🎯 What is a Crackme?
A Crackme is a program created specifically for RE practice. The goal: find the correct password or bypass the authorization check.
This is a common practice in the RE community and there are thousands of crackmes at various difficulty levels.
📥 Where to Find Crackmes
- crackmes.one - The most popular site
- reversing.kr - Advanced challenges
- challenges.re - Wide variety
⚠️ Warning
Only download crackmes from trusted sources, and run them in a VM regardless: a crackme is an untrusted binary, and executing it on your host is executing someone else's code with your privileges.
🔬 Example Crackme
Let's analyze the following pseudo-code (roughly what Ghidra's decompiler will show you for the binary):

```c
#include <stdio.h>
#include <string.h>

int check_password(char *password);   /* defined below */

int main(void) {
    char input[32];
    printf("Enter password: ");
    scanf("%31s", input);             /* width limit keeps the read inside input[] */
    if (check_password(input)) {
        printf("Access Granted!\n");
    } else {
        printf("Wrong password!\n");
    }
    return 0;
}

/* Byte-by-byte check: fails at the first mismatch, never calls strcmp. */
int check_password(char *password) {
    if (strlen(password) != 8) return 0;
    if (password[0] != 'S') return 0;
    if (password[1] != 'E') return 0;
    if (password[2] != 'C') return 0;
    if (password[3] != 'R') return 0;
    if (password[4] != 'E') return 0;
    if (password[5] != 'T') return 0;
    if (password[6] != '1') return 0;
    if (password[7] != '2') return 0;
    return 1;
}
```
Task: Find the Password!
What is the correct password?
💡 Show Answer
The password is:
SECRET12
🔍 Approaches to Solving Crackmes
Approach 1: Static Analysis (Ghidra)
- Open the file in Ghidra
- Find main or the entry point
- Search for calls to strcmp, memcmp
- Search for interesting strings ("password", "correct", ...)
- Follow the logic of the password check
Approach 2: Dynamic Analysis (x64dbg)
- Open the file in x64dbg
- Set a BP on the comparison functions:
  bp strcmp
  bp memcmp
  bp lstrcmpA
- Run (F9) and enter any password
- When the BP hits, look at the arguments: in a 32-bit binary (cdecl/stdcall) they are on the stack at [esp+4] and [esp+8]; in a 64-bit Windows binary the first two are in RCX and RDX
- One argument is your input, the other is the correct password
- Caveat: this only works when the program compares the whole string with a library call. A check that compares byte by byte (like the example above) never calls strcmp; there, put a hardware BP on the input buffer after it is read and follow the code that touches it
Approach 3: Patching
Instead of finding the password, you can modify the code:

```asm
; before patch
cmp eax, 0
jne wrong_password   ; short JNE = 75 rel8 (2 bytes)

; after patch - inverted jump: any wrong input now succeeds
cmp eax, 0
je wrong_password    ; short JE = 74 rel8

; or: remove the jump, one NOP per byte of the original instruction
cmp eax, 0
nop                  ; NOP = 0x90
nop
```

Two caveats. Inverting the jump flips both outcomes, so the real password now fails while everything else passes; NOPing the jump makes every input pass. And the byte count matters: the short form is 2 bytes, but the near form (0F 85 rel32) is 6 bytes, so it needs six NOPs; overwriting fewer bytes leaves a garbage instruction behind.
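The patch above, done as a tool rather than by hand. This is an added example, not code from the page: it checks that the bytes at the offset really are a JNE before touching them, handles both the short (75 rel8) and near (0F 85 rel32) encodings, and offers the "invert" and "NOP" strategies. The sample byte strings are constructed here; `patch_file` is an assumed helper name.

```python
"""Patch a JNE so an authorization check always succeeds (added example)."""
from pathlib import Path

# x86 encodings (Intel SDM): short Jcc is opcode + rel8, near Jcc is 0F 8x + rel32.
JNE_SHORT, JE_SHORT = 0x75, 0x74
NEAR_PREFIX, JNE_NEAR, JE_NEAR = 0x0F, 0x85, 0x84
NOP = 0x90


def jne_length(image: bytes, offset: int) -> int:
    """Return the encoded length of the JNE at `offset`, or 0 if there is none."""
    if image[offset] == JNE_SHORT:
        return 2
    if image[offset] == NEAR_PREFIX and image[offset + 1] == JNE_NEAR:
        return 6
    return 0


def is_jne(image: bytes, offset: int) -> bool:
    return jne_length(image, offset) != 0


def patch_jne(image: bytes, offset: int, strategy: str = "invert") -> bytes:
    """Return a copy of `image` with the JNE at `offset` patched.

    "invert": JNE -> JE. The jump to the failure path is then taken only when
              the check passed, so any wrong input succeeds (and the real
              password fails).
    "nop":    overwrite the whole instruction with NOPs, so the jump is never
              taken and every input falls through to the success path.
    Raises ValueError if the bytes at `offset` are not a JNE, so a wrong
    offset never silently corrupts an unrelated instruction.
    """
    length = jne_length(image, offset)
    if length == 0:
        raise ValueError(f"no JNE at {offset:#x}: {image[offset:offset + 2].hex()}")
    buf = bytearray(image)
    if strategy == "invert":
        if length == 2:
            buf[offset] = JE_SHORT
        else:
            buf[offset + 1] = JE_NEAR
    elif strategy == "nop":
        buf[offset:offset + length] = bytes([NOP]) * length
    else:
        raise ValueError("strategy must be 'invert' or 'nop'")
    return bytes(buf)


def patch_file(path: str, offset: int, strategy: str = "invert") -> str:
    """Patch a binary on disk; writes <path>.patched and returns its name.

    `offset` is a FILE offset. The address x64dbg/Ghidra show is a virtual
    address; convert it through the section table before using it here.
    """
    src = Path(path)
    dst = src.with_name(src.name + ".patched")
    dst.write_bytes(patch_jne(src.read_bytes(), offset, strategy))
    return str(dst)


# Constructed samples: "cmp eax, 0 ; jne wrong_password" in both encodings.
SAMPLE_SHORT = bytes.fromhex("83f800" "7505")          # cmp eax,0 ; jne +5
SAMPLE_NEAR = bytes.fromhex("83f800" "0f8500010000")   # cmp eax,0 ; jne +0x100

if __name__ == "__main__":
    for name, img in (("short", SAMPLE_SHORT), ("near", SAMPLE_NEAR)):
        print(name, "invert:", patch_jne(img, 3).hex(), " nop:", patch_jne(img, 3, "nop").hex())
```

The opcode check is the part worth keeping in your own tooling: a patch applied at the wrong offset, or at a virtual address mistaken for a file offset, corrupts whatever instruction happens to live there and is painful to debug.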
📝 Practical Exercise
Exercise: Analyze the Assembly Below
This is real check_password code. What is the password?
```asm
check_password:
    push ebp
    mov ebp, esp
    mov eax, [ebp+8]          ; EAX = password pointer
    ; Check length
    push eax
    call strlen
    add esp, 4                ; cdecl: caller removes the argument
    cmp eax, 4
    jne fail
    ; Check char 0
    mov eax, [ebp+8]
    movzx eax, byte [eax]
    cmp al, 0x41              ; 'A' = 0x41
    jne fail
    ; Check char 1
    mov eax, [ebp+8]
    movzx eax, byte [eax+1]
    cmp al, 0x42              ; 'B' = 0x42
    jne fail
    ; Check char 2
    mov eax, [ebp+8]
    movzx eax, byte [eax+2]
    cmp al, 0x43              ; 'C' = 0x43
    jne fail
    ; Check char 3
    mov eax, [ebp+8]
    movzx eax, byte [eax+3]
    cmp al, 0x44              ; 'D' = 0x44
    jne fail
    mov eax, 1                ; success
    jmp done
fail:
    mov eax, 0
done:
    pop ebp
    ret
```
💡 Hint 1 - ASCII Table
0x41 = 'A', 0x42 = 'B', 0x43 = 'C', 0x44 = 'D'
💡 Answer
The password is:
ABCD
Length 4, and the characters are A, B, C, D in order.
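The exercise can also be solved mechanically. The script below is an added example (not part of the page): it parses the `movzx eax, byte [eax+i]` / `cmp al, imm8` pairs and the `cmp eax, N` that follows `call strlen` from a disassembly listing and rebuilds the expected string, so it also works when the checks are out of order or when the listing is much longer than this one. The listing embedded as sample input is a copy of the exercise above; the regexes assume Intel syntax as printed there.

```python
"""Recover a byte-by-byte password check from a disassembly listing (added example)."""
import re

# Constructed copy of the exercise listing, used as sample input.
LISTING = """
check_password:
    push ebp
    mov ebp, esp
    mov eax, [ebp+8]        ; EAX = password pointer
    push eax
    call strlen
    add esp, 4
    cmp eax, 4
    jne fail
    mov eax, [ebp+8]
    movzx eax, byte [eax]
    cmp al, 0x41            ; 'A'
    jne fail
    mov eax, [ebp+8]
    movzx eax, byte [eax+1]
    cmp al, 0x42            ; 'B'
    jne fail
    mov eax, [ebp+8]
    movzx eax, byte [eax+2]
    cmp al, 0x43            ; 'C'
    jne fail
    mov eax, [ebp+8]
    movzx eax, byte [eax+3]
    cmp al, 0x44            ; 'D'
    jne fail
    mov eax, 1
    jmp done
fail:
    mov eax, 0
done:
    pop ebp
    ret
"""

CALL_STRLEN = re.compile(r"\bcall\s+strlen\b")
LEN_CMP = re.compile(r"\bcmp\s+eax\s*,\s*(0x[0-9a-f]+|\d+)", re.I)
BYTE_LOAD = re.compile(r"\bmovzx\s+eax\s*,\s*byte\s*\[eax(?:\s*\+\s*(\d+))?\]", re.I)
BYTE_CMP = re.compile(r"\bcmp\s+al\s*,\s*(0x[0-9a-f]+|\d+)", re.I)


def _imm(text: str) -> int:
    """Parse an immediate written either as 0x41 or as decimal 65."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def recover_password(listing: str) -> str:
    expected_len = None    # from the cmp that follows call strlen
    chars = {}             # index -> expected character
    pending = None         # index loaded by the last movzx, waiting for its cmp
    after_strlen = False
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        if CALL_STRLEN.search(line):
            after_strlen = True
        elif after_strlen and (m := LEN_CMP.search(line)):
            expected_len = _imm(m.group(1))
            after_strlen = False
        elif m := BYTE_LOAD.search(line):
            pending = int(m.group(1) or 0)   # [eax] is index 0
        elif pending is not None and (m := BYTE_CMP.search(line)):
            chars[pending] = chr(_imm(m.group(1)))
            pending = None
    if expected_len is None:                 # no length check: infer it
        expected_len = max(chars) + 1 if chars else 0
    missing = [i for i in range(expected_len) if i not in chars]
    if missing:
        raise ValueError(f"no comparison found for positions {missing}")
    return "".join(chars[i] for i in range(expected_len))


if __name__ == "__main__":
    print(recover_password(LISTING))
```

The order-independence matters in practice: compilers and obfuscators rarely check the characters left to right, and a listing with the checks shuffled still yields the right string because each constant is keyed by the index it was loaded from.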
🎯 Bonus Task
Challenge: Download and Solve a Real Crackme
- Go to crackmes.one
- Search for a crackme with rating 1-2 (easy)
- Download and analyze
- Find the password or bypass the check
Recommended crackmes for beginners:
- Search for "easy" or "beginner" in the description
- Start with Windows crackmes (PE)
- 32-bit is easier to start with: arguments are passed on the stack, so they are simple to read at a breakpoint
📋 Tips for Solving Crackmes
💡 General Strategy
- Search for Strings - "wrong", "correct", "password"
- Search for Imports - strcmp, MessageBox
- Find the decision point - where does the code decide to succeed or fail
- Trace backwards - where does the checked value come from?
- Set BP - on comparison functions and input checking
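The string search from Approach 1 and the first tip above, as an added example rather than code from the page: a small `strings`-style scanner that, unlike a plain ASCII scan, also finds UTF-16LE text (what Windows GUI crackmes hand to MessageBoxW, and what the default `strings` run misses) and filters the hits by the keywords the tips suggest. The sample image is constructed inline and is not a real binary; `KEYWORDS` and `scan_file` are this example's own names.

```python
"""Find candidate password/result strings in a binary image (added example)."""
import re
from pathlib import Path

KEYWORDS = ("password", "correct", "wrong", "granted", "denied", "serial", "license", "key")


def find_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run of >= min_len chars.

    ASCII runs and UTF-16LE runs (printable byte followed by 0x00) are both
    reported; offsets are file offsets into `data`.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(hits)


def interesting(hits, keywords=KEYWORDS):
    """Keep only hits whose text contains one of the keywords (case-insensitive)."""
    return [h for h in hits if any(k in h[2].lower() for k in keywords)]


def scan_file(path: str):
    """Scan a file on disk and return the keyword hits."""
    return interesting(find_strings(Path(path).read_bytes()))


# Constructed sample image: fake DOS header, an ASCII prompt, binary noise,
# a UTF-16LE result message, a too-short wide fragment and an import name.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Enter password: \x00"
    + b"\x01\x02\x03"
    + "Access Granted!".encode("utf-16le") + b"\x00\x00"
    + b"x\x00y\x00"
    + b"strcmp\x00"
)

if __name__ == "__main__":
    for off, enc, text in interesting(find_strings(SAMPLE)):
        print(f"{off:#06x} {enc:8} {text!r}")
```

Use the offsets it prints as the starting point for the "trace backwards" step: find the cross-reference to the "wrong" string, and the conditional jump that leads to it is the decision point.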