312 words

2 minutes

ionchad's Simple crackme

2025-06-15

CTF Writeup

analysis

/

c

ionchad’s Simple crackme#

Entry Point#

1
int64_t main()          // Binary Ninja
2
void FUN_140001540()    // Ghidra
3
int __fastcall main()   // Hex-Rays

Static Analysis#

The code below displays a message box indicating success or failure based on the value of the flag variable:

1
if (!flag)
2
{
3
    lpCaption = "Error";
4
    lpText = "Invalid License";
5
}
6
else
7
{
8
    lpCaption = "Success";
9
    lpText = "License Accepted!";
10
}
11

12
MessageBoxA(nullptr, lpText, lpCaption, MB_OK);

The variable flag, which is of type bool, is assigned its value in the following section of the code:

1
if (count != possible_code_size)
2
    flag = 0;
3
else if (count)
4
    flag = !memcmp(possible_input_buffer, buffer2, count); // Core comparsion
5
else
6
    flag = 1;

As seen in the code, the variables possible_input_buffer and buffer2 are compared using memcmp() (for readability, the variable names have been renamed).

The code below is responsible for setting the value of possible_input_buffer.

1
int128_t* possible_input_buffer = possible_input_var;

The code below is responsible for setting the value of possible_input_var.

1
int128_t* possible_input_var = sub_140001350(&possible_input_type, &possible_input_char); // Possible input (fgets, gets, etc)

The above function, sub_140001350(), is presumed to be a user input function similar to fgets() or gets(), as it appears to read input from the user.

The code below is responsible for setting the value of buffer2.

1
if (var_80 > 0xf)
2
    buffer2 = moved_code_buffer;

The code below is responsible for setting the value of moved_code_buffer.

1
int128_t* moved_code_buffer = s;

The code below is responsible for setting the value of s.

1
sub_140001220(&s, &possible_code_buffer); // Possible variable data transfer (&possible_code_buffer -> &s)

The above function, sub_140001220(), is presumed to be a variable transfer function, as it appears to move the data inside the variable possible_code_buffer to s.

The code below is responsible for setting the value of possible_code_buffer.

1
strncpy(&possible_code_buffer, "KIWZ", 5);

Therefore, the expected program flag is as follows: KIWZ

Dynamic Analysis#

As expected, the program operates by prompting the user to enter a license, as shown below:

init

After entering KIWZ, a message box appeared confirming that the license was successfully accepted, as shown below.

result

Flag#

Therefore, the final flag of this program is as follows: KIWZ

ionchad's Simple crackme

https://fuwari.vercel.app/posts/ionchads-simple-crackme/

Author

The Rusty

Published at

2025-06-15

License

CC BY-NC-SA 4.0

MarcusHindey's Crackme protect

lovnzb08's zrox's crackme easy

1

ionchad’s Simple crackme