Profile

Crackme	Comment	Date
Next generation Keygen	Nice little crackme. The validation logic was compact but fun: once the statically linked glibc rand/srand path was identified, the rest came down to faithfully reproducing the 32-bit state transitions and searching for a candidate that lands inside the accepted final range. Cute challenge, good lesson in not trusting libc PRNGs for key checks. :3	2026-06-23 10:22
EZFTP_ByTOMUT	Nice beginner-friendly .NET crackme. The README basically points you in the right direction, and since there is no obfuscation the password can be found pretty quickly by opening the binary in dnSpy/ILSpy and checking the main method. The password is stored as a plain string and compared directly with the user input, so the solution is: TihiyOmut_Secret_2026 Good first crackme overall. Simple, clear, and useful for learning how basic C# binaries look in a decompiler.	2026-06-17 21:03
winkeygenme	Nice WPF crackme! Perfect for practicing .NET single-file binary extraction. Analysis and Solution: Extraction: The executable is a native .NET 8.0 single-file bootstrapper. By scanning the binary, we can find the inner managed PE header at offset 0x25000 (which is Cr4ckM3.dll). Reversing the Logic (F06 Method): The username must be at least 6 characters. The application computes the SHA-256 hash of the username. It maps each byte of the hash using a custom 256-byte S-Box (referenced in metadata as struct 59DCA538572A233693BB774EEF01D8C86B4190C6E5A37A2785F89BDC1BABA5D2). The permuted hash is encoded using a custom Base32 alphabet: ABCDEFGHJKLMNPQRSTUVWXYZ23456789. Finally, it takes the first 25 characters and formats them with dashes: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. Valid Credentials Example: Username: crackmes.one Serial Key: TNL3M-G6CE5-75H2T-8A4U5-8Z4D2 Username: Elzzie Serial Key: AYH35-G85GW-P55TE-TJNJ4-CNLNA Thanks for the challenge!	2026-06-08 21:01
FirstCrackMe	pretty easy one, solved with static analysis, didn't even need a debugger. opened it up in a hex editor and literally the first thing that popped out was the password sitting in plaintext in the .data section, right next to the "Enter password:" string. no encryption, no xor, nothing. Enter password: [null] simba123 [null] CORRECT! [null] WRONG! just to confirm i traced through the main function (RVA 0x1490). it calls printf for the prompt, scanf to read input, then strcmp against the hardcoded string "simba123". if strcmp returns 0 it prints CORRECT!, otherwise WRONG!. that's literally it. password: simba123 the binary still has dwarf debug symbols in it which makes everything even more readable. good starter crackme if you're just getting into RE, but don't expect any challenge here.	2026-06-08 20:50
NiTiNOL CrackMe	VM is just an 8-round loop of obfuscated operations. Basically: (A \| B) - (A & B) is just XOR. This hides the X ^= X << 13 and X ^= X >> 7 shifts. (A ^ B) + ((A & B) << 1) is just addition. This hides X += 0x9e3779b97f4a7c15. Since everything is invertible, you can solve it backwards from the target 0xf4d1a2c3b5e60718. Valid Key: dT\x16\xb9\xdax\xaa? (0x645416b9da78aa3f) Solver: python def inv_sr(val, shift): res = 0 for i in range(63, -1, -1): bit = ((val >> i) & 1) if i + shift < 64: bit ^= ((res >> (i + shift)) & 1) res \|= (bit << i) return res def inv_sl(val, shift): res = 0 for i in range(64): bit = ((val >> i) & 1) if i >= shift: bit ^= ((res >> (i - shift)) & 1) res \|= (bit << i) return res X = 0xf4d1a2c3b5e60718 C = 0x9e3779b97f4a7c15 for _ in range(8): X = (X - C) & 0xffffffffffffffff X = inv_sr(X, 7) X = inv_sl(X, 13) print(X.to_bytes(8, 'big'))	2026-06-08 17:47
JavyFlag	Nice challenge! The file is a WebAssembly module compiled using Shopify's Javy toolchain (which embeds QuickJS). Since Javy stores the original JavaScript source code inside the javy_source custom section, I just parsed the WASM file, extracted the payload of that section, and decompressed it using Brotli. The decompressed source code directly revealed the flag bytes: RELUNSEC{j3vy_1s_4w3s0m3} Thanks for the crackme!	2026-06-02 18:32
very easy crackme	Easy .NET crackme. Just dumped the strings from the binary and found the password `crackme12345ez`. The other string `crackmebro` is just the class name (`crackme.crackmebro`) containing the entry point. Worked out of the box. Thanks for the challenge!	2026-06-02 12:50
Floating password	Solved. Fun little trap crackme! The password is dynamically generated after you type in your input. It's calculated on the fly using std::random_device + _time64 and a formula based on the float constant 67745.0. Since the check is non-deterministic and run after input, you can't guess it statically. Plus, the binary intentionally crashes at the end with a UD2 instruction to prevent the stdout buffer from flushing "ok, that's it" out. To solve it, I patched the binary: 1. In `kol()`, NOP'ed out the conditional jumps (JP at 0xd8E and JNZ at 0xd93) to force the success branch. 2. Patched the UD2 crash at 0xebc with a clean stack cleanup & return: ADD RSP, 0x13d8 (48 81 C4 D8 13 00 00) POP RBX (5B), POP RBP (5D), RET (C3) Now it prints the success message and exits cleanly. Thanks for the challenge!	2026-06-02 12:47
Hard CME	Username: testuser Serial: 22dd29bfbe934d7c Username: admin Serial: 6f734c07feba5004 Username: crackme Serial: c8ae99ae5bd5e55	2026-06-02 11:51
Hard CME 2	V1RTU4L_M4CH1N3_5T4CK	2026-06-02 11:40

Next generation Keygen

Nice little crackme. The validation logic was compact but fun: once the statically linked glibc rand/srand path was identified, the rest came down to faithfully reproducing the 32-bit state transitions and searching for a candidate that lands inside the accepted final range. Cute challenge, good lesson in not trusting libc PRNGs for key checks. :3

2026-06-23 10:22

EZFTP_ByTOMUT

Nice beginner-friendly .NET crackme. The README basically points you in the right direction, and since there is no obfuscation the password can be found pretty quickly by opening the binary in dnSpy/ILSpy and checking the main method. The password is stored as a plain string and compared directly with the user input, so the solution is: TihiyOmut_Secret_2026 Good first crackme overall. Simple, clear, and useful for learning how basic C# binaries look in a decompiler.

2026-06-17 21:03

winkeygenme

Nice WPF crackme! Perfect for practicing .NET single-file binary extraction. Analysis and Solution: Extraction: The executable is a native .NET 8.0 single-file bootstrapper. By scanning the binary, we can find the inner managed PE header at offset 0x25000 (which is Cr4ckM3.dll). Reversing the Logic (F06 Method): The username must be at least 6 characters. The application computes the SHA-256 hash of the username. It maps each byte of the hash using a custom 256-byte S-Box (referenced in metadata as struct 59DCA538572A233693BB774EEF01D8C86B4190C6E5A37A2785F89BDC1BABA5D2). The permuted hash is encoded using a custom Base32 alphabet: ABCDEFGHJKLMNPQRSTUVWXYZ23456789. Finally, it takes the first 25 characters and formats them with dashes: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. Valid Credentials Example: Username: crackmes.one Serial Key: TNL3M-G6CE5-75H2T-8A4U5-8Z4D2 Username: Elzzie Serial Key: AYH35-G85GW-P55TE-TJNJ4-CNLNA Thanks for the challenge!

2026-06-08 21:01

FirstCrackMe

pretty easy one, solved with static analysis, didn't even need a debugger. opened it up in a hex editor and literally the first thing that popped out was the password sitting in plaintext in the .data section, right next to the "Enter password:" string. no encryption, no xor, nothing. Enter password: [null] simba123 [null] CORRECT! [null] WRONG! just to confirm i traced through the main function (RVA 0x1490). it calls printf for the prompt, scanf to read input, then strcmp against the hardcoded string "simba123". if strcmp returns 0 it prints CORRECT!, otherwise WRONG!. that's literally it. password: simba123 the binary still has dwarf debug symbols in it which makes everything even more readable. good starter crackme if you're just getting into RE, but don't expect any challenge here.

2026-06-08 20:50

NiTiNOL CrackMe

VM is just an 8-round loop of obfuscated operations. Basically: (A | B) - (A & B) is just XOR. This hides the X ^= X << 13 and X ^= X >> 7 shifts. (A ^ B) + ((A & B) << 1) is just addition. This hides X += 0x9e3779b97f4a7c15. Since everything is invertible, you can solve it backwards from the target 0xf4d1a2c3b5e60718. Valid Key: dT\x16\xb9\xdax\xaa? (0x645416b9da78aa3f) Solver: python def inv_sr(val, shift): res = 0 for i in range(63, -1, -1): bit = ((val >> i) & 1) if i + shift < 64: bit ^= ((res >> (i + shift)) & 1) res |= (bit << i) return res def inv_sl(val, shift): res = 0 for i in range(64): bit = ((val >> i) & 1) if i >= shift: bit ^= ((res >> (i - shift)) & 1) res |= (bit << i) return res X = 0xf4d1a2c3b5e60718 C = 0x9e3779b97f4a7c15 for _ in range(8): X = (X - C) & 0xffffffffffffffff X = inv_sr(X, 7) X = inv_sl(X, 13) print(X.to_bytes(8, 'big'))

2026-06-08 17:47

JavyFlag

Nice challenge! The file is a WebAssembly module compiled using Shopify's Javy toolchain (which embeds QuickJS). Since Javy stores the original JavaScript source code inside the javy_source custom section, I just parsed the WASM file, extracted the payload of that section, and decompressed it using Brotli. The decompressed source code directly revealed the flag bytes: RELUNSEC{j3vy_1s_4w3s0m3} Thanks for the crackme!

2026-06-02 18:32

very easy crackme

Easy .NET crackme. Just dumped the strings from the binary and found the password `crackme12345ez`. The other string `crackmebro` is just the class name (`crackme.crackmebro`) containing the entry point. Worked out of the box. Thanks for the challenge!

2026-06-02 12:50

Floating password

Solved. Fun little trap crackme! The password is dynamically generated after you type in your input. It's calculated on the fly using std::random_device + _time64 and a formula based on the float constant 67745.0. Since the check is non-deterministic and run after input, you can't guess it statically. Plus, the binary intentionally crashes at the end with a UD2 instruction to prevent the stdout buffer from flushing "ok, that's it" out. To solve it, I patched the binary: 1. In `kol()`, NOP'ed out the conditional jumps (JP at 0xd8E and JNZ at 0xd93) to force the success branch. 2. Patched the UD2 crash at 0xebc with a clean stack cleanup & return: ADD RSP, 0x13d8 (48 81 C4 D8 13 00 00) POP RBX (5B), POP RBP (5D), RET (C3) Now it prints the success message and exits cleanly. Thanks for the challenge!

2026-06-02 12:47

Hard CME

Username: testuser Serial: 22dd29bfbe934d7c Username: admin Serial: 6f734c07feba5004 Username: crackme Serial: c8ae99ae5bd5e55

2026-06-02 11:51

Hard CME 2

V1RTU4L_M4CH1N3_5T4CK

2026-06-02 11:40

crackmes.one

crackmes.one

koray105's profile

0

0

10

Crackmes

Writeups

Comments