Programista on 2024-04-02 18:21:
Hello everyone.
I started playing with this crackme today and read about Control Flow Flattening to understand what it’s all about. It’s a method of obfuscating code by making a big switch (in this case, as many as 13 cases). But all I’ve tracked down is that during the execution of the program, it operates at the location of the executing program. And at the beginning, “uncrackable3.ex” appears on the stack, which reminds me very much of an executable file (probably because of the .ex ending where the ‘e’ comes to mind :D ). Could I ask for some guidance, direction, etc.?
acep on 2024-04-11 18:33:
This works only in cmd.exe. Other launchers send the full path in argv[0].
ngxdtv on 2024-04-18 16:48:
As Programista already mentioned, one can infer the following from the jumps.
debug032:00A35F47 00000012 C uncrackable3.exe
Personally, I seem to be too dumb for it, but here's an idea.
uncrackable3.exe consists of 16 characters, and the query to get to "It's not hard actually\n" is:
if (pcVar19 == (char *)0x10) {
So here 0x10 → 16 is compared with pcVar19. pcVar19 is likely "uncrackable3.exe".
I have 200 lines of explanation on my PC, but I can't figure out the solution. Unfortunately, I'm still relatively new to this field.
loc_10019CE:
add esp, 0Ch
; } // starts at 10015F7
; try {
mov byte ptr [ebp+var_4], 1
cmp esi, 10h
jnz short loc_1001A4A
Of course, one could probably just change jnz and also have a different solution, but that wouldn't be the goal.
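To make the two observations above concrete (the `cmp esi, 10h` / `pcVar19 == (char *)0x10` check and acep's note about argv[0]), here is an added illustration in C; it is not the crackme's code, and it assumes, as ngxdtv suspects, that the value compared with 0x10 is the length of argv[0], i.e. 16 = strlen("uncrackable3.exe"):

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not the crackme's own code. Assumption: the check
 * `if (pcVar19 == (char *)0x10)` / `cmp esi, 10h` compares the length of
 * argv[0] with 0x10 = 16 = strlen("uncrackable3.exe"). */
#define EXPECTED_LEN 0x10

/* Length computed the way a decompiler often renders it: walk to the NUL
 * terminator and subtract the two pointers. The result is a pointer
 * difference, which is why the decompiled compare shows "(char *)0x10". */
static size_t argv0_length(const char *s) {
    const char *p = s;
    while (*p != '\0')
        p++;
    return (size_t)(p - s);
}

/* 1 if the check passes (the branch to "It's not hard actually\n"), else 0. */
int argv0_check_passes(const char *argv0) {
    return argv0_length(argv0) == EXPECTED_LEN;
}

/* The same check applied to the file name only. This is what a
 * launcher-independent variant would have to do, because launchers other
 * than cmd.exe put the full path into argv[0]. */
int basename_check_passes(const char *argv0) {
    const char *base = argv0;
    for (const char *p = argv0; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return argv0_length(base) == EXPECTED_LEN;
}

int main(int argc, char **argv) {
    /* Constructed samples: how cmd.exe vs. other launchers fill argv[0]. */
    const char *samples[] = {
        "uncrackable3.exe",               /* typed in cmd.exe: passes */
        "C:\\crackmes\\uncrackable3.exe", /* full path: raw check fails */
        "./uncrackable3.exe",             /* relative path: raw check fails */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s raw=%d basename=%d\n", samples[i],
               argv0_check_passes(samples[i]), basename_check_passes(samples[i]));
    if (argc > 0)
        printf("this process: argv[0]=\"%s\" raw=%d\n", argv[0],
               argv0_check_passes(argv[0]));
    return 0;
}
```

Running it from cmd.exe with a bare file name of 16 characters versus from a launcher that passes a full path shows the difference in the last line.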