nightxyz on 2025-04-18 18:49:
[Click to reveal]Password : thisisverysecret
In x64dbg, a few lines later, letters are shown vertically. So, your obfuscators doesn't work very well.
kwenma on 2025-04-18 19:28:
nightxyz yes i noticed that, i already fixed it releasing a newer version when i feel like its good enough to release
DozorRage on 2025-04-19 13:45:
[Click to reveal]thisisverysecret
Dokaepi on 2025-04-19 22:13:
I'm new and all but how to get the zip password
Elvis on 2025-04-20 02:02:
@Dokaepi: zip password is "crackmes.one"
811 on 2025-04-21 07:56:
[Click to reveal]thisisverysecret
I thought it would be something like malware packed and launched in memory, but it's just string obfuscator. You should've manually resolved imports through IAT or EAT for the functions which are used to find the presense of a debugger and it should've been in some form of a thread creation, combined it would be harder to reverse this.
I didn't quite get the custom Crypto algorithm, I don't even know what is it, AES maybe ? I saw two buffers get filled up on each iteration of call to a GPR and one where a wordlist was getting constructed. It's very annoying because there are many iterations before it gets constructed and some strings decrypted but I haven't found the buffer where the password was getting filled (it appears later in two of the registers, manually constructing byte by byte).
Four calls to different functions are getting filled up, which are then getting called through registers. This is where those weird buffers of wordlists and blocks of data appear.
In general after you've bypassed debugger checks you can manipulate RIP in some points to get through if you understand that the program will close and at some
point you will get the password which doesn't have 'spaces' I guess it just typecasting issue somewhere in code with crypto algorithm ?
Also notably, there probably is something with VM detection which isn't implemented ? I've used unmodified hypervisor which should've triggered the VM detection.
Good stuff, took 2.2 hrs of blind debugging session in x64dbg.
bernas198YT on 2025-04-23 18:18:
[Click to reveal]First i found the password and then when i got the password "thisisverysecret" I tried to see what happened in the program logic when the key was correct to try to patch it and I succeeded :)