
According to Wikipedia, a crackme is a small program designed to test a programmer's reverse engineering skills.

Today I want to write about a medium-level crackme from the crackmes.de archive called Imagination.

SHA1: C052CDAD49297F854E832208AFB7CAB8D637C870

Okay, there is no username/password pair; we need to satisfy its requests.

After clicking the Unlock Me button, the function at 0x0401470 executes; it tries to open the ohmygod.bmp file from the current directory of the crackme.

NOTE: Ange Albertini's poster about BMP is very helpful if, like me, you don't know anything about the BMP file structure.

After successfully opening the file it calls the function at 0x0401040 (renamed by me as parse_header_0x0401040).

It reads 14 bytes and 40 bytes from the file by calling ReadFile two times; according to MSDN, 14 bytes is the size of a BITMAPFILEHEADER structure and 40 bytes is the size of a BITMAPINFOHEADER structure:

After that there are several checks of fields: bfType, biBitCount, bfSize and biCompression:

It also checks biHeight, biWidth, biPlanes and biSize. From the checks we can calculate that biHeight is 0x49 and biWidth is 0x19c; according to MSDN, biPlanes's value must be set to 1, and biSize is the size of BITMAPINFOHEADER, so it's 0x28.

Now we know what values it expects from the headers of ohmygod.bmp file.

After that it sets the file pointer to 0x36 (the sum of the two header sizes, 14 + 40) from the beginning of the file, reads 4 bytes and writes the sum of the first 3 bytes to the buffer, repeating this process 9 times. For example, if the data is 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1, the buffer would be 0x3 0x3 0x3 0x3 0x3 0x3 0x3 0x3 0x3.

The same happens with the next 20 bytes:

It decreases the first five bytes of the first buffer:

…and compares it to the second one:
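To make the header parsing and the two 4-bytes-in, 1-byte-out reductions concrete, here is an added Python re-implementation of what the write-up describes (my own code, not the crackme's). It assumes the MSDN header layouts, that the stored sum is byte-wide (masked with `& 0xFF`), and uses placeholder values (biBitCount 24, biCompression 0) for the fields whose expected values the write-up does not state; the final decrement-and-compare step is not reproduced because the exact constant is not given above.

```python
import struct

# BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes), little-endian, per MSDN.
FILE_HEADER = struct.Struct("<2sIHHI")       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, ...
DATA_OFFSET = 0x36                           # 14 + 40: where the crackme seeks before reading pixel data

# Values the write-up derives from the checks in parse_header_0x0401040.
EXPECTED = {"biSize": 0x28, "biWidth": 0x19C, "biHeight": 0x49, "biPlanes": 1}


def parse_header(blob):
    """Unpack both headers and return the fields the crackme inspects."""
    bf_type, bf_size, _, _, bf_off_bits = FILE_HEADER.unpack_from(blob, 0)
    bi_size, bi_width, bi_height, bi_planes, bi_bit_count, bi_compression = INFO_HEADER.unpack_from(blob, 14)[:6]
    return {"bfType": bf_type, "bfSize": bf_size, "biSize": bi_size, "biWidth": bi_width,
            "biHeight": bi_height, "biPlanes": bi_planes, "biBitCount": bi_bit_count,
            "biCompression": bi_compression}


def check_header(fields):
    """True if the header carries the values the write-up says are required."""
    if fields["bfType"] != b"BM":
        return False
    return all(fields[name] == value for name, value in EXPECTED.items())


def reduce_pixels(blob):
    """Read groups of 4 bytes from 0x36 and keep the sum of the first 3 of each group:
    9 groups for the first buffer, then 5 groups (20 bytes) for the second.
    Assumption: the sum is stored in a byte, so it is masked to 8 bits here."""
    def groups(start, count):
        return [sum(blob[start + 4 * i: start + 4 * i + 3]) & 0xFF for i in range(count)]
    first = groups(DATA_OFFSET, 9)
    second = groups(DATA_OFFSET + 9 * 4, 5)
    return first, second


def build_sample():
    """Constructed test input: valid headers followed by 56 bytes of fake pixel data
    (36 bytes of 0x01 then 20 bytes of 0x02). biBitCount/biCompression are placeholders."""
    pixels = bytes([0x01]) * 36 + bytes([0x02]) * 20
    file_hdr = FILE_HEADER.pack(b"BM", DATA_OFFSET + len(pixels), 0, 0, DATA_OFFSET)
    info_hdr = INFO_HEADER.pack(0x28, 0x19C, 0x49, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    return file_hdr + info_hdr + pixels
```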

After successfully checking all aforementioned fields it tries to open the file:

After opening the file it prints a congratulation message:

The MessageBox uses the first 9 bytes as your name, so you can set whichever name you want, but you should adjust the next 5 bytes accordingly to satisfy the checks; in the case of _qaz_qaz:

Almost done. What we need to do now is to download some valid bmp file from the Internet, change the header values, change the first 0x3A bytes of data, and that's all!

NOTE: We should remove the RGBQUAD structure and append BITMAPLINE directly after the headers; the 010 Editor's BMP template is very useful here.

You can download the crackme and solution from here

Any feedback would be greatly appreciated.

Twitter: @_qaz_qaz