Write-up: heaven (CrackMe)
Hash: 64f1f77ad931496abf90951d (from crackmes.one)
Launching the exe in IDA, I got the following decompiled function:
From here I can see that it expects a password. Following the `sub_*` functions shows some fairly complex code, so I decided to debug it instead, passing a random string. The code seems to modify itself based on the input, more specifically at `loc_4016CE`. But the only registers that change in response to the password input are `eax` and `ebx`.
I started the program with an input of 29 `A` characters. At `loc_4016C5`, `eax` and `ebx` look like this:
When `al` equals `bl`, a "hidden" piece of code is executed, which jumps back to the beginning of the loop. With that in mind, I applied the following logic (the assumption being that `bl` tracks the input byte one-for-one, so the difference `al - bl` is the correction to apply to the input character):

F9h (set-point, the `al` value) - D8h (the `A` input, the `bl` value) = 21h
`A` + 21h = `b` (this seems to be the first letter of the password)
With a breakpoint at `loc_4016C5`, I checked the values of `al` and `bl` for an input of multiple `b` characters. The results are shown below:
| Input char | Set-point (`al`) | Input (`bl`) | Diff (`al` - `bl`) | Output char (input char + diff) |
|---|---|---|---|---|
| A | F9h | D8h | 21h | b |
| b | AFh | 9Fh | 10h | r |
| b | N/A | N/A | 00h | b |
| b | B4h | 9Bh | 19h | { |
| b | 75h | 64h | 11h | s |
| b | 1Ch | 0Ah | 12h | t |
| b | 86h | 86h | -01h | a |
| b | A2h | 9Bh | 07h | i |
| b | 6Eh | 5Eh | 10h | r |
| b | 97h | 9Ah | -03h | _ |
| b | CCh | BCh | 10h | r |
| b | 8Ah | 87h | 03h | e |
| b | A6h | 94h | 12h | t |
| b | CAh | CDh | -03h | _ |
| b | 9Fh | 8Ah | 15h | w |
| b | 6Dh | 6Eh | -01h | a |
| b | EEh | D7h | 17h | y |
| b | 20h | 23h | -03h | _ |
| b | 98h | 86h | 12h | t |
| b | 99h | 8Ch | 0Dh | o |
| b | 80h | 83h | -03h | _ |
| b | 3Fh | 39h | 06h | h |
| b | 7Dh | 7Ah | 03h | e |
| b | 65h | 66h | -01h | a |
| b | C1h | ADh | 14h | v |
| b | F6h | F3h | 03h | e |
| b | BCh | B0h | 0Ch | n |
| b | 84h | 69h | 1Bh | } |
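The "set-point minus input" logic above and the table it produced can be turned into a small script. This is an added example, not code from the original write-up: it transcribes the table rows as constructed input data and rebuilds the password from them under the write-up's own assumption that `bl` moves one-for-one with the input byte. Two details a practitioner would want are handled: the subtraction is done in 8-bit arithmetic, so negative diffs such as 20h - 23h wrap correctly to `_`, and every row's recorded diff is checked against `al - bl` as listed, which flags the one row (86h, 86h, -01h) whose columns do not agree with each other.

```python
"""Recover the heaven CrackMe password from the (al, bl) pairs observed at
loc_4016C5. Added example, not code from the original write-up.

Model (from the write-up): at each password position the loop compares a
set-point in al against a value in bl that moves by one for every one the
input byte moves, so the character the check wants is
    wanted = probe + (al - bl)   (mod 256)
where probe is the byte that was fed in for that position. ROWS is the
write-up's table, transcribed here as constructed input data; None stands
for the "N/A" row where no comparison was observed for that position.
"""

# (probe_char, al, bl, diff_as_recorded_in_table)
ROWS = [
    ("A", 0xF9, 0xD8, 0x21),
    ("b", 0xAF, 0x9F, 0x10),
    ("b", None, None, 0x00),
    ("b", 0xB4, 0x9B, 0x19),
    ("b", 0x75, 0x64, 0x11),
    ("b", 0x1C, 0x0A, 0x12),
    ("b", 0x86, 0x86, -0x01),
    ("b", 0xA2, 0x9B, 0x07),
    ("b", 0x6E, 0x5E, 0x10),
    ("b", 0x97, 0x9A, -0x03),
    ("b", 0xCC, 0xBC, 0x10),
    ("b", 0x8A, 0x87, 0x03),
    ("b", 0xA6, 0x94, 0x12),
    ("b", 0xCA, 0xCD, -0x03),
    ("b", 0x9F, 0x8A, 0x15),
    ("b", 0x6D, 0x6E, -0x01),
    ("b", 0xEE, 0xD7, 0x17),
    ("b", 0x20, 0x23, -0x03),
    ("b", 0x98, 0x86, 0x12),
    ("b", 0x99, 0x8C, 0x0D),
    ("b", 0x80, 0x83, -0x03),
    ("b", 0x3F, 0x39, 0x06),
    ("b", 0x7D, 0x7A, 0x03),
    ("b", 0x65, 0x66, -0x01),
    ("b", 0xC1, 0xAD, 0x14),
    ("b", 0xF6, 0xF3, 0x03),
    ("b", 0xBC, 0xB0, 0x0C),
    ("b", 0x84, 0x69, 0x1B),
]


def signed8(value: int) -> int:
    """Interpret an 8-bit result as a signed byte (al - bl wraps in the CPU)."""
    value &= 0xFF
    return value - 0x100 if value >= 0x80 else value


def wanted_char(probe: str, diff: int) -> str:
    """Apply the per-position diff to the probe byte, modulo 256."""
    return chr((ord(probe) + diff) & 0xFF)


def register_diffs(rows):
    """al - bl for each row, computed from the registers; None where not observed."""
    return [None if al is None else signed8(al - bl) for _, al, bl, _ in rows]


def inconsistent_rows(rows):
    """Rows whose recorded diff disagrees with al - bl: (index, computed, recorded)."""
    out = []
    for i, (computed, (_, al, _, recorded)) in enumerate(zip(register_diffs(rows), rows)):
        if al is not None and computed != recorded:
            out.append((i, computed, recorded))
    return out


def recover_password(rows, trust="registers"):
    """Rebuild the password from the rows.

    trust="registers": use al - bl wherever both were observed, falling back
    to the recorded diff for N/A rows. trust="recorded": use the table's diff
    column exactly as written.
    """
    chars = []
    for probe, al, bl, recorded in rows:
        if trust == "registers" and al is not None:
            diff = signed8(al - bl)
        else:
            diff = recorded
        chars.append(wanted_char(probe, diff))
    return "".join(chars)


if __name__ == "__main__":
    print(recover_password(ROWS, trust="recorded"))
    for idx, computed, recorded in inconsistent_rows(ROWS):
        print(f"row {idx}: al - bl = {computed:#x} but the table records {recorded:#x}")
```

Running it with `trust="recorded"` yields the 28-character password from the table's output column; with the default `trust="registers"` the seventh character comes out as `b` instead of `a`, because 86h - 86h is 0, not -01h, so one of those two register values in the table must have been misread. Re-checking that single position in the debugger is the quickest way to settle which.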
And this is the output of the program when passing the correct password: