secrary[dot]com

Mastermind Crackme by Spider

Mastermind Crackme Analysis

Introduction

This article explores the solution to a challenging crackme created by Spider. Our goal is to create a keygen and discover three hidden easter eggs. Instead of developing a traditional keygen, we’ll take a more unconventional approach to solve this challenge.

Prerequisites

  • Basic understanding of x86 assembly
  • Familiarity with reverse engineering concepts
  • A Windows environment for running the crackme

Getting Started

Download the crackme from here.

Analysis Phase

1. Name Input Analysis

The CrackMe is created by Spider and looks hard to solve at first. The tasks are to create a keygen and find three hidden easter eggs. As you will see, my solution does not involve creating a normal keygen, but rather a lazier and more hacky way to solve the crackme.

At 0x0406486, it retrieves the name string entered by the user, calculates a dword value from it, and writes that dword to loc_4066B2+1, overwriting the 0xCCCCCCCC placeholder there:

2. Serial Verification Process

After receiving a serial from the user, it checks the serial's length, which must be exactly 26 characters, and requires that it contain only the characters 0 1 2 3 4 5 6 7 8 9 A B C D E F. It then decodes the hex text into raw bytes. For example, 123456789ABCDEFABCDE123456 becomes 0x12 0x34 0x56 0x78 0x9A 0xBC 0xDE 0xFA 0xBC 0xDE 0x12 0x34 0x56:

3. Opcode Checking Mechanism

At 0x0406557, it calls the checkOpcode function, which is essentially a large switch statement. The arguments are the hex version of the serial and the start_of_some_DISASM_struct structure.

I spent most of my time analyzing and guessing what this large function does. It modifies the start_of_some_DISASM_struct structure based on values from the serial.

I found that inside the sub_406622 function, it interprets the serial as code and calls it. I suspect that the checkOpcode function is some kind of assembly instruction parser or disassembler. It retrieves opcodes, modifies the start_of_some_DISASM_struct structure, and returns a value via the eax register.

For example, the mov eax, 0x12345678 instruction in hex form is B878563412. When it sees the B8 opcode, the function advances its position in the serial by 5 bytes to reach the next instruction:

After that, it checks if an opcode is allowed:

The following opcodes are allowed in our serial:

It checks whether the number of operands is greater than zero and whether any operand is ebp or esp (there is also a check for the lea instruction, among others). If so, it proceeds to the bad_boy message.

After that, it calls the masterMind_mainCheck_406622 function, where the serial checks occur:

The 0xCCCCCCCC placeholder is overwritten at runtime by the value derived from the name:

4. Solution Implementation

masterMind_mainCheck_406622 is where the checks happen and, at first glance, it seems challenging. It calls the user-controlled serial as a function, so I tried to hijack execution and jump to the good_boy message. However, this was not easy, as many useful instructions such as push, pop, mov ebp, ..., and mov [esp], ... are not allowed, and the code must be 13 bytes or shorter.

Nevertheless, we can still find useful instructions. I changed the return address stored at [esp] to point to the good_boy message and set ebp to a valid window handle:

Now we have the universal key: 8B442408958B0424047E870424 and a "keygen" if you wish :)

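As an added example (not code from the crackme or from the author), the following Python models the serial gate from section 2 and the instruction stepping described for checkOpcode: validate_serial enforces the 26-character, 0-9A-F rule and decodes the serial to its 13 bytes, and split_instructions walks those bytes using the standard 32-bit ModRM/SIB encoding and a small opcode-length table that is my assumption, covering only the opcodes that appear on this page (B8 and those in the universal key).

```python
# Added example (not the crackme's or the author's code). The opcode-length
# table below is an assumption covering only opcodes that appear on this page.
ALLOWED = set("0123456789ABCDEF")
SERIAL_LEN = 26                      # 26 hex digits -> 13 bytes of code

def validate_serial(serial: str) -> bytes:
    """Apply the length/character rules, then decode the hex text to raw bytes."""
    if len(serial) != SERIAL_LEN:
        raise ValueError(f"serial must be {SERIAL_LEN} characters, got {len(serial)}")
    bad = sorted({c for c in serial if c not in ALLOWED})
    if bad:
        raise ValueError(f"disallowed characters: {bad}")
    return bytes.fromhex(serial)

def modrm_len(code: bytes, i: int) -> int:
    """Bytes consumed by the 32-bit ModRM at code[i], including SIB and displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:         # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                   # SIB with no base register: disp32
    if mod == 0 and rm == 5:
        n += 4                       # [disp32]
    elif mod == 1:
        n += 1                       # disp8, e.g. [esp+8]
    elif mod == 2:
        n += 4                       # disp32
    return n

def instr_len(code: bytes, i: int) -> int:
    """Length of the instruction at code[i]; mirrors the 'B8 -> +5' stepping in the text."""
    op = code[i]
    if 0xB8 <= op <= 0xBF:           # mov r32, imm32
        return 5
    if 0x90 <= op <= 0x97:           # nop / xchg eax, r32
        return 1
    if op == 0x04:                   # add al, imm8
        return 2
    if op in (0x87, 0x89, 0x8B):     # xchg/mov r/m32 forms, ModRM follows
        return 1 + modrm_len(code, i + 1)
    raise ValueError(f"opcode {op:#04x} not in this example's table")

def split_instructions(code: bytes) -> list:
    """Split the decoded serial into instruction-sized hex chunks, as checkOpcode steps."""
    out, i = [], 0
    while i < len(code):
        n = instr_len(code, i)
        out.append(code[i:i + n].hex().upper())
        i += n
    return out
```

Running split_instructions on the universal key above yields the five instructions mov eax, [esp+8]; xchg eax, ebp; mov eax, [esp]; add al, 0x7E; xchg [esp], eax, which is how the 13 bytes redirect the return address and load ebp.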
Easter Eggs Discovery

Easter Egg #1: The HOLE

If a user presses any button on the main window, execution jumps to the 0x04060AD location.

We control the 0x12345678 value: each keypress shifts it left by one byte and inserts the new key code at the bottom. If we press a and b, it becomes 0x56784142 (a == 0x41, b == 0x42).

To jump to the 0x04060DE block, we need to solve a simple equation:

We need to type HOLE while focused on the main window:

Easter Egg #2: Mouse Trap

The second easter egg is located in the about window’s dialog box procedure.

If we right-click twice inside the about window area, the cursor is confined to the about window (to release it, right-click twice again).

Easter Egg #3: Einstein’s Cursor

If the name is einstein, it changes the cursor shape to an image of Einstein.

Conclusion

Thank you for your time. This crackme is a nice learning resource for reverse engineers: the serial is executed as code behind a restrictive opcode filter, which turns the keygen problem into a small code-construction puzzle, and the easter eggs show some creative use of the Windows message loop.