| Located comparison at 0x1400bd566 (cmp byte ptr [rbp-0x64], 0) followed by a conditional jump to the failure handler and replaced the conditional je instruction with two nop bytes (0x90 0x90) at file offset 0x00000000000BC5EA (772458) to disable the failure branch.
Thank you for task |
==> |
| Hmm, it took 20 minutes... - h3110f413nD_9L@9Jl!s*jG
IT allocates an execute-enabled stub at runtime (0x140004dcc) and decrypts 0x17 bytes from .rdata (0x1400100b0) using a byte wise XOR derived from the constants 0xDEADBEEFCAFEBABE and 0x1337BABE12345678. The resulting buffer is compared via the imported memcmp thunk (0x140009280) against the user-supplied wide string, so the decrypted ASCII text is the exact key accepted by the program
Thank you for your work |
==> |
| trendcrusher
596E-A989-6FB0-548E |
==> |
| Thank you it's a good task
Dry Tau
07D3-A4D8-73D8-B2A0
Very fun |
==> |
| Yeah a couple of the VM semantics did trip me up - the bogus flag updates on some ALU ops and a quirky byte order on loads made my first emulator wrong. I fixed it by difftesting tiny bytecode snippets against the real VM until every opcode matched. After that the hash collapsed to a small round function, and I did a constrained search over printable bytes not blind brute force. Nice touch with the misleading dispatch and opaque predicates, that kept it fun |
==> |
| Not brute forcing. I extracted and emulated your hidden VM from the JAR, verified its 32-bit instruction semantics, and only then ran a tiny constrained search over printable chars to satisfy the final 0x6A3B7FF5 check. |
==> |
| Thank you... I spent three hours working on the task, it was interesting. I learned a lot for myself. Password: nscSK1fV |
==> |
| Wow nice, wait new version. Thanks for your work |
==> |
| }la |
==> |
| thanks)Its easy. GJ |
==> |
| I love this fruit) |
==> |
| Gh0st_Hunt... You know next) |
==> |
| xxoslayo, no it's not correct |
==> |
| Thanks) |
==> |
| It's not certain that there is anything, but just in case) Need to check carefully. |
==> |
| 27/72 security vendors flagged this file as malicious |
==> |
| Thanks |
==> |
| Serial - -AZAAfAAAAA1AAAxA-AA |
==> |
| Ok sorry for early spoiler. Thanks for your task😊 |
==> |
| Very nice, thanks...
helium-crackme.exe
Welcome to Helium.
Access granted, welcome to the system!
solved the problem in an hour) license.bin (Zstd+MessagePack) builds a small neural network and checks 9 fixed inputs (seeds).
The output is 32 bits; after thresholding ( 0.5) it must match
T(S) = (ROL32(S, 5) * (ROL32(S, 5) ^ 0xDEDBEEF) + 4919) & 0xFFFFFFFF |
==> |
| hmm... Its correct or no - Trac{SXgM7Sa{3X5a9wnvm{lSDakcfewsccy3d{WCVoASS{pCS31gsg3{ag3kTCSl6cN2CXqpskVv9_mK2iGrvg33qM0kpCh{rLceKf3b} |
==> |
| And corect password without patch - Key:))*;'.(*
Applicatin finished.
Thank you for this) |
==> |
| Thank you)Patch working well.
Starting application with PatchCRC protection
CRC Monitoring Thread Started
Key:dfr54435435 - not real)
Applicatin finished. |
==> |
| Username: 41Le1yID!uFbAxC
Password: a0bahTbblPba0Bb
Correct! Access Granted.
Thanks, but so easy) |
==> |
| TotallyNotThePassword |
==> |
| c{oOwc |
==> |