Found this nice and small crackme at crackmes.de. Author comment:
Let us start solving it. We run the binary
A ptrace call with PTRACE_TRACEME is made at 0x200082, so we open the binary in IDA and break there.
We need eax=0 to bypass the ptrace check; if we pass it, we go to check_flag, which is:
This function expects a 4-byte input, then calls compute_answer, which leaves a value in ebx; that value is xored with our input, and if ebx=0 we win. Let us see what compute_answer does.
This function sets esi=&start and enters a loop that counts ecx down from 0xb7 to 0; each iteration reads a dword from esi into the computation and increments esi by 4. After the loop it xors ebx with 0x5508046b and returns, and the caller then xors ebx with our input. The range esi covers is [0x200008, 0x200008+(0xb7*4)], which contains our input, so our input affects the final value of ebx; patching the binary anywhere in this range also changes the result.
To compute the answer we need to dump all the dwords in the range mentioned above, with our input set to zero (or any other known value). The data we need to dump is:
We dump the above region and bruteforce the following dwords:
We need to figure out which input 0xXXYYZZJJ at 0x00200296 results in ebx being zero at the end. The following code bruteforces it.
Running this gives the possible inputs:
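As an added example (not the author's script, which is not reproduced above), here is a Python reconstruction of the same attack on compute_answer. The addresses, the loop count 0xb7 and the constant 0x5508046b come from the write-up; the per-iteration instruction is not named, so the emulator assumes a 32-bit add of each dword into ebx. Note that 0x200296 - 0x200008 = 0x28e is not a multiple of 4, so the 4 input bytes straddle two of the summed dwords (the low 2 bytes land in the high half of one dword, the high 2 bytes in the low half of the next). Under the add assumption the low 16 bits of the sum depend only on the high half of the input, which fixes the low half for each of the 65536 high-half values and cuts the search from 2^32 to 2^16 candidates, each verified by emulation. The dump embedded here is constructed for the demo, not the real binary; in practice you paste the dumped region.

```python
import struct

MASK = 0xFFFFFFFF
FINAL_XOR = 0x5508046B                 # constant xored into ebx after the loop (write-up)
RANGE_START = 0x200008                 # first dword esi points at (write-up)
DWORD_COUNT = 0xB7                     # loop counter ecx (write-up)
INPUT_ADDR = 0x200296                  # address of our 4 input bytes (write-up)
INPUT_OFF = INPUT_ADDR - RANGE_START   # 0x28E: not 4-aligned, input straddles two dwords


def compute_answer(region: bytes, user_input: int) -> int:
    """Emulate compute_answer plus the caller's final xor.

    region is the DWORD_COUNT*4-byte dump starting at RANGE_START.
    ASSUMPTION: each dword is ADDed (mod 2^32) into ebx; the write-up
    names the loop but not the accumulator instruction.
    Returns the final ebx; 0 means the check passes.
    """
    mem = bytearray(region)
    mem[INPUT_OFF:INPUT_OFF + 4] = struct.pack("<I", user_input)  # place our input
    ebx = 0
    for i in range(DWORD_COUNT):
        (dword,) = struct.unpack_from("<I", mem, i * 4)            # mov eax,[esi]; add esi,4
        ebx = (ebx + dword) & MASK
    ebx ^= FINAL_XOR
    return ebx ^ user_input


def solve(region: bytes) -> list:
    """Return every 32-bit input for which compute_answer() yields 0.

    Because of the unaligned slot the input adds (lo16 << 16) + hi16 to
    the sum, so sum & 0xFFFF depends only on hi16. For each hi16 the
    condition (sum ^ FINAL_XOR) & 0xFFFF == lo16 determines lo16 directly.
    """
    mem = bytearray(region)
    mem[INPUT_OFF:INPUT_OFF + 4] = b"\x00" * 4                     # base sum with input zeroed
    base = sum(struct.unpack("<%dI" % DWORD_COUNT, bytes(mem))) & MASK
    found = []
    for hi in range(1 << 16):
        lo = ((base + hi) ^ FINAL_XOR) & 0xFFFF
        candidate = (hi << 16) | lo
        total = (base + (lo << 16) + hi) & MASK
        if (total ^ FINAL_XOR) == candidate and compute_answer(region, candidate) == 0:
            found.append(candidate)
    return found


def sample_region() -> bytes:
    """Constructed dump for the demo (not the real binary's bytes).

    All zero except the first dword, which is chosen so that the input
    0x41424344 ("DCBA" in memory order) satisfies the check.
    """
    mem = bytearray(DWORD_COUNT * 4)
    struct.pack_into("<I", mem, 0, 0xD10605ED)
    return bytes(mem)


if __name__ == "__main__":
    for x in solve(sample_region()):
        print("input dword 0x%08x -> bytes %r" % (x, struct.pack("<I", x)))
```

To use it against the real crackme, replace sample_region() with the 0xb7*4 bytes dumped from 0x200008 (input bytes zeroed); if the loop turns out to use an instruction other than add, change only the one line in compute_answer and the candidate test in solve() accordingly.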