Crackme: atherusti's First C program

Download here: https://crackmes.one/crackme/68c96889224c0ec5dcedc063
MD5: fdb187c953ae9e0e98e18b1fc0683ef1
SHA1: e1f4f4a1e0629ba38cfa567c45cbee6092aabf0a
SHA256: 03832f7e8e8fdfd6ee87ef4efb3eab52252edbfe246c9d2bfdd39166a27c9e30

This is listed as a C/C++ x64 executable with a difficulty rating of 2.0. The author is atherusti and the executable targets Windows.

The author's description:

never coded before making this crackme, get the password

That's a really interesting first programming project, but I'm all for it. Let's tear this bad boy apart and see how they did.

The first thing that immediately jumps out is that it is actually an x86 (32-bit) executable, not x64 as listed. No big deal, but it's something to keep in mind: the calling convention changes, and I don't expect to see the 32-byte shadow space that x64 callers reserve before a call. One final note: this is a console application.

Taking a look at the string entries doesn't really reveal anything, which I find a little strange. They must be encoded or encrypted somehow. At this point I decided to look at the entropy and see whether the executable is packed. Detect It Easy doesn't believe the executable is packed, but the .text section has a fairly high entropy score, especially compared to all of the other sections. String literals are normally stored in the .rdata section, and that has a relatively low score. My guess is that the strings are being stored as integers in the .text section.

Using PE-bear to look at the function imports, we can see that there isn't a whole lot going on: it only imports three libraries. But with console I/O among the imports, we should definitely expect to see strings in an executable like this.



After loading the executable in Ghidra and running the default analysis, the entry point seemed kind of strange. I normally expect to see some CRT startup code and, in the disassembly, three pushes before a function call about two thirds of the way through the function; that call is normally the program's real main. I poked around for a bit and kept stumbling through compiler-generated code before deciding to take a different approach. One of the imports was scanf, which I assumed would be used to read user input, so I searched for its cross-references and ended up here. This is what I believe to be the program's true main function. It also confirms that the program is storing the strings as integers in an integer array. Good guesswork earlier.



So, what I've determined is happening is this. A global integer array is copied to a local array. Next, some arithmetic is performed to extract the appropriate ASCII characters. In the first for loop the index begins at 0, so it grabs the first element and divides it by 1, which just yields the first element unchanged. The first element happens to be 0x49, which is the letter I. At this point I need to perform a sanity check and see whether the first character printed to the console is actually an "I". If so, the algorithm is fairly simple: character i of the decoded string is

local_integer_array[i] / (i + 1)

Note that this is integer division, so for the scheme to hold every stored value must be an exact multiple of its index plus one.

Let's execute the program and see what we get.



Input the password: 

Alright. So we got it. Now all we need to do is write a program to rip the correct password out.
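Below is an added example of the decoding described above, written for this post and not taken from the crackme or from the author's own solver. It implements the divide-by-(i+1) recovery, a consistency check that confirms the hypothesised scheme before trusting the output (every element must be an exact multiple of i+1 and decode to printable ASCII), and the inverse transform, which is used only to construct sample arrays in-file. The integer arrays are generated here from plain strings; they are not the values embedded in the crackme's .text section. The one point of contact with the page is that encoding the prompt yields 0x49 as its first element, matching what was seen in the disassembly.

```c
/*
 * Added example: decode integer arrays where element i holds
 * (character * (i + 1)).  Not the crackme's code; sample data is
 * constructed in main() and is NOT the crackme's real array.
 */
#include <stdio.h>
#include <string.h>

/* Returns 1 if every element is an exact multiple of (i + 1) and the
 * quotient is a printable ASCII byte, 0 otherwise.  A cheap way to
 * confirm the hypothesised scheme before trusting the decoded text. */
int scheme_matches(const int *enc, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int div = (int)i + 1;
        if (enc[i] % div != 0)
            return 0;
        int ch = enc[i] / div;
        if (ch < 0x20 || ch > 0x7e)
            return 0;
    }
    return 1;
}

/* Decode: out[i] = enc[i] / (i + 1).  Writes at most outsz - 1 characters
 * plus a terminating NUL and returns the number of characters written. */
size_t decode_scaled(const int *enc, size_t n, char *out, size_t outsz)
{
    size_t i = 0;
    if (outsz == 0)
        return 0;
    for (; i < n && i + 1 < outsz; i++)
        out[i] = (char)(enc[i] / ((int)i + 1));
    out[i] = '\0';
    return i;
}

/* Inverse transform, used only to build sample data: enc[i] = s[i] * (i + 1). */
size_t encode_scaled(const char *s, int *enc, size_t encsz)
{
    size_t n = strlen(s), i;
    for (i = 0; i < n && i < encsz; i++)
        enc[i] = (int)(unsigned char)s[i] * ((int)i + 1);
    return i;
}

int main(void)
{
    /* Constructed inputs: the prompt the program prints and a stand-in password. */
    const char *samples[] = { "Input the password: ", "banana" };
    int enc[64];
    char out[64];

    for (size_t k = 0; k < 2; k++) {
        size_t n = encode_scaled(samples[k], enc, 64);
        /* For the prompt, enc[0] is 'I' * 1 == 0x49, the first element seen in the disassembly. */
        printf("enc[0]=0x%02x scheme_ok=%d ", enc[0], scheme_matches(enc, n));
        decode_scaled(enc, n, out, sizeof out);
        printf("decoded=\"%s\"\n", out);
    }
    return 0;
}
```

To use this against the real binary, replace the constructed arrays with the integer values copied out of the decompiled main and run scheme_matches first; a non-zero remainder at any index means the formula is wrong for that string and the decoded text should not be trusted.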



It looks like our password is banana. Let's go ahead and verify.
