Crackme: FentCat's Assembler Crackme

-
Download here: https://crackmes.one/crackme/68fce1922d267f28f69b783a

MD5: d984f4a4bbb82a815f0c16f55335db9a
SHA1: 01b8463234e66e91c96052414eaff8dd7053cd99
SHA256: 104f850cf4e7d3f6bc09d286fcbe651795c632a79ebbc2242ea8be08cd8b8e41

This is listed as an x86 Assembler executable with a difficulty rating of 3.0. The author is FentCat and the executable is written for Windows.

The authors description: 

Hello, this is my first ever upload. Please give me feedback. Was made in Assembler using nasm. have a great day

Loading this executable in Detect it Easy, it appears to be extremely complex but after loading it into Ghidra, you realize that you have a plethora of information available to you. Below is the output and the only variable I named was the return result of validate_password and the g_ variables.

 
At first I thought maybe the author was trying to fool me into not checking those fake function calls but they are legit fake calls. As you can see below, the call just sets a local variable to some arbitrary number before returning.

Perhaps if the fake_cheksum function call was made first, it may have given me some pause as it actually looks like it does something. But I decided to ignore it and see if I can just go straight into the validate_password function.

 
I did have to rename some variables here but even without my labels, it isn't too hard to figure out what is going on. The entered password needs to match the global encoded_data bytes. By the way, the variable name "encoded_data" came conveniently labeled... Strip your variable names!

 
Taking a look at the data stored in encoded_data, we get this. (I did have to tell Ghidra to display the bytes as chars but you could just use the hex values and an ascii chart to deduce the same thing.) In our main function, there is a check to see that our entered password is either 10 or 9 characters long to be considered a valid password. The number of bytes stored in encoded_data is 8. The discrepancy comes from the addition of the null terminator and the newline character.

 

Using the password "@CBEDGFI" is the correct password. 

 

Comments

Post a Comment

Popular posts from this blog

Crackme: antilagvip's medium crackme

-
Image
Download here: https://crackmes.one/crackme/68e6377b2d267f28f69b7447 MD5: 406af7cd43808f1de221d36d8c7d12d6 SHA1:  736c3fee49a93c60731a2f137545b75311646f9f SHA256: 588211672f26f28731da0d30f2691f23542ea7a825f553a5edc9087dbf52b86e This is listed as a C/C++ x64 executable with a difficulty rating of 3.0. The author is antilagvip and the executable is written for Windows.   The authors description: the right key get the code.. sounds simple right?   This was a fun challenge. I went through the motions. I loaded this in Detect it Easy. It isn't packed. It's a console application. Strings aren't encoded/encrypted. I also loaded it into PE Bear and just looked around. Nothing interesting jumped out at me.   I've talked about how to find the main function in previous posts so I'm just going jump in and say that it is located at 0x140001180. Pretty basic stuff, it prompts you for a key and waits for input. It calls a function that validates whether your key is valid and ...
Read more

Crackme: git's simple crackme medium-hard

-
Image
Download here: https://crackmes.one/crackme/68e2b4652d267f28f69b738e MD5: 49c66031be227cc5982daadfd7368e9d SHA1: 0f01dfd5c1775dd7b605c992903d67bbafa3051f SHA256: 67b06c9c003f0c26c319d82b1fc6436207eaf0e3ed31f438312be8349225272f This is listed as a C/C++ x64 executable with a difficulty rating of 2.5. The author is git and the executable is written for Windows. The authors description: medium-hard crackme with antidebug checks obfuscated strings and key With this crack me, I'm going to take a bit of a different approach. I'm not going to use a decompiler. Taking a look at the strings, I can see some base64 encoded strings. Other than that, Detect it Easy believes this was compiled using Visual Studio 2022 as a console application. It does not appear to be packed. IDA shows us a long series of various debugger checks. At this point, I will manually step through the code and navigate the executable to the good boy. The base64 decode function takes the encoded string and a buffer a...
Read more

Crackme: atherusti's First C program

-
Image
Download here: https://crackmes.one/crackme/68c96889224c0ec5dcedc063 MD5: fdb187c953ae9e0e98e18b1fc0683ef1 SHA1: e1f4f4a1e0629ba38cfa567c45cbee6092aabf0a SHA256: 03832f7e8e8fdfd6ee87ef4efb3eab52252edbfe246c9d2bfdd39166a27c9e30 This is listed as a C/C++ x64 executable with a difficulty rating of 2.0. The author is atherusti and the executable is written for Windows. The authors description: never coded before making this crackme, get the password That's a really interesting first programming project but I'm all for it. Let's tear this bad boy apart and see how they did. The first thing that immediately jumps out to me is seeing that it is actually an x86 executable. No big deal but its something to keep in mind. Our calling conventions are going to change. I also don't expect to see a shadow stack. One final note, this is a console application. Taking a look at the string entries doesn't really reveal anything. I find that a little strange. They must be encoded/encry...
Read more