
lilcw's simple xor encryption #2
Download crackem2.zip, 5 kb (password: crackmes.de)
Description: well how to solve it?
Difficulty: 4 - Needs special knowledge | Rating: waiting for at least 3 votes
Solutions
Solution by Rain [Cls], published 16 Feb 2012; download (5 kb), password: crackmes.de.
Rain [Cls] has rated this crackme as quite nice.
Discussion and comments
lilcw (Author), 24 Oct 2007: no solution yet? :/
simpleuser, 27 Oct 2007: tried several things. no success yet. sounds like bruteforcing will be the only solution... just MsgBox + ExitProcess calls into such a big buffer, it could be anything... not as fun as #1.
MR.HAANDI, 29 Oct 2007: indeed, this can only be broken knowing how the protector deals with the input (only then you don't need to bruteforce this crackme). I could only solve it with this knowledge, maybe the author should give some more help ;)
lilcw (Author), 30 Oct 2007: well the decryptor for the main app is hiding in the encrypted area ;]
Lightning, 30 Oct 2010: I took a look at this crackme. In theory it could be broken by giving non-standard characters into the input but then you are only rewriting the code that is run. In an attempt to get the encrypted area to reveal the password I did a search for any number of characters that when xor'd against lower case and numbers would reveal normal text. Assuming that the end character is null, only 1 spot in the encrypted text showed up. Sadly, xor'ing a value into the last character to get a null then backing up 9 characters (based on above info) results in untypable characters. Either the decrypted portion contains no strings or the decrypted portion does another decryption internally resulting in no point of reference to determine the original password used.
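The search Lightning describes (XOR the buffer against candidate lower-case/digit key bytes and look for a spot that decrypts to normal text ending in a NUL) as an added example, not code from the crackme or from anyone on this thread. It assumes a 9-byte lower-case alphanumeric password applied as a repeating XOR key from buffer offset 0, and runs on a constructed buffer and password rather than the crackme's real ones.

```python
import string

# Assumptions (constructed for this example): the password is lower-case alphanumeric,
# 9 bytes long, applied as a repeating XOR key from buffer offset 0, and any hidden
# string ends with a NUL byte.
KEY_ALPHABET = frozenset((string.ascii_lowercase + string.digits).encode())
PRINTABLE = frozenset(range(0x20, 0x7F))  # "normal text" bytes


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_text_candidates(buf: bytes, key_len: int, min_len: int = 8):
    """Find offsets `end` where a NUL-terminated printable run could sit.
    A plaintext NUL means buf[end] equals the key byte, which pins that key index;
    the run is then extended backwards while some alphabet key byte keeps every
    byte of each key index printable.  Returns [(start, end, options)] sorted
    longest run first; options[j] is the set of key bytes still possible at index j."""
    hits = []
    for end in range(len(buf)):
        if buf[end] not in KEY_ALPHABET:
            continue
        options = {j: set(KEY_ALPHABET) for j in range(key_len)}
        options[end % key_len] = {buf[end]}
        start = end
        while start > 0:
            j = (start - 1) % key_len
            narrowed = {k for k in options[j] if (buf[start - 1] ^ k) in PRINTABLE}
            if not narrowed:  # no alphabet key byte keeps this position printable
                break
            options[j] = narrowed
            start -= 1
        if end - start >= min_len:
            hits.append((start, end, options))
    hits.sort(key=lambda h: h[0] - h[1])
    return hits


# Constructed sample: opcode-looking filler around one hidden NUL-terminated string.
CODE_BEFORE = bytes.fromhex("558bec83ec1033c08d45f050e89affff")
MESSAGE = b"Good job, now find the real decryptor!"
CODE_AFTER = bytes.fromhex("c39090cce8000000008bff558bec")
KEY = b"s3cr3tk3y"  # constructed 9-byte password, not the crackme's
BUF = xor_repeat(CODE_BEFORE + MESSAGE + b"\x00" + CODE_AFTER, KEY)

if __name__ == "__main__":
    for start, end, options in find_text_candidates(BUF, len(KEY)):
        pinned = "".join(chr(min(o)) if len(o) == 1 else "?" for o in options.values())
        print(f"run {start}-{end} ({end - start} bytes), pinned key bytes: {pinned}")
```

Bytes with the high bit set can never decrypt to text under a 7-bit key byte, so runs stop at them; that is what separates a real string from the surrounding code, and the NUL position pins one key byte exactly while the others are only narrowed.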
andrewl.us (Moderator), 16 Feb 2012: CONGRATS to RAIN - this is a long-standing crackme that had many minds against it! I don't understand why choosing the first 9 characters of the crypted buffer as a trial password (and replacing non-printable characters with dash '-') is useful, but here it reveals (via luck??) the loop instructions at 405461 and 405481. MANY passwords could have put a 0xE2 opcode somewhere in the buffer. Maybe Rain just has that cracker ZEN!
0xFFh, 18 Feb 2012: Excellent tutorial Rain. ;)
lilcw (Author), 13 Apr 2012: now I'm finally impressed, well done Rain [Cls] =]