Crackme: LAG's crack me test

Download here: https://crackmes.one/crackme/68c8f641224c0ec5dcedc044
MD5: c73e472c7762fce291af0aec40bc67be
Sha1: 22adcf120b680d8cb916de201b272c12c4aef6fa
Sha256: d7e62af3e23649224c6d9481deab9bef13de041eafb243098f41e1a008335376

This is listed as C/C++ x64 executable with a difficulty rating of 2.2. The author is LAG and the executable is written for Windows.

The authors description:

this is a file I've worked on for a couple of hours i'm just wanting to see how well my security is I couldn't crack it myself so if you guys can good job and I've probably done a really bad job but just wonder if anybody could do it it should be pretty hard but I could be wrong it's just a simple password thing you have to put the password in and if you get it right it sounds good

If you fire up Detect it Easy and analyze the executable, everything checks out. Note that this is a console application.

Taking a look at the strings, we can begin to make some assumptions. We can assume that this program checks if certain applications are running... and that LAG's real name is Nathan.

This becomes more apparent when you take a gander at the function import strings. Primarily the use of CreateToolhelp32 snapshot. I'm seeing a little bit of process enumeration and a little bit of anti-debugging. Let's get it.

So at this point I began trying to analyze the executable using just static analysis and quickly realized that it was obfuscated. At least more so than I cared to wrestle with.



I loaded the executable in my malware analysis VM and executed it but nothing happened. Weird. Okay, let's run it inside of x64dbg and see what happens. I kept hitting exceptions. Well played, well played. At this point I checked the call stack and traced back to before the program hit the exception. I was seeing a lot of CPUID instructions. It looks as though this program checks to see if it is running inside of a VM and refuses to execute. A google search later led me to this really good blog post on VM detection and anti-debugging techniques: https://medium.com/@exploitdevvv/malware-101-anti-virtualization-anti-debugging-methods-04353f0a9407.

One knowledge detour later, I came back to ghidra and used the memory map to rebase the executable to match where x64dbg was loading the binary. I began tracing up the function calls to try and find where our input was actually obtained. On my way up, I found timing related anti-debugging techniques, anti-vm techniques, running process checks and good old debugger checks. But eventually, I arrived here where it appears as though a simple NOP and patch could lead me to where I want to be.


I NOPed out that function call, set a breakpoint on the test after the call to ensure the jump would be taken, and hit run. Yes, I could just patch the conditional jump to always jump but I like working in baby steps and making sure I get what I expect to see. It makes troubleshooting easier. And wala! My console came to life and greeted me with the most glorious thing I have ever seen. "Enter password: ". Alright, the actual password would have been better but we defeated the the anti-analysis stuff. Now we can dig in and see what is going on and maybe, just maybe, we can find that password.


Setting a breakpoint at the conditional jump right after the call for our input and single stepping a few times revealed something interesting. Do you see what I see? The password that I entered was "1234". Where is Gh0st_Hunt3r_2025 coming from? Do you smell a password? I smell a password.

Let's plug it in and see what we get! *mic drop*

And for safe measure, I made the following patches and saved the new executable as unsecureloader.exe.

 
All's well that ends well.

 

Comments

Post a Comment

Popular posts from this blog

Crackme: atherusti's First C program

Image
Download here: https://crackmes.one/crackme/68c96889224c0ec5dcedc063 MD5: fdb187c953ae9e0e98e18b1fc0683ef1 SHA1: e1f4f4a1e0629ba38cfa567c45cbee6092aabf0a SHA256: 03832f7e8e8fdfd6ee87ef4efb3eab52252edbfe246c9d2bfdd39166a27c9e30 This is listed as a C/C++ x64 executable with a difficulty rating of 2.0. The author is atherusti and the executable is written for Windows. The authors description: never coded before making this crackme, get the password That's a really interesting first programming project but I'm all for it. Let's tear this bad boy apart and see how they did. The first thing that immediately jumps out to me is seeing that it is actually an x86 executable. No big deal but its something to keep in mind. Our calling conventions are going to change. I also don't expect to see a shadow stack. One final note, this is a console application. Taking a look at the string entries doesn't really reveal anything. I find that a little strange. They must be encoded/encry...
Read more

Crackme: antilagvip's medium crackme

Image
Download here: https://crackmes.one/crackme/68e6377b2d267f28f69b7447 MD5: 406af7cd43808f1de221d36d8c7d12d6 SHA1:  736c3fee49a93c60731a2f137545b75311646f9f SHA256: 588211672f26f28731da0d30f2691f23542ea7a825f553a5edc9087dbf52b86e This is listed as a C/C++ x64 executable with a difficulty rating of 3.0. The author is antilagvip and the executable is written for Windows.   The authors description: the right key get the code.. sounds simple right?   This was a fun challenge. I went through the motions. I loaded this in Detect it Easy. It isn't packed. It's a console application. Strings aren't encoded/encrypted. I also loaded it into PE Bear and just looked around. Nothing interesting jumped out at me.   I've talked about how to find the main function in previous posts so I'm just going jump in and say that it is located at 0x140001180. Pretty basic stuff, it prompts you for a key and waits for input. It calls a function that validates whether your key is valid and ...
Read more

Crackme: Meist's Passfind Crackme

Image
  Today we're going to be solving "meist's passfind" crackme. It is described as the most easy crackme that the author could come up with. One simply needs to find the password and enter it. Great! Available here: https://crackmes.one/crackme/68be3593224c0ec5dcedbe2d MD5: f7215afaac27af81c31362fe09b0e17d SHA1: f4fbe3a9d2afad8cf4b31aac2b5fe308d0d1e3f8 SHA256:  752ed87f3783e8ba14f1585152a6abf4f8e174ca3635b705a7a9c0f88b6405e5 Running Detect it Easy, we can see that the executable is compiled as an x64 PE console application but we're unable to determine what compiler was used or what language it was written in. Taking a look at the strings, it's possible that this was compiled using the mingw compiler and possibly written in assembly. That would explain why DIE had so little information on the binary.   Dropping the executable in Ghidra and running all the defaults, we're greeted with this:   Let's take this step by step. I took a look inside of the __mai...
Read more