Leila.Morar48
Posted August 13, 2019 (edited)

Language : C++
Platform : Windows x32
OS Version : Windows 7-10
Packer / Protector : None
Description : Find the password.
Screenshot :
Attachments: VT, VM_CrackMe.exe

Edited August 13, 2019 by Leila.Morar48
Teddy Rogers
Posted August 13, 2019

Your topic has not been approved. You did not follow the correct posting format and/or provide enough information regarding the challenge.

Quote:
Language : (Assembler, C++, Java, .NET, Python, Borland, PureBasic, etc.)
Platform : (Windows, Linux, Android, MacOS, DOS, etc. + architecture, e.g. x32/x64)
OS Version : (All, Windows 7, Ubuntu 15.10, OS X v10.11, etc.)
Packer / Protector : (None, ASProtect 1.73, Confuser 1.9, Enigma 4.40, UPX 3.91, etc.)
Description : Description of the challenge and any other related information. This must be presented clearly and legibly; your challenge will not be approved if it is presented poorly.
Screenshot : All challenges must include a screenshot.

The challenge must be attached directly to the topic and not linked to an external host. You have 48 hours to correct your topic before it will be moved to the Trashcan. For further details regarding the formatting of the topic please refer to the topic in the link below...

[This is an automated reply]
MistHill (Solution)
Posted August 15, 2019

Password: "viva la revolution"

How is the password verified? Here, my entered password is checked against the correct one, both encrypted.

01322F90  55                PUSH EBP                          ; module base: 01320000
01322F91  8BEC              MOV EBP, ESP
01322F93  51                PUSH ECX
01322F94  53                PUSH EBX
01322F95  8BD9              MOV EBX, ECX
01322F97  56                PUSH ESI
01322F98  57                PUSH EDI
01322F99  8B43 04           MOV EAX, [EBX+0x4]
01322F9C  8B53 08           MOV EDX, [EBX+0x8]
01322F9F  8955 FC           MOV [EBP-0x4], EDX
01322FA2  8B38              MOV EDI, [EAX]                    ; 012C0000: 03 AB AF AC 00 - encrypted test password "123"
01322FA4  C745 FC 710F0000  MOV DWORD PTR [EBP-0x4], 0xF71
01322FAB  8B45 FC           MOV EAX, [EBP-0x4]
01322FAE  3302              XOR EAX, [EDX]
01322FB0  8902              MOV [EDX], EAX
01322FB2  C745 FC 710F0000  MOV DWORD PTR [EBP-0x4], 0xF71
01322FB9  8B45 FC           MOV EAX, [EBP-0x4]
01322FBC  3302              XOR EAX, [EDX]
01322FBE  8902              MOV [EDX], EAX
01322FC0  8B43 08           MOV EAX, [EBX+0x8]
01322FC3  8B30              MOV ESI, [EAX]
01322FC5  8B4B 08           MOV ECX, [EBX+0x8]
01322FC8  8B43 0C           MOV EAX, [EBX+0xC]
01322FCB  894D FC           MOV [EBP-0x4], ECX
01322FCE  8B10              MOV EDX, [EAX]                    ; 01331054: 12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F
01322FD0  8B01              MOV EAX, [ECX]                    ; 01331064: 56 2D 2A 00
01322FD2  2D E0050000       SUB EAX, 0x5E0
01322FD7  8901              MOV [ECX], EAX
01322FD9  8B01              MOV EAX, [ECX]
01322FDB  05 E0050000       ADD EAX, 0x5E0
01322FE0  8901              MOV [ECX], EAX
01322FE2  8B43 08           MOV EAX, [EBX+0x8]
01322FE5  8B08              MOV ECX, [EAX]
01322FE7  8A0437            MOV AL, [EDI+ESI]
01322FEA  5F                POP EDI
01322FEB  5E                POP ESI
01322FEC  3A040A            CMP AL, [EDX+ECX]
01322FEF  5B                POP EBX
01322FF0  0F95C0            SETNE AL
01322FF3  8BE5              MOV ESP, EBP
01322FF5  5D                POP EBP
01322FF6  C3                RETN

Obviously, the encrypted password at RVA 00011054 is 18 characters long. But what is the encryption or decryption algorithm? I don't dive into that; instead I assume the algorithm is symmetrical. This time, I entered the right-length password "123456789012345678".

013233E0  55                PUSH EBP
013233E1  8BEC              MOV EBP, ESP
013233E3  6A FF             PUSH -0x1
013233E5  68 20AD3201       PUSH 0132AD20
013233EA  64:A1 00000000    MOV EAX, FS:[0]
013233F0  50                PUSH EAX
013233F1  83EC 0C           SUB ESP, 0xC
013233F4  53                PUSH EBX
013233F5  56                PUSH ESI
013233F6  57                PUSH EDI
013233F7  A1 04103301       MOV EAX, [0x1331004]
013233FC  33C5              XOR EAX, EBP
013233FE  50                PUSH EAX
013233FF  8D45 F4           LEA EAX, [EBP-0xC]
01323402  64:A3 00000000    MOV FS:[0], EAX
01323408  8965 F0           MOV [EBP-0x10], ESP
0132340B  8BF1              MOV ESI, ECX                      ; 004FF534
0132340D  8975 EC           MOV [EBP-0x14], ESI
01323410  8B4E 04           MOV ECX, [ESI+0x4]
01323413  8B01              MOV EAX, [ECX]
01323415  8B40 04           MOV EAX, [EAX+0x4]
01323418  FFD0              CALL NEAR EAX
0132341A  84C0              TEST AL, AL
0132341C  74 43             JE SHORT 01323461
0132341E  C745 FC 00000000  MOV DWORD PTR [EBP-0x4], 0x0
01323425  8B0E              MOV ECX, [ESI]
01323427  8B01              MOV EAX, [ECX]
01323429  FF50 04           CALL NEAR [EAX+0x4]
0132342C  C745 FC FFFFFFFF  MOV DWORD PTR [EBP-0x4], -0x1
01323433  EB DB             JMP SHORT 01323410
01323435  8B45 E8           MOV EAX, [EBP-0x18]
01323438  8B00              MOV EAX, [EAX]
0132343A  85C0              TEST EAX, EAX
0132343C  75 06             JNZ SHORT 01323444
0132343E  B8 61343201       MOV EAX, 01323461
01323443  C3                RETN
01323444  83F8 01           CMP EAX, 0x1
01323447  75 12             JNZ SHORT 0132345B
01323449  B8 4F343201       MOV EAX, 0132344F
0132344E  C3                RETN
0132344F  8B75 EC           MOV ESI, [EBP-0x14]
01323452  C745 FC FFFFFFFF  MOV DWORD PTR [EBP-0x4], -0x1
01323459  EB B5             JMP SHORT 01323410
0132345B  B8 4F343201       MOV EAX, 0132344F
01323460  C3                RETN
01323461  8B4D F4           MOV ECX, [EBP-0xC]
01323464  64:890D 00000000  MOV FS:[0], ECX
0132346B  59                POP ECX
0132346C  5F                POP EDI
0132346D  5E                POP ESI
0132346E  5B                POP EBX
0132346F  8BE5              MOV ESP, EBP
01323471  5D                POP EBP
01323472  C3                RETN

At entry of the subroutine, ECX=004FF534, and we can find the entered password in the allocated buffer at 008F0000:

004FF534  005AC780
004FF538  005AC770
005AC770  0132C3C0  VM_Crack.0132C3C0
005AC774  004FF600
004FF600  00000000
004FF604  008E0000
004FF608  00001000
004FF60C  00001000
004FF610  008F0000  ASCII 12,"123456789012345678"
004FF614  00001000
004FF618  00002000
004FF61C  00900000
004FF620  00010000
004FF624  00000000
004FF628  00000000
004FF62C  00000000
004FF630  00000000
004FF634  00000000
004FF638  00002000
004FF63C  00000000
004FF640  00000000
004FF644  004FF884  ASCII "Enter key: \r\n"
...
008F0000  12 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  .123456789012345
008F0010  36 37 38 00                                      678.

Copy and paste the correct cipher password from RVA 00011054 over it:

008F0000  12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F
008F0010  56 2D 2A 00

Run to the end of the loop at 01323461, and we get:

008F0000  12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74  .viva la revolut
008F0010  69 6F 6E 00                                      ion.
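The trick in the solution above, modelled as an added example that is not code from the crackme or from MistHill's post: the check transforms the entered buffer in place and compares it byte for byte against a stored ciphertext, so if the transform is its own inverse, pasting the stored ciphertext into the input buffer and letting the VM run once more yields the plaintext. The real algorithm in VM_CrackMe.exe is not reversed on this page; `vm_transform` below is a hypothetical position-dependent XOR chosen only because it is an involution, and the stored ciphertext it produces is constructed here, not the bytes at RVA 00011054. The length-prefixed, NUL-terminated buffer layout follows the dump at 008F0000.

```python
# Added example: encrypt-then-compare check and the "feed the ciphertext back
# through the VM" recovery. Hypothetical transform, not the crackme's algorithm.

PASSWORD = "viva la revolution"  # answer from the post; used only to build STORED


def encode_buffer(s: str) -> bytearray:
    """Buffer layout seen at 008F0000: one length byte (0x12 = 18 for the real
    password), the characters, then a terminating NUL."""
    data = s.encode("ascii")
    if len(data) > 255:
        raise ValueError("length must fit in the one-byte prefix")
    return bytearray([len(data)]) + bytearray(data) + b"\x00"


def vm_transform(buf: bytearray) -> bytearray:
    """Hypothetical in-place transform (assumption, NOT the crackme's code).
    XOR with an index-dependent keystream: applying it twice restores the
    input, which is the symmetry the solution bets on."""
    out = bytearray(buf)
    n = out[0]
    for i in range(1, n + 1):
        out[i] ^= (0x9A + 0x13 * i) & 0xFF  # constructed keystream
    return out


# In the binary this is a constant in the image (the post reads it at RVA
# 00011054); here it is constructed from PASSWORD so the example is self-contained.
STORED = bytes(vm_transform(encode_buffer(PASSWORD)))


def check_password(entered: str) -> bool:
    """What the routine at 01322F90 amounts to: transform the input, then compare
    it against the stored ciphertext byte by byte. The paired XOR 0xF71 and
    SUB/ADD 0x5E0 in that listing cancel out, so only the compare matters."""
    enc = vm_transform(encode_buffer(entered))
    if enc[0] != STORED[0]:  # length prefix is compared like any other byte
        return False
    return all(enc[i] == STORED[i] for i in range(1, STORED[0] + 1))


def recover_password(stored: bytes) -> str:
    """The solution's move: paste the stored ciphertext over the input buffer and
    run the VM's transform once more. For an involution that is decryption."""
    plain = vm_transform(bytearray(stored))
    n = plain[0]
    return plain[1:1 + n].decode("ascii")


if __name__ == "__main__":
    print("stored ciphertext:", STORED.hex(" "))
    print("recovered:", recover_password(STORED))
    print("check('123'):", check_password("123"))
    print("check(recovered):", check_password(recover_password(STORED)))
```

The recovered string is then verified by re-running the check on it, which is the same confirmation the post gets by running the real program to 01323461 and reading the buffer. If the crackme's transform were not an involution, the pasted ciphertext would decode to garbage, and the next step would be to reverse the VM handlers the interpreter loop dispatches through the vtables at [ESI] and [ESI+4].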