Welcome to the first post in a series about solving various crackme’s. This first post will feature a Crackme solution aimed for beginners. Since this is the first post, I decided to start off with an easy challenge. This crackme is taken from crackmes.one. Here is some information about the challenge:
- Category/Difficulty: Very easy
- Challenge name: Very Easy Very Simple C Code
- Platform: Windows
- Programmed in: C/C++
Opening up the binary
The first thing I chose to do was opening it up in IDA and we are thereafter met with the following main function.
We quickly spot something interesting, but to make it a bit more interesting, we’re trying to see if we can understand the structure of the program first, before we assume that the HEX above is the password.
Here the stack is set up in the beginning of the function, thereafter some bytes are push into a DWORD ptr. Here we see the brackets[] around esp+38 which means we’re putting some values onto the stack.
We’re met with a welcoming message, and we have a jmp instruction which looks like so:
First we go into a small basic block that depending on a value will either terminate the program which we will see later, or continue into it. Since we earlier had a value of 1 added onto the stack, I decided this was some sort of checker for number of tries left.
If it is less than or equal to 5, we go into the next block that prompts for a password. We see that it moves a dword pointer that the printf function takes as an argument.
Examining the scanf function
The tricky part here is to understand how the scanf function works. In some programs we see that arguments to the scanf function are pushed onto the stack, or placed in specific registers. An example is putting the format string “%s” in RDI and the variable itself in RSI. Here it seems like it depends on the values stored on the stack. Because we know that values are pushed in reverse order, from right to left, we know that %s is the first argument, and the char * the second. The next step is to find out what data is going into which variable.
We know that the scanf uses the esp+4 as an argument, and we know that this value is esp+1Ah. This means that the user supplied string is taken from esp+1Ah. Remember that this is not the variable that is used, but what variable is it then? In the beginning of the program we had two variables that were interesting.
We had:
If we then notice the string comparrison later, we compare:
esp+50+var_36 and esp+50+var_18
If we then go into an online hex calculator and try to subtract 36h from 50h, we get the following:
*initiate drumroll*… 1A!!
So we now know that the variable var_36, is actually OUR string, and it is compared to another string at
This value seems familiar, if we go back and look at the weird things being pushed onto the stack earlier, we see the following:
Our 38h is the beginning of the string it is being compared against, and as it looks obviously like hex, we can use IDA to help us out and translate it in an easy way. (Press R when marking it, or right click and find it)
The result is password123, because of endianness it is pushed in reverse order.
Password entered – What happens next?
When the password has been entered and compared against what we found out above, it is interesting to uncover the logic of the next parts.
As we can see here there is a rather straight forward brancing. If the strcmp from earlier returns something other than 0, it jumps to the left, where we notice that a hardcoded value of 5 is put into eax right after the puts instruction. We then take the value of 4Ch which we know earlier in the code was set to 1 initially. We subtract eax and this value and store it inside esp+44h. In the last part of the “wrong” block, we see a comparrison to 0, which means if the subtraction above equal 0, that is if 4Ch is 5. Then we are told we are out of guesses, and 4Ch is increased by 1. If we look at the jump we end up at:
As such, we can conclude we’re dealing with a for loop. This 4Ch is simply the counter value, which starts at 1 and ends at 6, giving us 5 tries. It simply knows when to print the “out of guesses” based on the subtraction.
To show what the actual program looks like, I have taken a screenshot of the program in action, displaying our findings.
Final thoughts
In general I believe the crackme was interesting enough, but that was not based on the challenge behind finding out the password. It used a very generic password, and it was not really hidden. I do believe the fun parts consisted of trying to understand what variable corresponded to what kind of data, and to uncover that we were dealing with a for loop construction. The level was rated as “Very easy” so I won’t give the author a hard time for that. It could have been done even easier, with hardcoded variables, that would be easily found with tools such as “strings” etc. It was an alright challenge and we learned something about how to spot loops and variables. Stay tuned for more writeups.