Let's Dance: analyzing stoopid's dance crackme
(12/17/2025)
Note: these are just my markdown notes, but a bit cleaned up. The original sample link is there too! Feel free to check out the original notes here!
This crackme is a 64-bit ELF Linux binary. It's not all too hard to figure out (this took like 3 days). I never actually ended up solving it, but rather got a fairly solid idea of its functionality. What you (and I) would label me is a total noob and lazy bum, and I fully agree.
Regardless, I had lots of fun with this crackme; I got some help from THE Josh Reynolds in the Invoke RE Discord with fixing up some broken syscall logic. A friend of mine later swooped in to assist with cleaning up the disassembly. Overall, I am very happy with the end result.
The complete markdown note for my analysis can be found here, containing a LOT more dialogue from what I'll be going over here.
With all that being said, I will quickly summarize the functionality of this program!
The program takes a string flag as input and exits if no flag is read. It then forks itself. If the fork succeeds, a new file descriptor is created, and shellcode that is decrypted at runtime is written into it.
Once the shellcode is written, dlopen and dlsym are used to open the file descriptor (fd) as a shared object, so the decrypted code can be run. The flag we give is either an address relative to the code in the fd OR a function name that is looked up with dlsym and invoked. Either way, the point is that the analyst is supposed to decrypt (or simply debug) the contents written to the fd and find the right function to call.
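From the defender's side, the interesting trace of this loader is a shared object that exists only behind a file descriptor. The following is an added example of mine (not code from the write-up or the crackme) that parses `/proc/<pid>/maps` and flags executable regions backed by an anonymous in-memory file. It assumes, which the post does not state, that the "new file descriptor" is something like a `memfd_create(2)` file, which the kernel renders in maps as `/memfd:<name> (deleted)`; the sample maps content is constructed, and `scan_pid` is my own helper for checking a live process.

```python
"""Flag executable mappings backed by an anonymous in-memory file.

Added example, not from the original write-up or the crackme.
Assumption (mine): the fd receiving the decrypted code is a memfd_create(2)
file, which /proc/<pid>/maps shows as "/memfd:<name> (deleted)".
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def anonymous_file(self) -> bool:
        # memfd_create names are rendered as "/memfd:<name> (deleted)"
        return self.path.startswith("/memfd:")


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps-format lines; blank or malformed lines are skipped."""
    out = []
    for line in lines:
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def suspicious_mappings(maps: Iterable[Mapping]) -> List[Mapping]:
    """Executable regions whose backing file is an anonymous memfd."""
    return [m for m in maps if m.executable and m.anonymous_file]


def scan_pid(pid: int) -> List[Mapping]:
    """Live check against /proc; returns [] if unreadable or not Linux."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return suspicious_mappings(parse_maps(fh))
    except OSError:
        return []


# Constructed sample (not captured from the real binary): a process that has
# dlopen()ed a memfd alongside its own on-disk image and stack.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a01000 r--p 00000000 fd:01 1234 /home/user/dance
55d0c2a01000-55d0c2a02000 r-xp 00001000 fd:01 1234 /home/user/dance
7f1c3c000000-7f1c3c001000 r--p 00000000 00:01 4321 /memfd:dance (deleted)
7f1c3c001000-7f1c3c003000 r-xp 00001000 00:01 4321 /memfd:dance (deleted)
7f1c3c003000-7f1c3c004000 rw-p 00003000 00:01 4321 /memfd:dance (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""


def demo():
    """Return (start, perms, path) for each flagged region in the sample."""
    hits = suspicious_mappings(parse_maps(SAMPLE_MAPS.splitlines()))
    return [(hex(m.start), m.perms, m.path) for m in hits]


if __name__ == "__main__":
    for h in demo():
        print("executable memfd mapping:", *h)
    # Sweep live processes when running on Linux with /proc available.
    if os.path.isdir("/proc"):
        for pid in (p for p in os.listdir("/proc") if p.isdigit()):
            for m in scan_pid(int(pid)):
                print(f"pid {pid}: {hex(m.start)} {m.perms} {m.path}")
```

Only the `r-xp` memfd region is reported; the read-only and writable pages of the same object are ordinary for a loaded shared library, and the on-disk `dance` image is expected. A legitimate use of memfd (some runtimes and sandboxes use it) will also trip this, so treat a hit as a lead to inspect, not a verdict.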
That is my analysis of this crackme. I didn't check any sort of writeups to verify my solution (if mine is wrong, then DM me on Discord, or through some other contact method).
Thanks for reading, and have a good rest of your day!