Crackme: Crackme Speedrun
Author: Piggy63
Difficulty: 2.5/6.0
Platform: Windows
Language: C/C++
Architecture: X86
Description by Author: Very simple crackme, a hard-coded password. Only the first few characters of the user input are checked 😉 . Hex-Rays Decompiler can decompile this almost perfectly. It will take a bit of time to crack : ).
Let's run this crackme from the command prompt (without cmd, the program seems to exit by itself right after showing the ‘correct’ or ‘incorrect’ prompt).
After running it we see a simple ‘password:’ message.
Let's enter a sample password, ‘pwd’.
This is what we get:
The program gives the message ‘incorrect’ and hints that we should use the Hex-Rays decompiler to decompile this executable.
You can get the Hex-Rays decompiler with IDA Pro or the IDA evaluation version, but in this solution I am going to use the old-school IDA disassembler.
So let's open the executable in IDA (I have labeled the output, input and password-validation functions).
The view of the main function above shows the output function where the “Password: ” string is visible; the input password is stored in Str2 at offset 0x00401610.
After seeing Str2 being pushed at offset 0x00401627 and compared with the string “qwerty”, you might think the correct password is “qwerty”, but this is not right. The whole code inside the red border in the image below will never be executed; it is only there to trick you. The actual password is validated inside the function sub_401490.
Yes, you can patch the program to skip sub_401490, and then the password “qwerty” will work as well. But if you want to see what this function does, continue reading.
Here is the IDA view of function sub_401490.
Let me explain it step by step.
As you can see in the image above, a pattern is repeated six times: two values, “dword_4203A8” and “[ebp+var_hexvalues]”, are pushed before each call to sub_4015A0 (highlighted yellow).
Here dword_4203A8 is a counter that is incremented by one, from 0 to 5, inside sub_4015A0 on each call; from this we can also guess that the password is 6 characters long.
[ebp+var_hexvalues] holds the characters of the correct hard-coded password (Image 2.3). The characters (‘r’, ‘e’, ‘t’, ‘s’, ‘a’, ‘f’) are the reversed form of the correct password “faster”.
Inside sub_4015A0 each user-input character (1) is compared with these pushed characters (2) (Image 2.4). When the counter value reaches 5, the instruction at .text:004015B6 is executed and the value of dword_41F980 changes from 0 to 1. This will be useful in the last step.
(Image 2.3) If all 6 characters match, function sub_401573 is called, which replaces the offset of the “Incorrect” string with that of the “Correct” string.
(Image 2.3) In the last step, function sub_401460 (image below) is called, which checks whether the value of dword_41F980 is 0. If YES, it prints “Hint: decompile this exe………”. In our case, because the password was correct, its value was changed to 1, so it prints nothing and closes the program instead.
Here is the command prompt view for the correct password: faster
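To make the control flow of sub_401490 / sub_4015A0 / sub_401573 / sub_401460 easier to follow, here is an added C reconstruction of the check as the write-up describes it. This is not the crackme's own code: the variable and function names, the forward storage of the password, the early stop at the first mismatch, and the sample inputs are all assumptions made for the model, and only the behaviour the text reports (six per-character checks, a counter from 0 to 5, a flag raised on the last check, the hint printed when the flag stays 0) is taken from the page.

```c
#include <stdio.h>
#include <string.h>

/* Added reconstruction of the control flow described in the write-up, not code
   taken from the crackme. Names are assumptions; the binary only has raw
   addresses (dword_4203A8, dword_41F980, sub_4015A0, sub_401573, sub_401460). */

#define PASSWORD_LEN 6

static int g_counter = 0;        /* models dword_4203A8: index of the character under test */
static int g_reached_last = 0;   /* models dword_41F980: 0 until the 6th check has run */
static const char *g_result = "Incorrect"; /* string swapped by the sub_401573 model */

/* The hard-coded password. The write-up sees its characters listed in reverse
   ('r','e','t','s','a','f') in the disassembly; this model assumes the counter
   indexes the user input from the front, so it stores the password forwards. */
static const char g_expected[PASSWORD_LEN] = { 'f', 'a', 's', 't', 'e', 'r' };

/* Model of sub_4015A0: compare one input character with the pushed expected
   character, raise the flag once the last slot is reached, then advance the
   counter. Reads never go past the input's terminator (short inputs just fail). */
static int check_char(int *counter, char expected, const char *input, size_t len) {
    size_t idx = (size_t)*counter;
    char c = (idx < len) ? input[idx] : '\0';
    if (*counter == PASSWORD_LEN - 1) {
        g_reached_last = 1;      /* the effect the write-up attributes to .text:004015B6 */
    }
    (*counter)++;
    return c == expected;
}

/* Model of sub_401573: only ever reached after all six characters matched. */
static void mark_correct(void) { g_result = "Correct"; }

/* Model of sub_401490: six calls, one per character. Assumption: the chain
   stops at the first mismatch, which is the simplest way to explain why the
   hint is printed for a wrong password (flag left at 0) but not for the right one.
   Anything after the sixth character is never looked at. */
int validate_password(const char *input) {
    size_t len = strlen(input);
    g_counter = 0;
    g_reached_last = 0;
    g_result = "Incorrect";
    for (int i = 0; i < PASSWORD_LEN; i++) {
        if (!check_char(&g_counter, g_expected[i], input, len)) {
            return 0;
        }
    }
    mark_correct();
    return 1;
}

/* Model of sub_401460: the hint appears only when the flag was never raised. */
int hint_would_print(void) { return g_reached_last == 0; }

const char *result_string(void) { return g_result; }

int main(void) {
    /* constructed sample inputs: the two tried in the write-up plus two extras */
    const char *samples[] = { "pwd", "qwerty", "faster", "fasterXYZ" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = validate_password(samples[i]);
        printf("%-10s -> %s%s\n", samples[i], result_string(),
               (!ok && hint_would_print()) ? " (hint printed)" : "");
    }
    return 0;
}
```

Running the model shows the two properties the author points out: “qwerty” is rejected with the hint because the real check never looks at the decoy comparison in main, and any input starting with “faster” is accepted, since the six calls never examine a seventh character. That prefix-only, hard-coded comparison is exactly why the challenge is rated easy.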