potichek on 12:34 PM 05/11/2024: I would like to know what exactly counts as a victory. Maybe an empty string or "Uh oh....\n"?
sporta778 on 10:05 AM 05/14/2024: I do not know, but this crackme definitely does not like debuggers...
DeReverser on 7:27 PM 05/15/2024: I think the pass is UAWAVAUATVWSH, but typing a wrong pass or the correct one closes the program.
It doesn't like debuggers.
nnxstnt on 1:48 AM 05/17/2024: The main challenge is the anti-debugging stuff. The winning string will clearly tell you that you got it right. The password, as stated in the description, is in {}. Due to the nature of the algorithm, it cannot pause after outputting whether you succeeded or not, so you should start it from a console, or discover how it even prints. The "Uh oh" string is triggered by an internal error caused by an internal race condition; however, during my tests on a couple of machines it occurred very rarely :D
sporta778 on 4:24 PM 05/17/2024: this is the address of a function ;))
sporta778 on 4:24 PM 05/17/2024: UAWAVAUA
sporta778 on 4:28 PM 05/17/2024: sorry, the beginning code of a function...
sporta778 on 8:34 PM 05/17/2024: it has some VEH, and also I have seen gs:[30]. I learned about the PEB, but what this is I do not know; some articles to learn from are needed here....
sporta778 on 10:09 PM 05/17/2024: gs:[60] can be read about in articles, but what is gs:[30]?
sporta778 on 2:11 PM 05/18/2024: test dword ptr ds:[r13+BC],800000 what is it?
r13 = gs:[60]; in an article it is written (pNtGlobalFlag & 0x70) (peb+0xbc) for detecting a debugger.
sporta778 on 2:20 PM 05/18/2024: mov eax,dword ptr ds:[r13+50] and again r13 = gs:[60], checking
the second bit. Some specific knowledge is needed here.
sporta778 on 2:27 PM 05/18/2024: ehh, sorry, I am confused; this is in a system DLL
nnxstnt on 4:39 PM 05/18/2024: As a hint on that topic, you can read about how GetModuleHandle and GetProcAddress are used and what for. Also you can check out their custom implementation; this will shed some light on the PEB stuff.
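The gs:[30] / gs:[60] question and the [r13+BC] and [r13+50] checks discussed above, worked through as an added example that is not part of this thread or of the crackme: on x64 Windows the gs segment base is the TEB, TEB+0x30 holds the TEB's own address (NtTib.Self) and TEB+0x60 holds the PEB pointer. In the PEB, +0x02 is BeingDebugged, +0xBC is NtGlobalFlag (the three heap-debug bits that sum to 0x70 are set when the process is created by a debugger), and +0x50 is CrossProcessFlags, whose 0x4 bit ntdll sets once a vectored exception handler is registered. The checks below run against constructed PEB images (labelled as such) so the file compiles anywhere; the live gs reads are compiled only on x64 Windows. The function names peb_debug_flags, eval_fake_peb, current_teb and current_peb are my own, and the offsets are from the public PEB/TEB layout, which you should confirm with "dt nt!_PEB" / "dt nt!_TEB" for your build.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x64 TEB/PEB offsets (assumed from the public Windows layout; verify with dt nt!_PEB). */
#define TEB_SELF_OFFSET      0x30  /* gs:[0x30] = TEB.NtTib.Self, the TEB's own address   */
#define TEB_PEB_OFFSET       0x60  /* gs:[0x60] = TEB.ProcessEnvironmentBlock             */
#define PEB_BEING_DEBUGGED   0x02  /* BYTE, what IsDebuggerPresent() reads                 */
#define PEB_CROSS_PROCESS    0x50  /* ULONG CrossProcessFlags                              */
#define PEB_NTGLOBALFLAG     0xBC  /* ULONG NtGlobalFlag                                   */

#define CPF_PROCESS_USING_VEH        0x4   /* set by ntdll when a VEH is registered */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define NTGLOBALFLAG_DEBUG_HEAP \
    (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS) /* 0x70 */

enum {
    HIT_BEING_DEBUGGED = 0x1,
    HIT_NTGLOBALFLAG   = 0x2,
    HIT_USING_VEH      = 0x4
};

/* Unaligned-safe 32-bit read, the same width as "dword ptr" in the disassembly. */
static uint32_t read_u32(const unsigned char *base, size_t off) {
    uint32_t v;
    memcpy(&v, base + off, sizeof v);
    return v;
}

/* Evaluate the PEB-based checks seen in the thread against a PEB image and
 * return a bitmask of which ones fired. */
unsigned peb_debug_flags(const unsigned char *peb) {
    unsigned hits = 0;
    if (peb[PEB_BEING_DEBUGGED])                                   /* cmp byte ptr [peb+2], 0 */
        hits |= HIT_BEING_DEBUGGED;
    if (read_u32(peb, PEB_NTGLOBALFLAG) & NTGLOBALFLAG_DEBUG_HEAP) /* test dword ptr [peb+0xBC], 0x70 */
        hits |= HIT_NTGLOBALFLAG;
    if (read_u32(peb, PEB_CROSS_PROCESS) & CPF_PROCESS_USING_VEH)  /* mov eax,[peb+0x50]; test eax, 4 */
        hits |= HIT_USING_VEH;
    return hits;
}

#if defined(_WIN32) && defined(_M_X64)
#include <intrin.h>
/* Live reads: exactly the gs:[0x30] and gs:[0x60] loads the crackme performs. */
const unsigned char *current_teb(void) { return (const unsigned char *)__readgsqword(TEB_SELF_OFFSET); }
const unsigned char *current_peb(void) { return (const unsigned char *)__readgsqword(TEB_PEB_OFFSET); }
#endif

/* Constructed PEB image (not a real process) so the checks can be exercised offline. */
#define FAKE_PEB_SIZE 0x100
unsigned eval_fake_peb(int being_debugged, uint32_t ntglobalflag, uint32_t cross_process_flags) {
    unsigned char peb[FAKE_PEB_SIZE];
    memset(peb, 0, sizeof peb);
    peb[PEB_BEING_DEBUGGED] = (unsigned char)being_debugged;
    memcpy(peb + PEB_NTGLOBALFLAG, &ntglobalflag, sizeof ntglobalflag);
    memcpy(peb + PEB_CROSS_PROCESS, &cross_process_flags, sizeof cross_process_flags);
    return peb_debug_flags(peb);
}

int main(void) {
    printf("clean process:            hits=0x%x\n", eval_fake_peb(0, 0x0, 0x0));
    printf("created under a debugger: hits=0x%x\n", eval_fake_peb(1, 0x70, 0x0));
    printf("VEH registered, no dbg:   hits=0x%x\n", eval_fake_peb(0, 0x0, CPF_PROCESS_USING_VEH));
#if defined(_WIN32) && defined(_M_X64)
    printf("this process:             hits=0x%x\n", peb_debug_flags(current_peb()));
#endif
    return 0;
}
```

Two caveats when reading such checks in a target: the 0x70 heap bits land in NtGlobalFlag only when the debugger creates the process (attaching later leaves them clear), and they can also be switched on with gflags or an Image File Execution Options entry with no debugger at all, so that check has both false negatives and false positives; BeingDebugged is a single byte that anti-anti-debug plugins clear, which is why a crackme typically combines several of these reads rather than relying on one.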
sporta778 on 7:26 PM 05/21/2024: I'll think about it. An intellectual person is needed here ;)
A strange thing: when I set a breakpoint on AddVectoredExceptionHandler and restart the crackme, the application just flashes at the EntryPoint and terminates. And there is also some TLS code present, but this does not seem to be according to the things written in articles...
sporta778 on 12:26 PM 09/26/2024: Hehe, I found the password, more precisely the place where the comparison with the password occurs, but now this crackme works under a debugger... What is going on? I remember this application freezes under a debugger, strange.... Maybe I do not understand something. BTW, I found the method of printing to the console ;)
nnxstnt on 3:48 PM 09/28/2024: Nice! I am sorry though, this crackme has a nasty race condition which triggers sometimes. I've fixed it and uploaded the fixed version with a bunch more tricks; however, it has not yet been approved.
nnxstnt on 3:49 PM 09/28/2024: You can DM me on Discord if you want any more info: 0xdog
sporta778 on 6:54 PM 09/29/2024: I wrote a solution; its state is waiting for approval. We'll see whether it gets approved or not.