
CrackMe challenge writeup #1

Introduction

This is a write-up for a crackme I found on the internet: https://crackmes.one/crackme/5ed5b3c833c5d449d91ae6d0 by raxer.

This is a simple crackme which involves finding a secret password to succeed. You can't byte-patch, so you are forced to understand the password algorithm to pass this challenge.

Why?

I was bored and had nothing to do, so I decided to find a simple crackme just to pass the time :-)

Tools

The tools I used to reverse engineer this crackme and find the solution were:

  • Windows 10 PRO
  • x64dbg (32bit)
  • Notepad

The process

So first of all I ran the program normally. As soon as you start it you are greeted with a prompt asking for the valid password. If you input the wrong password it will print the following message and close:

Don't think you have the slightest clue about debugging.

After this I opened the crackme with x64dbg and ran the program again. It produced the same results, so you can assume that it has no anti-debugging measures in place.

Then, I analyzed the code and stepped through it until I found where the prompt to introduce the password began.

This section starts at 2E0422. After you input the password, you will notice that a string is loaded into R8. This string, together with an "inc rax", a "cmp rax, D" and a "jne" instruction, alerted me to the fact that the password algorithm might be happening here.

(You could also search for referenced strings and get to this code faster than by stepping through it.)

So I continued with this in mind, and stepped through the code, which is the following:

lea r8,qword ptr ds:[2E0262]
mov dl,byte ptr ss:[rsp+rax+20]
movzx ecx,byte ptr ds:[rsi+rax]
and ecx,7
cmp dl,byte ptr ds:[rcx+r8]
jne crack_me.2E0473

The first instruction loads the address of the "BGOTHXIY" string into r8. The following instruction loads the next character of the input the user provided, indexed by rax.

For example, if rax is equal to 1 it reads rsp + 1 + 20, which gives you the 2nd character of the string you provided (remember, indexes start at 0).

The next instruction loads the byte at the address rsi + rax into ecx. If you follow this address in memory, you will see an array of (supposedly) random bytes. Next, this result is overwritten by itself AND 7. This calculated value is then used as an index into r8 (which points at the "BGOTHXIY" string) and the selected character is compared to the value in dl.

If the comparison fails (as in, not equal), the code will jne to the fail routine, displaying the message we saw earlier.

So with this we can assume:

  • rax is an index
  • The loop is going to run 0x0D times (13 times in decimal)
  • r8 contains a string
  • ecx contains a byte from a byte array in memory
  • r8 is indexed with the ecx value (the byte read from that array) & 7
  • the byte array read into ecx has 13 positions (we can tell from the number of loop iterations, 0x0D)

Here is the code roughly in C (sorry if anything is wrong, haven't coded in C in a long time :-P):

    // Returns 1 when the input passes the reversed check, 0 otherwise
    int passwordCheck(const char *userInput) {
        int rax = 0; // our index
        char r8[] = { 'B', 'G', 'O', 'T', 'H', 'X', 'I', 'Y' }; // 'random string' loaded into r8
        unsigned char ecx[] = { 0x48, 0x8D, 0x05, 0xF9, 0xFF, 0xFF, 0xFF,
                                0x48, 0x89, 0xC6, 0x48, 0x8D, 0x0D }; // byte array at rsi
        while (rax < 13) { // cmp rax, D / jne
            if (userInput[rax] != r8[ecx[rax] & 7]) { // and ecx, 7 / cmp dl, [rcx+r8]
                return 0; // jne -> invalid_password
            }
            rax++; // inc rax
        }
        return 1; // success
    }


With this code, we can now generate the valid password. We just need to recreate this code without the goto invalid_password routine. I did this in JavaScript. So you have this:

    function keygen(){
        var passwordArray = [];
        "48 8D 05 F9 FF FF FF 48 89 C6 48 8D 0D".split(' ').forEach(x => passwordArray.push("BGOTHXIY"[parseInt('0x'+x) & 7]));
        return passwordArray.join('');
    }
    keygen();

You can run this in your browser's console and it will generate the key.
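As an added example (my own code, not part of the original write-up), here is the reversed check and the keygen side by side in one C program, so the derived key can be verified against the very loop it was derived from. The function names `check_password`, `derive_key` and `derived_key_is` are my own; the lookup string and the 13 bytes are the ones shown above.

```c
#include <stdio.h>
#include <string.h>

#define KEY_LEN 13

/* Lookup string loaded into r8 by "lea r8, [2E0262]" (from the write-up). */
static const char table[8] = { 'B', 'G', 'O', 'T', 'H', 'X', 'I', 'Y' };

/* The 13 bytes read through rsi+rax (from the write-up). */
static const unsigned char secret[KEY_LEN] = {
    0x48, 0x8D, 0x05, 0xF9, 0xFF, 0xFF, 0xFF,
    0x48, 0x89, 0xC6, 0x48, 0x8D, 0x0D
};

/* Model of the reversed loop: returns 1 when each of the 13 input
 * characters equals table[secret[i] & 7], else 0. A shorter C string
 * fails at its terminator (no table entry is NUL), and anything after
 * the 13th character is never looked at, because the loop compares
 * exactly 0xD bytes. */
int check_password(const char *input)
{
    for (int rax = 0; rax < KEY_LEN; rax++) {      /* cmp rax, D / jne */
        unsigned char ecx = secret[rax] & 7;       /* movzx + and ecx, 7 */
        if (input[rax] != table[ecx])              /* cmp dl, [rcx+r8] */
            return 0;                              /* jne -> fail routine */
    }
    return 1;
}

/* Keygen: the same loop with the comparison replaced by a store. */
void derive_key(char out[KEY_LEN + 1])
{
    for (int i = 0; i < KEY_LEN; i++)
        out[i] = table[secret[i] & 7];
    out[KEY_LEN] = '\0';
}

/* Helper for checking: derive the key and compare with an expected value. */
int derived_key_is(const char *expected)
{
    char key[KEY_LEN + 1];
    derive_key(key);
    return strcmp(key, expected) == 0;
}

int main(void)
{
    char key[KEY_LEN + 1];
    derive_key(key);
    printf("key: %s -> %s\n", key, check_password(key) ? "accepted" : "rejected");
    return 0;
}
```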

The key is: BXXGYYYBGIBXX

If you input this key on the crackme it will output the following message:

Good job on decrypting the password!

The end

Thank you for reading this, it was really fun to crack this (even though it is an easy one :-P)
