointer to shellcode. This shellcode includes an INT3 instruction, which could cause the shell to spawn under specific debugging traps if the debugger interrupts on INT3. Check the source code for details: https://github.com/juliangrtz/crackmes/blob/main/sew3rr4t/crackme.c#L180
==>
Thanks for the feedback, guys! This crackme was just a quick smoke test to see how well it's received. The next one will be way more convoluted!
==>
It's been late, sporta778 ;)
==>
I see. Feel free to upload a whole solution.
==>
Well done, jewdev! Could you elaborate on how you reached the last layer?
==>
I haven't phrased that well in the description: Patching IS allowed and encouraged to get rid of the anti-debugging techniques and junk bytes. However, patching isn't allowed to force the program to display the flag without you having reversed the key generation algorithm first.
The source code can be found here: https://github.com/juliangrtz/crackmes/tree/main/FortKnox
==>
Make sure you've installed the x86 2019 Visual C++ Redistributable Runtime.
==>
I can't run it on Windows 11, there seem to be several DLL files missing. Please reupload the crackme and make sure it is compiled and linked correctly.
==>
Nobody?
==>
https://juliangrtz.me/2024/01/08/x0rb0y_crackme/
==>
Sure, @alexisreen0. The binary is statically linked with stripped symbols. Hence, it would make sense to identify some libc functions first (printf, puts, strcmp etc.) using signatures, for example, and work backwards from there. As for the anti-debugging measures: There is a separate thread checking whether a debugger is attached. Try to prevent this thread from being started. You should rely on dynamic analysis as much as possible because of the stripped symbols and anti-disassembly measures.
==>
1. Attach a debugger before entering the password
2. Put a breakpoint at ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A (std::cin)
3. Enter an arbitrary password
4. Look at register RSI
==>
admin / kaka123
==>
Although the applied obfuscation techniques are definitely rather simple, it is still a fine crackme. Interestingly, IDA's decompiler slightly struggles with the key validation function – it'd be great to see a more difficult version of this crackme in which the IDA decompiler (and similar decompilers) completely fail(s).
==>
The password is enesibledev.
Great crackme! It wasn't trivial to circumvent the anti-debug techniques.
==>
The password is hard-coded at offset 0x2CE0...
==>
Error: An unexpected error occurred while trying to open file crackme.jar
It seems the MANIFEST.MF file is broken.
==>
Well done, db123! Any chance you could upload your full solution?
==>
A good challenge. Debugging helps a lot.
==>
VirusTotal reports 27/68 malicious flags. It could be 27 false positives due to the strong obfuscation, but I would encourage the author to upload the source code somewhere. Comparing the hash of the compiled program with the one in the .zip file would prove that the CrackMe is indeed harmless.
==>
This CrackMe was written by me. Please give me respective ownership. I can prove it if you want me to.
==>
Nice CrackMe. Enjoyed solving it.
==>