Showing posts from April, 2018

Write-up of the monkey_.exe_1 crackme

This is a write-up of monkey_.exe_1, a crackme written by monkey and published on, now available at
To get an idea of what the program does, we first run it normally. We see two message boxes:

Now that we know what we need to do, let's start running it in x64dbg. Once we get to the entry point, we see:
00401000  mov edi,monkey-exe1.401014    ; edi:EntryPoint
00401005  mov ecx,47                    ; ecx:EntryPoint, 47:'G'
0040100A  mov al,byte ptr ds:[edi]      ; edi:EntryPoint
0040100C  xor al,11

This is a loop that decrypts the bytes following 0x00401014 by XOR-ing them with 0x11, turning them into the instructions that will actually be executed. To see what this code is, we can place a breakpoint at 0x00401014 and then let the loop finish by allowing execution to continue.
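The same layer can also be recovered statically, without running the binary. The following is an added example, not code from the crackme or the original post: it reads the start address, length and key out of the four stub instructions listed above and XORs the range offline. It assumes that the value loaded into ecx (0x47) is the loop's byte count and that the image base is 0x00400000; the sample section is constructed, since the real file's bytes are not on this page.

```python
import struct

IMAGE_BASE = 0x00400000    # assumption: default 32-bit EXE image base
SECTION_RVA = 0x1000       # assumption: the stub starts this section

def parse_stub(code: bytes):
    """Return (start VA, byte count, key) from the stub's first four instructions."""
    # BF imm32 = mov edi,imm32    B9 imm32 = mov ecx,imm32
    # 8A 07    = mov al,[edi]     34 imm8  = xor al,imm8
    if len(code) < 14 or code[0] != 0xBF or code[5] != 0xB9 \
            or code[10:13] != b"\x8a\x07\x34":
        raise ValueError("not the expected XOR decoder stub")
    start_va = struct.unpack_from("<I", code, 1)[0]
    count = struct.unpack_from("<I", code, 6)[0]   # assumed to be the loop count
    return start_va, count, code[13]

def decode_layer(section: bytes, section_va: int):
    """Statically undo one XOR layer; returns (start VA, decoded bytes)."""
    start_va, count, key = parse_stub(section)
    off = start_va - section_va
    if off < 0 or off + count > len(section):
        raise ValueError("encoded range falls outside the section")
    return start_va, bytes(b ^ key for b in section[off:off + count])

def build_sample() -> bytes:
    """Constructed stand-in for the section: real stub head, filler, encoded body."""
    stub = bytes.fromhex("bf14104000" "b947000000" "8a07" "3411")
    stub += b"\x90" * (0x14 - len(stub))   # rest of the loop is not shown: filler
    plain = bytearray(b"\xcc" * 0x47)      # constructed placeholder plaintext
    plain[0x0C:0x0E] = b"\x8a\x07"         # mov al,[edi] at 0x00401020
    return stub + bytes(b ^ 0x11 for b in plain)

if __name__ == "__main__":
    va, plain = decode_layer(build_sample(), IMAGE_BASE + SECTION_RVA)
    print(f"decoded {len(plain)} bytes at {va:#010x}: {plain[:16].hex()}")
```

On the real file, pass the raw bytes of the section containing the entry point instead of `build_sample()`; a further layer would need its own parameters read from the decoded output.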

We see another decryption routine, and some code which creates a message box:
00401020  mov al,byte ptr ds:[edi]