casualPerson Posted Saturday at 12:09 AM
crackme123
A "Crack Me" challenge created by lord "Voksi", a well-known person in the "warez" scene. And no, this challenge is not uploaded by "Voksi" himself; it's uploaded via a proxy, which is myself, an old friend of "Voksi".
GOAL: Obtain the correct key
Greetings to MasterBootRecord, Voksi, FJLJ, and also a few others, you know who you are ❤️
Submitter casualPerson Submitted 07/04/2025 Category CrackMe
CodeExplorer Posted Saturday at 09:41 AM
It is a 64-bit file, so I loaded the file in x64dbg. It prints "Incorrect password" at:
000000014000593E | E8 FDBCFFFF | call crackme123.140001640
0000000140005943 | 48:894424 48 | mov qword ptr ss:[rsp+48],rax
0000000140005948 | 48:8D15 81CFF | lea rdx,qword ptr ds:[1400028D0]
000000014000594F | 48:8B4C24 48 | mov rcx,qword ptr ss:[rsp+48]
0000000140005954 | E8 97E4FFFF | call crackme123.140003DF0
0000000140005959 | 48:83C4 78 | add rsp,78
000000014000595D | C3 | ret
called from here:
000000014000838B | 8B4424 20 | mov eax,dword ptr ss:[rsp+20]
000000014000838F | 898424 B80000 | mov dword ptr ss:[rsp+B8],eax
0000000140008396 | 83BC24 B80000 | cmp dword ptr ss:[rsp+B8],31 | 31:'1'
000000014000839E | 0F87 3C0F0000 | ja crackme123.1400092E0
00000001400083A4 | 48:638424 B80 | movsxd rax,dword ptr ss:[rsp+B8]
00000001400083AC | 48:8D0D 4D7CF | lea rcx,qword ptr ds:[140000000]
00000001400083B3 | 8B8481 B09300 | mov eax,dword ptr ds:[rcx+rax*4+93B0]
00000001400083BA | 48:03C1 | add rax,rcx
00000001400083BD | FFE0 | jmp rax
but I don't know which is the proper valid value of dword ptr ss:[rsp+B8]
CodeExplorer Posted Saturday at 06:54 PM
At 000000014000838B: 0, 1, 2, 3, 8, 9, A, B, C, D, 6, 7 -
0000000140008BD4 | 8B4424 20 | mov eax,dword ptr ss:[rsp+20]
0000000140008BD8 | FFC0 | inc eax
0000000140008BDA | 894424 20 | mov dword ptr ss:[rsp+20],eax
0000000140008BDE | E9 07070000 | jmp crackme123.1400092EA
0000000140008A16 | 8B4424 30 | mov eax,dword ptr ss:[rsp+30]
0000000140008A1A | FFC0 | inc eax
0000000140008A1C | 894424 30 | mov dword ptr ss:[rsp+30],eax
0000000140008A20 | 837C24 30 04 | cmp dword ptr ss:[rsp+30],4
0000000140008A25 | 0F8D A9010000 | jge crackme123.140008BD4
0000000140008A2B | 8B4424 24 | mov eax,dword ptr ss:[rsp+24]
0000000140008A2F | 99 | cdq
0000000140008A30 | 83E2 03 | and edx,3
0000000140008A33 | 03C2 | add eax,edx
0000000140008A35 | 83E0 03 | and eax,3
0000000140008A38 | 2BC2 | sub eax,edx
0000000140008A3A | 898424 80000000 | mov dword ptr ss:[rsp+80],eax
0000000140008A41 | 83BC24 80000000 00 | cmp dword ptr ss:[rsp+80],0
0000000140008A49 | 74 2B | je crackme123.140008A76
0000000140008A4B | 83BC24 80000000 01 | cmp dword ptr ss:[rsp+80],1
0000000140008A53 | 74 60 | je crackme123.140008AB5
0000000140008A55 | 83BC24 80000000 02 | cmp dword ptr ss:[rsp+80],2
0000000140008A5D | 0F84 90000000 | je crackme123.140008AF3
0000000140008A63 | 83BC24 80000000 03 | cmp dword ptr ss:[rsp+80],3
0000000140008A6B | 0F84 C3000000 | je crackme123.140008B34
0000000140008A71 | E9 0B010000 | jmp crackme123.140008B81
0000000140008A76 | 8B4424 30 | mov eax,dword ptr ss:[rsp+30]
0000000140008A7A | D1E0 | shl eax,1
0000000140008A7C | 48:98 | cdqe
0000000140008A7E | 48:898424 E8010000 | mov qword ptr ss:[rsp+1E8],rax
0000000140008A86 | 48:8D8C24 98000000 | lea rcx,qword ptr ss:[rsp+98]
0000000140008A8E | E8 0DEDFFFF | call crackme123.1400077A0
so I don't have any idea where the password test is made...
0xret2win Posted Monday at 06:49 PM
@CodeExplorer Hey Code, did you run this in a VM?
CodeExplorer Posted Monday at 07:07 PM
17 minutes ago, 0xret2win said:
@CodeExplorer Hey Code, did you run this in a VM?
I didn't run it in a VM, but on a real machine.
0xret2win Posted Monday at 07:10 PM (edited)
24 minutes ago, CodeExplorer said:
I didn't run it in a VM, but on a real machine.
Yeah, something ain't right about this crackme. Also, once you get into here you will find quite a lot more interesting things, like hostname checking and so on. Not 100% sure, but be aware of where you are executing "new" crackmes by "V0KsISsSs" friend.
Edited Monday at 07:36 PM by 0xret2win
casualPerson Posted yesterday at 01:13 AM Author (edited)
6 hours ago, 0xret2win said:
Yeah, something ain't right about this crackme. Also, once you get into here you will find quite a lot more interesting things, like hostname checking and so on. Not 100% sure, but be aware of where you are executing "new" crackmes by "V0KsISsSs" friend.
Greetings, if "YOU" are so "PARANOID", just run it in a "VM". I can tell you "1" thing: it's completely safe. So I don't know where you're getting this garbage | bullshit from. And there is "virustotal" for a reason! The only weird thing is you making these stupid remarks about this challenge...! Regarding the false accusations thrown about...
Spoiler
https://www.virustotal.com/gui/file/61dc343b8e0a4efd81b28836f8ef46ba43fbb0ceb06fa5733ac89e0ffcfbab5c/detection
Nor does this challenge require internet. No HTTP/s communication in between, whatsoever.
Greetings!
Edited yesterday at 01:17 AM by casualPerson: Duplicated "Words"
Washi Posted 5 hours ago (edited)
Your crackme seems to have multiple solutions. Not sure if this was intended.
Some example passwords:
Spoiler
800Xk6PHl5Ef101
Aa4B6DDOZR6BE1H
aA4B6DDOZR6BE1H
DjY0X3bj0J03174
a05000077soUOAL
Approach:
Spoiler
There is a lot of junk in this crackme. In the main function (FUN_140008220), a lot of useless string loops are added and some control flow flattening is applied to confuse the reverse engineer. However, the control flow obfuscation is easy to follow, as the next value for the state variable that switches between the cases is easily readable in the decompiler, especially because many state switches just switch to the next case block in the switch statement.
Breakdown of main follows:
1400083cd: prints the prompt
1400083f0: reads the input password
1400086bf: a function that either prints "Invalid password" or "Good password" depending on the global value it passes into it as a parameter (DAT_14003d1f0).
Cross-referencing DAT_14003d1f0 tells you that FUN_140007d10 is the only function that writes to it --> FUN_140007d10 is the actual verifier of the input password. This function computes three checksums on the input password:
Checksum 1 (FUN_1400059b0): computes a simple wrapping 32-bit sum of all characters, which has to equal 0x407
Checksum 2 (FUN_140005a50): computes a wrapping product modulo 0xffff, which has to equal 0x12ed
Checksum 3 (FUN_140005b10): computes an xor sum, which has to equal 0x6f
We don't know the length yet, but we can see the verifier (FUN_140007d10) is called by FUN_140008eb5, which checks at 140006b3d if length == 0xf. We now know everything we need to create passwords; just make a z3 script that solves the constraints (see below). The script occasionally spits out a wrong password (likely due to the lack of a signed modulo operator in Z3), but most of the time you will get a valid password.
from z3 import *

# One 8-bit symbolic variable per character; the verifier requires length 0xf.
password = [BitVec(f"x{i}", 8) for i in range(0xf)]
s = Solver()

# Restrict to alphanumerical characters only
for p in password:
    s.add(Or(
        And(p >= ord('A'), p <= ord('Z')),
        And(p >= ord('a'), p <= ord('z')),
        And(p >= ord('0'), p <= ord('9'))
    ))

# Checksum 1: wrapping 32-bit sum of all characters
checksum1 = BitVecVal(0, 32)
for p in password:
    checksum1 += ZeroExt(24, p)
s.add(checksum1 == 0x407)

# Checksum 2: running product reduced modulo 0xffff after every step
# (note: % on z3 bit-vectors is the signed remainder; URem() is the unsigned form)
checksum2 = BitVecVal(1, 32)
for p in password:
    checksum2 = (checksum2 * ZeroExt(24, p)) % 0xffff
s.add(checksum2 == 0x12ed)

# Checksum 3: 8-bit xor of all characters
checksum3 = BitVecVal(0, 8)
for p in password:
    checksum3 ^= p
s.add(checksum3 == 0x6f)

# Solve
result = s.check()
print(result)
while result == sat:
    m = s.model()

    # Reconstruct password from the model
    reconstructed = bytearray()
    for p in password:
        reconstructed.append(m[p].as_long())
    print(reconstructed)

    # Exclude this solution and ask for another one
    s.add(Or(*(p != m[p] for p in password)))
    result = s.check()

Edited 5 hours ago by Washi: Move approach into spoiler
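The three constraints from the approach above, re-implemented in plain Python as an added example (this is not code from the crackme and not Washi's script): it recomputes the wrapping 32-bit sum, the running product modulo 0xffff and the 8-bit xor over a 15-character key and compares them with 0x407, 0x12ed and 0x6f, reporting which check fails. The function names are my own; the constants, the length check and the example key "800Xk6PHl5Ef101" come from the post. Because all three checks are order-independent, any permutation of a valid key is also valid, which is why the thread shows several solutions differing only in character order.

```python
# Added example: plain-Python model of the verifier described in the post
# (length 0xf, then three checksums). Function names are assumptions.

EXPECTED_LEN = 0xF          # length check at 140006b3d
EXPECTED_SUM = 0x407        # checksum 1 (FUN_1400059b0)
EXPECTED_PRODUCT = 0x12ED   # checksum 2 (FUN_140005a50)
EXPECTED_XOR = 0x6F         # checksum 3 (FUN_140005b10)
MASK32 = 0xFFFFFFFF


def checksums(key: bytes) -> tuple:
    """Return (sum, product mod 0xffff, xor) computed over the key bytes."""
    total, product, xor = 0, 1, 0
    for b in key:
        total = (total + b) & MASK32        # wrapping 32-bit sum
        product = (product * b) % 0xFFFF    # product reduced after every step
        xor ^= b                            # 8-bit xor (bytes stay < 256)
    return total, product, xor


def failing_checks(key: str) -> list:
    """Names of the checks the key fails, in the order the verifier applies them.

    Length is checked before the verifier is even called, so a wrong length
    short-circuits exactly like the guard at 140006b3d does.
    """
    data = key.encode("ascii", errors="replace")
    if len(data) != EXPECTED_LEN:
        return ["length"]
    total, product, xor = checksums(data)
    failed = []
    if total != EXPECTED_SUM:
        failed.append("sum")
    if product != EXPECTED_PRODUCT:
        failed.append("product")
    if xor != EXPECTED_XOR:
        failed.append("xor")
    return failed


def is_valid_key(key: str) -> bool:
    """True when the key satisfies the length check and all three checksums."""
    return not failing_checks(key)


if __name__ == "__main__":
    # The five keys listed in the post, plus one deliberately broken variant.
    candidates = [
        "800Xk6PHl5Ef101", "Aa4B6DDOZR6BE1H", "aA4B6DDOZR6BE1H",
        "DjY0X3bj0J03174", "a05000077soUOAL",
        "800Xk6PHl5Ef102",   # constructed: last character changed
    ]
    for k in candidates:
        s, p, x = checksums(k.encode())
        status = "Good password" if is_valid_key(k) else "Invalid password"
        print(f"{k}: sum=0x{s:x} product=0x{p:x} xor=0x{x:x} -> {status}")
```

Running it reproduces the verifier's verdict for each key offline, and `failing_checks` tells you which of the three constraints a near-miss from the z3 script (the "occasionally wrong" output mentioned above) actually violates.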