jack/crackmes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Jack Bond-Preston 2023-02-13 15:42:53 +00:00
commit e341625a66
Signed by: jack
GPG Key ID: 010071F1482BA852
7 changed files with 113 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.exe

33
1/README.md Normal file
View File

@ -0,0 +1,33 @@
# CrackMeOne
## Steps
- Launch x32dbg and open the exe
- Run up until `EntryPoint`
- Open the strings view
- Find
> Congratulations, you found the secret password
This must be our code path on success. Double click to find it in the assembly view.
- Insert some breakpoints before and play around with entering password (anything is fine) and stepping through code, observing registers etc.
- Observe that there is a loop iterating through bytes at `*eax` and `*ecx` and comparing them.
eax points to our entered password, ecx points to `j5%9lk`.
- Clearly we are checking for equality between these two strings, thus this is the password.
- If we complete the loop, we jump straight to the `test eax, eax` that gates the success path. If we don't, we jump a few instrs before, where `eax` is set to a value that is always non-zero (thus we take the branch, which we don't want to).
`eax` will be zero in the success path due to the final equality check being performed on the null-byte string terminator.## Solution
## Solution
Password: `j5%9lk`.

36
1b/README.md Normal file
View File

@ -0,0 +1,36 @@
# CrackMeTwo
- Same idea as one, just with anti-debugger measures.
- Uses [NtQueryInformationProcess](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess) to check debugger state. Note the linked documentation doesn't cover the `ProcessInfoClass` option it uses. [Full enumeration is available here](https://www.pinvoke.net/default.aspx/ntdll/PROCESSINFOCLASS.html).
- Debugger stepping can confirm we are calling this function with `0x1F` (`ProcessDebugFlags`). This anti-debug method is documented [here](https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugflags).
- Basically just need to make this function return anything but zero. Bunch of ways to do this (edit eax in breakpoint, modify instructions to mov something in, etc.).
A patch is a bit cleaner, we can patch the `call ebx` instruction (the call to `NtQueryInformationProcess`) with `mov eax,ebp` or any other instructions with the same length that will give us a non-zero `eax`:
```patch
>crackmeoneb.exe
00001169:FF->89
0000116A:D3->E8
```
- Now we've patched this, we can get to the input dialog. However, trying to enter anything and hit ok gives us another exception.
- Inspecting the exception seems we are dividing by zero on purpose, unconditionally, which throws an exception.
- Looking at the instructions above, we can see calls to `UnhandledExceptionFilter()`. This means we are encountering [another anti-debug technique, documented here](https://anti-debug.checkpoint.com/techniques/exceptions.html#unhandledexceptionfilter).
- We can inspect the exception handler that would be registered if not debugging, and see that it is adding 2 to the `eip` and returning `EXCEPTION_CONTINUE_EXECUTION`. This just skips the `div` instruction.
- Just fill the `div` instruction with `nop`s and everything works great under the debugger again.
- Use the same method as CrackMeOne to find the password
##
## Solution
Password: `zoq98m`

5
1b/patch.1337 Normal file
View File

@ -0,0 +1,5 @@
>crackmeoneb.exe
00001169:FF->89
0000116A:D3->E8
00001247:F7->90
00001248:F0->90

14
3/keygen.py Normal file
View File

@ -0,0 +1,14 @@
import hashlib
username = input("Enter your username: ")
print(f"\nUsername: {username}")
hash = int(hashlib.sha256(bytes(username, encoding="ascii")).hexdigest()[-8:], base=16)
print(f"SHA256-derived bytes: {hex(hash)}")
target = hash ^ 0x2faecb0d
print(f"Target bytes: {hex(target)}")
password = target ^ 0xa2f99eae
print(f"Your password: {hex(password)[2:]}")

9
3/patch.1337 Normal file
View File

@ -0,0 +1,9 @@
>crackmethree.exe
0000116C:C0->F6
00001239:C0->F6
000013D1:50->90
000013D2:33->90
000013D3:C0->90
000013D4:F7->90
000013D5:F0->90
000013D6:58->90

15
README.md Normal file
View File

@ -0,0 +1,15 @@
# CrackMes
Crackmes and solutions, from [GitHub - ripxorip/crackmes: A set of "CrackMe"s intended for beginners who wants to learn more about x86 assembly and reverse engineering](https://github.com/ripxorip/crackmes). Solutions my own, may not be optimal or anything, just for learning.
- [CrackMeOne](./1/)
- [CrackMeOneB](./1b/)
- [CrackMeTwo](./2/) - Not completed yet.
- [CrackMeThree](./3/) - Not written up yet.