secrary[dot]com

Reversing Imagination Crackme by kratorius


Overview

Imagination is a medium-difficulty crackme challenge from the crackmes.de archive designed to test a researcher’s reverse engineering skills.

Challenge Details

  • Name: Imagination
  • Author: kratorius
  • Difficulty: Medium
  • Platform: Windows
  • SHA1: C052CDAD49297F854E832208AFB7CAB8D637C870

Initial Analysis

The crackme presents a simple GUI interface without traditional username/password fields:


Behavior

When clicking “Unlock Me”, the program:

  1. Attempts to open ohmygod.bmp from the current directory.
  2. Performs specific file checks and manipulations.
  3. Validates the result against internal criteria.

After clicking the Unlock Me button, the function at 0x0401470 executes. It tries to open the ohmygod.bmp file from the current directory of the crackme.


NOTE: Ange Albertini’s poster about BMP is very helpful if, like me, you don’t know anything about the BMP file structure.

After successfully opening the file, it calls the function at 0x0401040 (renamed by me as parse_header_0x0401040).


It reads 14 bytes and then 40 bytes from the file by calling ReadFile twice. According to MSDN, 14 bytes is the size of a BITMAPFILEHEADER structure and 40 bytes is the size of a BITMAPINFOHEADER structure.

After that, there are several checks of header fields: bfType, biBitCount, bfSize, and biCompression.

It also checks biHeight, biWidth, biPlanes, and biSize. From the checks, we can calculate that biHeight is 0x49 and biWidth is 0x19c. According to MSDN, biPlanes must be set to 1, and biSize is the size of BITMAPINFOHEADER, so it’s 0x28.

Now we know what values it expects from the headers of the ohmygod.bmp file.

After that, it sets the file pointer to offset 0x36 (14 + 40, the combined size of the two headers) from the beginning of the file. It then reads 4 bytes and writes the sum of the first 3 of them to a buffer, repeating this process 9 times. For example, if the 36 bytes of data are all 0x1, the buffer would be nine bytes of 0x3.

The same happens with the next 20 bytes, producing a second buffer of 5 bytes.

It decreases the first five bytes of the first buffer:

…and compares them to the second buffer:

After all of the above checks pass, it tries to open the file:

After opening the file, it prints a congratulation message:


The MessageBox uses the first 9 bytes of the buffer as your name, so you can choose any name you like, but you must adjust the next 5 bytes accordingly to satisfy the comparison. For the name _qaz_qaz:

Almost done: all that is left is to download any valid BMP file from the Internet, change the header values, change the first 0x3A bytes of pixel data, and that’s all!

NOTE: we should remove the RGBQUAD structure and place the BITMAPLINE (pixel rows) directly after the headers; 010 Editor’s BMP template is very useful here.
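To make the header requirements and the two buffer computations described above concrete, here is an added Python example; it is my own code, not the author's solution file and not code from the crackme. It builds an ohmygod.bmp that encodes a chosen name in the first 9 four-byte groups and the matching 5 check bytes in the next 20 bytes, and it re-implements the checks the way the write-up describes them so the generated file can be verified offline. The values biWidth = 0x19c, biHeight = 0x49, biPlanes = 1, biSize = 0x28 and the 0x36 pixel-data offset come from the write-up; the 24-bit depth, BI_RGB compression, bfSize equal to the actual file size, and a decrement of 1 for the five check bytes are assumptions, since the page does not state those values.

```python
import struct

# Values the write-up recovers from the crackme's checks.
BI_WIDTH = 0x19C
BI_HEIGHT = 0x49
BI_PLANES = 1
BI_SIZE = 0x28          # sizeof(BITMAPINFOHEADER)
DATA_OFFSET = 0x36      # 14 + 40: where the crackme seeks before reading pixels
NAME_SLOTS = 9          # nine 4-byte groups -> 9-byte name buffer
CHECK_SLOTS = 5         # five more 4-byte groups -> 5-byte check buffer

# Assumptions (not stated on the page): the bit depth and compression the
# crackme expects, and the amount by which it "decreases" the name bytes.
BI_BITCOUNT = 24
BI_COMPRESSION = 0      # BI_RGB
DELTA = 1

FILE_HDR = struct.Struct('<2sIHHI')        # BITMAPFILEHEADER, 14 bytes
INFO_HDR = struct.Struct('<IiiHHIIiiII')   # BITMAPINFOHEADER, 40 bytes


def encode_group(value):
    """Four bytes whose first three sum to `value`; the fourth byte is ignored by the check."""
    value &= 0xFF
    a = value // 3
    return bytes([a, a, value - 2 * a, 0])


def build_bmp(name):
    """Construct an ohmygod.bmp whose pixel data encodes `name` plus the matching check bytes."""
    name_bytes = name.encode('ascii')[:NAME_SLOTS].ljust(NAME_SLOTS, b'\0')
    row_size = ((BI_WIDTH * BI_BITCOUNT + 31) // 32) * 4   # BMP rows are padded to 4 bytes
    pixels = bytearray(row_size * BI_HEIGHT)               # pixel rows start right after the headers
    pos = 0
    for b in name_bytes:                                   # 9 groups -> name buffer
        pixels[pos:pos + 4] = encode_group(b)
        pos += 4
    for b in name_bytes[:CHECK_SLOTS]:                     # 5 groups -> name[0:5] decreased by DELTA
        pixels[pos:pos + 4] = encode_group(b - DELTA)
        pos += 4
    file_size = DATA_OFFSET + len(pixels)
    file_hdr = FILE_HDR.pack(b'BM', file_size, 0, 0, DATA_OFFSET)
    info_hdr = INFO_HDR.pack(BI_SIZE, BI_WIDTH, BI_HEIGHT, BI_PLANES, BI_BITCOUNT,
                             BI_COMPRESSION, len(pixels), 0, 0, 0, 0)
    return bytes(file_hdr + info_hdr + pixels)


def check_bmp(data):
    """Re-implementation of the checks from the write-up. Returns the name on success, else None."""
    if len(data) < DATA_OFFSET:
        return None
    bf_type, bf_size, _, _, _ = FILE_HDR.unpack_from(data, 0)
    (bi_size, bi_width, bi_height, bi_planes, bi_bitcount,
     bi_compression, *_rest) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if bf_type != b'BM' or bf_size != len(data):           # bfSize check is an assumption
        return None
    if (bi_size, bi_width, bi_height, bi_planes) != (BI_SIZE, BI_WIDTH, BI_HEIGHT, BI_PLANES):
        return None
    if bi_bitcount != BI_BITCOUNT or bi_compression != BI_COMPRESSION:
        return None

    pos = DATA_OFFSET

    def read_groups(count):
        # Read `count` 4-byte groups; each yields one byte: the sum of its first three bytes.
        nonlocal pos
        out = bytearray()
        for _ in range(count):
            group = data[pos:pos + 4]
            if len(group) < 4:
                return None
            out.append(sum(group[:3]) & 0xFF)
            pos += 4
        return bytes(out)

    name_buf = read_groups(NAME_SLOTS)
    check_buf = read_groups(CHECK_SLOTS)
    if name_buf is None or check_buf is None:
        return None
    expected = bytes((b - DELTA) & 0xFF for b in name_buf[:CHECK_SLOTS])
    if expected != check_buf:
        return None
    return name_buf.split(b'\0', 1)[0].decode('ascii', errors='replace')


if __name__ == '__main__':
    bmp = build_bmp('_qaz_qaz')
    with open('ohmygod.bmp', 'wb') as f:
        f.write(bmp)
    print(check_bmp(bmp))
```

Because the crackme reads the pixel area in 4-byte groups rather than in 3-byte pixels, the encoder simply writes groups of four and leaves the fourth byte at zero; any 3-byte split that sums to the wanted character works, which is why the name can be chosen freely as long as the five check bytes are regenerated alongside it.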

You can download the crackme and the solution from here.