GecisKodu.exe is a "Crack Me" challenge written in Turkish. Unlike the malware samples typically analyzed, this file is a benign puzzle designed to help researchers practice reverse engineering and software cracking techniques.
Filename: GecisKodu.exe
MD5: a97be81ad69ea8656da07042b82a7339
Sample Status: Private / Not Available
Analysis Details
The goal of this program is simple: find the correct registration key to "unlock" the software. In the security community, these programs are essentially Capture The Flag (CTF) exercises for binary analysis.
- Incorrect Input: "Yavas ol, once dusun sonra hareket et !!!" (Translation: Be slow, think first, then move!!!)
- Correct Input: "Tebrikler, dogru kodu girdiniz yolunuz acik olsun ..." (Translation: Congratulations, you entered the correct code, may your path be clear...)
After reverse engineering the validation logic, the puzzle is solved using the following key:
Key: Fl4g_HSVI_1126
Detection & YARA
Because this file is benign, standard antivirus detection is generally unnecessary. However, if your environment policies flag cracking-related tools as "Potentially Unwanted Programs" (PUP), you can use the following YARA rule to identify the binary based on its success string:
rule GecisKodu {
    strings:
        // Hex representation of the Turkish success message
        $str1 = { 54 65 62 72 69 6B 6C 65 72 2C 20 64 6F 67 72 75 20 6B 6F 64 75 20 67 69 72 64 69 6E 69 7A 20 79 6F 6C 75 6E 75 7A 20 61 63 69 6B 20 6F 6C 73 75 6E 20 2E 2E 2E }
    condition:
        all of them
}
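The rule above matches the success string anywhere in any file, and only in its ASCII form. The following added example (not part of the original write-up) emulates that condition in Python next to a stricter variant and runs both over constructed byte buffers; the PE-header check and the UTF-16LE ("wide") match are assumed tightenings, and fake_pe and the sample names are hypothetical.

```python
# Added example: emulates the page's YARA condition and a stricter variant.
SUCCESS_HEX = (
    "54 65 62 72 69 6B 6C 65 72 2C 20 64 6F 67 72 75 20 6B 6F 64 75 20 "
    "67 69 72 64 69 6E 69 7A 20 79 6F 6C 75 6E 75 7A 20 61 63 69 6B 20 "
    "6F 6C 73 75 6E 20 2E 2E 2E"
)
SUCCESS = bytes.fromhex(SUCCESS_HEX)  # hex string copied from the rule's $str1


def original_rule(data: bytes) -> bool:
    """What the page's rule checks: the ASCII success string anywhere in the file."""
    return SUCCESS in data


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and e_lfanew (0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def strict_rule(data: bytes) -> bool:
    """Assumed tightening: file must be a PE; string may be ASCII or UTF-16LE."""
    wide = SUCCESS.decode("ascii").encode("utf-16-le")
    return is_pe(data) and (SUCCESS in data or wide in data)


def fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for an executable: DOS header, PE signature, payload."""
    dos = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
    return dos + b"PE\0\0" + b"\0" * 20 + payload


# Constructed samples (none of them is the real GecisKodu.exe).
SAMPLES = {
    "pe_ascii": fake_pe(b"\0" + SUCCESS + b"\0"),
    "pe_wide": fake_pe(SUCCESS.decode("ascii").encode("utf-16-le")),
    "text_note": b"writeup quoting the message: " + SUCCESS,
}


def verdicts() -> dict:
    """Map each sample name to (original rule result, strict rule result)."""
    return {name: (original_rule(d), strict_rule(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, strict) in verdicts().items():
        print(f"{name:10} original={orig} strict={strict}")
```

The text_note sample shows that the original condition also fires on a saved write-up that merely quotes the message, while pe_wide shows it missing a build that stores the same string as UTF-16.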
Conclusion
While GecisKodu.exe is technically associated with software cracking, it poses zero security risk to a host system. It serves as an excellent entry-level sample for anyone looking to learn how hardcoded string comparisons work in assembly.
Happy hunting.
