
# winapiadmin (Array) - Target:

  • Name: Array
  • Author: winapiadmin
  • Platform: Windows
  • Architecture: x86-64
  • Language: C / C++
  • Difficulty: 2.0 (Beginner) 🟡

Quality: 4.0 ⭐
Upload Date: 2023-11-13

  • Description: Some array crackmes with anti-debugging.

First, I start by running the target.

It asks for a username and a password!


Now let's move to IDA Pro and decompile the main() function:

  • We can see that the Buffer variable holds the username:

  • And the String variable holds the password that the user entered:


We can see that v5 holds the user-entered password, but as a 64-bit integer (to be more accurate, the string is not converted; its 64 bits are read as an integer).


These are the most important lines of code in this target. This if block determines whether the password is valid, so we need to reverse-engineer the condition.


So we know that the password, when represented as a 64-bit integer, must be equal to
v8.m128i_i64[Buffer[0] % 2] % 64 to be valid.


# What is v8:

  • v8 holds the value located at xmmword_140002320. That value is 6F6C6C654821646C726F57202Ch, and it is 128 bits (16 bytes) wide.

We can see that the value is only 13 bytes long, which means another 3 bytes are missing. We are going to fill the missing bytes with zeros, so it becomes 6F6C6C654821646C726F57202C000000h


  • Let's look again at v8 in the if block:

The m128i_i64 member separates the 128 bits into 2 * 64 bits, so we get this:


As we know, the Buffer variable holds the username, so the check takes the first character of the username (its ASCII value) and tests whether that value is odd or even. If the value is odd, the result is v8[1] (for example, 7 % 2 = 1), and if the value is even, it is v8[0].

A more visual explanation:


Going back to the if block, only the % 64 is left for us to analyze. The % 64 keeps only the 6 least significant bits. Let's do that, and suppose the username starts with the letter B, which is represented by the number 66. That is even, and even means v8[0], so let's extract its least significant 6 bits:

So we got 101100, which in decimal is 44. Now let's enter any username whose first letter has an even ASCII value (for example "B"):

And yeah we did it!
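The check analyzed above, reproduced as an added C example (not code from the crackme or from this writeup's screenshots). It assumes the constant is read the way a disassembler prints an xmmword, as a single 128-bit integer literal whose omitted digits are high-order zeros, with m128i_i64[0] being the low 64 bits; the names xmm_t, xmm_from_literal and expected_value are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two signed 64-bit lanes, like the m128i_i64 view of __m128i. */
typedef struct { int64_t i64[2]; } xmm_t;

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Assumption: the literal is one 128-bit integer, so digits are consumed
   from the right and any omitted digits are high-order zeros. Lane 0 is
   the low 64 bits, lane 1 the high 64 bits. Returns 0 on success. */
static int xmm_from_literal(const char *hex, xmm_t *out) {
    uint64_t lane[2] = {0, 0};
    size_t n = strlen(hex);
    if (n == 0 || n > 32) return -1;
    for (size_t i = 0; i < n; i++) {
        int v = hex_nibble(hex[n - 1 - i]);
        if (v < 0) return -1;
        lane[i / 16] |= (uint64_t)v << (4 * (i % 16));
    }
    out->i64[0] = (int64_t)lane[0];
    out->i64[1] = (int64_t)lane[1];
    return 0;
}

/* Evaluates v8.m128i_i64[Buffer[0] % 2] % 64 for an ASCII username.
   Returns INT64_MIN if the username is empty or the constant is invalid. */
static int64_t expected_value(const char *username) {
    xmm_t v8;
    /* Constant from xmmword_140002320 as quoted in the writeup. */
    if (!username[0] || xmm_from_literal("6F6C6C654821646C726F57202C", &v8))
        return INT64_MIN;
    return v8.i64[(unsigned char)username[0] % 2] % 64;
}

int main(void) {
    printf("B (even) -> %lld\n", (long long)expected_value("B"));
    printf("A (odd)  -> %lld\n", (long long)expected_value("A"));
    return 0;
}
```
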


Thanks for following the writeup.