
victordmelo's Fayzer crackme2
Download: Fayzer_crackme.zip, 6 kb (password: crackmes.de)
A simple crackme written in C, with a confusing algorithm but easy.
Difficulty: 2 - Needs a little brain (or luck)
Solutions
There are no solutions to this crackme yet. Have you solved it? Please write a tutorial and submit it here!
Discussion and comments
pxor, 21. Sep 2013:

.text:0040150E DD 1C 24              fstp    qword ptr [esp]            ; double
.text:00401511 E8 4A 05 00 00        call    _round
.text:00401516 DB BD F8 FE FF FF     fstp    [ebp+Float_from_name]      ; 80 bit float
.text:0040151C C7 04 24 5A 30 40 00  mov     dword ptr [esp], offset aWriteTheSerial ; "Write the serial: "
.text:00401523 E8 58 06 00 00        call    puts
.text:00401528 8D 85 14 FF FF FF     lea     eax, [ebp+Serial]
.text:0040152E 89 44 24 04           mov     [esp+4], eax
.text:00401532 C7 04 24 6D 30 40 00  mov     dword ptr [esp], offset aD ; "%d"
.text:00401539 E8 02 06 00 00        call    scanf
.text:0040153E DB 85 14 FF FF FF     fild    [ebp+Serial]               ; 32 bit integer
.text:00401544 DB AD F8 FE FF FF     fld     [ebp+Float_from_name]      ; 80 bit float (rounded)
.text:0040154A D9 C9                 fxch    st(1)
.text:0040154C DA E9                 fucompp
.text:0040154E DF E0                 fnstsw  ax
.text:00401550 9E                    sahf
.text:00401551 75 04                 jnz     short badserial
.text:00401553 7A 02                 jp      short badserial
.text:00401555 EB 10                 jmp     short loc_401567

This crackme is bugged: you are trying to compare an 80-bit float number to a 32-bit integer ... ofc this can work as long as the 80-bit float number is below 2147483648.
Marmoto, 22. Sep 2013:

I agree with pxor that this crackme could be bugged. The computed value to test against is always larger than 3.595e267 (at least on my machine), which is larger than any value a 32-bit int could store.
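The mismatch that pxor and Marmoto describe, as an added C example (it is not code from the crackme, its author, or either commenter): the name-derived value is rounded as a double and compared with fucompp against whatever scanf("%d") stored as a 32-bit int, so the check can only ever succeed when the rounded target itself fits in 32 bits. The rounding helper is my own stand-in for the C library round() so the file builds without libm; the only figures taken from the thread are pxor's 2147483648 bound and Marmoto's 3.595e267 magnitude, and the other sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the C library round() (round half away from zero), written
 * here so the example builds with a plain C compiler and no libm. Doubles
 * with |x| >= 2^52 are already integral and are returned unchanged. */
static double round_half_away(double x)
{
    if (x != x || x >= 4503599627370496.0 || x <= -4503599627370496.0)
        return x;
    long long t = (long long)x;            /* truncation toward zero */
    double frac = x - (double)t;
    if (frac >= 0.5)  return (double)(t + 1);
    if (frac <= -0.5) return (double)(t - 1);
    return (double)t;
}

/* The comparison in pxor's listing: the name-derived value is rounded as a
 * double (fstp qword ptr [esp] / call _round), held as an 80-bit value, and
 * compared with fucompp against the serial that scanf("%d") stored as a
 * 32-bit int (fild). Both operands are exact in x87 precision, so equality
 * is possible only when the rounded value is itself a 32-bit integer. */
bool serial_matches(double name_value, int32_t serial)
{
    long double expected = (long double)round_half_away(name_value);
    long double entered  = (long double)serial;   /* what fild produces */
    return expected == entered;                   /* otherwise jnz/jp -> badserial */
}

/* The range check the crackme never performs: can any input that
 * scanf("%d") accepts equal the target at all? */
bool target_reachable(double name_value)
{
    double r = round_half_away(name_value);
    if (r != r) return false;                     /* NaN never compares equal */
    return r >= (double)INT32_MIN && r <= (double)INT32_MAX;
}

int main(void)
{
    /* Constructed targets: Marmoto's magnitude, pxor's bound, and a small
     * value that a 32-bit serial can actually hit. */
    double samples[] = { 3.595e267, 2147483648.0, 12345.6 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("target %.4g: %s\n", samples[i],
               target_reachable(samples[i]) ? "reachable by a 32-bit serial"
                                            : "unreachable, every serial is rejected");
    }
    printf("serial 12346 for target 12345.6: %s\n",
           serial_matches(12345.6, 12346) ? "accepted" : "rejected");
    return 0;
}
```

Run it and the first two targets report as unreachable: with a name-derived value anywhere near 3.595e267, no input the "%d" conversion can produce will ever pass the fucompp test, which is exactly the bug both comments describe.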
Bargest, 01. Oct 2013:

First of all, the value in

.text:0040146C fld   [ebp+val_E8]
.text:00401472 faddp st(1), st
.text:00401474 fstp  [ebp+val_E8]

was not initialized, so it can contain random data at start. Also, there is a hardcoded value name[2], which produces two bugs: 1) the valid key for any 2-character name is equal to 0; 2) if the name length is 1 symbol, name[2] contains rubbish, and the hash value is unpredictable. At the end of the code we add length ^ 25, which gives nearly 10^11, and there is no way to get negative values during the count (name bytes are zero-extended to words). So there are plenty of bugs, but one of them makes the crackme crackable: just enter any name with length 2, and the serial will be equal to 0.
Bargest, 01. Oct 2013:

Oh, sorry, I forgot to write that [ebp+val_110] is not initialized too.