Get Matrice from crackmes.one.

Note: I have already uploaded my solution, so if you don't want to follow along you don't need to. From here on you will need a basic understanding of assembly.

First Run.

When you first run the program this is what you see. Click Yes or No and you get a message saying Bye! or Not that way.

Debugging Time…

Well, that tells us nothing: there is nowhere to enter a password or anything. Let's open it with x32dbg (x64dbg.com). This debugger is free to use, so I have chosen to use it and not IDA Pro, though I will be using that in other projects. You should be at the Entry Point 0x00401000. Straight away you can see call <matrice.IsDebuggerPresent>. We can either patch this with NOPs or change the Zero Flag to 0x1; we will patch it with NOPs. Double-click

00401007 | 75 7C | jne matrice.401085 |

Now type in nop and make sure Fill with NOP's is ticked to keep the same size. The jne will no longer be taken, so we can keep stepping by pressing F8.

It now shows the dialog again. We click No and we break at

00401028 | A3 0C 37 44 00 | mov dword ptr ds:[44370C],eax

Keep stepping until you get to:

0040104B | 81 3D 0C 37 44 00 74 45 | cmp dword ptr ds:[44370C],11144574 |

If we keep stepping we get to

00401055 | 75 1B | jne matrice.401072

which will make us jump to the Bye! dialog, which we don't want. Going back to the cmp at 0040104B, we need to go to the dump view, press Ctrl+G and enter address 0044370C. We can see that hex 11144574 is compared with what is at address 0x0044370C. Now enter 74 45 14 11 at address 0x0044370C. [Note] We enter it backwards, because x86 stores the least significant byte first (little-endian). Select 8 bytes from 0x0044370C, press Ctrl+E, and change this to 74 45 14 11.
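The jump targets and the "backwards" byte order above can be checked by hand from the raw bytes in the listing. The following Python sketch is an added example (not part of the original write-up or of x32dbg); the function names are made up for illustration, and it decodes only the two instruction forms shown on this page.

```python
import struct

def jcc_short_target(addr: int, raw: bytes) -> int:
    """Target of a 2-byte short conditional jump (opcode 0x70-0x7F + rel8)."""
    if len(raw) != 2 or not 0x70 <= raw[0] <= 0x7F:
        raise ValueError("not a short Jcc")
    rel8 = struct.unpack("<b", raw[1:])[0]      # signed 8-bit displacement
    return (addr + 2 + rel8) & 0xFFFFFFFF       # relative to the NEXT instruction

def cmp_m32_address(raw: bytes) -> int:
    """Memory operand of 'cmp dword ptr [disp32], imm32' (81 /7, ModRM 3D)."""
    if len(raw) < 6 or raw[:2] != b"\x81\x3d":
        raise ValueError("not cmp dword ptr [disp32], imm32")
    return struct.unpack_from("<I", raw, 2)[0]  # disp32 is stored little-endian

def le_dump(value: int) -> str:
    """A 32-bit value as the byte sequence shown in the dump window."""
    return struct.pack("<I", value).hex(" ").upper()

def nop_fill(raw: bytes) -> bytes:
    """Same-size replacement made of one-byte NOPs (0x90)."""
    return b"\x90" * len(raw)

if __name__ == "__main__":
    # Bytes copied from the listing on this page.
    print(hex(jcc_short_target(0x00401007, bytes.fromhex("75 7C"))))  # IsDebuggerPresent branch
    print(hex(jcc_short_target(0x00401055, bytes.fromhex("75 1B"))))  # branch to the Bye! dialog
    print(hex(cmp_m32_address(bytes.fromhex("81 3D 0C 37 44 00 74 45"))))
    print(le_dump(0x11144574))
    print(nop_fill(bytes.fromhex("75 7C")).hex(" ").upper())
```

The decoded targets agree with what the debugger renders (matrice.401085 and matrice.401072), and the dump bytes for the compared constant start with the same 74 45 that is visible at the end of the truncated cmp encoding.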

Keep stepping and now we have the dialog we were looking for. From here it is better to go back to

0040104B | 81 3D 0C 37 44 00 74 45 | cmp dword ptr ds:[44370C],11144574

and edit it so we always get this dialog when we click No. This way we can patch the file to always bring up the dialog when we click No. Press Ctrl+P. [NOTE] 74 45 14 11 doesn't need patching, as it is reset at the start to 0x07; that's why we changed the compare to 0x07. Now just click Patch File and save it as whatever you want. You can test the patched version by running it and pressing No; you should see the dialog.

Cracking The Password…

I always enter four zeros [0000] to test. Time to set breakpoints: go to the Handles tab and press F5 to refresh.

Right-click Check, choose Message Breakpoint and set it to WM_LBUTTONUP.

Now press Check and we break in user32.dll, so we need to go to the Memory Map tab, right-click .text and select Memory Breakpoint -> Execute -> SingleShoot.

Now hit Run; you should break at 0x0040108C.

From here we do a lot of stepping, but to keep it short we need to put a breakpoint at 0x004010D4.

We need to step into the call, so press F7. Now that we are inside, the main part to look at is:

This is where we get the length of the password:

0040119C | E8 B9 00 00 00 | call <matrice.lstrlen> |

When it has the string length, it checks whether it can be divided by 6, then whether it can be divided by 7.
Simple maths: 6×7 = 42, so the password is 42 characters long. Make sure you still have the breakpoint on 0x004010D4, then go to the Breakpoints tab and remove the user32.dll breakpoint so you only have one.

Press F9 to run, as we only have a 4-character password. Now enter the new password; copy and paste [ 000000000000000000000000000000000000000000 ], which is 42 zeros. When you click Check you should be at the breakpoint on the call; press F7 to step into it. We have now passed the two divides and compares, and you should be here:

The address 0x00443054 is where the input is stored; load it in the dump window by pressing Ctrl+G and entering the address.