
Piggy63's Crackme Speedrun Solution


Crackme: Crackme Speedrun

Author: Piggy63

Difficulty: 2.5/6.0

Platform: Windows

Language: C/C++

Architecture: X86


Description by Author: Very simple crackme, a hard-coded password. Only the first few characters of the user input are checked 😉. Hex-Rays Decompiler can decompile this almost perfectly. It will take a bit of time to crack : ).


Solution

Let's run this crackme from a command prompt (started outside cmd, the program exits on its own right after showing the 'correct' or 'incorrect' message, so you never get to read it).

After running it we see a simple 'Password:' prompt.

Image 1.1 – Running Program in CMD (Command Prompt)

Let's enter a sample password, 'pwd'.

This is what we get:

Image 1.2 – Incorrect Password

The program prints 'incorrect' and hints that we should use the Hex-Rays decompiler on this executable.

You can get the Hex-Rays decompiler with IDA Pro or with the IDA evaluation version, but in this solution I am going to use the old-school IDA disassembler view only.

So let's open the executable in IDA (I have labeled the output, input and password-validation functions).

IDA Disassembly

Image 2.1 – Main Function in IDA

The view of the main function above shows the output function where the "Password: " string is visible; the user's input is stored in Str2 by the call at offset 0x00401610.

After seeing Str2 pushed at offset 0x00401627 and compared against the string "qwerty", you might think the correct password is "qwerty", but it is not. The whole block of code inside the red border in the image below is never executed; it is only there to mislead you. The actual password is validated inside function sub_401490.

Image 2.2 – Inactive code in main function

Yes, you can patch the program to skip sub_401490, and then the password "qwerty" will work as well. But if you want to see what this function actually does, keep reading.

Here is the IDA view of function sub_401490:

Image 2.3 – IDA view of Function sub_401490

Let me explain it step by step.

As you can see in the image above, a pattern is repeated 6 times: two values, "dword_4203A8" and "[ebp+var_hexvalues]", are pushed before each call to sub_4015A0 (highlighted in yellow).

Here dword_4203A8 is a counter that is incremented by one, from 0 to 5, inside sub_4015A0 on each call; from this we can also guess that the password is 6 characters long.

[ebp+var_hexvalues] holds the characters of the hard-coded password (Image 2.3). The pushed characters ('r', 'e', 't', 's', 'a', 'f') are the correct password "faster" in reverse order.

Inside sub_4015A0 each user-input character (1) is compared with the pushed password character (2).

Image 2.4 – IDA View of Function sub_4015A0

(Image 2.4) When the counter reaches 5, the instruction at .text:004015B6 is executed and the value of dword_41F980 changes from 0 to 1. This matters in the last step.

(Image 2.3) If all 6 characters match, function sub_401573 is called, which replaces the offset of the "Incorrect" string with the offset of the "Correct" string.

(Image 2.3) In the last step function sub_401460 (image below) is called, which checks whether dword_41F980 is 0. If it is, it prints "Hint: decompile this exe………"; in our case, because the password was correct, the value was changed to 1, so it prints nothing and the program closes instead.

Image 2.5 – IDA View of Function sub_401460
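To make the control flow above concrete, here is a small C model of the check as the writeup describes it. This is an added reconstruction for illustration, not the crackme's source and not the author's code; the sub_/dword_ names are the IDA names quoted above, and two details the disassembly text does not spell out are assumptions: that sub_4015A0 stops at the first mismatch (which is what makes the hint appear only for wrong passwords), and the exact wording of the hint (the page only shows it truncated). The model also shows something the text only implies via the author's description: because exactly 6 characters are compared, any input that starts with "faster" is accepted.

```c
/* Model of the Crackme Speedrun check as described in the writeup.
 * Reconstruction for illustration only, not the crackme's own source.
 * Names follow the IDA labels used in the text. */
#include <stdio.h>
#include <string.h>

#define PASSWORD_LEN 6

/* dword_4203A8: index of the character currently being compared (0..5) */
static int counter_4203A8 = 0;
/* dword_41F980: 0 -> sub_401460 prints the hint, 1 -> it prints nothing */
static int flag_41F980 = 0;
/* the string offset the final message uses; sub_401573 swaps it */
static const char *result_str = "Incorrect";

/* The six characters pushed before the six calls to sub_4015A0, in the
 * order they appear in sub_401490: the password "faster" reversed. */
static const char pushed_chars[PASSWORD_LEN] = { 'r', 'e', 't', 's', 'a', 'f' };

/* Model of sub_4015A0: compare input[counter] with one expected character.
 * Assumption: a mismatch ends the check immediately. On a match the counter
 * advances, and when it has reached 5 (the last character) the flag is set,
 * mirroring the instruction at .text:004015B6. */
static int sub_4015A0(const char *input, char expected)
{
    if (input[counter_4203A8] != expected)
        return 0;
    if (counter_4203A8 == PASSWORD_LEN - 1)
        flag_41F980 = 1;
    counter_4203A8++;
    return 1;
}

/* Model of sub_401573: point the result at "Correct". */
static void sub_401573(void) { result_str = "Correct"; }

/* Model of sub_401460: print the hint only while the flag is still 0.
 * Hint wording is assumed; the page shows it truncated. Returns 1 if printed. */
static int sub_401460(void)
{
    if (flag_41F980 == 0) {
        puts("Hint: decompile this exe...");
        return 1;
    }
    return 0;
}

/* Model of sub_401490: six sequential calls to sub_4015A0, walking the
 * reversed character list from its end. Returns 1 if the password is accepted. */
int sub_401490(const char *input)
{
    counter_4203A8 = 0;
    flag_41F980 = 0;
    result_str = "Incorrect";
    for (int i = 0; i < PASSWORD_LEN; i++) {
        if (!sub_4015A0(input, pushed_chars[PASSWORD_LEN - 1 - i]))
            return 0;
    }
    sub_401573();
    return 1;
}

/* The flow of main as the writeup describes it: real check, result message,
 * then the hint function. The dead "qwerty" strcmp is deliberately left out. */
int check_password(const char *input)
{
    int ok = sub_401490(input);
    printf("%s\n", result_str);
    sub_401460();
    return ok;
}

/* What is left if sub_401490 is patched out: only the formerly dead
 * "qwerty" comparison from main decides the outcome. */
int check_password_patched(const char *input)
{
    return strcmp(input, "qwerty") == 0;
}

/* accessors so the state after a check can be inspected */
const char *result_string(void) { return result_str; }
int hint_flag(void) { return flag_41F980; }

int main(void)
{
    /* constructed sample inputs, not taken from the page */
    const char *inputs[] = { "pwd", "qwerty", "faster", "fasterXYZ" };
    for (int i = 0; i < 4; i++) {
        printf("Password: %s\n", inputs[i]);
        check_password(inputs[i]);
    }
    return 0;
}
```

Running it shows "Incorrect" plus the hint for "pwd" and "qwerty", and "Correct" with no hint for both "faster" and "fasterXYZ", which is the "only the first few characters are checked" behaviour the author mentions.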

Correct Password

Here is the command prompt view for the correct password, faster:

Image 3.1 – Correct Answer