Comment | Link |
---|---|
Username : zzzzzzzzzz Password : 1220 Sum of the username letters decimal equivalent. For example if you enter only A char for username, then password is decimal equivalent 65. username : A password : 65 | ==> |
@Mattpackman Patching is not allowed unless otherwise specified. | ==> |
@Enhancer Password is 4 chars. Total is decimal 895. It also adds Line Feed character as a fifth char. So, 5 x 0ah = decimal 50. Now result is 945. | ==> |
Password = 3p(smaller than sign)n Password is 4 characters long. | ==> |
Password : 3p | ==> |
Key = ThisPasswordIsRandomAsFuck | ==> |
@gimi001 Read the FAQ in the menu. | ==> |
pseudo code: var1 = length of name looptimes = var1 repeat looptimes { var1 = (var1 * 19660Dh) + 3C6EF35Fh char result array[] = (var1 mod 5Eh) + 21h } split result with xxxx-xxxx-xxxx... format or xxxx-xx if odd length of input name. if result hex value contains letter like 7A, 4B etc.. then add 0Ch to that value. For example 7A becomes 7M, 3B becomes 3N. 3B645B becomes 3N64-5N | ==> |
I only used a GetDlgItemTextA breakpoint and used the F7 and F8 keys. | ==> |
Interestingly, I debugged the program with x32dbg on my notebook and the same password worked. But without the debugger, the password doesn't work on my notebook. On my desktop, the password works without the debugger. | ==> |
@fatmike I don't have a Discord account and Discord is temporarily unavailable in my country. On my desktop computer, I deleted the zip file and the exe file. I also turned off my computer and started it again. I downloaded the zip file again and extracted the exe file. I started the exe file and entered my password. It says "Well Done". Something is wrong with your crackme because my password doesn't work on my notebook, which has the same operating system, Windows 10 x64. | ==> |
I completely closed my x32dbg and executed the exe file. My password works only on my computer. Did you try it on other computers? | ==> |
@fatmike On my computer, it works without a debugger. But it doesn't work on another computer. You used the rand function inside the program; maybe it doesn't work properly. | ==> |
Name : 1234 Serial : 11111111-bbc39b72-94229d8a | ==> |
I simply removed it with CFF Explorer, but in x64dbg I couldn't bypass it. So I decided not to struggle with it any more. | ==> |
Name = FATMIKE Key = x8hpx8hpx8hpx8h | ==> |
I used x64dbg with the ScyllaHide Basic profile. First, I found the point where it gets the user key. After that, I traced step by step. I bypassed the Int 4 trap. I "traced into" every "call juggler_v2.7FF72EDE9860" because "Trace over" failed. After all libraries were loaded, I continued stepping. Somewhere in a loop, I saw a "curly bracket" next to some register. The other register showed the first character of my entered key. I remembered the password structure from the first revision of this crackme and guessed that this crackme has the same type of password. I executed the loop 32 times and wrote every character down on paper. Finally it worked. I can't write a solution, but I solved it this way, with a little bit of luck :) | ==> |
Key = {7h3_h4nd_0f_90d_h0v321n9_480v3} | ==> |
@StillAching I used the x64 debugger and set 3 breakpoints until getting the password. Then I continued running step by step. Somewhere, there was a comparison using something like test eax,eax. I changed the zero flag, and it said "coreect password". Then I returned a few commands back, and it compares the contents of the rcx and rdx registers. One of them holds the password which the user entered and the other one holds the real password. I tried that password and it worked 😀 | ==> |
StillAching@CrackMes.one | ==> |
I solved it, but it is requested to write keygen. | ==> |
Password : UZZZ The password can have multiple values, so there is no single password. | ==> |
@nopx64 You've probably either done runtime debugging or made a patch to get that message. Patching is not allowed unless otherwise specified. You need to find the real password. | ==> |
----- spoiler ------- yallGayAsf ----- spoiler ------- | ==> |
Solved. -----Spoiler------ Starts with "x" character. -----Spoiler------ | ==> |
@cnathansmith As you said, there is no input, even with the command line or argv, argc, etc. | ==> |
@cnathansmith Yes, it is buried inside the binary and I think it doesn't execute it. I examined the code, and several function calls like sub_691170 add numbers. I manually changed EIP to .text.00691614, marking it with the Ctrl-N key in IDA Pro after sub_6915D0 executed. Then pressing the F8 key displayed the flag. .text:00691614 call sub_691170 .text:00691619 lea eax, [esp+28h+flOldProtect] .text:0069161D push eax ; lpflOldProtect .text:0069161E push 40h ; '@' ; flNewProtect .text:00691620 push 80h ; dwSize .text:00691625 push offset sub_691170 ; lpAddress .text:0069162A call ds:VirtualProtect .text:00691630 push offset asc_6931DC ; "..." .text:00691635 lea ecx, [esp+2Ch+Block] ; void * .text:00691639 call sub_691720 .text:0069163E call sub_6914B0 .text:00691643 call sub_6914E0 .text:00691648 call sub_691510 .text:0069164D call sub_691540 .text:00691652 call sub_691570 .text:00691657 call sub_6915A0 .text:0069165C call sub_6915D0 | ==> |
ZAYOTEM{FACTS_CAN_BE_SO_MISLEADING} | ==> |
ANSWER:MORDOR | ==> |
@cnathansmith Good algorithm to solve it. I manually calculated every digit 😀 | ==> |
@cnathansmith Thank you. I have already found the password equivalent of usernames such as "AAAAA" or "aa". Later, I thought about making a table for all the letters, but I gave up because it was a long job and I was struggling with cracking the password of the crackme file named Bobby. | ==> |
Bobby's medicine is : 07014620352040506000012238200008007020113308080020070008 | ==> |
We will see, who will pull the shortest time value out of his ass ? After all, we don't know the truth. | ==> |
Found valid usernames/passwords but couldn't solve algorithm yet. | ==> |
9 characters beginning with capital letter. 2 hours 20 minutes with manual unpacking using x64dbg. | ==> |
Use latest ILSpy. YAY - GOOD JOB | ==> |
@rrookie You are right, there is no loop. Only four characters are loaded. As you see, there is no print function either. I decoded the rest of the bytes manually with the same xor value. I thought that the author wants this secret message. | ==> |
@Programista After your code snippet, the process enters 64-bit mode and your debugger doesn't follow it. After the "ret far" command, there is a code snippet which ends with "ret far" again. The code in between is 64-bit instructions. To decode it easily, copy that code's hex equivalent and paste it into an online x64 disassembler. For example, this online disassembler: https://defuse.ca/online-x86-assembler.htm Hint : EB instruction jumps next byte in 64-bit mode as you will see in online disassembler. So, delete EB and redisassemble it. Also search on this site for the name "heaven"; there are two other heaven's gate related crackmes which have solutions on it. | ==> |
What is the challenge? I found the password in memory and entered it. It gives a success message. It creates a random password at every start of the crackme file, so there is no fixed password. | ==> |
@rrookie Yes, 0x153168 is the address of the flag data, which begins just after the "did you capture the flag" message. It is xor'ed with the value 0x68657974, four by four. | ==> |
ZAYOTEM{r3v3r53_3n61n33r}eyt | ==> |
ZAYOTEM | ==> |
Username : Any name Password : Sum of the ascii number of username characters. | ==> |
@cnathansmith Check your system because this file is a trojan. Check with VirusTotal. | ==> |
Too easy. Patched. | ==> |
It was really easy. | ==> |
Password : HkVf3z8MS2 | ==> |
"Knight's Tour" problem in Chess Board. Password : 00473049321562172950450261181334460148311433166351280344196035120443245508392059275207402356113642055425380958215326410657223710 | ==> |
@sporta778 Protectors like Enigma, Themida, VMProtect etc.. use obfuscation, anti-debug and many methods like viruses and trojans. So, those antiviruses give false alarms for these crackmes especially. | ==> |
@sporta778 If you scan with virustotal.com, lots of crackmes give false alarms because trojans use the same methods, like anti-debugging, etc. | ==> |