Brainfuck... The language of champions (and those who just have way too much time on their hands). As the NFO for this crackme states, brainfuck has just 8 simple operators. These operators are:


   +   increase current variable
   -   decrease current variable
   >   move to next variable
   <   move to previous variable
   ,   read a character of input
   .   output a character
   [   start of a loop, which skips to the end of the loop if the current
         variable is zero
   ]   end of a loop, which goes back to the start of the loop for a (possible)
         next iteration

But Kwazy was nice and gave us one additional function... the # debug operator. This operator can be placed strategically to let us know what things are doing.

Lets look at some of the 'common patterns' used in the crackme.

[-] sets variable to 0
[<] seek beginning of text
[>] seek end of text.

also, the neat thing about [], is they can be used as if statements. If the current variable is 0, then it will skip the entire bracket!

So, to give an example:

when we get text input, assuming we already calculated its length, we could do this to determine if the length is greater then say... 3 by doing:


[-[-[-[<[-]+>]]]]


to break this down, I go back to my previous statement... if a var is 0 when it hits a [, it will skip everything until it meets the matching ], so essentially, unless the number in the current var is greater then three, in this case, it will not execute the last statement (<[-]+>), which sets var-1 to 1.

Now enough about how BrainFuck works, lets see it in action.


Upon first look, the crackme looks like nonsense, just a bunch of digits, and codes scrawled down in notepad, but lets look at the start:
++++++++++++++++
[>++>+++>++++>++++++<<<<-]

this first set of instructions sets up an array of numbers. Basically lookup codes, so you can print out characters easier on the screen. If you add a # after this, it will print the following to the screen:

Debug information:
------------------

variable[0]*     = ' ' (0x0)
variable[1]      = ' ' (0x20)
variable[2]      = '0' (0x30)
variable[3]      = '@' (0x40)
variable[4]      = '`' (0x60)
------------------

Since brainfuck only allows increments of 1 number at a time, this makes it a LOT easier to print data to the screen... An example for this would be... to type out this:

Hi.

You'd have to do this in BrainFuck:
[-] zero out var
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++. print H
+++++++++++++++++++++++++++++++++. print i
-----------------------------------------------------------. print period
[-] reset var to zero again

With this array, this is much simpler and looks more like:
>>>++++++++. print H
   -------- reset lookup
>+++++++++. print i
 --------- reset lookup
<<--. print period
  ++  reset lookup
[<] seek back to var0 again

so compare... which would you rather type out by hand?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++.-----------------------------------------------------------.
or...
>>>++++++++.-------->+++++++++.---------<<--.++[<]

using the lookup table not only saves space, but also a LOT of typing.

So onward and upward we go!

The next statement:
++++++++++.>>>++++++.>+++++++++++++++++++++.------------------.++++++++.------<+++++++.-->.---<<<.>>>.+++++++++++++++++++++++.------------------------<<<.>>.++++++++++++.<<.>>++++.---------.-------------.+++++++++++++++.+++++++++.---------------<<<..---------->>>.-------------->.++++++++++++.--------.-----<<++++++++++.----------<.>>>>>

simply displays the text to the screen, nothing fancy, just says:

FuckMe by KW [RET]

Name:

So lets move on... of course when the program runs, we know what comes after the "Name: "... it asks you to input something! the operator in brainfuck to do an input is the comma, so in our next 'phrase' we see:
+[>,>[-]>[-]<<[->+>+<<]>>[-<<+>>]<[----------<---------->[[<]>+[>]<<++++++++++>[-]]]<]<<

the comma! Now this complex mumbo jumbo, if we break it down, really all it does, is makes a char array of your inputted text like so:

if I input "Tigerheart", then the array looks like:
0x0B,"Tigerheart",0

the 0x0B being the length of my name (plus one). This length will be used later as we will see.

now since the result from that input gave us one more then we wanted... we need to subtract one from it so we:
[<]> seek to the next 0 var (one before our array) and go to the length offset OF the array
-    and subtract one from it.

so our new name is now:
0x0A,"Tigerheart",0

now we come to a really interesting pattern!
<[-]>[-[-[-[-[-[<[-]+>[-]]]]]]]<

going back to my examples ;) I showed you what an if statement may look like, and here it is in its glory!

if you count the [-'s you will see we're checking if the length is greater then 5. If not, then our current var is going to be set to 0 after the loop, so the rest of the program will be skipped, save for that nasty 'Please enter more then blah blah characters' error message at the end.

now that we have a rhythm going here I'm going to skip just a bit down and show you where the real magic takes place!

>>[<[-]>[[-<+>[-<+>[-<+>[-<+>[-<+>[-<+>[-<+>[-<+>[-<+>[-<+>[<[-]]]]]]]]]]]]>]<[-]]<[<]

this is one nasty looking line, but it's very similar in construction to an if statement. Essentially what this is doing is subtracting 10 from the serial until you cannot subtract ten any longer. What does this sound like? any operators you can think of? No? let me give an example..

if you ran the number 52 through this... it would give you 2 as a result. Yep you guessed it, its the modulus operator. This is essentially doing a mod 10 to every one of the entered letters in your name.

So our serial algorythm so far looks like:

nameChar[x] = nameChar[x] % 10;

now lets move on.

after doing another input, we get to this set of code:
<[<]>>[----------------------------------------------->]<<[<]>

what does this do? well... lets count the -'s... to save you trouble, there are a total of 47 of them, or 0x2F in hex. So to read this whole pattern, here is its counterpart in pseudocode:

serialChar[x] = serialChar - 0x2f

finally we come to the almighty comparison of these inputted strings:
[-]<<[>>>[<<<->>>-]<<<[>[-]+<[-]]>[-<+>]>>>[[-<<+>>]>]<<<[<]<<]>>>[<<[-]+>>[-]]<<[-<+>]>[-<+>]<[-]

Decyphering of this is best left as an excersize to the reader, but suffice it to say that this about what its high level counterpart would look like:

GoodSerialFlag = 0;
for(x=1;x<len(nameChar);x++){
	if(nameChar[x]==serialChar[len(serialChar)-x]){
		GoodSerialFlag = 1;
	}else{
		GoodSerialFlag = 0;
	}
}

What this means, is our final serial algo can be summed up as:

for(x=1;x<len(nameChar);x++){
	serialChar[len(nameChar)-x] = (nameChar[x] % 10) + 2F;
}

to break this down a bit, into words, it is taking each letter and running it through this algo:

serialChar = (nameChar % 10) + 0x2F

and then reversing the entire serialChar array for the correct serial.

To see what this nasty file looks like commented, please see the attached "FM-Commented.BF" file which has been neatly spaced out and commented for your perusal :).
I have also attached a keygen for this as well, in "FM-Solved.BF".

Thanks for this great idea for a crackme kw! I love new challenges. Keep up the good work!

~TigerHeart~