tiny-crackme

Found this nice and small crackme at crackmes.de[1]. Author comment:

1: http://crackmes.de/users/yanisto/tiny_crackme/

Let us start solving it. We run the binary:

So ptrace(PTRACE_TRACEME) is called at 0x200082; we open the binary in IDA and break there.

We need eax=0 to bypass the ptrace check: ptrace(PTRACE_TRACEME) returns 0 when the process is not already being traced and -1 (EPERM) when a debugger is attached. If we pass it we reach check_flag, which is:

This function expects a 4-byte input, then calls compute_answer, which leaves a value in ebx; check_flag xors ebx with our input, and if the result is zero we win. Let us see what compute_answer does.

This function sets esi=&start and enters a loop that counts ecx down from 0xb7 to 0; each iteration reads a dword from [esi], folds it into ebx, and adds 4 to esi. After the loop it xors ebx with 0x5508046b and returns, and check_flag then xors ebx with our input. The range esi covers is [0x200008, 0x200008+(0xb7*4)], i.e. up to 0x2002e4, which contains our input at 0x200296, so the input affects the final value of ebx (note that 0x200296 is 0x28e bytes past 0x200008, not a multiple of 4, so the input bytes straddle the dwords read at 0x200294 and 0x200298). Patching the binary anywhere in this range also changes the result.

To compute the answer we dump every dword in the range above, with our input set to zero (any fixed value works, as long as we remember which dwords hold it). The data we need to dump is:

We dump the region above and brute-force the following dwords:

We need to find which input 0xXXYYZZJJ at 0x00200296 makes ebx zero at the end, i.e. an input equal to a checksum that it itself feeds into. The following code brute-forces it:

Running this gives the possible inputs:
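As an added example (not the crackme's code and not the post's own brute-force script), here is a Python model of the whole check run over a constructed memory image instead of the real dump. It assumes the loop adds each dword into ebx mod 2^32 (the post only says ebx is "set with a value"), that the loop runs 0xb7 times, and that the input is a little-endian dword at 0x200296. Since 0x200296 is 0x28e bytes past 0x200008, the input straddles the dwords at 0x200294 and 0x200298, so with an additive checksum it contributes its own halves swapped; the search therefore walks the 2^16 possible high halves and derives the low half from each instead of trying all 2^32 values. build_image and plant_solution are test-data helpers: the first makes up bytes, the second fixes up one dword so the constructed image has a known answer.

```python
import struct

BASE = 0x200000          # the tiny binary is mapped at 0x200000 (addresses from the post)
SCAN_START = 0x200008    # esi = &start
SCAN_DWORDS = 0xb7       # ecx counts from 0xb7 down to 0 (assumed: one dword per count)
INPUT_ADDR = 0x200296    # where the 4 input bytes land
FINAL_XOR = 0x5508046b   # xored into ebx after the loop
MASK = 0xffffffff
IMAGE_SIZE = 0x300       # 0x200000..0x2002ff, past the scan end at 0x2002e4


def build_image(seed=0x1337):
    """Constructed stand-in for the dumped bytes: an LCG byte stream.
    These are NOT the crackme's real bytes; for the real thing dump the range."""
    buf = bytearray(IMAGE_SIZE)
    x = seed
    for i in range(IMAGE_SIZE):
        x = (x * 1103515245 + 12345) & MASK
        buf[i] = (x >> 16) & 0xff
    return buf


def rot16(x):
    """Swap the 16-bit halves of a 32-bit value."""
    return ((x << 16) | (x >> 16)) & MASK


def scan_sum(mem):
    """The loop in compute_answer: 0xb7 dwords from 0x200008 folded into ebx.
    The post does not name the instruction; addition mod 2^32 is assumed here."""
    ebx = 0
    for i in range(SCAN_DWORDS):
        (dword,) = struct.unpack_from('<I', mem, SCAN_START - BASE + 4 * i)
        ebx = (ebx + dword) & MASK
    return ebx


def compute_answer(mem, user_input):
    """compute_answer as seen from check_flag: the input is already in memory."""
    mem = bytearray(mem)
    struct.pack_into('<I', mem, INPUT_ADDR - BASE, user_input)
    return scan_sum(mem) ^ FINAL_XOR


def check_flag(mem, user_input):
    """ebx ^ input == 0: the input must equal a checksum it is itself part of."""
    return (compute_answer(mem, user_input) ^ user_input) == 0


def find_inputs(mem):
    """Search for inputs that are fixed points of check_flag.

    0x200296 is 0x28e bytes past 0x200008, i.e. 2 mod 4, so the input's low
    half sits in the top of the dword at 0x200294 and its high half in the
    bottom of the dword at 0x200298: with an additive checksum the input
    contributes rot16(input) to the sum.  The low 16 bits of the sum depend
    only on the input's high half, so for each high half the low half is
    forced, and a 2^16 walk replaces the 2^32 brute force."""
    mem = bytearray(mem)
    struct.pack_into('<I', mem, INPUT_ADDR - BASE, 0)   # dump taken with input = 0
    base = scan_sum(mem)
    hits = []
    for hi in range(0x10000):
        lo = ((base + hi) ^ FINAL_XOR) & 0xffff
        candidate = (hi << 16) | lo
        ebx = ((base + rot16(candidate)) & MASK) ^ FINAL_XOR
        if ebx == candidate and check_flag(mem, candidate):   # confirm on the full model
            hits.append(candidate)
    return hits


def plant_solution(mem, wanted):
    """Test-data helper (not part of the crackme): bump the first scanned dword so
    that `wanted` is a fixed point, giving the constructed image a known answer."""
    mem = bytearray(mem)
    struct.pack_into('<I', mem, INPUT_ADDR - BASE, 0)
    target = ((wanted ^ FINAL_XOR) - rot16(wanted)) & MASK
    delta = (target - scan_sum(mem)) & MASK
    (first,) = struct.unpack_from('<I', mem, SCAN_START - BASE)
    struct.pack_into('<I', mem, SCAN_START - BASE, (first + delta) & MASK)
    return mem


if __name__ == '__main__':
    image = plant_solution(build_image(), 0x41424344)
    for hit in find_inputs(image):
        print('candidate input: 0x%08x  bytes at 0x200296: %s'
              % (hit, struct.pack('<I', hit).hex()))
```

To use it on the real dump, replace build_image with the bytes read out of the process at 0x200000 (input zeroed), drop plant_solution, and if the loop turns out to use xor rather than add, change the one line in scan_sum and the half-derivation in find_inputs still holds, since xor does not carry either. Flipping any byte inside the scanned range changes the sum and so invalidates the found inputs, which is the patch sensitivity the post mentions.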

done.

Proxied content from gemini://0x80.org/gemlog/2016-02-19-practice-tiny-crackme.gmi.