Crackmes.one

My write-ups for challenges from the Crackmes.one platform. Updates will follow as I solve more challenges.

Dry Tau Mac KeygenMe One

Desc: The algorithm is deterministic—same name always produces the same key. Magic constants are used in the hash calculation. The name is converted to uppercase before processing. Both key value and checksum depend on the name. Look for hexadecimal constants like 0x1337BEEF, 0x85EBCA6B, 0xDEADBEEF.

We've given the macho x64 binary

And we open the binary to see what's going on:

We know to get the valid one, it needs 2 correct input, the name and license key. So, we can open up our decompiler apps, in this case Im using IDA.

From that, I can find the main validation logic is located inside AppDelegate.validateKey(_:for:).

Swift::Bool __swiftcall AppDelegate.validateKey(_:for:)(Swift::String _, Swift::String a2)
{
  signed __int64 v2; // rcx
  void *v3; // rsp
  void *v4; // rsp
  void *v5; // rsp
  void *v6; // rsp
  __int64 v7; // r15
  __int64 v8; // rdx
  __int64 v9; // rbx
  __int64 v10; // rsi
  Swift::String v11; // rax
  __int64 v12; // r13
  unsigned __int64 v13; // r14
  __int64 v14; // rsi
  char v15; // cl
  char v16; // r15
  void (__fastcall *v17)(_QWORD *, __int64); // r13
  __int64 v18; // rbx
  __int64 v19; // rax
  __int64 v20; // rbx
  __int64 v21; // r15
  __int64 v22; // rax
  char v23; // dl
  __int64 v24; // rsi
  __int64 v25; // r13
  __int64 v26; // rdx
  __int64 v27; // r12
  __int64 v28; // rcx
  __int64 v29; // r15
  __int64 v30; // r8
  __int64 v31; // rbx
  __int64 v32; // r14
  unsigned __int64 v33; // rdx
  unsigned __int64 v34; // r15
  __int64 v35; // rsi
  __int64 v36; // rcx
  __int64 v37; // rdi
  __int64 v38; // r12
  char v39; // bl
  Swift::String v40; // rax
  unsigned __int64 v41; // r13
  bool v42; // bl
  unsigned __int64 v43; // rdi
  __int64 v44; // r8
  __int64 v45; // r9
  __int64 v46; // rcx
  unsigned __int64 v47; // r12
  unsigned __int64 v48; // r15
  unsigned __int64 v49; // rax
  unsigned __int64 v50; // rbx
  __int64 v51; // rax
  unsigned __int8 v52; // r14
  int v53; // r15d
  __int64 v54; // rbx
  __int64 v55; // rax
  unsigned int v56; // r14d
  __int64 v57; // rbx
  int v58; // r14d
  __int64 v59; // rbx
  unsigned __int8 v60; // al
  int v61; // r15d
  __int64 v62; // rbx
  __int64 v63; // rax
  __int64 v64; // r14
  __int64 v65; // r12
  unsigned __int64 v66; // rbx
  __int64 v67; // r13
  __int64 v68; // r15
  unsigned __int64 v69; // rax
  char v70; // dl
  __int64 v71; // rsi
  unsigned __int64 v72; // rdi
  __int64 v73; // r13
  __int64 v74; // rdx
  __int64 v75; // r14
  __int64 v76; // rcx
  __int64 v77; // r15
  __int64 v78; // r8
  __int64 v79; // rbx
  __int64 v80; // rsi
  __int64 v81; // r14
  unsigned __int64 v82; // rdx
  unsigned __int64 v83; // r15
  __int64 v84; // rsi
  __int64 v85; // rcx
  __int64 v86; // rax
  Swift::String *v87; // rdi
  __int64 v88; // r13
  Swift::String v89; // rax
  void *v90; // rbx
  void *v91; // rsi
  __int64 v92; // r14
  __int64 v93; // rdi
  __int64 v94; // r8
  int v95; // r14d
  int v96; // r12d
  _QWORD *v97; // rbx
  void (__fastcall *v98)(_QWORD *, __int64); // r15
  __int64 v99; // r10
  unsigned __int8 *v100; // rsi
  int v101; // r15d
  __int64 v102; // r10
  unsigned __int64 v103; // rdi
  int v104; // eax
  int v105; // edx
  int v106; // r14d
  __int64 v107; // rsi
  unsigned __int64 v109; // rdi
  __int64 v110; // rdx
  __int64 v111; // rdx
  _QWORD v112[2]; // [rsp+0h] [rbp-E0h] BYREF
  void *v113; // [rsp+10h] [rbp-D0h]
  __int64 v114; // [rsp+18h] [rbp-C8h]
  __int64 v115; // [rsp+20h] [rbp-C0h]
  __int64 v116; // [rsp+28h] [rbp-B8h]
  __int64 v117; // [rsp+30h] [rbp-B0h]
  __int64 v118; // [rsp+38h] [rbp-A8h]
  void *object; // [rsp+40h] [rbp-A0h]
  __int64 countAndFlagsBits; // [rsp+48h] [rbp-98h]
  __int64 v121; // [rsp+50h] [rbp-90h]
  unsigned __int64 v122; // [rsp+58h] [rbp-88h]
  _QWORD v123[2]; // [rsp+60h] [rbp-80h] BYREF
  void (__fastcall *v124)(_QWORD *, __int64); // [rsp+70h] [rbp-70h]
  __int64 v125; // [rsp+78h] [rbp-68h]
  __int64 v126; // [rsp+80h] [rbp-60h]
  _QWORD *v127; // [rsp+88h] [rbp-58h]
  Swift::String v128; // [rsp+90h] [rbp-50h] BYREF
  unsigned __int64 v129; // [rsp+A0h] [rbp-40h]
  int v130; // [rsp+ACh] [rbp-34h]
  __int64 v131; // [rsp+B0h] [rbp-30h]

  object = a2._object;
  countAndFlagsBits = a2._countAndFlagsBits;
  v125 = type metadata accessor for CharacterSet(0);
  v131 = *(_QWORD *)(v125 - 8);
  v2 = *(_QWORD *)(v131 + 64);
  v3 = alloca(v2);
  v4 = alloca(v2);
  v5 = alloca(v2);
  v6 = alloca(v2);
  v127 = v112;
  v128 = _;
  v123[0] = 45;
  v123[1] = 0xE100000000000000LL;
  v112[0] = 0;
  v112[1] = 0xE000000000000000LL;
  v7 = lazy protocol witness table accessor for type String and conformance String(0, _._object);
  StringProtocol.replacingOccurrences<A, B>(of:with:options:range:)(
    v123,
    v112,
    0,
    0,
    0,
    1,
    &type metadata for String,
    &type metadata for String,
    &type metadata for String,
    v7,
    v7,
    v7);
  v9 = v8;
  v10 = v8;
  v11 = String.uppercased()();
  v12 = v11._countAndFlagsBits;
  v13 = (unsigned __int64)v11._object;
  swift_bridgeObjectRelease(v9, v10);
  v14 = v13;
  if ( String.count.getter(v12, v13) != 16 )
    goto LABEL_68;
  CharacterSet.init(charactersIn:)(0xD000000000000010LL, "Please enter your name." + 0x8000000000000000LL);
  v128._countAndFlagsBits = v12;
  v128._object = (void *)v13;
  v121 = v12;
  CharacterSet.inverted.getter();
  StringProtocol.rangeOfCharacter(from:options:range:)(v112, 0, 0, 0, 1, &type metadata for String, v7);
  v16 = v15;
  v17 = *(void (__fastcall **)(_QWORD *, __int64))(v131 + 8);
  v18 = v125;
  v17(v112, v125);
  if ( (v16 & 1) == 0 )
  {
    v14 = v18;
    v17(v127, v18);
LABEL_68:
    v109 = v13;
LABEL_69:
    swift_bridgeObjectRelease(v109, v14);
    return 0;
  }
  v124 = v17;
  v19 = HIBYTE(v13) & 0xF;
  v20 = v121;
  if ( (v13 & 0x2000000000000000LL) == 0 )
    v19 = v121;
  v115 = v19;
  v21 = (v19 << 16) + 4 * ((v13 >> 60) & ((v121 & 0x800000000000000LL) == 0)) + 7;
  swift_bridgeObjectRetain(v13);
  v22 = String.index(_:offsetBy:limitedBy:)(15, 8, v21, v20, v13);
  v116 = v21;
  if ( (v23 & 1) != 0 )
    v22 = v21;
  v24 = v22;
  v25 = String.subscript.getter(15, v22, v20, v13);
  v27 = v26;
  v29 = v28;
  v31 = v30;
  v129 = v13;
  swift_bridgeObjectRelease(v13, v24);
  v32 = static String._fromSubstring(_:)(v25, v27, v29, v31);
  v34 = v33;
  swift_bridgeObjectRelease(v31, v27);
  v35 = v32 & 0xFFFFFFFFFFFFLL;
  v36 = HIBYTE(v34) & 0xF;
  if ( (v34 & 0x2000000000000000LL) == 0 )
    v36 = v32 & 0xFFFFFFFFFFFFLL;
  if ( !v36 )
  {
    swift_bridgeObjectRelease(v34, v35);
    v13 = v129;
    goto LABEL_67;
  }
  if ( (v34 & 0x1000000000000000LL) != 0 )
  {
    v38 = specialized _parseInteger<A, B>(ascii:radix:)(v32, v34, 16);
    swift_bridgeObjectRelease(v34, v34);
    v13 = v129;
    if ( ((unsigned __int64)&_mh_execute_header & v38) == 0 )
      goto LABEL_18;
LABEL_67:
    v14 = v125;
    v124(v127, v125);
    goto LABEL_68;
  }
  if ( (v34 & 0x2000000000000000LL) != 0 )
  {
    v128._countAndFlagsBits = v32;
    v128._object = (void *)(v34 & 0xFFFFFFFFFFFFFFLL);
    v35 = HIBYTE(v34) & 0xF;
    v38 = specialized _parseInteger<A>(ascii:radix:)(&v128, v35, 16);
    LOBYTE(v123[0]) = ((unsigned __int64)&_mh_execute_header & v38) != 0;
    v13 = v129;
  }
  else
  {
    if ( (v32 & 0x1000000000000000LL) != 0 )
    {
      v37 = (v34 & 0xFFFFFFFFFFFFFFFLL) + 32;
    }
    else
    {
      v37 = _StringObject.sharedUTF8.getter(v32, v34, 0x2000000000000000LL);
      v35 = v110;
    }
    v13 = v129;
    v38 = specialized _parseInteger<A>(ascii:radix:)(v37, v35, 16);
    LOBYTE(v123[0]) = ((unsigned __int64)&_mh_execute_header & v38) != 0;
  }
  v39 = v123[0];
  swift_bridgeObjectRelease(v34, v35);
  if ( (v39 & 1) != 0 )
    goto LABEL_67;
LABEL_18:
  v117 = v38;
  v40 = String.uppercased()();
  v41 = (unsigned __int64)v40._object;
  v43 = HIBYTE(v40._object) & 0xF;
  if ( ((__int64)v40._object & 0x2000000000000000LL) == 0 )
    v43 = v40._countAndFlagsBits & 0xFFFFFFFFFFFFLL;
  v131 = v40._countAndFlagsBits;
  v42 = ((__int64)v40._object & 0x1000000000000000LL) == 0;
  v44 = 4LL << (v42 | (unsigned __int8)((v40._countAndFlagsBits & 0x800000000000000LL) != 0));
  v118 = 0xFFFFFFFFFFFFFFFLL;
  if ( v43 )
  {
    v45 = 4 * v43;
    v113 = (void *)((__int64)v40._object & 0xFFFFFFFFFFFFFFLL);
    v114 = ((__int64)v40._object & 0xFFFFFFFFFFFFFFFLL) + 32;
    v46 = 322420463;
    v47 = 15;
    v122 = v43;
    v126 = 4LL << (v42 | (unsigned __int8)((v40._countAndFlagsBits & 0x800000000000000LL) != 0));
    while ( 1 )
    {
      v48 = v47 & 0xC;
      v49 = v47;
      if ( v48 == v44 )
      {
        v56 = v46;
        v57 = v45;
        v49 = _StringGuts._slowEnsureMatchingEncoding(_:)(v47, v131, v41);
        v45 = v57;
        v44 = v126;
        v43 = v122;
        v46 = v56;
      }
      v50 = v49 >> 16;
      if ( v49 >> 16 >= v43 )
        BUG();
      if ( (v41 & 0x1000000000000000LL) != 0 )
      {
        v58 = v46;
        v59 = v45;
        v60 = String.UTF8View._foreignSubscript(position:)(v49, v131, v41, v46, v44);
        v45 = v59;
        v44 = v126;
        LODWORD(v46) = v58;
        v52 = v60;
        if ( v48 == v126 )
          goto LABEL_38;
      }
      else
      {
        if ( (v41 & 0x2000000000000000LL) == 0 )
        {
          v51 = v114;
          if ( (v131 & 0x1000000000000000LL) == 0 )
          {
            v130 = v46;
            v64 = v45;
            v51 = _StringObject.sharedUTF8.getter(v131, v41, 0x2000000000000000LL);
            v45 = v64;
            v44 = v126;
            LODWORD(v46) = v130;
          }
          v52 = *(_BYTE *)(v51 + v50);
          if ( v48 != v44 )
            goto LABEL_34;
LABEL_38:
          v61 = v46;
          v62 = v45;
          v63 = _StringGuts._slowEnsureMatchingEncoding(_:)(v47, v131, v41);
          v45 = v62;
          v44 = v126;
          LODWORD(v46) = v61;
          v47 = v63;
          goto LABEL_34;
        }
        v128._countAndFlagsBits = v131;
        v128._object = v113;
        v52 = *((_BYTE *)&v128._countAndFlagsBits + v50);
        if ( v48 == v44 )
          goto LABEL_38;
      }
LABEL_34:
      v43 = v122;
      if ( (v41 & 0x1000000000000000LL) != 0 )
      {
        if ( v47 >> 16 >= v122 )
          BUG();
        v53 = v46;
        v54 = v45;
        v55 = String.UTF8View._foreignIndex(after:)(v47, v131, v41);
        v45 = v54;
        v44 = v126;
        v43 = v122;
        LODWORD(v46) = v53;
        v47 = v55;
      }
      else
      {
        v47 = (v47 + 0x10000) & 0xFFFFFFFFFFFF0000LL | 4;
      }
      v46 = -2048144789 * ((31 * (_DWORD)v46 + v52) ^ ((31 * (_DWORD)v46 + (unsigned int)v52) >> 16));
      if ( v47 >> 14 == v45 )
      {
        v130 = v46 & 0x7FFFFFFF;
        goto LABEL_41;
      }
    }
  }
  v130 = 322420463;
LABEL_41:
  v65 = v125;
  swift_bridgeObjectRelease(v41, 0x1000000000000000LL);
  v66 = v129;
  swift_bridgeObjectRetain(v129);
  v67 = v116;
  v68 = v121;
  v69 = String.index(_:offsetBy:limitedBy:)(v116, -8, 15, v121, v66);
  if ( (v70 & 1) != 0 )
    v69 = 15;
  if ( ((4 * v115) & 0x3FFFFFFFFFFFCuLL) < v69 >> 14 )
    BUG();
  v71 = v67;
  v72 = v66;
  v73 = String.subscript.getter(v69, v67, v68, v66);
  v75 = v74;
  v77 = v76;
  v79 = v78;
  swift_bridgeObjectRelease(v72, v71);
  v80 = v75;
  v81 = static String._fromSubstring(_:)(v73, v75, v77, v79);
  v83 = v82;
  swift_bridgeObjectRelease(v79, v80);
  v84 = HIBYTE(v83) & 0xF;
  v85 = v81 & 0xFFFFFFFFFFFFLL;
  v86 = v84;
  if ( (v83 & 0x2000000000000000LL) == 0 )
    v86 = v81 & 0xFFFFFFFFFFFFLL;
  if ( !v86 )
  {
    swift_bridgeObjectRelease(v83, v84);
    goto LABEL_74;
  }
  if ( (v83 & 0x1000000000000000LL) != 0 )
  {
    v88 = specialized _parseInteger<A, B>(ascii:radix:)(v81, v83, 16);
    swift_bridgeObjectRelease(v83, v83);
    if ( ((unsigned __int64)&_mh_execute_header & v88) == 0 )
      goto LABEL_54;
LABEL_74:
    v14 = v65;
    v124(v127, v65);
    v109 = v129;
    goto LABEL_69;
  }
  if ( (v83 & 0x2000000000000000LL) != 0 )
  {
    v128._countAndFlagsBits = v81;
    v128._object = (void *)(v83 & 0xFFFFFFFFFFFFFFLL);
    v87 = &v128;
  }
  else
  {
    if ( (v81 & 0x1000000000000000LL) != 0 )
    {
      v87 = (Swift::String *)((v118 & v83) + 32);
    }
    else
    {
      v87 = (Swift::String *)_StringObject.sharedUTF8.getter(v81, v83, 0x2000000000000000LL);
      v85 = v111;
    }
    v84 = v85;
  }
  v88 = specialized _parseInteger<A>(ascii:radix:)(v87, v84, 16);
  LOBYTE(v123[0]) = ((unsigned __int64)&_mh_execute_header & v88) != 0;
  swift_bridgeObjectRelease(v83, v84);
  if ( ((unsigned __int64)&_mh_execute_header & v88) != 0 )
    goto LABEL_74;
LABEL_54:
  v89 = String.uppercased()();
  v90 = v89._object;
  v91 = v89._object;
  v92 = specialized _copyCollectionToContiguousArray<A>(_:)(v89._countAndFlagsBits, v89._object);
  swift_bridgeObjectRelease(v90, v91);
  v93 = v92;
  v94 = *(_QWORD *)(v92 + 16);
  v95 = v130;
  v96 = v130;
  v97 = v127;
  v98 = v124;
  if ( v94 )
  {
    if ( v94 == 1 )
    {
      v99 = 0;
      v96 = v130;
    }
    else
    {
      v131 = v93;
      v100 = (unsigned __int8 *)(v93 + 33);
      v101 = 1;
      v102 = 0;
      v96 = v130;
      v103 = 0;
      do
      {
        v104 = v101 - 24 * (v103 / 0x18);
        v105 = 1103515245 * (v96 ^ (*(v100 - 1) << (v103 % 0x18))) + 12345;
        v103 += 2LL;
        v96 = 1103515245 * (v105 ^ (*v100 << v104)) + 12345;
        v100 += 2;
        v101 += 2;
        v102 -= 2;
      }
      while ( -(__int64)(v94 & 0xFFFFFFFFFFFFFFFELL) != v102 );
      v99 = -v102;
      v97 = v127;
      v98 = v124;
      v95 = v130;
      v93 = v131;
    }
    if ( (v94 & 1) != 0 )
      v96 = 1103515245
          * (v96
           ^ (*(unsigned __int8 *)(v93 + v99 + 32) << (v99 - 3
           * (((unsigned int)((0xAAAAAAAAAAAAAAABLL * (unsigned __int128)(unsigned __int64)v99) >> 64) >> 1)& 0xF8))))
          + 12345;
  }
  v106 = v117 ^ v95;
  swift_release(v93);
  v107 = v125;
  v98(v97, v125);
  swift_bridgeObjectRelease(v129, v107);
  return (v106 | (unsigned int)v88 ^ v96 ^ 0xDEADBEEF) == 0;
}

This function receives:

• The license key as the first argument

• The name as the second argument

This function returns a boolean value, indicating whether the key is valid or not.

From the decompiled Swift code, the following checks are applied:

• The license key is converted to uppercase

• All - characters are removed

• The key must be exactly 16 characters

• The key must contain only hexadecimal characters (0–9, A–F)

If any of these checks fail, the function immediately returns false. After passing the initial validation, the license key is split into two parts:

KEY = AAAAAAAA BBBBBBBB
       part1     part2

Each part:

• Is exactly 8 hexadecimal characters

• Is parsed as a 32-bit integer (base 16)

Before any computation:

• The name is converted to uppercase

• The UTF-8 bytes of the name are processed sequentially

This means the license key is fully name-dependent.

First Part

The first hash uses a custom rolling hash with magic constants. Initial value:

hash = 322420463

For each byte c of the uppercased name:

x = (31 * hash + c) & 0xFFFFFFFF
hash = (-2048144789 * (x ^ (x >> 16))) & 0xFFFFFFFF

After processing all characters:

hash = hash & 0x7FFFFFFF

This value is stored as:

v130

The result of the first hash is then mixed again using a Linear Congruential Generator. The algorithm iterates over the name bytes and applies:

hash = (1103515245 * (hash ^ (byte << shift)) + 12345) & 0xFFFFFFFF

This stage produces:

v96

This step is similar to the rand() implementation used in libc. Classic PRNG vibes.

Second Part

At the second stage, the application validates the key using this equation:

(part1 ^ v130) | (part2 ^ v96 ^ 0xDEADBEEF) == 0

Rearranging the equation gives:

part2 = part1 ^ v130 ^ v96 ^ 0xDEADBEEF

This shows that:

• part1 can be chosen freely

• part2 is fully determined by the name and part1

This makes the algorithm reversible and allows us to generate valid keys.

Solver

And this one is to recompute the algorithm to find the license key based on the username.

def name_hash(name: str) -> int:
    h = 322420463
    for c in name.upper().encode():
        x = (31 * h + c) & 0xFFFFFFFF
        h = (-2048144789 * (x ^ (x >> 16))) & 0xFFFFFFFF
    return h & 0x7FFFFFFF

def lcg_mix(name: str, seed: int) -> int:
    h = seed
    data = name.upper().encode()
    i = 0
    while i + 1 < len(data):
        shift = i - 3 * ((i // 3) & 0xF8)
        h = (1103515245 * (h ^ (data[i] << shift)) + 12345) & 0xFFFFFFFF
        h = (1103515245 * (h ^ (data[i + 1] << (shift + 1))) + 12345) & 0xFFFFFFFF
        i += 2
    if len(data) % 2:
        shift = i - 3 * ((i // 3) & 0xF8)
        h = (1103515245 * (h ^ (data[-1] << shift)) + 12345) & 0xFFFFFFFF
    return h

def generate_key(name: str) -> str:
    v130 = name_hash(name)
    v96 = lcg_mix(name, v130)
    part1 = v130
    part2 = part1 ^ v130 ^ v96 ^ 0xDEADBEEF
    return f"{part1:08X}{part2 & 0xFFFFFFFF:08X}"

Conclusion

The license algorithm is deterministic and fully reversible. The key is strictly bound to the user name and uses multiple hash stages with magic constants to obscure the logic. No cryptographic primitives are used, only arithmetic operations and PRNG-style mixing. This makes the challenge suitable for keygen creation once the validation logic is fully understood.