
Linux JCWasmx86's cm002 Crackme Solution


Crackme: cm002

Author: JCWasmx86

Difficulty: 3.5/6.0

Platform: Unix/Linux

Language: C/C++

Architecture: x86-64


Description by Author: You have to think outside the box. Have fun!


Running the Application

Running the application gives the following results:

1.1 running the app

Solution

This is a relatively easy crackme if you look "outside the box", as the description says.

Here is the main function when opened in IDA:

2.1 main function

Let's go to the end. Here we find these three references used as the conditioning code; the code before it is just garbage meant to waste your time.

  • unk_410100
  • loc_401360
  • loc_401340

2.2 end of main function

Here I have renamed them according to their functionality:

2.3 renamed references

Bear with me a little; I will explain why I renamed them this way.
For now, remember that Correct_Password is stored in ESI
and Wrong_Password is stored in EDI.

This is what's inside Correct_Password:

2.4 inside Correct_Password

And this is what Wrong_Password looks like:

2.5 inside Wrong_Password

And finally the Validation_Function.
This is the only function we need to look at to work out the password algorithm.

2.6 Validation_Function

Inside the validation function we get a few important pieces of information that determine the overall shape and size of our password.

As you can see at 0x410100, a pointer to the given password is stored in the R8 register, so R8 points to the first character of the typed-in password.

Now look at 0x410107, 0x41010E and 0x410115, where the fifth, tenth and sixth characters of the password are compared with the ASCII values of the letter 'M', a space ' ' and a double quote '"' (IDA made these easy to read). If a comparison is not equal, the jnz takes us to 0x410133, where we jump again to RDI, which, if you remember, is Wrong_Password, and you get the "Wrong password!" prompt.

Take note that at 0x41011C the ninth character is compared with the slash character '/', but in this case the jump is taken if the character matches, so the ninth character must not be '/'.

The last two cmp instructions at 0x410123 and 0x41012A are again garbage code, as the results of these comparisons are never checked.
We can also conclude that the password must be at least 10 characters long because of the [r8+9] access.

In the end, this is what we are left with:

2.7 password recipe

Testing our hypothesis

According to this recipe, all of these sample passwords will be valid:

# each of these has a single space at the end
'0000M"000 '
'asdfM"jkl '
'1234M"789 '

3.1 correct answers output