Some Crack Me’s
Hey! everyone it’s been a while, today I ended up solving a few CrackMe’s to get back in touch to reversing, so I found this domain it’s a cool website, but don’t just run any file some are malware as well. So it’s suggest to run the files over Virus Total before running the binary or as always run it in a sandbox environment (aka VMware or Virtualbox).
CrackMe
Difficulty : Very Easy
This is the very basic binary that you can load directly in IDA and check the cmp segment to get the code.
After opening the binary in IDA we get
Looking closely at the instructions
mov rax, 6361726379736165h
Hex value let’s reverse it from this tool
But this doesn’t work
Looking further
It also adds a “k”
Let’s rearrange carcysaek : easycrack
You can save the time if you have IDA-Pro and you directly de-compile the binary source which shows the password directly.
But this doesn’t mean the challenge isn’t solvable without paid tools, in fact it’s really fun to play around with restricted tool functionalities
Simple Keygen
Difficulty : Easy
Running a simple file command reveals that it’s a executable file.
Next up let’s try to execute it, expects the command line arguments which it refers as SERIAL, which might come handy when we are debugging inside IDA or GDB.
Opening this in IDA there’s a function called “CheckSerial” now if you want you can look for a “cmp” call I ended up de-compiling the whole binary (Premium Feature)
So after de-compiling the source we can see that the expected length is “16” and there’s a basic login acts like a +1 to the ASCII value so let’s try the password as “abcdefghijklmnop”.
So the password was abcdefghijklmnop.
CrackMe J1
Difficulty : Medium
As always let’s check what kind of file is it?
Let’s load it up in IDA again, then I checked the strings it reads “Shutdown command” which seems like this binary runs shutdown automatically at this point I didn’t know what it’s about and was too lazy to reset my computer.
So I patched the binary wherever it calls “.rdata:004062DC 00000028 C c:\\windows\\system32\\shutdown /s /t 5 \n\n”
Now I can PAD the shutdown with NOPs (90) and analyze the binary further.
Let’s run the binary from the basic string analysis we can see that it looks for 3 stages and passwords so we are looking for 3 passwords.
Now we can hop to stage 1
So now we can double click on the string (mentioned above) and get the address so now you can look for a basic “cmp” to see if there’s a string comparison.
But the binary is padded with garbage which is a long chain
Now let’s move down and check the cmp and see the value it’s compared against.
There’s 2 arrows red and green which tells you what executes if True then green if Red then Else
Now you can see if the password is wrong it shutdown’s the system which is padded by NOP.
After going all the way down we can see the correct compare value is 539h (which is 539 in hex) which coverts to 1337.
So the first password is: 1337
Let’s try it out!
It indeed gets accepted now it asks another question let’s hop to the string, now you can analyze the binary or just check the imports which I did and it clearly shows me GetComputerNameA which takes my PC name and I tried passing that and it WORKS!
Let’s try passing the computer name
Final stage let’s look for the string “3rd Serial Number:”
Let’s just pass this string value in the program and wait for the output once I enter
nuf-si-gnireenigne-esrever
It exits out which is really odd! if you looked closely there’s a isDebugger call present which won’t let you debug this binary inside a debugger.
Maybe we can cover bypassing isDebugger() call sometime later
Let’s try to trace the steps and see where it goes to! So it invokes a small segment of command later in the program which I again patched, now it works as expected.
Now this neither crashes nor shutdown the PC and exits gracefully you can try printing out the “Challenge complete flag” but I didn’t bother doing that.
