Hmm, it took 20 minutes... - h3110f413nD_9L@9Jl!s*jG
It allocates an execute-enabled stub at runtime (0x140004dcc) and decrypts 0x17 bytes from .rdata (0x1400100b0) using a bytewise XOR derived from the constants 0xDEADBEEFCAFEBABE and 0x1337BABE12345678. The resulting buffer is compared via the imported memcmp thunk (0x140009280) against the user-supplied wide string, so the decrypted ASCII text is the exact key accepted by the program.
Thank you for your work |
==> |
trendcrusher
596E-A989-6FB0-548E |
==> |
Thank you it's a good task
Dry Tau
07D3-A4D8-73D8-B2A0
Very fun |
==> |
Yeah, a couple of the VM semantics did trip me up - the bogus flag updates on some ALU ops and a quirky byte order on loads made my first emulator wrong. I fixed it by difftesting tiny bytecode snippets against the real VM until every opcode matched. After that the hash collapsed to a small round function, and I did a constrained search over printable bytes, not blind brute force. Nice touch with the misleading dispatch and opaque predicates, that kept it fun |
==> |
Not brute forcing. I extracted and emulated your hidden VM from the JAR, verified its 32-bit instruction semantics, and only then ran a tiny constrained search over printable chars to satisfy the final 0x6A3B7FF5 check. |
==> |
Thank you... I spent three hours working on the task, it was interesting. I learned a lot for myself. Password: nscSK1fV |
==> |
Wow nice, wait new version. Thanks for your work |
==> |
}la |
==> |
Thanks) It's easy. GJ |
==> |
I love this fruit) |
==> |
Gh0st_Hunt... You know next) |
==> |
xxoslayo, no it's not correct |
==> |
Thanks) |
==> |
It's not certain that there is anything, but just in case) Need to check carefully. |
==> |
27/72 security vendors flagged this file as malicious |
==> |
Thanks |
==> |
Serial - -AZAAfAAAAA1AAAxA-AA |
==> |
Ok sorry for early spoiler. Thanks for your task😊 |
==> |
Very nice, thanks...
helium-crackme.exe
Welcome to Helium.
Access granted, welcome to the system!
solved the problem in an hour) license.bin (Zstd+MessagePack) builds a small neural network and checks 9 fixed inputs (seeds).
The output is 32 bits; after thresholding ( 0.5) it must match
T(S) = (ROL32(S, 5) * (ROL32(S, 5) ^ 0xDEDBEEF) + 4919) & 0xFFFFFFFF |
==> |
Hmm... It's correct or no - Trac{SXgM7Sa{3X5a9wnvm{lSDakcfewsccy3d{WCVoASS{pCS31gsg3{ag3kTCSl6cN2CXqpskVv9_mK2iGrvg33qM0kpCh{rLceKf3b} |
==> |
And correct password without patch - Key:))*;'.(*
Applicatin finished.
Thank you for this) |
==> |
Thank you) Patch working well.
Starting application with PatchCRC protection
CRC Monitoring Thread Started
Key:dfr54435435 - not real)
Applicatin finished. |
==> |
Username: 41Le1yID!uFbAxC
Password: a0bahTbblPba0Bb
Correct! Access Granted.
Thanks, but so easy) |
==> |
TotallyNotThePassword |
==> |
c{oOwc |
==> |