Showing posts from April, 2018

Write-up of the monkey_.exe_1 crackme

This is a write-up of monkey_.exe_1, a crackme written by monkey and published on crackmes.de, now available at crackmes.one.
To get an idea of what the program does, we first run it normally. We see two message boxes:

Now that we know what we need to do, let's start running it in x64dbg. Once we get to the entry point, we see:
00401000  mov edi, monkey-exe1.401014     ; edi:EntryPoint
00401005  mov ecx, 47                     ; ecx:EntryPoint, 47:'G'
0040100A  mov al, byte ptr ds:[edi]       ; edi:EntryPoint
0040100C  xor al, 11
0040100E  stosb
0040100F  sub ecx, 1                      ; ecx:EntryPoint
00401012  jne monkey-exe1.40100A

This is a loop that decrypts the bytes beginning at 0x00401014 by XOR-ing each one with 0x11; the result is the instructions that will actually be executed. To see what this code is, we can place a breakpoint at 0x00401014 and then let the loop finish by allowing execution to continue.
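The same layer can be removed statically, without running the crackme. The Python below is an added example, not code from the original write-up: it matches the stub from the listing above, reads the start address, count and key from its operands, and applies the XOR to a copy of the buffer. The input is constructed: the stub bytes are assembled from the listing, the encoded region holds the first instructions of the next listing padded with NOPs, and two NOPs stand in for the bytes at 0x00401014, which the page does not show.

```python
import struct

ENTRY_VA = 0x00401000  # VA of the first stub byte, taken from the listing

def parse_xor_stub(code: bytes):
    """Return (start_va, count, key) if code begins with the XOR stub."""
    # Layout: BF imm32 | B9 imm32 | 8A 07 | 34 key | AA | 83 E9 01 | 75 rel8
    if (len(code) < 20 or code[0] != 0xBF or code[5] != 0xB9
            or code[10:13] != b"\x8a\x07\x34"
            or code[14:18] != b"\xaa\x83\xe9\x01" or code[18] != 0x75):
        raise ValueError("buffer does not start with the expected stub")
    start_va = struct.unpack_from("<I", code, 1)[0]   # operand of mov edi
    count = struct.unpack_from("<I", code, 6)[0]      # operand of mov ecx
    if count == 0:
        # sub/jne tests after the first pass, so ecx=0 would wrap to 0xFFFFFFFF
        raise ValueError("zero count: loop would not terminate normally")
    return start_va, count, code[13]

def decode_layer(code: bytes, base_va: int = ENTRY_VA):
    """XOR the stub's region in a copy; return (decoded, start_va, count, key)."""
    start_va, count, key = parse_xor_stub(code)
    off = start_va - base_va
    if off < 0 or off + count > len(code):
        raise ValueError("encoded region lies outside the buffer")
    out = bytearray(code)
    for i in range(off, off + count):
        out[i] ^= key
    return bytes(out), start_va, count, key

def build_sample() -> bytes:
    """Constructed input: stub from the listing plus an encoded 0x47-byte region."""
    stub = bytes.fromhex("bf14104000 b947000000 8a07 3411 aa 83e901 75f6")
    # 9090 is a placeholder for the two bytes at 0x401014 (not shown on the page)
    plain = bytes.fromhex("9090 bf3f104000 b91c000000 8a07").ljust(0x47, b"\x90")
    return stub + bytes(b ^ 0x11 for b in plain)

if __name__ == "__main__":
    decoded, start_va, count, key = decode_layer(build_sample())
    print(f"decoded {count:#x} bytes at {start_va:#010x} with key {key:#04x}")
    print(decoded[start_va - ENTRY_VA:][:16].hex(" "))
```
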

We see another decryption routine, and some code which creates a message box:
00401016  mov edi, monkey-exe1.40103F
0040101B  mov ecx, 1C
00401020  mov al, byte ptr ds:[edi]
00401…