Forum > Coding >

[REL] Reversal of a basic crackme

Posts: 224

Threads: 43

Joined: May, 2022

Reputation: -5

Posted

(All names of functions, variables etc have been renamed)

crackme link: https://crackmes.one/crackme/62c5da5d33c5d44a934e9684

 

In the main function of the program we see a call to a function which asks for a username with a maximum of 10 characters:

	push    ebp

	mov     ebp, esp

	sub     esp, 18h

	mov     dword ptr [esp], offset aWhatSYourUsern ; "What's your username? (MAX 10 CHAR): "

	call    _printf

	mov     dword ptr [esp+4], offset name

	mov     dword ptr [esp], offset a10s ; "%10s"

	call    _scanf

	call    encrypt_name

	nop

	leave

	retn

 

In the disassembly of the function we see a call to a function called "encrypt_name". If we go into the disassembly of this function we'll see the following:

(IDA Pseudo-code)

 

int encrypt_name()

{

  bool v0; // bl

  size_t i; // [esp+1Ch] [ebp-Ch]



  for ( i = 0; ; ++i )

  {

    v0 = strlen(name) > i;

    if ( (v0 & (strlen(name) > i)) == 0 )

      break;

    encrypted_name[i] = name[i] + i + 101;

  }

  return check();

}

 

 

We see that this function encrypts the name we passed and then calls a check function.

 

(IDA Pseudo-code)

 

int check()

{

  char Str1[18]; // [esp+16h] [ebp-12h] BYREF



  printf("What's the password? ");

  scanf("%s", Str1);

  if ( strcmp(Str1, encrypted_name) == 1 )

    return printf("Nice! Submit your solution on crackmes.one!");

  else

    return printf("Incorrect! Try again.");

}

 

Obviously this function checks our input against the encrypted name from earlier, and it makes use of the strcmp function to do so.

strcmp returns 0 if the two strings match and 1 if the first non-matching letter is greater (greater in terms of ascii codes) than the first non matching letter in the second string

 

What we need to do is really simple, simply replicate the encrypt function and return a key which has its first letter greater than the first letter in the encrypted name. 

 

#include <iostream>
#include <string_view>

std::pair<std::string, std::string> keygen( std::string_view name )
{
    std::string encrypted_name{ 10, '\0' };

    for ( auto i = 0; ; ++i )
    {
        const auto v0 = name.size( ) > i;
        if ( (v0 & ( name.size( ) > i ) ) == 0)
            break;
        encrypted_name[ i ] = name[ i ] + i + 101;
    }

    std::string key{ encrypted_name };
    key[ 0 ] =  encrypted_name[ 0 ] + 1;
    return { encrypted_name, key };
    
}

int main()
{

    const auto [ encrypted_name, key ] = keygen( "key" );

    std::printf( " %s\n%s ", encrypted_name.data( ), key.data( ) );

	return 0;
}

 

  • 2

Added

@_realnickk

 

templates simply "write code for you" at compile time, you'll see no references to templates if you look at a compiled application, you'll simply see the provided template arguments as normal code. 

  • 0

Added

@_realnickk

 

true ig

  • 0

https://media.discordapp.net/attachments/1044764388546068510/1051935933836050482/Signature_4.png

Users viewing this thread:

( Members: 0, Guests: 1, Total: 1 )