cnathansmith on 11:45 AM 09/13/2023: I almost had to break out the PlayStation controller to solve this one
nightxyz on 6:42 PM 09/13/2023: @cnathansmith Did you solve it? There are anti-debugs, obfuscations, self-modifying code, TLS callbacks, 2 extra threads, cryptos. After getting the registry key, I didn't find any location where it uses this information.
cnathansmith on 4:34 AM 09/14/2023: No, sorry... I actually commented on the wrong challenge of his lol.
This was meant for encrypted_box.
I'm still working on this one. Used Pin to track down where the key gets validated. It goes through a loop checking chars against 'A', 'B', 'C', or 'D', then uses the value to calculate an index (through some clever SEH abuse) it compares a byte from, to either continue the loop, break out with a specific value, or otherwise fail out through ExitProcess().
I started fuzzing the keys a char at a time and following branches that don't die. There are combos that would let you keep the loop going forever no matter the length (e.g. CACACA...) but clearly you want to cause the break condition at some point, so I need to look at what's happening after that to figure out when/how exactly.
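Added example (not code from the thread or the crackme): a toy model of the check loop described above. The real binary's table and index arithmetic are not known here, so TABLE below is constructed; the explorer extends keys one char at a time, keeps only branches that don't die, and flags prefixes that would spin the loop forever.

```python
from collections import deque

ALPHABET = "ABCD"
CONTINUE, BREAK, FAIL = 0, 1, 2

# Constructed transition table, hypothetical values: (index, char) -> (outcome, next_index).
# Anything missing is treated as the ExitProcess() path.
TABLE = {
    (0, "A"): (CONTINUE, 2),
    (0, "C"): (CONTINUE, 1),   # C at 0 -> 1, A at 1 -> 0: "CACACA..." loops forever
    (1, "A"): (CONTINUE, 0),
    (2, "B"): (CONTINUE, 3),
    (3, "D"): (BREAK, 3),      # the one path that breaks out cleanly
}

def step(index, ch):
    """One loop iteration: look up the byte for this (index, char) pair."""
    return TABLE.get((index, ch), (FAIL, None))

def check_key(key):
    """Run a whole key through the model; True only if the loop hits BREAK."""
    idx = 0
    for ch in key:
        if ch not in ALPHABET:
            return False
        outcome, idx = step(idx, ch)
        if outcome == FAIL:
            return False
        if outcome == BREAK:
            return True
    return False  # input ran out while still looping: no break reached

def explore(max_len=8):
    """Breadth-first extension of key prefixes, dropping any branch that dies.
    Returns (keys that reach BREAK, prefixes that revisit an index and so
    could keep the loop alive indefinitely)."""
    breaking, cycling = [], []
    queue = deque([("", 0, (0,))])  # (prefix, current index, indices seen so far)
    while queue:
        prefix, idx, seen = queue.popleft()
        if len(prefix) >= max_len:
            continue
        for ch in ALPHABET:
            outcome, nxt = step(idx, ch)
            if outcome == FAIL:
                continue
            key = prefix + ch
            if outcome == BREAK:
                breaking.append(key)
            elif nxt in seen:
                cycling.append(key)  # never fails, never breaks: the CACACA case
            else:
                queue.append((key, nxt, seen + (nxt,)))
    return breaking, cycling
```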
cnathansmith on 4:44 AM 09/14/2023: When you instrument with Pin, you still need to hook ZwQueryInformationProcess to hide the debugger checks involving it, but it otherwise flies under the radar
If you hook CryptEncrypt and log the data it affects after, you can patch the exe with the code segments up to whatever point your key causes an exit. (Be mindful it generally gets called on each location twice, once to decrypt then again to re-encrypt.)
Good luck with it. I might not have a chance to work on it for a while.
cnathansmith on 4:47 AM 09/14/2023: It makes static analysis easier. Just note that there's IAT hooking (e.g. Sleep() really points to ExitProcess()).
Be careful not to get confused by trusting call names in the static disassembly. That's presumably the "illusion" aspect of the challenge.
cnathansmith on 4:52 AM 09/14/2023: 401ffa movzx eax, byte ptr [eax+0x53d040]
*** key_buf read by 401ffa from 53d040
nightxyz on 7:55 AM 09/14/2023: @cnathansmith Thank you for taking the time to share your findings.