Tuts 4 You

My first easy CrackMe


m0rfl1ng


Hi guys, I wrote a very simple crackme. I really do not know how I should secure my code, so I just wrote a very basic one. Anyway, I know it's very easy, but I still wanted to know other people's opinions. If it does not run, please let me know. I did not use any packer or protector, just my own code, and it's written in C++ with Visual Studio 2019 on Windows 10.

Submitter: m0rfl1ng

Category: CrackMe


Had a look at this one. It's not as straightforward as the title suggests, but in hindsight it may look trivial.

Tools used: x64dbg, optionally IDA Free

The strings that the program outputs are encrypted. Setting a breakpoint at WriteConsole and searching for the decryption function starting from main() was kinda slow, as the decryption core lies 5 levels deep in the call stack.

The decryption algorithm for the output strings is AES-NI. The encrypted strings are embedded in the control flow as single-byte pieces, so nodes containing payload are easy to spot in the call graph.

[Image: main.png]

The main function loops until the correct input is entered; some of the program's replies are checked (switch or if). The decryption routine (top level) is at offset 2540. It is called for all strings, no matter if the input is correct or not.

The obvious vulnerability is this conditional jump at file offset 5369: patch out the jump and the program will always accept the input.

The jump is taken when a check function for the payload of the encrypted string "Correct !" returns 0.

Analyzing that check function (offset 3750) is only necessary to get the genuine password, which is left as an exercise to the reader...

I was surprised, the strings were well hidden with encryption; I have seen others doing worse.

I struggled with the complexity introduced by AES at first; I was used to easier string encryptions like XORing or TEA, where one can observe the decryption more or less directly.

 

 

 


This is my solution:

1. Add a breakpoint at kernel32.dll:WriteFile.

2. Enter anything; it will break when the error message is output.

3. You will find the key code is in the main function. Then you will find the important jmp code.

4. Change jz xxx to nop:

00007FF709525F69    0x2    74 14     90 90 

Apply the patch to the file.
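Both solutions above succeed because one conditional jump decides whether an already-decryptable "Correct !" string is shown. The following added example (not the crackme's code and not from either poster) contrasts that design with one where the input itself is the decryption key; the toy keystream stands in for the AES the crackme uses, and the password `s3cret-demo`, the key `embedded-key` and the `patched` flag (which models the nopped `jz`) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG "Correct !"
#define N   (sizeof MSG - 1)

/* Toy hash + keystream: a stand-in for a real KDF and AES, NOT secure. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
static void xor_stream(const char *key, const uint8_t *in, uint8_t *out) {
    uint32_t s = fnv1a((const uint8_t *)key, strlen(key));
    for (size_t i = 0; i < N; i++) {
        s = s * 1664525u + 1013904223u;          /* LCG step */
        out[i] = in[i] ^ (uint8_t)(s >> 24);
    }
}

/* Weak design: fixed key in the binary, one branch guards the message.
 * `patched` models the jz replaced by nops. Returns 1 if out == MSG. */
int weak_reveal(const char *input, const char *secret, int patched, char *out) {
    uint8_t blob[N];
    xor_stream("embedded-key", (const uint8_t *)MSG, blob);   /* build step */
    memset(out, 0, N + 1);
    if (strcmp(input, secret) == 0 || patched)
        xor_stream("embedded-key", blob, (uint8_t *)out);
    return memcmp(out, MSG, N) == 0;
}

/* Hardened design: the input is the key; the binary would ship only the
 * blob and a tag of the plaintext. Forcing the branch yields garbage. */
int hardened_reveal(const char *input, const char *secret, int patched, char *out) {
    uint8_t blob[N];
    xor_stream(secret, (const uint8_t *)MSG, blob);           /* build step */
    uint32_t tag = fnv1a((const uint8_t *)MSG, N);            /* build step */
    xor_stream(input, blob, (uint8_t *)out);
    out[N] = '\0';
    int ok = fnv1a((const uint8_t *)out, N) == tag;
    if (!ok && !patched) memset(out, 0, N + 1);
    return memcmp(out, MSG, N) == 0;
}

int main(void) {
    char out[N + 1];
    printf("weak, patched:     %d\n", weak_reveal("guess", "s3cret-demo", 1, out));
    printf("hardened, patched: %d\n", hardened_reveal("guess", "s3cret-demo", 1, out));
    printf("hardened, correct: %d\n", hardened_reveal("s3cret-demo", "s3cret-demo", 0, out));
    return 0;
}
```

In the hardened variant the secret and plaintext appear only in the lines marked as build steps, which would run when the blob is generated and not ship in the binary. The password can still be guessed offline against the tag, so a real implementation needs a slow KDF and an authenticated cipher in place of the toy primitives.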
