Crackmes.one The Matrix solution
This crackme has four parts, increasing in difficulty. I’ll solve by analyzing the disassembly displayed as a graph in binary ninja.
Part 1
Notice part one has the strings immediately visible on lines 40121b and 401236. First username and password are requested, then the strings admin and password are requested, presumably for comparison. These credentials pass part one.
Part 2
Part two iterates through ten characters of input, accumulating their ascii values into rbx. Then to pass line 4012e7, rbx == 0x46d (1133) must be true. The ascii values of q and t are 113 and 116 respectively. Nine q’s and a t have the ascii sum 1133, therefore qqqqqqqqqt is a solution for part 2.
Part 3
Part three iterates through the third password given again. The goal is to pass line 4013c1, r13==0x3d8 (984).
Notice again this part iterates through 10 characters of input. In this loop the i’th character of password2 and password3 are summed, shifted right three, then multiplied by 4. The final value is accumulated into r13.
Here’s the math on how I found a password that reached 984:
a=password2=qqqqqqqqqt
b=password3=?
Σ4((a[i] + b[i]) >> 3) == 984
Σ((a[i] + b[i]) >> 3) == 246
9((113 + b1) >> 3) + ((116 + b2) >> 3) == 246
# Note `b1, b2 ∈ [32, 126] = usable ascii characters
# Since the sum of 10 characters is 246, a good b1 value will cause the character function to return 25.
(113 + b1) >> 3 = 25
113 + b1 = 200
b1 = 87 = "W"
# Sub b1 back into the whole equation
9((113 + 87) >> 3) + ((116 + b2) >> 3) = 246
9(200 >> 3) + ((116 + b2) >> 3) = 246
9(25) + ((116 + b2) >> 3) = 246
225 + ((116 + b2) >> 3) = 246
(116 + b2) >> 3 = 21
116 + b2 = 168
b2 = 52 = "4"Therefore a solution for password3 is WWWWWWWWW4
Part 4
To pass part four, r15 == 3 must be true. There are three new password requests, each one capable of incrementing r15, so each must be triggered.
In each loop, the program reads a number x, then checks thatx^3 - 6063x^2 + 12253322x == 8254653240.
If so, r15 is incremented.
Do a binary search for a working input:
def f(x):
return (x**3) + (-6063 * x**2) + (x * 12253322) - 8254653240
M = 1e100
m = -1e100
while True:
x = int((M + m) / 2)
y = f(x)
if y < 0:
m = x
elif y > 0:
M = x
else:
print(x)
break2021
And enter this the three times its asked.
$ ./thematrix
_ _ _ _____
| | | | | | |_ _|
| | | | ___| | ___ ___ _ __ ___ ___ | | ___
| |/\| |/ _ \ |/ __/ _ \| '_ ` _ \ / _ \ | |/ _ \
\ /\ / __/ | (_| (_) | | | | | | __/ | | (_) |
\/ \/ \___|_|\___\___/|_| |_| |_|\___| \_/\___/
_____ _ ___ ___ _ _
|_ _| | | \/ | | | (_)
| | | |__ ___ | . . | __ _| |_ _ __ ___ __
| | | '_ \ / _ \ | |\/| |/ _` | __| '__| \ \/ /
| | | | | | __/ | | | | (_| | |_| | | |> <
\_/ |_| |_|\___| \_| |_/\__,_|\__|_| |_/_/\_\
Sometimes going down the rabbit hole is the only path to the truth
_____________{The Enterance}___________
"Always check the door first!"
Username: admin
Password: password
Correct credentials
_____________{The Opening}___________
RCdgJUBwb0o2fGtXMjd4d0FRPz49cE1ubko3WkdpZ0NDQS8/YT5PXykocnFwdXRtbDJwaWhtbGtqaWhnYCZHXWJhWll9QD9bVFN3UVB0VE1McEpPSGxMLkpJSEdAZEQmQkE6OThcfTU6MzgxVS8uMyxQcSkuJyYlJEgoJyYlJGQieT99X3U7eXh3dm81bXJxamluZ2YsZGNoZ2ZlXl0jW2BZWF1WenlTUlFQVU5yTFFKbk4wL0VEQ2dHRihEQ0JBQDldPTZ8OjNXeDYvLjMsUCopTScsJSQpIkYmZmUjekB+d191dHl4cTdvV3NycXBpL21sa2QqaGdgZV5dI2FaWV5dXFV5WVhXUE9zU1JRSm4xMEZLRGgrQUZFREM8O18/IT08OzozV3gwNS4tLCtPKU1ubSsqKSInfkQx
"Decode the mysteries of nature!"
Input the key: qqqqqqqqqt
Correct key
_____________{The Middlegame}___________
"All roads lead to rome!"
Input a valid key: WWWWWWWWW4
Correct key
_____________{The Endgame}___________
2021
2021
2021
Congradulations, you managed to beat the Matrix!Notes
With the math figured out a keygen would be possible. The author likely had different, more meaningful keys that meant something, opposed to my keys that just fit the shape of the lock. Maybe it’s useful for the string of random text in the opening, I don’t know if that actually means anything.
Author: ThePhilosopher
Challenge Link: https://crackmes.one/crackme/617ec2cb33c5d4329c345422
Description:
Can you beat The Matrix ?!