Reverse Engineering Matrice

Get Matrice from crackmes.one Matrice. 

Note i have already uploaded my solution so if you don’t want to follow along you don’t need to. From here on you will need a basic understanding in assembly.

First Run.

When you first run the program this is what you see.

Click yes or no and get message saying Bye! or Not that way.

Debugging Time…

Well that tells us nothing, no where to enter a password or anything, lets open it with x32dbg [x64dbg.com] This debugger is free to use so i have chosen to use this and not IDA Pro tho i will be using this in other projects.

Sorry for the image being small you should be at the Entry Point 0x00401000.

Here straight away you can see call <matrice.IsDebuggerPresent>  Now we can either patch this with nop’s or change the Zero Flag to 0x1. we will patch this with nop’s.

Double Click    00401007 | 75 7C | jne matrice.401085 |

Now type in nop make sure Fill with NOP’s is ticked to keep the same size. 

Now the jne will not be taken now we can keep stepping by pressing F8. It now shows the dialog again.

We click No and we break at 00401028 | A3 0C 37 44 00 | mov dword ptr ds:[44370C],eax keep stepping till you get to : 0040104B | 81 3D 0C 37 44 00 74 45 | cmp dword ptr ds:[44370C],11144574 |If we keep stepping we get to 00401055 | 75 1B | jne matrice.401072 which will make us jump to the Bye! Dialog which we don’t want.

Going back to 0040104B | 81 3D 0C 37 44 00 74 45 | cmp dword ptr ds:[44370C],11144574 we need to go to the dump  view and press Ctrl+G and enter address 0044370C. 

We can see that  HEX[11144574] is compared with what is at address 0x0044370C. Now enter 74 45 14 11 at address 0x0044370C [Note] We enter it backwards. Select 8 bytes from 0x0044370C, press Ctrl+E. Change this to 74 45 14 11.

Keep stepping and now we have the dialog we was looking for. 

From here we are better to go back to 0040104B | 81 3D 0C 37 44 00 74 45 | cmp dword ptr ds:[44370C],11144574 and edit so we always get this  dialog when we click No.

This way we can now patch the file to always bring up the dialog when we click NO. Press Ctrl+P 

[NOTE] 74 45 14 11 Don't need patching as it is reset at the start to 0x07 that's why we changed the compare too 0x07. Now just click patch file and save it to what ever you want, now you can test the patched version by running it then pressing no and you should see the dialog.

Cracking The Password….

I always enter 4 0s [0000] to test. Time to set breakpoints, go to Handles Tab press F5 to refresh.  

Right Click Check, Choose Message Breakpoint and set it to WM_LBUTTONUP.

Now press Check and we now break in user32.dll, so we need to go to Memory Map Tab and right click .text and select memory breakpoint -> Execute ->SingleShoot

Now hit Run you should break at 0x0040108C.

Now from here we do alot of stepping but to keep it short we need to put a breakpoint at 0x004010D4

So we need to step into the call press F7. Now we are inside the main part to look at is :

This is where we get the length of the password 0040119C | E8 B9 00 00 00 | call <matrice.lstrlen> | when it has the string length it 

checks if it can divide by 6 : then can it divide by 7 :

simple maths 6×7 = 42 so the password is 42 length. Make sure you still have breakpoint on 0x004010D4 and go to Breakpoint Tab and remove user32.dll breakpoint so you only have 1.

press F9 to run as we have 4 length password. Now enter the new password copy n paste [ 000000000000000000000000000000000000000000 ]42 length of zero’s.When you Click Check you should be at the breakpoint with the call press F7 to step into.  We have now passed the too divides and compares, you should be here now:

The address 0x00443054 is where the input is stored, load this in the dump window by Ctrl+G and enter address.

cmp bl, 37h

now the first compare is first input to 0x37 if higher then fail, we have 0 which = 0x30

cmp bl, 23h

Compares first input if lower than 0x23 then fail, we have 0 which = 0x30

Now we passed all this we are at the magic point 

The base address from where we start is the most important 0x00403054 so go to this address in the dump window Ctrl+G enter the address.

[NOTE] We will be using the dump window alot so expanding it will help. Scroll down the dump window till you get to address 0x00403663 which equals 01. With offset 0x00403054 been mov to EDX, first and second inputs are multiplied together to make EAX then added to EDX then adds 1 to ECX then compares EDX and ECX.

Use Calc to find the difference from address 0x00403663 and 0x00403054.

00403663 ÷ 00403054

Here you will need a C Compiler to use the code i made to get first and second keys. I used Visual Studio.

when compiled and running 

These Are Decimals for Char’s 47 = / and 33 = ! This is only the first 2 chars.

we know that EAX is the prev char and EBX is the next char then multiplied then added to EDX to point to address that equals whats stored in ECX.

Here we need to find next char from finding the next value which is 0x02 in memory from 0x00403054 onwards when you find it get its address which is 0x00403873.

Repeat For All Keys…..

0x00403873 – 0x00403054 = 

Then compile code below.

[Note] This code will not compile on visual studio plus i only use coding for simple things so it's terrible i used MingW for this.

So after compiling we call it calc.exe for now we use it as calc.exe 33 2079. Using Decimal values for char Google image will help get the char decimals.

Recap.

So now your here you should have 3 chars , you keep using the calculator to find the difference from base address 00403054 and where next value is in memory 04,05 all the way to 2A = 42.