Crackme Writeup 2
danyad29011's Crackme
danyad29011's crackme is a Windows-based x86 executable written in C/C++. The challenge involves reverse-engineering the binary to crack a hardcoded encrypted password. With a difficulty rating of 2.0, it’s designed for intermediate-level reverse engineers, requiring knowledge of assembly, encryption schemes, and debugging techniques. The main objective is to analyse the binary, identify the encryption or obfuscation mechanism, and retrieve or bypass the password verification logic embedded within the program.
Once the main section of the executable is located, we can examine the initial part of its logic. The first observation is that the length of the entered password is compared to the hexadecimal value 0xC, which translates to 12 in decimal. This suggests that the hardcoded password has a length requirement of 12 characters. To proceed, we simply need to ensure that the password we enter matches this length, allowing the program to jump to the next section of the logic.
In this section, the effective address of the password is loaded into the EAX register, followed by a function call to crackme.1049E30. Once the function completes, a TEST instruction performs a bitwise AND operation on the AL register with itself. This operation is likely setting up a conditional check on the function's return value, which raises the question: what is this function actually doing?
But hold on, we're hackers, not computer scientists! Instead of digging deeper into the function's inner workings, we can simply modify the JE (jump if equal) instruction to JNE (jump if not equal) to bypass the check entirely, sparing us the headache.
This instruction loads the value at memory location [ebp-20] into the ECX register. Here, [ebp-20] holds the string IloveCr4ckM3. This string is compared with the user-entered password at [ebp-38], which suggests this is the hardcoded password we are trying to locate.
In this section, the memcmp function, a standard library function for comparing memory blocks, is used to compare the user-entered password in edx stored at [esp] with the hardcoded password in ecx stored at [esp+4]. If the two strings match, memcmp returns zero; otherwise, it returns a non-zero value. After the function call, the result is stored in eax. The test eax, eax instruction then performs a bitwise check on eax. If eax is zero (indicating a match), the Zero Flag (ZF) is set. This allows a conditional jump to be triggered, and the instruction pointer jumps to the "Access Granted" section, indicating a successful password match.
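To make the two checks described above concrete, here is a reconstruction in C of the verification logic as the writeup describes it. This is an added example written for this page, not the crackme's own source: the function names, the argument handling and the HARDCODED_PASSWORD constant are assumptions that mirror the observed behaviour (a length check against 0xC, then memcmp against the string found at [ebp-20], with a zero result meaning "Access Granted"). A second comparison routine is included to show the only hardening a comparison of this kind can offer on its own: avoiding memcmp's early exit so the result does not depend on how many leading bytes matched. It does not address the real weakness, which is that the secret sits in the binary as plaintext; fixing that means storing a salted hash instead of the password, which this example does not implement.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constants reconstructed from the analysis above: the length check
 * compares against 0xC (12) and the literal at [ebp-20] is the secret. */
#define PASSWORD_LEN 12
static const char HARDCODED_PASSWORD[] = "IloveCr4ckM3";

/* Mirrors the first gate: the entered length must equal 0xC. */
int length_ok(const char *input) {
    return strlen(input) == PASSWORD_LEN;
}

/* Mirrors the second gate: memcmp(input, secret, 12) followed by
 * "test eax, eax" / "je access_granted". memcmp returns 0 on a match,
 * which sets ZF and takes the jump. Returns 1 for "Access Granted". */
int check_password(const char *input) {
    if (!length_ok(input))
        return 0;
    return memcmp(input, HARDCODED_PASSWORD, PASSWORD_LEN) == 0;
}

/* Same decision, but every byte is visited regardless of where the first
 * mismatch occurs, so the comparison has no early exit. The secret is
 * still plaintext in the image; this only removes the data-dependent
 * control flow of memcmp. Returns 1 on a match. */
int check_password_fixed_time(const char *input) {
    if (!length_ok(input))
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < PASSWORD_LEN; i++)
        diff |= (unsigned char)input[i] ^ (unsigned char)HARDCODED_PASSWORD[i];
    return diff == 0;
}

int main(int argc, char **argv) {
    const char *input = argc > 1 ? argv[1] : "";
    puts(check_password(input) ? "Access Granted!" : "Access Denied");
    return 0;
}
```

Running the program with IloveCr4ckM3 as the first argument prints Access Granted!; any other input, including the right characters with one extra or missing, fails at the length gate or the comparison. Patching JE to JNE, as done in the writeup, inverts the branch after memcmp, which is why an incorrect 12-character input then reaches the success path.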
All that remains is to patch the modified executable and save the changes. We can now enter the password IloveCr4ckM3, which should result in the Access Granted! message. This indicates that we have successfully bypassed the password verification.
Have we actually solved this challenge? The answer is no. This was a lazy approach that technically works; however, it would be more impressive to reverse-engineer the executable to uncover the actual password, avoiding any need to patch the code directly. This will be covered in the next section.