#let post_slug = "crackmes-the-matrix"
#let post_preview_image = "cover.png"
#let post_summary = "Reverse engineering out of the matrix!"
#let post_date = "2026-02-15"


= Crackmes.one The Matrix solution
This crackme has four parts, increasing in difficulty. I'll solve by analyzing the disassembly displayed as a graph in binary ninja.

== Part 1
#image("/static/posts/crackmes-the-matrix/assets/image.png")
Notice part one has the strings immediately visible on lines `40121b` and `401236`. First username and password are requested, then the strings `admin` and `password` are requested, presumably for comparison. These credentials pass part one.

== Part 2
#image("/static/posts/crackmes-the-matrix/assets/image-3.png")
Part two iterates through ten characters of input, accumulating their ascii values into `rbx`. Then to pass line `4012e7`, `rbx == 0x46d (1133)` must be true. The ascii values of `q` and `t` are `113` and `116` respectively. Nine `q`'s and a `t` have the ascii sum `1133`, therefore `qqqqqqqqqt` is a solution for part 2.

== Part 3
#image("/static/posts/crackmes-the-matrix/assets/image-4.png")
Part three iterates through the third password given again. The goal is to pass line `4013c1`, `r13==0x3d8 (984)`.

Notice again this part iterates through 10 characters of input. In this loop the i'th character of password2 and password3 are summed, shifted right three, then multiplied by 4. The final value is accumulated into `r13`.

Here's the math on how I found a password that reached 984:

`a=password2=qqqqqqqqqt`\
`b=password3=?`\
`∑4((a[i] + b[i]) >> 3) == 984`\
`∑((a[i] + b[i]) >> 3) == 246`\
`9((113 + b1) >> 3) + ((116 + b2) >> 3) == 246`\
\# Note `b1, b2 ∈ [32, 126] = usable ascii characters`\
\# Since the sum of 10 characters is 246, a good b1 value will cause the character function to return 25.\
`(113 + b1) >> 3 = 25`\
`113 + b1 = 200`\
`b1 = 87 = "W"`\
\# Sub b1 back into the whole equation\
`9((113 + 87) >> 3) + ((116 + b2) >> 3) = 246`\
`9(200 >> 3) + ((116 + b2) >> 3) = 246`\
`9(25) + ((116 + b2) >> 3) = 246`\
`225 + ((116 + b2) >> 3) = 246`\
`(116 + b2) >> 3 = 21`\
`116 + b2 = 168`\
`b2 = 52 = "4"`\

Therefore a solution for password3 is `WWWWWWWWW4`


== Part 4
#image("/static/posts/crackmes-the-matrix/assets/image-6.png")
To pass part four, `r15 == 3` must be true. There are three new password requests, each one capable of incrementing `r15`, so each must be triggered.

In each loop, the program reads a number `x`, then checks that\
`x^3 - 6063x^2 + 12253322x == 8254653240`.

If so, `r15` is incremented.


Do a binary search for a working input:
```py
def f(x):
    return (x**3) + (-6063 * x**2) + (x * 12253322) - 8254653240

M = 1e100
m = -1e100
while True:
    x = int((M + m) / 2)
    y = f(x)
    if y < 0:
        m = x
    elif y > 0:
        M = x
    else:
        print(x)
        break
```
`2021`

And enter this the three times its asked.

```
$ ./thematrix 
 _    _      _                            _____  
| |  | |    | |                          |_   _| 
| |  | | ___| | ___ ___  _ __ ___   ___    | | ___ 
| |/\| |/ _ \ |/ __/ _ \| '_ ` _ \ / _ \   | |/ _ \  
\  /\  /  __/ | (_| (_) | | | | | |  __/   | | (_) | 
 \/  \/ \___|_|\___\___/|_| |_| |_|\___|   \_/\___/  

 _____ _           ___  ___      _        _
|_   _| |          |  \/  |     | |      (_)
  | | | |__   ___  | .  . | __ _| |_ _ __ ___  __
  | | | '_ \ / _ \ | |\/| |/ _` | __| '__| \ \/ /
  | | | | | |  __/ | |  | | (_| | |_| |  | |>  <
  \_/ |_| |_|\___| \_|  |_/\__,_|\__|_|  |_/_/\_\

Sometimes going down the rabbit hole is the only path to the truth

_____________{The Enterance}___________

"Always check the door first!"

Username: admin
Password: password
Correct credentials
_____________{The Opening}___________

RCdgJUBwb0o2fGtXMjd4d0FRPz49cE1ubko3WkdpZ0NDQS8/YT5PXykocnFwdXRtbDJwaWhtbGtqaWhnYCZHXWJhWll9QD9bVFN3UVB0VE1McEpPSGxMLkpJSEdAZEQmQkE6OThcfTU6MzgxVS8uMyxQcSkuJyYlJEgoJyYlJGQieT99X3U7eXh3dm81bXJxamluZ2YsZGNoZ2ZlXl0jW2BZWF1WenlTUlFQVU5yTFFKbk4wL0VEQ2dHRihEQ0JBQDldPTZ8OjNXeDYvLjMsUCopTScsJSQpIkYmZmUjekB+d191dHl4cTdvV3NycXBpL21sa2QqaGdgZV5dI2FaWV5dXFV5WVhXUE9zU1JRSm4xMEZLRGgrQUZFREM8O18/IT08OzozV3gwNS4tLCtPKU1ubSsqKSInfkQx

"Decode the mysteries of nature!"

Input the key: qqqqqqqqqt
Correct key
_____________{The Middlegame}___________

"All roads lead to rome!"

Input a valid key: WWWWWWWWW4
Correct key
_____________{The Endgame}___________

2021
2021
2021
Congradulations, you managed to beat the Matrix!
```


= Notes
With the math figured out a keygen would be possible. The author likely had different, more meaningful keys that meant something, opposed to my keys that just fit the shape of the lock. Maybe it's useful for the string of random text in the opening, I don't know if that actually means anything.


Author: 
ThePhilosopher\
Challenge Link: https://crackmes.one/crackme/617ec2cb33c5d4329c345422\
Description:\
Can you beat The Matrix ?!