Easy Crackme

Writeup for Easy Crackme from Reversing.kr

Overview

Hola Amigos!!

Today I am trying the first crackme from reversing.kr marked as 100 points. It's a simple window crackme that uses some string comparisons to check and validate the input string.

Here is my little attempt to solve the first challenge.

I will be just using IDA freeware coz I am too broke to use IDA Pro. So, IDA Free all the way !!!!

Walkthrough

So, First thing first. I am going to run this executable to check its functionality.

On executing, it gives us an dialog box which contains an input field to enter a string.

Let's input some gibberish string to check.

So, It seems like a password checker. Alright, now we know we have to enter a password, And if the password is wrong, it will give us a pop-up "Incorrect Password".

So, let's open this binary in IDA Freeware. We already know the executable create dialog box. So, I am going to trace the call for the DialogBoxParam(WIN32 API to Creates a modal dialog box) in IDA.

Inspecting the file with IDA

On opening the file in IDA. We can see the call to the DialogBoxParam with the field lpDialogFunc having the function name DialogFunc. This function seems like it can help us and might be responsible for the input validation.

Inspecting DialogFunc

On opening the DialogFunc in the graph, we can see a branch loc40105E calling the EndDialog API which will invoke when the Dialog box closes. So, we dont wanna go there.

The other branch loc4041049 could be our main functionality as it makes a call to another function sub_401080 which seems interesting as it pushes Dlg(handle of the dialog box) just before it.

Inspecting function sub_401080

On inspecting the function sub_401080 we see a call to GetDlgItemText which implies that it takes the input from the dialog box and put it into a string. And if we will just look at the stack variable on top, we have four variables string, var_63, var_62 and var_60.

These variables are kind of too close to each other with respect to their offset. So, it seems like the variable string is the first part of the password, var_63 is one byte down from string. So, var_63 must be string[1] and same with var_62 and var_60. So, we can conclude :

var_ 63 = string[1]

var62 = string[2]

var60 = string[3]

So, we can assume that our password is the concatenation of 4 variables.

password = string + string[1] + string[2] + string[3]

I am going to rename these variables in IDA for ease and we will move ahead.

So, Just after the call to GetDlgItemText, we see a comparison of the byte stored in string[1] with 61h(ASCII Value = 'a'), If the check succeeds we move further in our code else it gives us a pop-up "Incorrect Password". Now we have our initial finding that our second variable contains 'a'.

Moving on to the next branch we see, our string[2] is pushed as parameter followed by a string "5y", and then it calls to function sub_401150, which basically checks if our string[2] is equal to "5y" or not.

Hence, we got the value of our third variable which is "5y".

So, far we have:

password = *a5y* (* = wildcard)

In the next branch, we see a string "R3versing" is passed into esi and our string[4] is passed into eax, which further goes into string comparison loop which checks each character of string[4] matches with "R3versing" or not. Hence, we got the last part of our password too. Now, we are left with the first part.

password = *a5yR3versing (* = wildcard)

Lets move forward,

Finally, we are checking the first character ot string with 45h(ASCII = 'E'). If they are not equal we get a pop-up of "Incorrect Password", else we get the "Congratulation !!" message.