Cruehead CrackMe v2.0 - Tutorial

Cruehead CrackMe v2.0 - Local Download (3k).

Another Cruehead CrackMe (this time v2.0), which yet again demonstrates the use of the XOR logic operation. Launch the CrackMe and enter a password (I used CrackZ). As with CrackMe v1.0 you should easily trace to the following code: just >bpx GetDlgItemTextA or Hmemcpy and step (the pattern is almost identical to CrackMe v1.0):

:00401228 PUSH 0040217E <-- Password entered pushed to stack.
:0040122D CALL 00401365 <-- Trace this.
:00401232 PUSH 0040217E <-- Result of XOR-ing password entered.
:00401237 CALL 004013B8 <-- Trace this. (Compare XOR results).
:0040123C ADD ESP,04 <-- Tidy stack.
:0040123F TEST CL,CL <-- CX-low test for 0.
:00401241 JZ 0040124A <-- Jump_good_password.

Tracing the first part of 00401365 will take you through the same uppercasing routine which we saw in CrackMe v1.0. At address 00401390 each character in our entered password will be XOR-ed with the string Messing_in_bytes; this should immediately tell you that our good password must be the same length as the XOR key, i.e. 16 characters. The result of XOR-ing our entered password is then placed at address 0040217E before being compared with the correct XOR result in function 004013B8.

So you should be able to read from the data window the desired XOR result, i.e. what we should get when we XOR the correct password with Messing_in_bytes. Since XOR is its own inverse, to work out the correct password we simply XOR Messing_in_bytes with the desired result, which we read from EDI in function call 004013B8. I've shown the method below.

Messing_in_bytes = 4D 65 73 73 69 6E 67 5F 69 6E 5F 62 79 74 65 73
Correct password XOR result = 1F 2C 37 36 3B 3D 28 19 3D 26 1A 31 2D 3B 37 3E

So the first letter of the good password would be:

4D XOR 1F

0100 1101 <-- 4D
0001 1111 <-- 1F

0101 0010 <-- 52 = R

If you continue to XOR the remaining 15 characters you'll find that the good password is RIDERSOFTHESTORM, and since the program uppercases the password before XOR-ing, the check is not case-sensitive.


© 1998 CrackZ. 9th June 1998.