TellIsHow's Intermediate Anti-Debug and Runtime Dynamic Password Challenge

Author:
TellIsHow

Language:
C/C++

Upload:
2025-10-18 16:37

Download

Platform:
Windows

Difficulty:
5.0

Quality:
4.0

Arch:
x86

Downloads:
36

Size:
68.70 KB

Writeups:
0

Comments:
7

Description

If you bypass the anti-debug checks correctly and enter the correct input, the program will respond accordingly. When bypassed and solved, the program will indicate success.

Comments (7)
Writeups (0)

You must be logged in to post a comment

ultrazvukoff on 2025-10-20 13:37: Are the library and entry point errors your fault, or am I having library problems?

TellIsHow on 2025-10-20 17:44: It works fine for me. Probably you're having library problems.

TellIsHow on 2025-10-20 17:49: What kind of error are you encountering?

ultrazvukoff on 2025-10-20 18:54: TECHNICAL CRACKME ANALYSIS REPORT Solution via Three Patches Patch 1: Bypassing checkDebugger (Address 0x401E9A) Original bytes: 55 (push ebp) Patched bytes: C3 (ret) The checkDebugger() function is invoked multiple times throughout execution. Each invocation internally calls mt19937(), thereby altering the internal state (and seed) of the Mersenne Twister PRNG. By patching the function to return immediately, we prevent both the anti-debug checks and the unintended RNG state corruption. Protection mechanism: The author exploits a side effect—every call to checkDebugger() advances the MT19937 generator, making the correct password unpredictable under a debugger due to divergent RNG states. Patch 2: Bypassing Password Validation (Address 0x402359) Original bytes: 0F 85 1A 02 00 00 (jne 0x402579) Patched bytes: E9 FB FD FF FF (jmp 0x40235F) Validation logic: At 0x402162: the correct password hash (computed by MixValues) is stored at [ebp-1430]. At 0x4021F2–0x402200: user input is read into [ebp-1440]. At 0x40231A: hash of the user-supplied password is computed. At 0x402331–0x402357: the two hashes are compared via XOR. At 0x402359: a conditional jump (jne) redirects execution to the "Incorrect Password" handler if hashes differ. Patch effect: The conditional jump is replaced with an unconditional jump directly to the success path (0x40235F), effectively skipping validation. Patch 3: Forcing "Congrats!" Message (Address 0x4023C6) Original bytes: 0F 84 A1 00 00 00 (je 0x40246D) Patched bytes: 0F 85 A1 00 00 00 (jne 0x40246D) Issue: Even after successful password validation, the program performs a final anti-debug check: 0x402394–0x4023B6: four anti-debug techniques are used (IsDebuggerPresent, PEB flags, NtGlobalFlag, etc.). 0x4023C4: result is tested via test al, al. 0x4023C6: if no debugger is detected (je), execution skips the congratulatory message and proceeds to a timer loop. 0x4023CC–0x4023FA: block responsible for printing "Congrats!" and flushing output. 0x402468: call ExitProcess. Patch effect: The jump condition is inverted (je → jne), so when no debugger is present (the normal case), the program now displays "Congrats!" instead of entering the timer routine. Protection Architecture Overview Password Generation Logic: c 1 correctPassword = MixValues(mt19937(), combined, cpuHash, mt19937()); 0x4020E1: first mt19937() call 0x402123: second mt19937() call 0x40215D: call MixValues — computes the reference hash 0x402162: result stored at [ebp-1430] Author’s Trick: Because checkDebugger() (at 0x401E9A) invokes mt19937() each time it runs, the RNG state diverges between debugged and non-debugged executions. Consequently, the generated password differs when analyzed under a debugger, effectively thwarting dynamic analysis—unless the debugger checks are neutralized, as done in Patch 1. p.s this wirte AI because i am busy

TellIsHow on 2025-10-20 20:05: ultrazvukoff For Patch 3: The "Congrats!" message is intended to fool analysts who scan the binary for strings to infer program logic. I still consider that a valid solution because I deliberately didn’t specify exactly what “indicates success.” By “indicates success” I meant that the program should print the generated password and not exit. I haven’t verified the other two patches you posted in detail, but your logic looks correct. I didn’t state precisely what “indicates success” because I didn’t want to give hints for the solution. Good job!

TellIsHow on 2025-10-20 20:18: If you're interested I can share the source code via Discord with you so you can understand more and deeper your understanding. Contact if you're interested Discord: wabi._sabi

realreal on 2025-10-23 16:23: please,static link libs

You must be logged in to submit a writeup

crackmes.one

crackmes.one

TellIsHow's Intermediate Anti-Debug and Runtime Dynamic Password Challenge