| finally cracked this crackme. Pretty good algorithm you got there. The hardest part except the algorithm was to find the procedure(main). |
==> |
| you need a little bit restriction on patching or give a clue as to what it is you want people to patch.. for example I could've just edited some part to jump straight into the success part without even asking the serial number... and it'll make it less funny.. so you might want to put some restrictions that make people not allow patching to play easy mode. |
==> |
| I did it the second way.. it's working now |
==> |
| or what about setting all args to ) therefore serial=code/3 exactly? Is that the intended way? |
==> |
| yeah this XOR is what I'm talking about, am I supposed to disable this by patching in a jump around it or what? |
==> |
| hey, so your serial number XORs make it very hard to correctly align it with the generated serial.. I'm always off by 1 or 2. Any tips? |
==> |
| I almost cracked it(I downloaded the required dlls).. seems your algorithm requires to to do some work to calculate the serial number |
==> |
| dude it doesn't work coz you compiled it in debug mode, so SDK is required to run... Probably that's why it's removed the first time |
==> |
| solved, needed to learn dozens of new windows functions and structures... thankfully most of my guesses was right. A bit more difficulty for level 2. I'd say 2.5-3.0 |
==> |
| I kinda see that you take time and get a random number based on that, but I couldn't identify what you do with the array initialization, but you take some values from the array depending on the random generator, and then you generate the 'password'. I'd like to see the source code. |
==> |
| z3n well although it's L1, it's meant for people learning assembly. However, you can start by finding a good debugger and start analyzing the code. |
==> |
| This was my first experience with arguably obfuscated code. Ngl, I thought that is the main algo and I took deep look into that with Ghidra, at the end I realized it's some kind of length analysis, and when debugged, it was embarrassing lol. Then, I immediately found the string cmp and I used your own decoder to find the pass.
I'm gonna enjoy writing it's writeup! |
==> |
| fantastic crackme! Although brute force difficulty != crackme difficulty in most cases I guess. |
==> |
| please make sure to build in release mode or Windows installations who don't have Win10 SDK installed won't run your crackme.. |
==> |
| That was kinda easier than 2.5, made a Keygen that lists out all possible keys..
Here is all valid keys for the crackme
https://drive.google.com/file/d/1dNCX4QpN8b0B-NC1sqy5zD0Q0n5mY89a/view?usp=sharing |
==> |
| that was clever!
Especially that you modifying an inbuilt function that causes 'abnormal' behavior! How did you even do that? |
==> |
| 9 days no progress, so here is the solution password:
functioncallbyoverflow
|
==> |
| It is an exploitation based crackme. So by default no patching is allowed. You have to look for and exploit possible vulnerabilities in the crackme. Also do string analysis or something to find the success message. read Readme.txt for more info. |
==> |
| thank you @giacomo270197 for your comprehensive solution. One of the best solution write ups I have ever read. |
==> |
| By the way, the password for solution_file.rar : solutionbypranav007 |
==> |
| strngl Hey! Got your solution! Nice one! Also you can use a file to write null characters to stdin(the way I used), but this is new info to me!! Good job! |
==> |
| and for all yes, you are allowed to patch out the anti-debugger if it is failing to work properly.. |
==> |
| This is an older crackme, which is not actively supported.. anyway, yes it can sometimes fail, but not always.. It's a side effect of my early anti debugger.. but most of the cases it should be fine.. message me on pranavappu007 at the discord server on crackmes.one, if you want more help. |
==> |
| I do not have the debug version of visual C++ runtime.. please make sure to upload release versions of the code, as otherwise I have to install visual studio Windows 10 SDK for crack.. |
==> |
| Thanks! Upload a writeup, I'll love to read it! |
==> |
| I'll try but I haven't ever tried a L3 or L4 yet.. |
==> |
| also try to get a real key in addition to patching it, so that the key works in an unpatched version... And for others no the patching doesn't count as a solution |
==> |
| mohammadali Are you sure you defeated all the anti-debugging protections?? :wink: |
==> |
| hey! Well there is a lot of stuff in it! Make sure you read the Readme fully. |
==> |
| This one have just the right amount of difficulty to be interesting..! I have identified that you process the string first and then validation is performed.. Anyway I'll probably upload a solution when I crack it! |
==> |
| Me too, didn't have a discord account at first, but it's worth it. I'm also kinda busy, so I'll email you when I get time. |
==> |
| thanks!.. Well, you can join the discord server, and I'm there along with a very good community. It's fun! |
==> |
| oh, so mohammadali, s4gr00_x, me are all idiots. Okay. I just simply asked why don't you superior intellectuals put your stuff into some higher levels, so that idiots like us won't crawl into your shit? For me, I never had to crack an md5 or similar in a *L2 crackme*. That's all. Please don't misguide us idiots into shit like this. Thanks. |
==> |
| what? *sighs* well, as I understand, you take the input string, creates the md5 hash of the input string, and compares it to the md5 string stored in the system. For a valid input to work, we have to find an input that gives the exact same md5 as what you've stored. And how to get it? Reversing the hash.
I talked to one of the "solvers" and he said he just googled the hash to get a solution. That is not how a crackme's solution should be found. You can say we're crying and all, but that doesn't change that your idea of this crackme is flawed.
Comparing hashes to check password is actually a commercial way of storing password, because it is that secure. You can do it here, as long as the algorithm is not that strong and can be reversed. MD5 is a real algorithm that is commercially being used!
Please check the FAQ. It is mentioned that no commercial packing/encrypting systems can be used. Since you used a commercial method to hash your password, you violated the rules. Just simple as that. |
==> |
| mohammadali dude you did it! HAHA lol. Hey are you on the discord server? I'm there at pranavappu007 |
==> |
| mohammadali you are a strong patcher, you patch everything.. A new crackme by me is coming, I suggest you try patching that.. also do a writeup! |
==> |
| s4gr00_x He didn't even design it, he straight up copied some md5 implementation, wrote a wrapper and there you go! This is how you should not build a crackme. |
==> |
| what? he said it is extremely hard as I understand...and btw you won't get the solution by understanding the last cmp instruction, you have to reverse the goddamn md5 to get the real input and thus the solution... It is actually banned to use commercial or open source strong algorithms in the crackme.. let alone something like md5 |
==> |
| You can request in the discord server to remove the crackme. Or maybe even update it? |
==> |
| I don't even have IDA pro |
==> |
| ali0gamer please post a solution writeup |
==> |
| Nice classical cipher. Liked it very much! |
==> |
| Personal opinion ofc, but I think it should be L3 for the sole reason it's C++. It feels like searching for a tiny piece of gold in a whole river |
==> |
| Hey! Is the challenge is to reverse the md5 hash of a string???? |
==> |
| It is intended to me a keygenme |
==> |
| ali0gamer well if it's really easy then generate a valid .key file instead of patching the .auth file. You were actually supposed to do that, although I'll allow patching on .auth for now |
==> |
| ragnar_crackbeard87 well, you have to follow the thread start after printing InitialChecks.. It's actually an anti patching mechanism, you have to prevent it from executing. For more details, join the website discord server and find me as PranavAppu007. |
==> |
| MaxP unless ebp-0x10 is accessible from another thread.. |
==> |
| ragnar_crackbeard87 yes, there are anti debugging/patching implemented. You can disable it if you wanted, although it is not preferred. You are generally expected to use static analysis to reverse the crackme |
==> |
| Scopes how did you do that? Did you patch the crackme? |
==> |