alexisreen0 on 2:20 PM 03/31/2023: it's hard, sprinkle some hints please
expl0itr on 10:59 AM 04/02/2023: Sure, @alexisreen0. The binary is statically linked with stripped symbols. Hence, it would make sense to identify some libc functions first (printf, puts, strcmp etc.) using signatures, for example, and work backwards from there. As for the anti-debugging measures: There is a separate thread checking whether a debugger is attached. Try to prevent this thread from being started. You should rely on dynamic analysis as much as possible because of the stripped symbols and anti-disassembly measures.
dev0 on 5:12 PM 10/14/2024: @expl0itr This is gold! It took a while to figure out the strcmp but I think it finds the optimal function to replace the thunk with based on processor and features. Static linking makes things a bit different and that took me a bit to untangle. I love the thread that checks for debugging. Question though, does the shell get spawned on INT3 after the syscall or on a debugger trapping?
expl0itr on 7:53 PM 11/05/2024: Thank you so much for the feedback, @dev0! Regarding your question, after the ptrace check, the code executes shellcodec, a function pointer to shellcode. This shellcode includes an INT3 instruction, which could cause the shell to spawn under specific debugging traps if the debugger interrupts on INT3. Check the source code for details: https://github.com/juliangrtz/crackmes/blob/main/sew3rr4t/crackme.c#L180
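For readers trying to recognise the watchdog thread described in the hints above, here is an added illustration of the kind of check such a thread performs; it is not the crackme's code (the real implementation is in the linked crackme.c) and it uses the procfs TracerPid field rather than the ptrace() call the thread mentions. The sample status texts, the function names and the 4242 tracer pid are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of the text of /proc/self/status.
 * Returns the tracing process's pid, 0 when nothing is attached, and -1
 * when the field is absent (for example when not running on Linux procfs). */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = status_text;

    while ((p = strstr(p, key)) != NULL) {
        /* Only accept the key at the start of a line. */
        if (p == status_text || p[-1] == '\n') {
            p += strlen(key);
            while (*p == ' ' || *p == '\t')
                p++;
            return strtol(p, NULL, 10);
        }
        p += strlen(key);
    }
    return -1;
}

/* One iteration of the watchdog: read our own status file and report whether
 * a tracer is attached. A crackme would run this in a loop on a separate
 * thread, which is why the hint suggests stopping that thread from starting. */
long debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;                      /* no procfs: cannot tell */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    long pid = tracer_pid_from_status(buf);
    return pid > 0 ? pid : 0;           /* -1 (missing) collapses to "not attached" */
}

/* Constructed sample status texts, not captured from the crackme. */
static const char SAMPLE_CLEAN[] =
    "Name:\tcrackme\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\n";
static const char SAMPLE_TRACED[] =
    "Name:\tcrackme\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";

int main(void)
{
    printf("sample clean  -> tracer pid %ld\n", tracer_pid_from_status(SAMPLE_CLEAN));
    printf("sample traced -> tracer pid %ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    printf("this process  -> tracer pid %ld\n", debugger_attached());
    return 0;
}
```

When analysing a binary dynamically, a thread that repeatedly opens /proc/self/status (or calls ptrace on itself) is a strong signal that you have found the watchdog; once the check is isolated in one routine like this, it is easy to see why the hint recommends preventing the thread from being created rather than patching every call site.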