Thursday, April 17, 2025

My First Crackme

After earning my GREM and PMRP, I thought of looking for a job in reverse engineering or malware research. It's been about 15 days already and, unfortunately, I received one response and no response at all on the rest of my applications. So I thought to myself that certification is certainly not enough to show how passionate I am or how much I want to be in the reverse engineering field, so I decided to learn game hacking from GuidedHacking (again! I had to stop since I enrolled in a lot of courses last year and early this year) and also start with crackmes.

My first crackme was "Simple crackme by ionchad". You can try it or download it here.

Solution:

After downloading and unzipping the file, it contains an exe file named "WinUtilsHelper.exe".

WinUtilsHelper

If you run the executable, it will prompt you to enter a license key. Entering an incorrect value pops up a message that says invalid license.

With that information, I thought of the Windows API that is used to display an error message, and that is the Windows MessageBox.

I opened Ghidra and created a new project for this executable. In Ghidra, I went to "Windows > Symbol References" and searched for "Message".

There are 3 locations from which MessageBoxA is referenced. I clicked on the memory address 140001031. Clicking on that memory address automatically updates the listing view in Ghidra so that you are at that specific memory address.

Here we can see that the first call to MessageBoxA is used to display the message "Debugger Detected", so we know that this executable has its own defense mechanism to prevent it from being debugged.

Now we go to the second memory location from which MessageBoxA is referenced. The memory location is 1400017f2.

As we can see in the Listing View in Ghidra, clicking on that memory location shows the string "Invalid License", which is the string we see upon entering a string at the executable's license key prompt.

I'm no expert in reverse engineering, so by getting to this specific part of the function I can't easily determine who calls whom. So, to try to understand it, I scrolled up the listing view until I saw the beginning of the function.


I saw the banner FUNCTION, so I now know that I'm at the beginning of the function. This function accepts three parameters and has a lot of local variables. Like I said, I'm no expert, so my thinking is that maybe one of these local variables holds or stores information about the license key, and then the value in this variable is compared to the user input.

I checked what value is passed to that local variable by clicking on the memory location in the XREF field on the right side of the local variable.


For local_e0 we can see that it is referenced 3 times. I clicked 1400016c0 to go to that memory address.


Here we can see the code that uses or references local_e0. One thing that stood out from the rest is the value 0x5a57494b. So technically, 0x5a57494b is placed on the stack, and Ghidra placed the label local_e0 to make it easy to determine how many bytes need to be added to RSP to reach that specific address in the stack.


Now, if we hover the mouse over that hex value we can see that the characters are ZWIK, and since the stack is a LIFO structure I concluded that the license key is KIWZ.
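As an added example (not code from the post or from the crackme), the following Python shows why the dword immediate 0x5a57494b reads as KIWZ once it sits on the stack: x86-64 is little-endian, so the least-significant byte 0x4b ('K') lands at the lowest address and the bytes appear in the reverse of their printed order. The check_key function is an assumed model of a four-byte comparison against that immediate, not a reproduction of the crackme's actual check.

```python
import struct

# Immediate observed in the Ghidra listing of the crackme (value taken from the post).
IMM = 0x5A57494B


def imm_to_memory_bytes(imm: int, width: int = 4) -> bytes:
    """Return the bytes a `width`-byte immediate occupies once stored in memory.

    x86-64 stores integers little-endian: the least-significant byte goes to
    the lowest address, so a dword written to the stack reads back as a string
    in the reverse of the order its hex digits are printed in the disassembly.
    """
    return imm.to_bytes(width, "little")


def imm_as_string(imm: int, width: int = 4) -> str:
    """Decode the immediate as the ASCII text it forms in memory order."""
    return imm_to_memory_bytes(imm, width).decode("ascii")


def string_as_imm(s: str) -> int:
    """Inverse direction: the dword immediate a compiler emits to store `s`."""
    data = s.encode("ascii")
    if len(data) != 4:
        raise ValueError("expected exactly 4 ASCII bytes")
    return struct.unpack("<I", data)[0]


def check_key(user_input: str, expected_imm: int = IMM) -> bool:
    """Assumed model of the license check (hypothetical, not the crackme's code):
    the first four bytes of the input, loaded as one dword, are compared with
    the immediate. Shorter input can never match."""
    data = user_input.encode("ascii", errors="replace")[:4]
    if len(data) < 4:
        return False
    return struct.unpack("<I", data)[0] == expected_imm


if __name__ == "__main__":
    print(f"0x{IMM:08x} as stored in memory: {imm_to_memory_bytes(IMM).hex(' ')}")
    print(f"read back as ASCII: {imm_as_string(IMM)}")
    for candidate in ("KIWZ", "ZWIK", "kiwz"):
        verdict = "valid" if check_key(candidate) else "invalid"
        print(f"{candidate!r}: {verdict}")
```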

I'm not sure if how I solved this is correct or if my thought process is correct, but that's how I came up with the answer. I'm still learning, and I believe I'll improve more at how to reverse engineer stuff!

Thursday, April 3, 2025

My First GIAC

My first GIAC that I acquired is GREM, or GIAC Reverse Engineering Malware. I took this exam on March 31, 2025 and passed the exam with a 91% score. This course was not sponsored by my current job; instead it was self-funded. You might wonder why? No reason at all, I just wanted to have my first GIAC cert, since I have self-funded other certs like OSCP before.

My background prior to taking the exam was not that good in terms of malware analysis and reverse engineering. Although I don't have experience with those, I did take the TCM PMRP (Practical Malware Research Professional) prior to taking the course and passed that one. My experience in cybersecurity is focused on application security; I perform penetration testing of web, mobile and APIs, but I had never performed reverse engineering before. Since I wanted to work as a reverse engineer or have a career in reverse engineering, I decided to follow a path, or rather create a path that I will work on, and that is why I enrolled in courses like TCM's PMRP and GREM.

I enrolled in the FOR610 course on January 3, 2025. My background with TCM's PMRP did help, since I already knew the basics of malware analysis. Although I did acquire knowledge from PMRP, GREM contains some topics that were never discussed in the PMRP course. Lenny, the course instructor, really does a great job of teaching the topics. I learned a lot. By the way, this is an on-demand course, which means that it is self-paced and I get to decide when and where I will study.

After doing the course and labs, I took my first practice test in February 2025. I did the practice test with stock knowledge, thinking I could easily ace this; oh boy, I was wrong. I finished the exam with a 63% score, 10% below the passing mark of 73%. After taking my first practice test, I realized the importance of indexing. My theoretical knowledge is not good and I easily forget the meaning of something, but when it comes to the labs / CyberLive there were no big issues at all, so my focus was creating a good index and redoing everything from the beginning. After a month of reviewing and creating an index, I was able to score 81% on my second practice test, which was 1 week prior to my exam schedule. I felt confident now and decided that I would go take the exam even though I only scored 8% higher than the passing mark. My confidence was mainly because I knew that I wouldn't have a problem with CyberLive, only with the theoretical questions.

During the exam, the first question, a theoretical one, made my heart sink. I mean, that question was something I did not encounter on the practice exam; it was way different, and the only thing I could think of was "Dang, I rushed the exam and have not studied enough". It took me 5-10 minutes before I came up with the decision of skipping it, haha. After skipping that one, I took a deep breath, calmed myself and then continued with the rest of the exam. The exam is harder compared to the practice exam, but like I said, CyberLive wouldn't be a problem for me since I also made sure that I was completely familiar with the tools and how to navigate through them. My only problem was the theoretical ones; I just thought that no matter how I index, some questions are just tough. After finishing CyberLive, I came back to the questions I skipped; I believe I just guessed those since I really didn't know anymore.

The result was 91%, way higher than what I thought. I am thankful that I got this score; it was worth it. The FOR610 course is great; it taught me a lot of the things I need to be good at malware analysis. I am planning on being great at reverse engineering, so I will continue learning, whether it is enrolling in some course or reading books.