34 lines
1.1 KiB
Markdown
# CrackMeOne
## Steps
- Launch x32dbg and open the exe
- Run up until `EntryPoint`
- Open the strings view
- Find the string

  > Congratulations, you found the secret password

  This must be our code path on success. Double-click it to find it in the assembly view.
- Insert some breakpoints before it, then play around: enter a password (anything is fine) and step through the code, observing the registers etc.
- Observe that there is a loop iterating through the bytes at `*eax` and `*ecx` and comparing them.
  `eax` points to our entered password, `ecx` points to `j5%9lk`.
- Clearly we are checking for equality between these two strings, thus this is the password.
- If we complete the loop, we jump straight to the `test eax, eax` that gates the success path. If we don't, we jump to a few instructions before it, where `eax` is set to a value that is always non-zero (thus we take the branch, which we don't want).
  `eax` will be zero in the success path because the final equality check is performed on the null-byte string terminator.
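
The loop and the `test eax, eax` gate described above, modelled in C. This is an added reconstruction from the observed behaviour, not the crackme's source; the function names and the mismatch value `1` are assumptions (the steps only establish "always non-zero").

```c
#include <stdio.h>

/* The constant the walkthrough found behind ecx. */
static const char SECRET[] = "j5%9lk";

/*
 * Models the value left in eax when the compare loop exits.
 * Returns 0 only if every byte matched up to and including the NUL
 * terminator. Any mismatch returns non-zero (1 is an assumed value).
 */
static int compare_loop(const char *input /* eax */, const char *secret /* ecx */)
{
    for (;;) {
        unsigned char a = (unsigned char)*input;
        unsigned char c = (unsigned char)*secret;
        if (a != c)
            return 1;   /* mismatch: block before the test sets eax non-zero */
        if (a == 0)
            return 0;   /* both strings ended on the same byte: eax == 0 */
        input++;
        secret++;
    }
}

/* Models the `test eax, eax` gate: 1 = success path, 0 = failure branch. */
static int reaches_success(const char *input)
{
    int eax = compare_loop(input, SECRET);
    return eax == 0;
}

int main(void)
{
    /* Constructed inputs: wrong, too short, too long, exact match. */
    const char *tries[] = { "hunter2", "j5%9l", "j5%9lkX", "j5%9lk" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-8s -> %s\n", tries[i],
               reaches_success(tries[i]) ? "success path" : "failure branch");
    return 0;
}
```

A prefix or an over-long input fails because the terminator byte is part of the comparison, which is why only the exact string leaves `eax` at zero.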
## Solution
Password: `j5%9lk`.