<p>probably the single most &quot;i am about to give up&quot; moment was me concluding that i need to do a first preimage attack on a cryptographic function with nontrivial diffusion properties (flipping one bit anywhere changes basically the entire 16 byte output), i went to study and found out that basically no serious hash function has ever had a practical first preimage attack executed on it</p>

<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@ed_blackburn" class="u-url mention">@<span>ed_blackburn</span></a></span> heh, you&#39;re welcome ^^</p>

<p>if you want a really good crackme try <a href="https://crackmes.one/crackme/67f9bdc38f555589f3530a85" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">crackmes.one/crackme/67f9bdc38</span><span class="invisible">f555589f3530a85</span></a></p>

<p>im also pleased to report that lifting the VM code to Amaranth and using SMTBMC went better than using angr or KLEE. i&#39;m inexperienced with the latter two but someone else also tried it and didn&#39;t get far</p><p>yay for hardware tools?</p>

<p>i was emotionally obliterated when i thought that i&#39;m insufficiently good at cryptanalyzing this scrambling function (with my approach being an SMT solver but it never terminating), i looked up how they broke MD4, and it was &quot;hook it up to an SMT solver&quot;</p><p>well, it turns out that works if you implement the ISA right</p>

<p>i spent two out of three days chasing down a single bit (i thought the comparison operation has &quot;equal&quot;, &quot;not equal&quot;, and &quot;less than&quot; flags, but it has &quot;equal&quot;, &quot;not equal and not less than&quot;, and &quot;less than&quot; flags). since the input to the scrambling function is 128-bit, every time i would feed the execution trace into the SMT solver it would attempt to enumerate every 128-bit integer to prove me wrong, which doesn&#39;t work</p>

<p>finally solved a crackme that was rated &quot;medium&quot; by, i think, its author, by extracting a cryptographic algorithm from an embedded virtual machine i had to reverse-engineer the ISA spec for, reimplementing it in Amaranth and then feeding it into yosys-smtbmc to invert the fairly complex scrambling function with XOR diffusion, various permutations, etc</p><p>im terrified to consider what would be rated &quot;hard&quot;</p>

<p><span class="h-card" translate="no"><a href="https://graffitiwall.net/@___" class="u-url mention">@<span>___</span></a></span> yes. It has lots of coconuts. Other bibingkas are like bread.</p>

<p>Array indices start at 0 in C, but start at 32 in F.</p>