| Hi, I was able to bypass your anti-debug, but I can't figure out what the output should be if the password is correct, pin: *********
b-bbut how? what does it mean? |
==> |
| TECHNICAL CRACKME ANALYSIS REPORT
Solution via Three Patches
Patch 1: Bypassing checkDebugger (Address 0x401E9A)
Original bytes: 55 (push ebp)
Patched bytes: C3 (ret)
The checkDebugger() function is invoked multiple times throughout execution. Each invocation internally calls mt19937(), thereby altering the internal state (and seed) of the Mersenne Twister PRNG. By patching the function to return immediately, we prevent both the anti-debug checks and the unintended RNG state corruption.
Protection mechanism: The author exploits a side effect—every call to checkDebugger() advances the MT19937 generator, making the correct password unpredictable under a debugger due to divergent RNG states.
Patch 2: Bypassing Password Validation (Address 0x402359)
Original bytes: 0F 85 1A 02 00 00 (jne 0x402579)
Patched bytes: E9 FB FD FF FF (jmp 0x40235F)
Validation logic:
At 0x402162: the correct password hash (computed by MixValues) is stored at [ebp-1430].
At 0x4021F2–0x402200: user input is read into [ebp-1440].
At 0x40231A: hash of the user-supplied password is computed.
At 0x402331–0x402357: the two hashes are compared via XOR.
At 0x402359: a conditional jump (jne) redirects execution to the "Incorrect Password" handler if hashes differ.
Patch effect: The conditional jump is replaced with an unconditional jump directly to the success path (0x40235F), effectively skipping validation.
Patch 3: Forcing "Congrats!" Message (Address 0x4023C6)
Original bytes: 0F 84 A1 00 00 00 (je 0x40246D)
Patched bytes: 0F 85 A1 00 00 00 (jne 0x40246D)
Issue: Even after successful password validation, the program performs a final anti-debug check:
0x402394–0x4023B6: four anti-debug techniques are used (IsDebuggerPresent, PEB flags, NtGlobalFlag, etc.).
0x4023C4: result is tested via test al, al.
0x4023C6: if no debugger is detected (je), execution skips the congratulatory message and proceeds to a timer loop.
0x4023CC–0x4023FA: block responsible for printing "Congrats!" and flushing output.
0x402468: call ExitProcess.
Patch effect: The jump condition is inverted (je → jne), so when no debugger is present (the normal case), the program now displays "Congrats!" instead of entering the timer routine.
Protection Architecture Overview
Password Generation Logic:
correctPassword = MixValues(mt19937(), combined, cpuHash, mt19937());
0x4020E1: first mt19937() call
0x402123: second mt19937() call
0x40215D: call MixValues — computes the reference hash
0x402162: result stored at [ebp-1430]
Author’s Trick: Because checkDebugger() (at 0x401E9A) invokes mt19937() each time it runs, the RNG state diverges between debugged and non-debugged executions. Consequently, the generated password differs when analyzed under a debugger, effectively thwarting dynamic analysis—unless the debugger checks are neutralized, as done in Patch 1.
p.s. this was written by AI because I am busy |
==> |
| The function sub_140001850 implements a custom encoding scheme using the following steps:
Key Addition: Each byte of the input password is added to the corresponding byte from a predefined constant array:
adgjmpsvyBEHKNQTWZ258behknqtwzCF.
Position Offset: The index (position) of the current character is added to the result of the previous step.
Masking: The sum is masked with 0x3F, effectively keeping only the lower 6 bits (resulting in a value in the range 0–63).
Substitution: This masked value is used as an index into a 62-character alphabet string.
Comparison: The resulting character is compared against a precomputed reference string (obtained by decoding an expected output).
The algorithm is reversible in principle, but recovering the original password requires brute-forcing possible modular combinations for each byte due to the loss of information during the masking step.
The anti-debugging measures weren’t even needed—the entire analysis was carried out directly in IDA Pro. |
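The scheme described in the post above, as an added example that is not the crackme's own code: the forward transform plus the per-position brute force the post says is needed after the 0x3F mask. The key array is the one quoted in the post; the order of the 62-character alphabet and the handling of masked values 62 and 63 (which have no alphabet entry) are assumptions.

```python
from itertools import product

# Constant array quoted in the post. The 62-char alphabet order is an assumption
# (the post does not give it), as is the handling of masked indices 62/63 below.
KEY = b"adgjmpsvyBEHKNQTWZ258behknqtwzCF"
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
PRINTABLE = range(0x20, 0x7F)  # search space for the brute force


def step(byte: int, pos: int) -> int:
    """Key addition, position offset, then mask to the lower 6 bits (0..63)."""
    return (byte + KEY[pos % len(KEY)] + pos) & 0x3F


def encode(password: bytes) -> str:
    """Forward transform: password bytes -> string compared with the reference."""
    out = []
    for pos, byte in enumerate(password):
        idx = step(byte, pos)
        if idx >= len(ALPHABET):
            # 64 masked values but only 62 alphabet entries: the post does not say
            # what the binary does for 62/63, so this example refuses them.
            raise ValueError(f"masked value {idx} at position {pos} has no alphabet entry")
        out.append(ALPHABET[idx])
    return "".join(out)


def candidates(reference: str) -> list:
    """Per position, every printable input byte that yields the reference char.
    95 printable bytes fold into 64 residues, so each position keeps 1 or 2 bytes."""
    result = []
    for pos, ch in enumerate(reference):
        want = ALPHABET.index(ch)
        result.append([b for b in PRINTABLE if step(b, pos) == want])
    return result


def brute_force(reference: str) -> list:
    """Every printable password whose encoding equals the reference string."""
    return [bytes(combo) for combo in product(*candidates(reference))]


if __name__ == "__main__":
    ref = encode(b"abc")  # constructed sample input
    print(ref, brute_force(ref))
```

With a 50-character reference and two candidates per position the product is far too large to enumerate, which is why the post speaks of brute-forcing the modular combinations per byte.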
==> |
| Are the library and entry point errors your fault, or am I having library problems? |
==> |
| 000000014001A0CB | 74 74 | je ezcrackme.14001A141 | patch login
000000014001A18E | 0F84 81000000 | je ezcrackme.14001A215 | patch password
Enter your name: 123123
Enter the password: 123
Access granted. Welcome, 123123!
|
==> |
| 004021BD | 0F84 AD000000 | je ul_win.402270 | patch this = cracked |
==> |
| I wrote a keygen and am waiting for the solution to be posted |
==> |
| Hint: Your PC's user name |
==> |
| I wrote a solution and published it, it will be added soon. The idea is interesting but the implementation is poor: you inject an empty dll and just check if the dll is in the .exe folder. I patched this check and voila, I can run the .exe without a protector. |
==> |
| the point is, it doesn't even open, and it says um... try again? |
==> |
| 004019A1 | 74 21 | je keygenme90.4019C4 | patch this = valid key
p.s. I'm too lazy to search for the password and login verification, and there are too many wrapper functions for me to explore each one. |
==> |
| What's the point if it accepts any password and writes "you win"? |
==> |
| 0000000140007DA2 | 74 6C | je crakersme.140007E10 | patch this
try to find the password; cpuid is nice, but the hash is bad |
==> |
| @dredge, maybe you can give your tg or other messengers? |
==> |
| @dresge, wow, legend! Make a writeup please |
==> |
| @nightxyz, you're not looking well, bro, the title is directly related to the task; hint: watch runtime carefully |
==> |
| Hasn't anyone tried it? Tell me what the difficulty is, and I'll try to help you. |
==> |
| @nightxyz, thanks for your answer, wait for a new one today or tomorrow |
==> |
| @nightxyz, bro, you legend! I have a really hard crackme with many defences, I'll upload it here today. |
==> |
| @nightxyz, I'll make a new one tomorrow, but it will have some self-written protection that I'm making for my future project. I'll need to check it out. |
==> |
| nightxyz, was it too easy? I just don't feel like adding different obfuscations and so on |
==> |
| Good, I thought it would be hard; I'll remake this |
==> |
| 0000000140001509 | 73 22 | jae crackme.14000152D | breakpoint and f9 and makepass in stack |
==> |
| I patched this, but I don't understand the crash: is it anti-debug or a bug? |
==> |
| 00007FF72C5D2A2C | 74 2D | je ctf_level6.7FF72C5D2A5B | we set the breakpoint and then change the zf from 1 to 0 |
==> |
| This is really hard, I can't find the solution, but I found the password is maybe 50 symbols, and ebp-140 and ebp-150 maybe work with the password |
==> |
| Great crackme! The use of C++ STL vectors and bitwise operations added a nice layer of complexity, making the reverse-engineering process engaging. The "matrix" theme and AI-related functions (AI::generate_matrix, AI::calculate_score) were intriguing, though their lack of impact on the final result slightly reduced their significance. Including a unique pattern or additional constraints could enhance the challenge. Overall, well-crafted and fun to solve!
|
==> |
| Great idea! The use of C++ STL vectors and bitwise operations added an extra layer of complexity, making the reverse-engineering process engaging. The "matrix" theme and the AI-related functions (AI::generate_matrix, AI::calculate_score) were intriguing, although their lack of impact on the final result somewhat reduced their significance. Including a unique pattern or additional constraints could have made the task harder. Overall, everything is well thought out and it is interesting to solve! |
==> |
| Great crackme challenge! The logic was clear, and the use of XOR and arithmetic checks made it engaging. Including sub_140001EE0 added a nice layer of complexity. A hint about case sensitivity would improve clarity. Thanks for the fun reverse engineering task!
|
==> |
| how do I open your file? |
==> |