I browse crackmes.de from time to time when I want a reversing challenge to play with. I have to admit that there were many more interesting crackmes in the past, but today (digging deeper) I’ve found an unusual one; it’s not hard but the idea is really nice! The name of the crackme is “What Is This???”.
No exe file this time, the downloaded archive contains a readme file and the above image, nothing else. You can’t interact with an image so you can only load it into your preferred hex editor hoping to understand what’s going on.
It’s pretty easy to see that something has been added at the end of the file (a JPEG file ends with the FF D9 byte sequence):
As you can see, the author appended some bytes at the end of the image. Now I have to understand what’s behind these unknown bytes, and Google will help me. I decided to start with “**TI83F*”, which is the only reasonable string to search for. In the end I reached a page at http://merthsoft.com/linkguide/ti83+/fformat.html which lights the path to the solution of the crackme: the string “**TI83F*” is a tag used to define a program for a Texas Instruments calculator.
With the file format in front of you it’s pretty easy to understand each byte:
– 2A 2A 54 49 38 33 46 2A: 8 bytes, signature: it’s always “**TI83F*”
– 1A 0A 00: 3 bytes, further signature: these three bytes always contain {1Ah, 0Ah, 00h}
– 00..00: 2Ah bytes, comment: it’s either zero-terminated or padded on the right with space characters
– 56 00: 2 bytes, length, in bytes, of the data section of the file
– 0D 00 45 … 2A 3F D4: n bytes, data section: consists of a number of variable entries
– 90 16: 2 bytes, file checksum: lower 16 bits of the sum of all bytes in the data section
Now, the data section:
– 0D 00: 2 bytes, always has a value of 0Bh or 0Dh
– 45 00: 2 bytes, length, in bytes, of the variable data
– 05: 1 byte, variable type ID byte (0x05 = Programs)
– 41 00 00 .. 00: 8 bytes, variable name padded with NULL characters
– 00: 1 byte, version: usually set to 00
– 00: 1 byte, flag: set to 80h if variable is archived, 00h otherwise
– 45 00: 2 bytes, length, in bytes, of the variable data
– 43 00 DC .. 2A 3F D4: n bytes, variable data
Nothing interesting right now, just some definitions. The algo is all inside the variable data; each byte of that block represents a piece of the algo. I won’t explain every single byte definition because I think you can understand it by yourself simply using the table at http://merthsoft.com/linkguide/ti82/tokens.html
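The container layout listed above can be checked mechanically. The following Python sketch is an added example, not code from the crackme or the original post: it finds the signature, validates the length and checksum fields, and splits out the variable entry. The function names and the bytes produced by build_sample are constructed for illustration, and only the 0Dh entry layout shown above is handled.

```python
import struct

SIG = b"**TI83F*\x1a\x0a\x00"  # 8-byte signature + 3-byte further signature
EOI = b"\xff\xd9"              # JPEG end-of-image marker
ENTRY = struct.Struct("<HHB8sBBH")  # entry header for the 0Dh layout (17 bytes)

def parse_trailer(blob: bytes) -> dict:
    """Locate and parse a TI-83 variable file embedded in (appended to) blob."""
    start = blob.find(SIG)
    if start < 0:
        raise ValueError("no **TI83F* signature found")
    off = start + len(SIG) + 0x2A            # skip the 2Ah-byte comment
    if len(blob) < off + 2:
        raise ValueError("truncated header")
    (data_len,) = struct.unpack_from("<H", blob, off)
    end = off + 2 + data_len                 # offset of the 2-byte checksum
    if data_len < ENTRY.size or len(blob) < end + 2:
        raise ValueError("truncated data section or checksum")
    data = blob[off + 2 : end]
    (stored,) = struct.unpack_from("<H", blob, end)
    hdr, len1, type_id, name, _ver, flag, len2 = ENTRY.unpack_from(data, 0)
    if hdr != 0x0D or len1 != len2 or len2 > data_len - ENTRY.size:
        raise ValueError("unsupported or inconsistent entry header")
    return {
        "offset": start,
        "follows_eoi": blob[max(start - 2, 0):start] == EOI,
        "type_id": type_id,
        "name": name.rstrip(b"\x00").decode("ascii"),
        "archived": flag == 0x80,
        "var_data": data[ENTRY.size : ENTRY.size + len2],
        "checksum_ok": stored == (sum(data) & 0xFFFF),
    }

def build_sample(var: bytes = b"\x02\x00\x11\x22") -> bytes:
    """Constructed test input: stub JPEG bytes plus a TI-83 file with dummy data."""
    entry = ENTRY.pack(0x0D, len(var), 0x05, b"A", 0, 0, len(var)) + var
    ti = SIG + bytes(0x2A) + struct.pack("<H", len(entry)) + entry
    ti += struct.pack("<H", sum(entry) & 0xFFFF)
    return b"\xff\xd8" + bytes(4) + EOI + ti

if __name__ == "__main__":
    for key, value in parse_trailer(build_sample()).items():
        print(f"{key:12} {value!r}")
```

The same function works on the real image once its bytes are read from disk; a failed checksum or a signature that does not directly follow FF D9 is worth a second look in the hex editor.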
To sum up, the variable data starting with the “43 00 DC” byte sequence can be decoded into this program:
Input A
A->B
0->C
While C<100
A+10*tan(A)->A
C+1->C
End
If A=19911.236
Then
Disp "OK"
Else
Disp "NO"
End
The algo is a TI-83 program; it’s pretty basic and the language is intuitive, but if you need help take a look at chapter 16 of the TI-83 Guidebook, available online. Now that you know what’s going on you only have to solve it, good luck :)