Alright, so here we have crackme4. It is going to be the most challenging crackme we have done yet, but it should be awesome! We can see that it's asking for 4 different things. If we type in any letters the program will crash, but it seems to accept numbers just fine. This is most probably because the variable the input is stored in is an integer, and we cannot put letters in an integer! So in the future, if you are working with other crackmes and you run into something like that, you know what's up. You will want to load the program in Olly, run it to the point where we get output on the screen, and then search for strings.
Okay, so I have highlighted the ASCII output in yellow and then the blocks of instructions that handle it. Comparing this to the last programs we looked at, we can see that there are no CMP instructions and no JNZ, JS, JMP, etc. So at first glance it would appear that the program is not checking the numbers immediately after we enter them. To speed things up a bit, I am not going to set any breakpoints yet, but feel free to set them where you like. Let's see what comes after the 4th entry at the bottom.
Okay, there is a lot going on here. So let's start with the blue. If you are color blind, I'm talking about the circular squarish part in the center. Let me step through each of these instructions in my head and translate what I'm thinking for you. We will start at the top with MOV EDX,DWORD PTR SS:[EBP-20]. You should already be familiar with the idea that EBP-20 refers to a variable. The value at EBP-20 will be moved into the EDX register. Just to be clear, it's not moving the EDX value to EBP-20; it's the other way around, sort of backwards. Alright, the next MOV EAX instruction will place the value at EBP-24 into EAX. Next we see IMUL EDX,EAX. This is integer multiplication (IMUL), so it is going to multiply the value in EDX by the value in EAX, and the product will be stored in EDX. It repeats this process of moving variables and multiplying until it hits the CMP instruction, which compares the value in EAX to the value at EBP-1C. It then goes to the JNZ instruction which, if taken, jumps to the FAIL message, which is bad! To practice learning what's happening, I would recommend entering the numbers 1, 2, 3 and 4 for your 4 values so you can actually watch it happen. Remember that the registers are shown in hexadecimal, so any number with two or more digits will not look like what you typed. To keep things easy to see, use single digits.
So go ahead and place your breakpoint on this MOV EDX instruction. I'm only going to place one breakpoint so that the program flow is easier to follow and we don't have to keep pressing play all the time. You should be familiar with doing that by now! So let's enter the values 1, 2, 3 and 4 for our numbers and then analyze step by step what happens.
EDX currently has a value of A, which is hex for 10. We don't care about that at all, but when we step, EDX will take the new value 1. Let's step and make sure that happens.
Alright, so the above shot shows us that EDX now has the value 1, and we are on the MOV EAX instruction, which should move our 2nd value into EAX. That value should be 2! Let's step one more time and confirm that 2 goes into EAX.
Check out EAX: it has 2 in it now, as expected! So now we are at the IMUL instruction. It is going to multiply 1 x 2 and put the result into EDX. 1 x 2 = 2, so we should see the EDX value change to 2 on the next step.
In the above shot we can see EDX has the value 2. We are now on another MOV instruction. The next value that we used was 3. On our next step we should see that EAX will have the value of 3. So far this should be an easy process to follow and understand. If it isn't, practice until you see it!
Alrighty, so now we are on the multiplication bit! 3 x 2 = 6, and 6 will be placed in the EDX register on the next step.
The above shot shows a blue line with our previous instruction. We can see that 6 was moved to EDX. The red line shows that 4 will be moved into EAX which is the last value that we entered. Lets step and see what happens.
As expected, 4 was put into EAX and now we are on our final multiplication of EAX x EDX. 6 x 4 = 24. The hex value 18 will be placed into EAX, but remember, 18 is the hex value of 24, so don't get confused!
Alright, so the hex value 18 is placed into EAX, the math worked out just like we expected and we were able to follow each and every instruction with accuracy and understanding! Now we hit our CMP instruction, which compares hex 18 to hex 91EC78. Obviously this is going to fail, because hex 18 is not equal to hex 91EC78. Here is what I would suggest you do before you proceed: you need to check whether that hex value stays the same or changes if we, say, put in new values. So restart the program, enter something like 5, 6, 7 and 8, take all the same steps and see if it is comparing against the same exact hex value.
You will find that the number stays the same. This is good for us, because we now have one piece of the puzzle for solving this crackme. Convert the hex value 91EC78 to decimal and you should get 9563256. So let's recap and figure this thing out, but it is important that you reflect on everything we have learned so far. Let's look at the facts...
#1 - Our values were multiplied against each other and the final result of all the multiplication was 24, or hex 18.
#2 - Our final value is compared to the value 9563256, and we double-checked in the program that this value never changes.
#3 - It seems that we need to figure out the correct numbers to multiply together to equal 9563256, which can be a pain!
#4 - We have to input 4 different numbers into the program.
Alright, so if you have no idea what prime factorization is, here is all you need to know for this lesson. If you multiply together all of the prime factors it gives you, you get back the value we need. You can multiply any combination of these numbers together, as long as you use ALL of the numbers given. However, remember that we need 4 numbers for our program, so all we need to do is use our brain to figure out how to get 4 numbers out of ALL of these factors by doing some multiplication.
First, let's separate our values (the prime factors of 9563256): 2 2 2 3 3 317 419
Ok, so I'm going to do my thing, and you can try different combinations if you want. There are multiple sets of numbers that will solve this. If this were a serial key, for example, there would be multiple serial keys that give a successful result. So let's begin:
2 x 419 = 838
Remaining Numbers: 2 2 3 3 317
317 x 3 = 951
Remaining Numbers: 2 2 3
2 x 3 = 6
Remaining Number: 2
So right now we have the following possible keys or values we can use; we can also enter them out of order to get more than one solution. You can also redo the multiplication differently and come up with completely different values, as long as you end up with a total of 4 numbers. There are many more combinations, but here are just a few that should work:
838, 951, 6, 2
951, 838, 2, 6
2, 6, 838, 951
6, 838, 2, 951
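Here is the whole procedure above in one small C program: the three IMULs and the CMP from the trace, the hex-to-decimal conversion of 91EC78, the prime factorization, and the grouping of the factors into 4 numbers. This is an added example written for this walkthrough, not the crackme's source code and not anything from the original post. The constant 0x91EC78 and the factors 2, 2, 2, 3, 3, 317, 419 come from the page; the function names are my own. The program goes one step beyond the text and lists every unordered grouping of the factors into four numbers, each of which (in any order) is accepted by the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constant the CMP reads from [EBP-1C] in the walkthrough (hex 91EC78 = 9563256). */
#define TARGET 0x91EC78u

/* The three IMULs traced above, as 32-bit arithmetic. IMUL on 32-bit
   registers keeps only the low 32 bits, so the product wraps modulo 2^32. */
uint32_t product_chain(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    uint32_t edx = a * b;   /* IMUL EDX,EAX  (1 x 2 = 2 in the trace) */
    edx *= c;               /* IMUL EDX,EAX  (2 x 3 = 6) */
    return edx * d;         /* final IMUL, result lands in EAX (6 x 4 = 0x18) */
}

/* The CMP / JNZ: non-zero means the success message is reached. */
int passes_check(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    return product_chain(a, b, c, d) == TARGET;
}

/* Trial-division prime factorisation. Stores the factors (with repetition,
   ascending) in out[] and returns how many were written. */
size_t prime_factors(uint32_t n, uint32_t *out, size_t max)
{
    size_t k = 0;
    for (uint32_t p = 2; (uint64_t)p * p <= n && k < max; p++) {
        while (n % p == 0 && k < max) {
            out[k++] = p;
            n /= p;
        }
    }
    if (n > 1 && k < max)
        out[k++] = n;       /* whatever is left over is itself prime */
    return k;
}

/* i-th prime factor of n (0-based, ascending), or 0 if there is none. */
uint32_t nth_prime_factor(uint32_t n, size_t i)
{
    uint32_t f[32];
    size_t k = prime_factors(n, f, 32);
    return i < k ? f[i] : 0;
}

typedef struct { uint32_t f[4]; } key4;

/* Every unordered way to write n as a*b*c*d with 2 <= a <= b <= c <= d.
   Each grouping is a set of four inputs the check accepts, in any order.
   Returns the total count and fills sols[] (up to max entries) if non-NULL. */
size_t four_factor_keys(uint32_t n, key4 *sols, size_t max)
{
    size_t count = 0;
    for (uint32_t a = 2; (uint64_t)a * a * a * a <= n; a++) {
        if (n % a) continue;
        uint32_t n1 = n / a;
        for (uint32_t b = a; (uint64_t)b * b * b <= n1; b++) {
            if (n1 % b) continue;
            uint32_t n2 = n1 / b;
            for (uint32_t c = b; (uint64_t)c * c <= n2; c++) {
                if (n2 % c) continue;
                uint32_t d = n2 / c;        /* d >= c because c*c <= n2 */
                if (sols && count < max) {
                    sols[count].f[0] = a; sols[count].f[1] = b;
                    sols[count].f[2] = c; sols[count].f[3] = d;
                }
                count++;
            }
        }
    }
    return count;
}

/* Sanity check: every grouping the enumerator produces must pass the
   reimplemented check, both in the order given and reversed. */
int all_keys_pass(uint32_t n)
{
    key4 sols[256];
    size_t count = four_factor_keys(n, sols, 256);
    if (count == 0 || count > 256) return 0;
    for (size_t i = 0; i < count; i++) {
        const uint32_t *f = sols[i].f;
        if (!passes_check(f[0], f[1], f[2], f[3]) ||
            !passes_check(f[3], f[2], f[1], f[0]))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("1,2,3,4 -> product 0x%X (%u), check %s\n",
           product_chain(1, 2, 3, 4), product_chain(1, 2, 3, 4),
           passes_check(1, 2, 3, 4) ? "passes" : "fails");

    printf("prime factors of %u:", TARGET);
    for (size_t i = 0; nth_prime_factor(TARGET, i); i++)
        printf(" %u", nth_prime_factor(TARGET, i));
    printf("\n");

    key4 sols[256];
    size_t nk = four_factor_keys(TARGET, sols, 256);
    printf("%zu distinct 4-number keys, for example:\n", nk);
    for (size_t i = 0; i < nk && i < 5; i++)
        printf("  %u %u %u %u\n", sols[i].f[0], sols[i].f[1], sols[i].f[2], sols[i].f[3]);
    return 0;
}
```

Because IMUL on 32-bit registers keeps only the low 32 bits of the product, the comparison is really modulo 2^32; the example uses uint32_t so it wraps the same way the real instructions do. Running it prints the 0x18 from the trace, the seven prime factors, and the count of distinct 4-number groupings, of which the author's 2, 6, 838, 951 is one.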
For speed, I am actually going to put Olly aside, launch crackme4 like I would any other program and try the values. The next section is a gallery of the same numbers in different orders.
To patch this one, I would just NOP out the jump instruction so it hits our success message every time. Please feel free to try it out. You could probably also CMP a register to itself, which has been working for us pretty well. Now for the source code!
Hope you guys are having fun! See You Soon!
Scott "R4v3N", co-founder and trainer for Top-Hat-Sec.