chenx221/Reverse
1
0
Fork 0
Code Pull Requests Activity

solved new crackme

Browse Source
This commit is contained in:
Chenx221 2024-10-13 16:39:16 +08:00
parent ab7bb39fdb
commit 911f09829d
Signed by: chenx221
GPG Key ID: D7A9EC07024C3021
11 changed files with 314 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
brutecfcrackme/BruteCFcrackme.txt Normal file
View File

@ -0,0 +1,11 @@
October 2002-Greece
BruteCFcrackme by human_thought written in Win32Asm
Rate: 1-2/10
Hello dear crackers,
taking a break from the daily routine,i coded this crackme.This one should be solvable with a bit of bruteforce.Well,this is not the only way,but finding the key by thinking is a bit difficult but not impossible,of course.The key is deliberately small,as the purpose here is just to let you know of a possible way of encryption using a somehow "weird" way.I really don't know if someone has thought of this before,personally i've not seen it somewhere,but as i had this idea,i thought it would be nice to share with other crackers.
If you bruteforce,be sure to understand what is going on and explain it in your tutorial(if you write one).I would rate it about 1-2/10 personally.Just take a look at this...
Kind Regards,
human_thought

BIN
brutecfcrackme/bruteCFcrackme.exe Normal file
View File

Binary file not shown.

23
brutecfcrackme/keygen/FindKey.deps.json Normal file
View File

@ -0,0 +1,23 @@
{
"runtimeTarget": {
"name": ".NETCoreApp,Version=v8.0",
"signature": ""
},
"compilationOptions": {},
"targets": {
".NETCoreApp,Version=v8.0": {
"FindKey/1.0.0": {
"runtime": {
"FindKey.dll": {}
}
}
}
},
"libraries": {
"FindKey/1.0.0": {
"type": "project",
"serviceable": false,
"sha512": ""
}
}
}

BIN
brutecfcrackme/keygen/FindKey.dll Normal file
View File

Binary file not shown.

BIN
brutecfcrackme/keygen/FindKey.exe Normal file
View File

Binary file not shown.

13
brutecfcrackme/keygen/FindKey.runtimeconfig.json Normal file
View File

@ -0,0 +1,13 @@
{
"runtimeOptions": {
"tfm": "net8.0",
"framework": {
"name": "Microsoft.NETCore.App",
"version": "8.0.0"
},
"configProperties": {
"System.Reflection.Metadata.MetadataUpdater.IsSupported": false,
"System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": false
}
}
}

1
brutecfcrackme/knowledge.is.power Normal file
View File

@ -0,0 +1 @@
Пи

64
brutecfcrackme/solve.md Normal file
View File

@ -0,0 +1,64 @@
看起来要准备一个指定内容的密钥文件
先放解决方法:
crackme同路径下新建文件`knowledge.is.power`,内容`BF D8`
细节:
给`CreateFileA`下个断点,点击按钮就能找到检查的函数了
首先程序会读取文件的前5字节内容实际上只用前2字节
```assembly
004011E7 | 6A 00 | push 0 |
004011E9 | 68 80000000 | push 80 |
004011EE | 6A 03 | push 3 |
004011F0 | 6A 00 | push 0 |
004011F2 | 6A 00 | push 0 |
004011F4 | 68 00000080 | push 80000000 |
004011F9 | 68 F3304000 | push brutecfcrackme.4030F3 | 4030F3:"knowledge.is.power"
004011FE | E8 E9000000 | call <JMP.&CreateFileA> |
00401203 | 3D FFFF0000 | cmp eax,FFFF |
00401208 | A3 F8314000 | mov dword ptr ds:[4031F8],eax |
0040120D | 74 53 | je brutecfcrackme.401262 |
0040120F | 6A 00 | push 0 |
00401211 | 68 06324000 | push brutecfcrackme.403206 | lpNumberOfBytesRead
00401216 | 6A 05 | push 5 | nNumberOfBytesToRead
00401218 | 68 FC314000 | push brutecfcrackme.4031FC | lpBuffer
0040121D | FF35 F8314000 | push dword ptr ds:[4031F8] | file handle
00401223 | E8 D6000000 | call <JMP.&ReadFile> |
```
往下一点点就能看到程序对读取内容进行处理,再往后就是最后的检查了,有一点垃圾干扰,下面已经整理好了
```assembly
00401228 | B9 10000000 | mov ecx,10 |
0040122D | 8D35 FC314000 | lea esi,dword ptr ds:[4031FC] |
00401233 | 66:8B06 | mov ax,word ptr ds:[esi] |
00401236 | 33D2 | xor edx,edx |
00401238 | EB 02 | jmp brutecfcrackme.40123C |
0040123A | E8 | ascii | 垃圾
0040123B | 33 | ascii 3 | 垃圾
0040123C | 66:D1D0 | rcl ax,1 | Loop 0x10
0040123F | 66:13D0 | adc dx,ax |
00401242 | E2 F8 | loop brutecfcrackme.40123C |
00401244 | 66:81FA 7EA1 | cmp dx,A17E | 最后的比较
00401249 | 75 17 | jne brutecfcrackme.401262 |
0040124B | EB 02 | jmp brutecfcrackme.40124F | 成功
0040124D | E8 | ascii | 垃圾
0040124E | 33 | ascii 3 | 垃圾
0040124F | 6A 00 | push 0 |
00401251 | 68 06314000 | push brutecfcrackme.403106 | 403106:"KeyFile Present && Valid !!!"
00401256 | 68 23314000 | push brutecfcrackme.403123 | 403123:"Please contact our company so that we can provide you with the program now that you cracked its protection...;)"
```
说白了就是跑0x10次(`rcl ax,1`和`adc dx,ax`),最后和`0xA17E`对比
```
0040123C | 66:D1D0 | rcl ax,1 |
0040123F | 66:13D0 | adc dx,ax |
00401242 | E2 F8 | loop brutecfcrackme.40123C |
00401244 | 66:81FA 7EA1 | cmp dx,A17E |
```

10
brutecfcrackme/source/FindKey/FindKey.csproj Normal file
View File

@ -0,0 +1,10 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net8.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
</Project>

43
brutecfcrackme/source/FindKey/Program.cs Normal file
View File

@ -0,0 +1,43 @@
namespace FindKey
{
internal class Program
{
static void Main()
{
for (int i = 0; i <= 0xFFFF; i++)
{
if (CheckIfMatchesCondition((ushort)i))
{
Console.WriteLine($"Found match: 0x{i:X4}");
string filePath = "knowledge.is.power";
using (BinaryWriter writer = new(File.Open(filePath, FileMode.Create)))
{
writer.Write((ushort)i);
}
break;
}
}
}
static bool CheckIfMatchesCondition(ushort ax)
{
ushort dx = 0x0000; // sum
const ushort target = 0xA17E; // target value
int loopCount = 0x10; // loop count
bool cf = false; //0
while (loopCount > 0)
{
bool tcf = (ax & 0x8000) != 0; // 检查高位是否为 1
ax = (ushort)(ax << 1 | (cf ? 1 : 0)); // 左旋转 ax
cf = tcf; // 更新进位
tcf = (ax + dx + (cf ? 1 : 0)) > 0xFFFF; // 检查加法是否产生进位
dx += (ushort)(ax + (cf ? 1 : 0)); // 求和
cf = tcf; // 更新进位
loopCount--;
}
return dx == target;
}
}
}

149
brutecfcrackme/source/keygen1.sln Normal file
View File

@ -0,0 +1,149 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.11.35303.130
MinimumVisualStudioVersion = 10.0.40219.1
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "keygen1", "keygen1\keygen1.csproj", "{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "keygen2", "keygen2\keygen2.csproj", "{2446CB50-1882-4219-9DB0-E7F5517E6E20}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "keygen3", "keygen3\keygen3.csproj", "{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GiveMeSerial", "GiveMeSerial\GiveMeSerial.vcxproj", "{E3604156-7DF2-4B5F-AECA-64786B92F38C}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DllInjector", "DllInjector\DllInjector.csproj", "{A5A24406-1296-457B-91A3-60E67511D807}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GetSerial", "GetSerial\GetSerial.vcxproj", "{85044A5C-C4A3-4C79-9AD5-6895F61F8515}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "GuessSerial", "GuessSerial\GuessSerial.csproj", "{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Validator", "Validator\Validator.csproj", "{6BE1ED72-6CA9-4442-B529-C867A9D6904C}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "FindKey", "FindKey\FindKey.csproj", "{D5E3C871-EA87-48E7-9287-E96B8410EB18}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|Any CPU = Release|Any CPU
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Debug|Any CPU.Build.0 = Debug|Any CPU
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Debug|x64.ActiveCfg = Debug|Any CPU
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Debug|x64.Build.0 = Debug|Any CPU
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Debug|x86.ActiveCfg = Debug|x86
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Debug|x86.Build.0 = Debug|x86
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Release|Any CPU.ActiveCfg = Release|Any CPU
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Release|Any CPU.Build.0 = Release|Any CPU
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Release|x64.ActiveCfg = Release|x64
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Release|x64.Build.0 = Release|x64
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Release|x86.ActiveCfg = Release|x86
{D0E162E3-FC99-4405-BEE1-AB85D9D41DA9}.Release|x86.Build.0 = Release|x86
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Debug|Any CPU.Build.0 = Debug|Any CPU
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Debug|x64.ActiveCfg = Debug|x64
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Debug|x64.Build.0 = Debug|x64
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Debug|x86.ActiveCfg = Debug|x86
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Debug|x86.Build.0 = Debug|x86
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Release|Any CPU.ActiveCfg = Release|Any CPU
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Release|Any CPU.Build.0 = Release|Any CPU
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Release|x64.ActiveCfg = Release|x64
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Release|x64.Build.0 = Release|x64
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Release|x86.ActiveCfg = Release|x86
{2446CB50-1882-4219-9DB0-E7F5517E6E20}.Release|x86.Build.0 = Release|x86
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Debug|Any CPU.Build.0 = Debug|Any CPU
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Debug|x64.ActiveCfg = Debug|Any CPU
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Debug|x64.Build.0 = Debug|Any CPU
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Debug|x86.ActiveCfg = Debug|x86
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Debug|x86.Build.0 = Debug|x86
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Release|Any CPU.ActiveCfg = Release|Any CPU
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Release|Any CPU.Build.0 = Release|Any CPU
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Release|x64.ActiveCfg = Release|x64
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Release|x64.Build.0 = Release|x64
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Release|x86.ActiveCfg = Release|x86
{BC47A6DE-7F9D-4D65-A996-69FB778C95F3}.Release|x86.Build.0 = Release|x86
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Debug|Any CPU.ActiveCfg = Debug|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Debug|Any CPU.Build.0 = Debug|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Debug|x64.ActiveCfg = Debug|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Debug|x64.Build.0 = Debug|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Debug|x86.ActiveCfg = Debug|Win32
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Debug|x86.Build.0 = Debug|Win32
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Release|Any CPU.ActiveCfg = Release|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Release|Any CPU.Build.0 = Release|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Release|x64.ActiveCfg = Release|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Release|x64.Build.0 = Release|x64
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Release|x86.ActiveCfg = Release|Win32
{E3604156-7DF2-4B5F-AECA-64786B92F38C}.Release|x86.Build.0 = Release|Win32
{A5A24406-1296-457B-91A3-60E67511D807}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Debug|Any CPU.Build.0 = Debug|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Debug|x64.ActiveCfg = Debug|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Debug|x64.Build.0 = Debug|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Debug|x86.ActiveCfg = Debug|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Debug|x86.Build.0 = Debug|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Release|Any CPU.ActiveCfg = Release|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Release|Any CPU.Build.0 = Release|Any CPU
{A5A24406-1296-457B-91A3-60E67511D807}.Release|x64.ActiveCfg = Release|x64
{A5A24406-1296-457B-91A3-60E67511D807}.Release|x64.Build.0 = Release|x64
{A5A24406-1296-457B-91A3-60E67511D807}.Release|x86.ActiveCfg = Release|x86
{A5A24406-1296-457B-91A3-60E67511D807}.Release|x86.Build.0 = Release|x86
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Debug|Any CPU.ActiveCfg = Debug|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Debug|Any CPU.Build.0 = Debug|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Debug|x64.ActiveCfg = Debug|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Debug|x64.Build.0 = Debug|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Debug|x86.ActiveCfg = Debug|Win32
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Debug|x86.Build.0 = Debug|Win32
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Release|Any CPU.ActiveCfg = Release|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Release|Any CPU.Build.0 = Release|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Release|x64.ActiveCfg = Release|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Release|x64.Build.0 = Release|x64
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Release|x86.ActiveCfg = Release|Win32
{85044A5C-C4A3-4C79-9AD5-6895F61F8515}.Release|x86.Build.0 = Release|Win32
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Debug|Any CPU.Build.0 = Debug|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Debug|x64.ActiveCfg = Debug|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Debug|x64.Build.0 = Debug|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Debug|x86.ActiveCfg = Debug|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Debug|x86.Build.0 = Debug|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Release|Any CPU.ActiveCfg = Release|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Release|Any CPU.Build.0 = Release|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Release|x64.ActiveCfg = Release|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Release|x64.Build.0 = Release|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Release|x86.ActiveCfg = Release|Any CPU
{7B2D3886-A213-4F99-89F7-D0D7DDAA97D9}.Release|x86.Build.0 = Release|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Debug|x64.ActiveCfg = Debug|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Debug|x64.Build.0 = Debug|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Debug|x86.ActiveCfg = Debug|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Debug|x86.Build.0 = Debug|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Release|Any CPU.Build.0 = Release|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Release|x64.ActiveCfg = Release|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Release|x64.Build.0 = Release|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Release|x86.ActiveCfg = Release|Any CPU
{6BE1ED72-6CA9-4442-B529-C867A9D6904C}.Release|x86.Build.0 = Release|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Debug|Any CPU.Build.0 = Debug|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Debug|x64.ActiveCfg = Debug|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Debug|x64.Build.0 = Debug|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Debug|x86.ActiveCfg = Debug|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Debug|x86.Build.0 = Debug|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Release|Any CPU.ActiveCfg = Release|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Release|Any CPU.Build.0 = Release|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Release|x64.ActiveCfg = Release|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Release|x64.Build.0 = Release|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Release|x86.ActiveCfg = Release|Any CPU
{D5E3C871-EA87-48E7-9287-E96B8410EB18}.Release|x86.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {01ED3EE8-E89A-4A27-AF68-EF2490CB6BD7}
EndGlobalSection
EndGlobal