BitShifted's Runtime (Windows) (x64)

Author:
BitShifted

Language:
C/C++

Upload:
2025-09-09 10:05

Download

Platform:
Windows

Difficulty:
3.7

Quality:
5.0

Arch:
x86-64

Downloads:
12

Size:
51.50 KB

Writeups:
0

Comments:
12

Description

I designed this in such a way that it should only be possible to get the key at runtime. Static analysis is purposefully very difficult, not through obfuscation, but through some other **interesting** methods. You are welcome to stab at it with static, but just know that there's quite a few decoys if you do go that route. Good luck!

Comments (12)
Writeups (0)

You must be logged in to post a comment

trendcrusher on 2025-09-10 09:43: [Click to reveal]

trendcrusher on 2025-09-10 09:46: It's not certain that there is anything, but just in case) Need to check carefully.

BitShifted on 2025-09-10 17:25: @trendcrusher, yes indeed. Theres a reason it passed review though. It doesn't do anything harmful, if you just threw it into VT, check out the behavior: No network requests, no disk writes, nothing like that. Its just because of the way I packed it, and the runtime encryption.

dsfsdfsdfsd on 2025-09-10 19:25: [Click to reveal]

dsfsdfsdfsd on 2025-09-10 19:30: must took a great effort to write the PIC loader, noice

BitShifted on 2025-09-10 20:43: @dsfsdfsdfsd, nice job man! The loader wasnt bad, but I have to ask if it did its job: were you able to dump the PE from memory, or did you have to dump PIC and reassemble it? Also, did the challenge succeed in making you debug/dynamically work with the file, or were you able to do it mostly statically?

dsfsdfsdfsd on 2025-09-10 22:51: soo, started with debugging it, BUT with the suspended cmd process thing u did, I had to attach the newly created process to the debugger every time I needed to reloaded the exe for setting the BPs so it was a no go (because each time it was a new Process the BPs were gone).Then decided to extract the whole shellcode and wrote a simple shellcode executioner to debug it. Last step was to extract the final exe from memory to analyse it.The last step could have been for sure "only runtime" but I think extracting the exe and analyse it static was easier.For the first part, analysing it only in memory would take ages.There are still suspended cmd process xD

dsfsdfsdfsd on 2025-09-10 22:53: Overall yes I think the challenge did each job "mostly debbugging" because the shellcode on each own was quite complex so I literally went step-by-step on it.

dsfsdfsdfsd on 2025-09-10 22:58: One last thing I have to ask, the loader was PIC C/C++ code with custom gcc/vc options or handwritten asm? the push rcx {i think it was rcx} pop rcx to get the encrypted data's address was nice

BitShifted on 2025-09-10 23:13: @dsfsdfsdfsd I leaned on some existing tooling for the part of the loader that encrypted/decrypted the actual payload, along with resolving the imports, before executing it in memory I modified it a bit to try to make it harder to dump from, and also the way it handled the RWX section it maps into. But its is all in C/C++

dsfsdfsdfsd on 2025-09-11 00:18: nice, I think it was as "runtime" as it is possible

jeffli6789 on 2026-01-04 06:25: This crackme had been reviewed when it was originally approved and is likely safe. Crackmes often get flagged by antivirus software, EDR systems, or VirusTotal because they may use the same protection techniques found in malware (packers, anti-debugging, self-modifying code, etc.), or simply a false positive. This does NOT mean the crackme is actually malicious. The only way to confirm whether something is truly malware is to reverse engineer it and find proof of malicious code and/or malicious behavior. If you still believe this is actual malware, please report it to us via email: crackmesone@gmail.com. **We encourage everyone to run crackmes in a VM (virtual machine) and exercise caution when executing unknown binaries.** *Disclaimer: We do our best to review submissions, but mistakes can happen. The administrators and crackmes.one cannot be held liable for any damages or losses resulting from the use of files downloaded from this site. Always exercise caution and use a sandboxed environment.*

Show all spoilers

You must be logged in to submit a writeup