Tuts 4 You

Obfuscated VM CrackMe

Solved by MistHill


Language : C++
Platform : Windows x32
OS Version : (Windows 7-10)
Packer / Protector : None

Description :

Find password

Screenshot :




Edited by Leila.Morar48

Teddy Rogers

Your topic has not been approved. You did not follow the correct posting format and/or did not provide enough information regarding the challenge.


Language : (Assembler, C++, Java, .NET, Python, Borland, PureBasic, etc.)
Platform : (Windows, Linux, Android, MacOS, DOS, etc. + architecture eg. x32/x64)
OS Version : (All, Windows 7, Ubuntu 15.10, OS X v10.11, etc.)
Packer / Protector : (None, ASProtect 1.73, Confuser 1.9, Enigma 4.40, UPX 3.91, etc.)

Description :

Description of the challenge and any other related information, this must be presented clearly and legibly. Your challenge will not be approved if this is presented poorly.

Screenshot :

All challenges must include a screenshot.

The challenge must be attached directly to the topic and not linked to an external host.

You have 48 hours to correct your topic before it will be moved to the Trashcan.

For further details regarding the formatting of the topic please refer to the topic in the below link...

[This is an automated reply]


Solution by MistHill

password: "viva la revolution"


How is the password verified?

Here, my entered password is checked against the correct one, both encrypted.


01322F90   55                         PUSH    EBP                               ; modulebase: 01320000
01322F91   8BEC                       MOV     EBP, ESP
01322F93   51                         PUSH    ECX
01322F94   53                         PUSH    EBX
01322F95   8BD9                       MOV     EBX, ECX
01322F97   56                         PUSH    ESI
01322F98   57                         PUSH    EDI
01322F99   8B43 04                    MOV     EAX, [EBX+0x4]
01322F9C   8B53 08                    MOV     EDX, [EBX+0x8]
01322F9F   8955 FC                    MOV     [EBP-0x4], EDX
01322FA2   8B38                       MOV     EDI, [EAX]                        ; 012C0000: 03 AB AF AC 00 - encrypted testing password "123"
01322FA4   C745 FC 710F0000           MOV     DWORD PTR [EBP-0x4], 0xF71
01322FAB   8B45 FC                    MOV     EAX, [EBP-0x4]
01322FAE   3302                       XOR     EAX, [EDX]
01322FB0   8902                       MOV     [EDX], EAX
01322FB2   C745 FC 710F0000           MOV     DWORD PTR [EBP-0x4], 0xF71
01322FB9   8B45 FC                    MOV     EAX, [EBP-0x4]
01322FBC   3302                       XOR     EAX, [EDX]
01322FBE   8902                       MOV     [EDX], EAX
01322FC0   8B43 08                    MOV     EAX, [EBX+0x8]
01322FC3   8B30                       MOV     ESI, [EAX]
01322FC5   8B4B 08                    MOV     ECX, [EBX+0x8]
01322FC8   8B43 0C                    MOV     EAX, [EBX+0xC]
01322FCB   894D FC                    MOV     [EBP-0x4], ECX
01322FCE   8B10                       MOV     EDX, [EAX]                        ; 01331054: 12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F
01322FD0   8B01                       MOV     EAX, [ECX]                        ; 01331064: 56 2D 2A 00
01322FD2   2D E0050000                SUB     EAX, 0x5E0
01322FD7   8901                       MOV     [ECX], EAX
01322FD9   8B01                       MOV     EAX, [ECX]
01322FDB   05 E0050000                ADD     EAX, 0x5E0
01322FE0   8901                       MOV     [ECX], EAX
01322FE2   8B43 08                    MOV     EAX, [EBX+0x8]
01322FE5   8B08                       MOV     ECX, [EAX]
01322FE7   8A0437                     MOV     AL, [EDI+ESI]
01322FEA   5F                         POP     EDI
01322FEB   5E                         POP     ESI
01322FEC   3A040A                     CMP     AL, [EDX+ECX]
01322FEF   5B                         POP     EBX
01322FF0   0F95C0                     SETNE   AL
01322FF3   8BE5                       MOV     ESP, EBP
01322FF5   5D                         POP     EBP
01322FF6   C3                         RETN


Obviously, the encrypted password at RVA 00011054 is 18 characters long.

But what is the encryption or decryption algorithm?
I don't dive into that; instead, I assume the algorithm is symmetrical.

This time, I entered the right length password "123456789012345678".


013233E0   55                         PUSH    EBP
013233E1   8BEC                       MOV     EBP, ESP
013233E3   6A FF                      PUSH    -0x1
013233E5   68 20AD3201                PUSH    0132AD20
013233EA   64:A1 00000000             MOV     EAX, FS:[0]
013233F0   50                         PUSH    EAX
013233F1   83EC 0C                    SUB     ESP, 0xC
013233F4   53                         PUSH    EBX
013233F5   56                         PUSH    ESI
013233F6   57                         PUSH    EDI
013233F7   A1 04103301                MOV     EAX, [0x1331004]
013233FC   33C5                       XOR     EAX, EBP
013233FE   50                         PUSH    EAX
013233FF   8D45 F4                    LEA     EAX, [EBP-0xC]
01323402   64:A3 00000000             MOV     FS:[0], EAX
01323408   8965 F0                    MOV     [EBP-0x10], ESP
0132340B   8BF1                       MOV     ESI, ECX                          ; 004FF534
0132340D   8975 EC                    MOV     [EBP-0x14], ESI

01323410   8B4E 04                    MOV     ECX, [ESI+0x4]
01323413   8B01                       MOV     EAX, [ECX]
01323415   8B40 04                    MOV     EAX, [EAX+0x4]
01323418   FFD0                       CALL    NEAR EAX
0132341A   84C0                       TEST    AL, AL
0132341C   74 43                      JE      SHORT 01323461

0132341E   C745 FC 00000000           MOV     DWORD PTR [EBP-0x4], 0x0
01323425   8B0E                       MOV     ECX, [ESI]
01323427   8B01                       MOV     EAX, [ECX]
01323429   FF50 04                    CALL    NEAR [EAX+0x4]
0132342C   C745 FC FFFFFFFF           MOV     DWORD PTR [EBP-0x4], -0x1
01323433   EB DB                      JMP     SHORT 01323410

01323435   8B45 E8                    MOV     EAX, [EBP-0x18]
01323438   8B00                       MOV     EAX, [EAX]
0132343A   85C0                       TEST    EAX, EAX
0132343C   75 06                      JNZ     SHORT 01323444
0132343E   B8 61343201                MOV     EAX, 01323461
01323443   C3                         RETN

01323444   83F8 01                    CMP     EAX, 0x1
01323447   75 12                      JNZ     SHORT 0132345B
01323449   B8 4F343201                MOV     EAX, 0132344F
0132344E   C3                         RETN

0132344F   8B75 EC                    MOV     ESI, [EBP-0x14]
01323452   C745 FC FFFFFFFF           MOV     DWORD PTR [EBP-0x4], -0x1
01323459   EB B5                      JMP     SHORT 01323410

0132345B   B8 4F343201                MOV     EAX, 0132344F
01323460   C3                         RETN

01323461   8B4D F4                    MOV     ECX, [EBP-0xC]
01323464   64:890D 00000000           MOV     FS:[0], ECX
0132346B   59                         POP     ECX
0132346C   5F                         POP     EDI
0132346D   5E                         POP     ESI
0132346E   5B                         POP     EBX
0132346F   8BE5                       MOV     ESP, EBP
01323471   5D                         POP     EBP
01323472   C3                         RETN


At the entry of the subroutine, ECX=004FF534, and we can find the entered password in the allocated buffer at 008F0000:


004FF534  005AC780
004FF538  005AC770
        005AC770  0132C3C0  VM_Crack.0132C3C0
        005AC774  004FF600
                004FF600  00000000
                004FF604  008E0000
                004FF608  00001000
                004FF60C  00001000
                004FF610  008F0000  ASCII 12,"123456789012345678"
                004FF614  00001000
                004FF618  00002000
                004FF61C  00900000
                004FF620  00010000
                004FF624  00000000
                004FF628  00000000
                004FF62C  00000000
                004FF630  00000000
                004FF634  00000000
                004FF638  00002000
                004FF63C  00000000
                004FF640  00000000
                004FF644  004FF884  ASCII "Enter key: \r\n"

008F0000  12 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35  .123456789012345
008F0010  36 37 38 00                                      678.


Copy and paste the correct cipher password from RVA 00011054 over it:

008F0000  12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F
008F0010  56 2D 2A 00

Run to the end of the loop at 01323461, and we get:

008F0000  12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74  .viva la revolut
008F0010  69 6F 6E 00                                      ion.


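Added example (not code from the thread or from the CrackMe): a Python script that works only with the bytes shown in the post above. It parses the two 008F0000 dumps and the encrypted "123" buffer, checks the <length byte><payload><NUL> layout, compares the per-position XOR of the two known plaintext/ciphertext pairs, and shows the involution check the solution relies on (running the encrypt routine over its own output must give the input back). The real VM cipher is not reimplemented, because the post does not give it; keystream(), fixed_keystream_xor() and chained_xor() are hypothetical stand-ins used only to show which kind of transform passes that check and which does not. Note also that in the compare routine at 01322F90 the two XORs with 0xF71 and the SUB/ADD of 0x5E0 cancel each other out, so the only operation that matters there is the single-byte CMP AL,[EDX+ECX].

```python
"""Checks behind the 'assume it is symmetric' shortcut in the solution above.

Added example, not code from the thread. Only the hex dumps and the
"123" ciphertext are taken from the post; keystream(), fixed_keystream_xor()
and chained_xor() are hypothetical stand-ins, not the VM's real cipher.
"""
from typing import Callable, List, Sequence

# Hex dumps copied from the post (OllyDbg layout: address, 16 bytes, ASCII column).
STORED_CIPHER_DUMP = """\
008F0000  12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F
008F0010  56 2D 2A 00"""

RECOVERED_PLAIN_DUMP = """\
008F0000  12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74  .viva la revolut
008F0010  69 6F 6E 00                                      ion."""

# Encrypted form of the test password "123" seen at 012C0000 in the post.
TEST_CIPHER = bytes.fromhex("03 AB AF AC 00")
TEST_PLAIN = b"123"

HEX = set("0123456789ABCDEFabcdef")


def parse_dump(dump: str) -> bytes:
    """Turn 'ADDR  XX XX ..  ascii' lines into raw bytes; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        # 8-char address + 2 spaces, then sixteen 'XX ' fields -> columns 10..57.
        for tok in line[10:58].split():
            if len(tok) != 2 or not set(tok) <= HEX:
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def unpack_lenprefixed(buf: bytes) -> bytes:
    """The VM keeps the password as <len byte><payload><NUL>; validate and return payload."""
    n = buf[0]
    if len(buf) < n + 2 or buf[n + 1] != 0:
        raise ValueError("buffer does not match <len><payload><NUL> layout")
    return buf[1:1 + n]


def xor_deltas(plain: bytes, cipher: bytes) -> List[int]:
    """plaintext XOR ciphertext per position; one fixed keystream would give the same
    list for every message."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext/ciphertext length mismatch")
    return [p ^ c for p, c in zip(plain, cipher)]


def shared_keystream_prefix(plain_a: bytes, cipher_a: bytes,
                            plain_b: bytes, cipher_b: bytes) -> int:
    """How many leading positions have the same XOR delta in two known pairs."""
    n = 0
    for x, y in zip(xor_deltas(plain_a, cipher_a), xor_deltas(plain_b, cipher_b)):
        if x != y:
            break
        n += 1
    return n


def is_involution(f: Callable[[bytes], bytes], samples: Sequence[bytes]) -> bool:
    """The property the solution bets on: applying the transform twice restores the input,
    so feeding ciphertext into the *encrypt* path yields plaintext."""
    return all(f(f(s)) == s for s in samples)


def keystream(i: int) -> int:
    """Hypothetical per-position key byte (assumption; the real key schedule is unknown)."""
    return (0x9A + 0x13 * i) & 0xFF


def fixed_keystream_xor(data: bytes) -> bytes:
    """Hypothetical stand-in: XOR with a fixed keystream. This IS an involution."""
    return bytes(b ^ keystream(i) for i, b in enumerate(data))


def chained_xor(data: bytes) -> bytes:
    """Hypothetical stand-in: same keystream, but each output byte is also XORed with the
    previous output byte (CBC-style chaining). This is NOT an involution."""
    out, prev = bytearray(), 0
    for i, b in enumerate(data):
        prev = b ^ keystream(i) ^ prev
        out.append(prev)
    return bytes(out)


SAMPLES = [b"", TEST_PLAIN, b"viva la revolution", bytes(range(256))]

if __name__ == "__main__":
    stored = unpack_lenprefixed(parse_dump(STORED_CIPHER_DUMP))
    plain = unpack_lenprefixed(parse_dump(RECOVERED_PLAIN_DUMP))
    print("stored ciphertext length:", len(stored), "plaintext:", plain.decode())
    print("XOR deltas for '123':", [hex(d) for d in xor_deltas(TEST_PLAIN, unpack_lenprefixed(TEST_CIPHER))])
    print("XOR deltas for password:", [hex(d) for d in xor_deltas(plain, stored)])
    print("agreeing leading positions:",
          shared_keystream_prefix(TEST_PLAIN, unpack_lenprefixed(TEST_CIPHER), plain, stored))
    print("fixed keystream XOR is involution:", is_involution(fixed_keystream_xor, SAMPLES))
    print("chained XOR is involution:", is_involution(chained_xor, SAMPLES))
```

Running it shows the first-byte XOR delta is 0x9A for both "123" and the 18-byte stored ciphertext, while the deltas diverge from position 1 on. Because the two samples have different lengths, that only rules out one fixed keystream shared by all messages; it does not by itself decide whether the routine is an involution, which the solution settled empirically by feeding the stored ciphertext through the loop at 01323410 and reading back "viva la revolution".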
