kernelkennel - crackmesA small blog against my writeups, learnings and non-sponsored views on a whole bunch of things around security.Zola2025-07-08T15:00:00+00:00https://kernelkennel.com/tags/crackmes/atom.xmlCrackMe2 by Pride2025-07-08T15:00:00+00:002025-07-08T15:00:00+00:00
noblenote
https://kernelkennel.com/posts/crackme2/<h1 id="crackme2-by-pride">CrackMe2 by Pride<a class="anchor" aria-hidden="true" href="#crackme2-by-pride" hidden="">#</a>
</h1>
<p>2025-07-08</p>
<p>First post! Here is my write up against the CrackMe2 binary by Pride, now kept on crackmes.one, previously *.de.</p>
<p>When opening the program itself, we're greeted with three major prompts and inputs:</p>
<ul>
<li>Asking for your name and inputting (it can take a string),</li>
<li>Asking for a serial (which is asked to be a whole number),</li>
<li>Asking for a master-serial, which seems to be a second stage serial.</li>
</ul>
<p>Couldn't seem to get much further than that when putting in a long string or a large number in either of these prompts and we'll play by the rules and assume the serial needs a number <em>truly</em> before fudging around with it.</p>
<p>Let's open this up in OllyDbg to understand the assembly, the underlying structure of the program we're running!</p>
<h3 id="enter-now">Enter NOW<a class="anchor" aria-hidden="true" href="#enter-now" hidden="">#</a>
</h3>
<p>When attaching OllyDbg as a debugger to the .exe, we have a very quaint start with not much of interest:</p>
<pre><code>PUSH EBP
MOV EBP, ESP
SUB ESP,8
MOV DWORD PTR SS:[ESP], 1
</code></pre>
<p>We're setting up the stack pointer and growing the stack.</p>
<p>Not too much is interesting here and we have a CALLs ahead of us with no idea if we have anything juicy yet or just a bunch of obfuscations, so let's simply <code>step-over</code> to jump out of anything distressing until we can't go any further because the program is pending out input into the buffer.</p>
<p>Let's set a breakpoint after this call (address <code>0x401448</code>) where we enter a name and then <code>step-over</code> to continue.</p>
<p><em>For the rest of this writeup you'll see that simply setting a breakpoint after a call that stops us because the program is pending input is a great initial move to understand what the program is doing.</em></p>
<h3 id="what-is-this-string-up-to">What is this string up to<a class="anchor" aria-hidden="true" href="#what-is-this-string-up-to" hidden="">#</a>
</h3>
<p>If we now <code>step-in</code> a few lines and jump into the CALL on <code>0x401458</code>, and move a bit down the call after inputting our serial, we see that the address <code>0x43C33A</code> is using strlen() and storing this into a DWORD offset from the EBP, interesting... we are getting the length of an inputted string from our <code>name</code> for future use.</p>
<p>On <code>0x40147B</code>, we jump into the CALL for putting in the serial. Let's set a breakpoint on the address <em>after this call to step line by line what we are doing!</em> This is at <code>0x401480</code> of course. Another call up ahead, and we will set another breakpoint after it at <code>0x40148B</code> with <code>ADD EAX, 0CA</code>.</p>
<p>Interesting! When breaking at this address before it runs through the addition, where ADD will do the following in pseudocode:</p>
<p><code>ADD <into this>, <this value></code></p>
<p>We can see that EAX has been populated with the value of strlen()! For me, this was B (decimal 11), and we're adding 0xCA which should go to 0xD5 given 0xB.</p>
<p>The next line is more arithmetic, so let's step-into/continue execution.</p>
<p>The next line is <code>XOR EAX, 3D8D40F</code>, meaning we now need to perform eXclusive OR against register EAX and 0x3D8D40F. eXclusive OR (XOR) is like a <em>not-equality operation</em>, in that the truth table is going to be as such:</p>
<p>A | B | A XOR B
1 | 0 | 1
1 | 1 | 0
0 | 1 | 1
0 | 0 | 0</p>
<p>Since one value (at EAX) is likely going to be way smaller than 0x3D8D40F (64541711), we're going to get something close to this value as all leading bits ahead of our much smaller number will be 0.</p>
<p>Given <code>0xD5</code>, we'll get <code>0x3D8D4DA</code> (64541914).
The next lines are interesting in that it is clear we'll likely be comparing this:</p>
<pre><code>MOV DWORD PTR SS:[EBP-38], EAX ;storing our result
MOV EAX, DWORD PTR SS:[EBP-30] ;getting a value further down the stack to EAX
CMP EAX, DWORD PTR SS:[EBP-38] ;we are comparing the two values!!!!!!!
JNZ SHORT CrackMe#.004014C6 ; the the apsr flags say its not zero(equal), lets jump
; if not, we can continue to "Gratz"!
</code></pre>
<p>Awesome! So the first serial check is solved. In short:</p>
<pre><code>- Enter name, any str
- CrackMe checks strlen(name) and stores somewhere
- We get strlen(name) + 0xCA
- This sum is XOR 0x3D8D40F
- Chcked for equality with stored value in EBP-30, which is a constant value.
</code></pre>
<p>Now we can get back and do the next keygen! Given this, we can get by with knowing the values for further debugging.</p>
<h2 id="master-serial">Master Serial<a class="anchor" aria-hidden="true" href="#master-serial" hidden="">#</a>
</h2>
<p>This one is a lot easier and we can use the same debugging techniques here. Make sure to set a breakpoint on any execution after the address that gets stuck running awaiting input!</p>
<p>We get stuck on <code>0x40152A</code> calls to input the master serial now, and what is interesting without even going in is that we have a very similar set of instructions after we RET from this input call:</p>
<pre><code>MOV EAX, DWORD PTR SS:[EBP-2C] ; we are getting a value from -2C
ADD EAX, DWORD PTR SS:[EBP-38] ; hey... we've seen this guy before....
ADD EAX, 0D75E9 ; add a value to our beautiful EAX
MOV DWORD PTR SS:[EBP-3C], EAX
MOV EAX, DWORD PTR SS:[EBP-34]
CMP EAX DWORD PTR SS:[EBP-3C]
JNZ CrackMe#.00401569
... ; see you space cowboy...
</code></pre>
<p>Hopefully it's a little clearer now what we may be doing with some static analysis and with a warmup from our dynamic searching of the first serial.</p>
<p>We are putting back in our first serial that is correct and adding it to EAX which as a value from <code>EBP-2C</code>. We then <code>ADD 0x0D75E9</code> and put it away into <code>EBP-3C</code> for safekeeping before checking it. When running the program, we can see that EBP-2C at <code>0x40152F</code> is a static value of <code>0x183A0</code> So this means in short:</p>
<pre><code>- MOV 0x183A0 to EAX
- ADD the previous serial to EAX
- ADD 0xD75E9 to EAX
- Put it away for safekeeping
- Pull in EBP-34 which is our 'true' master serial
- Check and jump if not equal!
</code></pre>
<p>Easy enough! This one is a lot more easier since this is just addition and some moving around values in the stack.</p>
<p>Simply get the previous correct serial, add <code>0x183A0</code> (99232) and <code>0xD75E9</code> (882153) and we're in business!</p>
<h3 id="keygen">Keygen<a class="anchor" aria-hidden="true" href="#keygen" hidden="">#</a>
</h3>
<p>Lovely simple keygen for this one, but great fun doing a little easy practice on x86 ASM. Let's put all we know into use now in a tidy script:</p>
<pre><code>def main():
name = input()
nameLen = int(len(name))
serial1 = nameLen + 0xCA
serial1 = serial! ^ 0x3D8D40F
print("First Serial: " + serial1)
serial2 = serial1 + 0x186A0 + 0xD75E9
print("Second Serial" + serial2)
if __name__ == "__main__":
main()
</code></pre>
<p>This was a great little crackme, if a bit simple!</p>