I've promised to post a solution, so here it is
the crackme does some simple checking first
len(name)>=5
len(key)>=0xA
then it loads an elf file from resources, which doesn't have anything linux-specific except for the file format, so the parts of it that are used run fine on windows
it calls 2 routines from it
the first routine hashes the username, identified by the genius cryptographer dcoder as cubehash
this hash is then fed into a big macro laden routine
it looks big, however when you look at the individual parts it's not that complicated
inside the big loop:
the first macro reverses the bits of a 64 bit var
the next few macros call another macro 32 times, we can simplify it to this
esi=bitset(local_134,63)?5043443f1755df4d:0
ecx=bitset(local_134,62)?5043443f1755df4d:0
ecx:edi^((esi:ebx^(local_138:local_134<<1))<<1)
simplifying further, it actually calls one macro twice
n=((n>>63)?0x5043443f1755df4d:0)^(n<<1), where n is a 64 bit number
the last few macros reverse the bits of n again
this looks very much like crc, in fact, it is a crc64 with a starting value of:
0x3537000000003735
and a polynomial of:
0xb2fbaae8fc22c20a (this is 0x5043443f1755df4d with its bits reversed)
the final value is xored with:
0x6b3e997a6008e054
a constant string and our key are fed into this routine, then the result is compared with the hash
to reverse this, we simply reverse the crc
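as an added worked example (my own code, not the crackme's and not from the original post), here is the crc64 above in python, both in the bit-reversed shape the disassembly shows and in the usual table form, plus the "reverse the crc" step: given the register state after the constant string and the wanted hash, eight bytes are peeled off backwards and then turned into key bytes forwards. it assumes the constant string is hashed before the key and that input bytes enter the low end of the register (the post's 32 two-bit rounds per loop iteration are the same function applied 8 bytes at a time). the constant string and the target hash are placeholders, since the real ones come from the crackme and the cubehash of the name, not from this page.

```python
# Added worked example (not the post's or the crackme's code): the crc64
# described in the post and the "reverse the crc" step used to build a key.

POLY = 0xB2FBAAE8FC22C20A      # reflected polynomial from the post
INIT = 0x3537000000003735      # starting value from the post
XOROUT = 0x6B3E997A6008E054    # final xor from the post
MASK = (1 << 64) - 1


def reflect64(n):
    """Reverse the bit order of a 64-bit value (the post's first/last macro)."""
    return int(f"{n:064b}"[::-1], 2)


def crc64_macro_form(data, reg=INIT):
    """CRC in the shape the disassembly shows: reverse the bits, apply the
    shift-left macro n=((n>>63)?0x5043443f1755df4d:0)^(n<<1), reverse back.
    Assumption: each input byte is xored into the low end of the register
    before the bit reversal."""
    poly_rev = reflect64(POLY)  # == 0x5043443f1755df4d
    for b in data:
        n = reflect64(reg ^ b)
        for _ in range(8):
            n = ((poly_rev if n >> 63 else 0) ^ (n << 1)) & MASK
        reg = reflect64(n)
    return reg


def _make_table():
    """Standard reflected-CRC byte table: 8 shift-right steps per index."""
    table = []
    for j in range(256):
        r = j
        for _ in range(8):
            r = (r >> 1) ^ (POLY if r & 1 else 0)
        table.append(r)
    return table


TABLE = _make_table()
# The top byte of TABLE[j] is unique for each j (POLY has bit 63 set), which
# is exactly what lets us run a byte step backwards.
INV_TOP = {v >> 56: j for j, v in enumerate(TABLE)}


def crc64(data, reg=INIT):
    """Same function as crc64_macro_form, in the usual table-driven form."""
    for b in data:
        reg = (reg >> 8) ^ TABLE[(reg ^ b) & 0xFF]
    return reg


def crc64_final(data):
    return crc64(data) ^ XOROUT


def forge_suffix(prefix, target):
    """Return 8 bytes p such that crc64_final(prefix + p) == target.

    Backward pass: from the wanted register value, each step's table index
    is fixed by the top byte, so all eight indices can be recovered without
    knowing the bytes.  Forward pass: starting from the known register state
    after the prefix, each byte is just index ^ (low byte of register)."""
    want = target ^ XOROUT
    idx = [0] * 8
    q = want
    for i in range(7, -1, -1):
        idx[i] = INV_TOP[q >> 56]
        q = ((q ^ TABLE[idx[i]]) << 8) & MASK
    reg = crc64(prefix)
    out = bytearray()
    for i in range(8):
        out.append(idx[i] ^ (reg & 0xFF))
        reg = (reg >> 8) ^ TABLE[idx[i]]
    return bytes(out)


def make_key(const, target_hash, filler=b"AA"):
    """Build a key of len >= 0xA for the check described in the post.
    Assumptions: the constant string is hashed first, then the key; the
    filler just pads the key to the required length."""
    return filler + forge_suffix(const + filler, target_hash)


if __name__ == "__main__":
    # constructed placeholders: the real constant string and the cubehash
    # output of the name come from the crackme and are not on this page
    const = b"<constant string from the crackme>"
    target = 0x0123456789ABCDEF
    key = make_key(const, target)
    print(key.hex(), hex(crc64_final(const + key)))
```

the backward pass works because the top byte of a table entry pins down its index, and the forward pass works because the register state after the prefix is fully known, so the two passes meet in the middle and the eight forged bytes are unique for a given prefix and target.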
most of eset's crackmes so far need a certain crc to be reversed, so you'd better get used to it if you do more :)