
Write-up of the monkey_.exe_1 crackme

This is a write-up of monkey_.exe_1, a crackme written by monkey and published on, now available at . To get an idea of what the program does, we first run it normally. We see two message boxes:

Now that we know what we need to do, let's start running it in x64dbg. Once we get to the entry point, we see:

    00401000  mov edi, monkey-exe1.401014     ; edi:EntryPoint
    00401005  mov ecx, 47                     ; ecx:EntryPoint, 47:'G'
    0040100A  mov al, byte ptr ds:[edi]       ; edi:EntryPoint
    0040100C  xor al, 11
    0040100E  stosb
    0040100F  sub ecx, 1                      ; ecx:EntryPoint
    00401012  jne monkey-exe1.40100A

This is a loop where the bytes following 0x00401014 are decrypted into the instructions that will actually be executed, by XOR-ing them with 0x11. To see what this code is, we can place a breakpoint at 0x00401014 and then let the loop finish by allowing execution to continue. We see another decryption routine, and some code which creates a message box:

    00401016  mov
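As an added example (not code from the original write-up), a Python script that applies the decryption loop statically to a constructed sample image: it reads the destination, byte count and XOR key out of the stub's opcode bytes and decrypts that range, so the hidden code can be recovered without letting the sample run. The stub's byte encoding and the payload bytes are assumptions constructed for the example.

```python
import struct

# Byte layout of the seven-instruction stub from the write-up, re-encoded
# here as standard 32-bit x86 (an assumption; the page shows only disassembly):
#   BF imm32   mov edi, imm32        B9 imm32   mov ecx, imm32
#   8A 07      mov al, [edi]         34 imm8    xor al, imm8
#   AA         stosb                 83 E9 01   sub ecx, 1
#   75 F6      jne -10 (back to mov al, [edi])
STUB_LEN = 20

def parse_stub(image: bytes, off: int = 0):
    """Return (target_va, count, key) if a XOR stub starts at image[off], else None."""
    s = image[off:off + STUB_LEN]
    if len(s) != STUB_LEN or s[0] != 0xBF or s[5] != 0xB9:
        return None
    if s[10:12] != b"\x8a\x07" or s[12] != 0x34 or s[14] != 0xAA:
        return None
    if s[15:18] != b"\x83\xe9\x01" or s[18:20] != b"\x75\xf6":
        return None
    target = struct.unpack_from("<I", s, 1)[0]   # operand of mov edi
    count = struct.unpack_from("<I", s, 6)[0]    # operand of mov ecx
    key = s[13]                                  # operand of xor al
    return target, count, key

def unpack(image: bytes, base: int, off: int = 0) -> bytes:
    """Apply the stub's loop statically: XOR `count` bytes at `target` with `key`."""
    parsed = parse_stub(image, off)
    if parsed is None:
        raise ValueError("no XOR stub at offset %#x" % off)
    target, count, key = parsed
    start = target - base
    if start < 0 or start + count > len(image):
        raise ValueError("stub target %#x lies outside the image" % target)
    out = bytearray(image)
    for i in range(start, start + count):
        out[i] ^= key        # mov al,[edi] / xor al,key / stosb, once per byte
    return bytes(out)

# Constructed sample: the stub as listed above, followed by a 0x47-byte
# payload XOR-ed with 0x11 (placeholder data, not the crackme's real bytes).
BASE = 0x401000
STUB = bytes.fromhex("bf14104000" "b947000000" "8a07" "3411" "aa" "83e901" "75f6")
PLAIN = bytes(range(0x47))
SAMPLE = STUB + bytes(b ^ 0x11 for b in PLAIN)

if __name__ == "__main__":
    print(parse_stub(SAMPLE))                    # (4198420, 71, 17) = (0x401014, 0x47, 0x11)
    print(unpack(SAMPLE, BASE)[0x14:] == PLAIN)  # True
```

The same parser can be pointed at the bytes following 0x00401014 once they are decrypted, to check whether the second decryption routine the write-up mentions uses the same shape of loop.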