
Solving crackmes: part 1 (baby steps)

16 October 2013

Hello my friends.

Foreword:
First of all, I have to say I am not the best expert at this; I used to do a bit of cracking way back before I got into web application security, so I might be a little rusty.

That being said, I will try to cover everything, or at least point you to where you can read up more.

I will start from the very beginning; if you are experienced in this you should skip this and a few other parts (and hopefully I will actually write more parts in the future).

And last but not least, I will show you the easiest way I know, not the best practice or the typical textbook approach; sometimes we will just take shortcuts that are useful in some situations but not all.

Our specimen:
You can download it from crackmes; you will have to register, but it's worth it:
-> CrackMeAndGetKeyByWINUNDLIN13

The typical way to do it is to run the specimen in a disassembler, step through it, read the code, see how it calculates the key and then reproduce it. But as I said, my methods are not totally orthodox: since I am lazy, I take the shortcuts if it's worth it.

On the crackme's page it says: Language: .NET
When I saw that I smiled, because I saw a shortcut ahead.

There is a nice tool called .NET Reflector. It's $95, but it has a demo version that will do just fine.

Edit: Bran Mac Mufin (@BranMacMufin) mentioned that there are two free alternatives to .NET Reflector: JetBrains's dotPeek and Telerik's JustDecompile.

Download and install it, then from the program's menu go: File -> Open assembly.
Then open our file CrackMeAndGetKey.exe.

Believe it or not, that's it: we got all the secrets, we have the right formula now.


This is the decompiled click handler, reformatted for readability (the keygen further down was tested on Windows + Python 2.7):

public void Button1Click(object sender, EventArgs e)
{
    string name = null;
    name = MyProject.Computer.Name;
    name = (name + Conversions.ToString(Strings.Asc(name[0])))
         + Conversions.ToString(MyProject.Computer.Clock.LocalTime.Minute)
         + MyProject.Computer.Clipboard.GetText();
    if (this.textBox1.Text == name)
    {
        Interaction.MsgBox("You got the pass : D", MsgBoxStyle.ApplicationModal, null);
    }
    else
    {
        Interaction.MsgBox("Wrong pass, try again", MsgBoxStyle.ApplicationModal, null);
    }
}

That's how the pass is calculated:
First it gets the computer name:

name = MyProject.Computer.Name;

Then it appends the ASCII code of the first character of the computer name:

(name + Conversions.ToString(Strings.Asc(name[0])))

It appends the minutes of the current local time:

Conversions.ToString(MyProject.Computer.Clock.LocalTime.Minute)

And the tricky part: it gets the clipboard content and concatenates that as well.

MyProject.Computer.Clipboard.GetText()

################## STOP! ##################

If you know any programming or scripting language, I suggest that you try to write the solution yourself now.
It's easy and very essential for advancing and getting in the zone.

If you wrote your solution and tested it, you can scroll down and see my solution; if you didn't write a solution yourself, please write it later!

################### GO! ###################

So let's write the keygen, and since all cool people now write in Python, I will write them in Python unless the solution requires diving very deep down.

#!/usr/bin/env python
import os    # We need that to get the computer name.
import time  # We need that to get the current minute.
from Tkinter import Tk  # We need that for getting the clipboard contents.

r = Tk()
r.withdraw()
clipb = r.selection_get(selection="CLIPBOARD")  # Get the clipboard contents
minutes = time.localtime().tm_min  # Local minute of the hour, like LocalTime.Minute in the crackme
solution = os.environ['COMPUTERNAME']  # Computer name (Windows environment variable)
solution += str(ord(os.environ['COMPUTERNAME'][0]))  # ASCII code of its first character
solution += str(minutes)
solution += clipb
print solution

And if you remember, I said before that the clipboard is tricky.
If you copy the solution from the command line you will change the right answer, because the clipboard content is part of the key. So the best way to do it is to copy a random string like "test" first, then run the solution, and after pasting the result into the crackme window go and copy the initial string "test" again so they both match. Remember that the minute is part of the key too, so the whole thing has to happen within the same minute.
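To make the derivation above concrete, and to show in code why the clipboard and the minute trip people up, here is an added Python 3 example that is not part of the original post. It models the decompiled check as a pure function of its three inputs, so the key logic can be tested without touching the real hostname, clock or clipboard. The function names, the sample computer name "MYPC", the minute 42 and the clipboard text "test" are constructed values of my own; the `__main__` block reads the live inputs the way the keygen above does, and assumes tkinter is available for the clipboard.

```python
"""Pure-function model of the crackme's key check (added example, not the post's code).

The derivation is taken from the decompiled Button1Click handler:
    name + Asc(name[0]) + LocalTime.Minute + Clipboard.GetText()
Function and variable names are my own.
"""
import os
import platform
import time


def compute_key(computer_name, minute, clipboard_text):
    """Build the expected pass from explicit inputs.

    Strings.Asc returns the character code of the first character, so ord()
    matches it for ASCII names (for non-ASCII names Asc is code-page dependent,
    so this model only claims ASCII accuracy).
    """
    if not computer_name:
        # name[0] would throw in the crackme; fail loudly here instead.
        raise ValueError("computer name must not be empty")
    # Conversions.ToString on an int gives no zero padding, so minute 5 -> "5".
    return "%s%d%d%s" % (computer_name, ord(computer_name[0]), minute, clipboard_text)


def crackme_check(entered, computer_name, minute, clipboard_text):
    """Simulate the comparison the crackme performs at the moment of the click."""
    return entered == compute_key(computer_name, minute, clipboard_text)


def live_inputs():
    """Gather the real hostname and local minute like the keygen above.

    COMPUTERNAME is the Windows environment variable; platform.node() is a
    fallback for other systems (assumption: the model is only run for study).
    """
    name = os.environ.get("COMPUTERNAME") or platform.node()
    return name, time.localtime().tm_min


def demo():
    """Walk through the three situations the post describes, on constructed inputs."""
    name, minute, clip = "MYPC", 42, "test"      # constructed sample values
    key = compute_key(name, minute, clip)        # "MYPC7742test" (ord('M') == 77)
    # 1. Clipboard still holds "test" when the button is clicked -> pass.
    ok = crackme_check(key, name, minute, clip)
    # 2. The user copied the key itself, so the clipboard now holds the key
    #    and the crackme expects "...MYPC7742test" instead -> fails.
    copied_key = crackme_check(key, name, minute, key)
    # 3. The minute rolled over between generating and clicking -> fails.
    stale = crackme_check(key, name, minute + 1, clip)
    return key, ok, copied_key, stale


if __name__ == "__main__":
    name, minute = live_inputs()
    try:
        import tkinter
        root = tkinter.Tk()
        root.withdraw()
        clip = root.clipboard_get()
    except Exception:
        clip = ""  # no display or empty clipboard: key is computed without it
    print(compute_key(name, minute, clip))
```

Running `demo()` returns the constructed key together with True, False, False: the same key string passes only while the clipboard still holds the original "test" and the minute has not changed, which is exactly the ordering the post recommends.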

That's it for this part.
In the next part we will do some actual reversing and disassembling. Stay tuned!
