# StillAching's CrackMe

:::info
Author: StillAching
Language: .NET
Difficulty: 5.0
Quality: 5.5
[Link](https://crackmes.one/crackme/66f46d5110703232965559ae)
:::

## Execute

![image](https://hackmd.io/_uploads/B18PW_AHJx.png)

## Analyze

First, check whether the program uses a **packer or protector** with `Detect It Easy`.

![image](https://hackmd.io/_uploads/SJoO__RBke.png)

The main idea: open the program in IDA and find where the text is printed and where user input is read. Once we have found the user input, we can follow the flow to the ==password encrypt method== or the ==password compare function==.

### Finding Where Text Is Printed And Where User Input Is Read

Set a breakpoint at the **start** of the program.

![image](https://hackmd.io/_uploads/H1z3C_CSJe.png)

Start the debugger and keep pressing `F8` to step over until we find which call prints the text. That function is `sub_7FF60C62A210()`, so we set another breakpoint on it and restart the debugger.

![image](https://hackmd.io/_uploads/r1jLJtArkg.png)

This time we use `F7` to step into `sub_7FF60C62A210()` and do the same thing again: step over with `F8` until we find the function that prints the text.

![image](https://hackmd.io/_uploads/r1u3gF0rJl.png)

We repeat this until we reach the function that actually prints the text, which is `sub_7FF60C5D74A0()`.

![image](https://hackmd.io/_uploads/ry9XHYArJe.png)

In this function, the text is printed after the call to `WriteFile`.

![image](https://hackmd.io/_uploads/HkpPIKAr1g.png)

From the documentation we can see that the second parameter, `lpBuffer`, holds the pointer to the data to print.

![image](https://hackmd.io/_uploads/rJlYDY0rkl.png)

Checking what `v12` stores gives us the text, so we can rename `sub_7FF60C5D74A0()` to `Print`.

![image](https://hackmd.io/_uploads/r1IUdF0Bye.png)

Keep stepping with `F8` to find where the user can enter input.
The program reads user input in the function `sub_7FF60C5D7970()`. I found something interesting here: before the call to `sub_7FF60C5D7970()` there is another function, `sub_7FF60C5D7990()`.

![image](https://hackmd.io/_uploads/rk5BctRSkx.png)

By running the debugger repeatedly I found that the text is printed after `sub_7FF60C5D7990()` is called, and I started wondering what its parameter is. After clicking `unk_7FF60C63EEB8` I found the text under it, and this is exactly what is printed after the call.

![image](https://hackmd.io/_uploads/SykBy5RHkx.png)

We can see that this function calls `sub_7FF60C5D7990()` many times. So I renamed each name starting with `unk` to the text it actually prints, and renamed `sub_7FF60C5D7990()` to `Output()`.

![image](https://hackmd.io/_uploads/H1NAJc0Byg.png)

![image](https://hackmd.io/_uploads/rJpTxcArJe.png)

### Finding Password Checker Function

After renaming the functions we can focus on lines 32-36. If `sub_7FF60C5DD8D0(v1, v9)` returns **0**, the condition is ==true== (because of the `!` at the beginning) and the program prints `invalid password`. So `sub_7FF60C5DD8D0(v1, v9)` must return ==1== for the program to print `correct password`. Before starting, we can rename this function to `password_checker`.

![image](https://hackmd.io/_uploads/Hk1kN9CBke.png)

Now analyze `password_checker`. It turns out to be pretty simple: if `a1 == a2`, it returns ==1==, which is what we want.

![image](https://hackmd.io/_uploads/By2X45ASJg.png)

## Solve

Run the debugger again and check what `a1` and `a2` contain in `password_checker(a1, a2)`.

`a1` is the user input.

![image](https://hackmd.io/_uploads/S1rGr5RrJx.png)

`a2` is the ==password==.

![image](https://hackmd.io/_uploads/H1kZS5AS1e.png)

Check whether this password is correct.

![image](https://hackmd.io/_uploads/SkFoH5ArJe.png)

## Password

`StillAching@CrackMes.one`

## Extra Finding

One interesting finding: there is a function that deletes the spaces at the `start` and `end` of the input (line 19).

![image](https://hackmd.io/_uploads/SJLBL5RSyl.png)

We can verify this by adding spaces at the start and end of the password when we enter it; the program still prints `correct`.

![image](https://hackmd.io/_uploads/rkw7D9AByx.png)

## Note

[WriteFile document](https://learn.microsoft.com/zh-tw/windows/win32/api/fileapi/nf-fileapi-writefile)
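
The analysis above works because `password_checker(a1, a2)` compares the trimmed input against the plaintext password, so `a2` can be read in the debugger. The following is an added example, not code from the crackme or its author: a Python model of that check next to a hardened form that stores only a salted PBKDF2 digest. All function names, the record layout and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Password shown on the page; used here only as constructed sample input.
# In a real build the record below would be generated offline and shipped alone.
PASSWORD = "StillAching@CrackMes.one"


def operands_weak(user_input: str) -> tuple[str, str]:
    """Values visible at the compare: trimmed input and the plaintext secret."""
    return user_input.strip(), PASSWORD  # strip() models the trim step (line 19)


def weak_check(user_input: str) -> bool:
    """Models password_checker(a1, a2): true when a1 == a2."""
    a1, a2 = operands_weak(user_input)
    return a1 == a2


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Build-time step (assumption): keep only a random salt and a digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def operands_hardened(user_input: str, record: dict) -> tuple[bytes, bytes]:
    """Values visible at the compare in the hardened form: two digests."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", user_input.strip().encode(), record["salt"], record["iterations"]
    )
    return candidate, record["digest"]


def hardened_check(user_input: str, record: dict) -> bool:
    a1, a2 = operands_hardened(user_input, record)
    return hmac.compare_digest(a1, a2)  # constant-time comparison


if __name__ == "__main__":
    record = make_record(PASSWORD)
    for guess in ("wrong", "  StillAching@CrackMes.one  "):
        print(repr(guess), weak_check(guess), hardened_check(guess, record))
    print("plaintext at weak compare:", PASSWORD in operands_weak("wrong"))
    leaked = PASSWORD.encode() in b"".join(operands_hardened("wrong", record))
    print("plaintext at hardened compare:", leaked)
```

The hardened form only keeps the secret value out of the comparison operands. The decision still runs on the user's machine, so it is not a substitute for verifying credentials server-side.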