Upload:
4:37 PM 10/18/2025
Description
If you bypass the anti-debug checks correctly and enter the correct input, the program will respond accordingly. When bypassed and solved, the program will indicate success.
You must be logged in to post a comment
ultrazvukoff on 1:37 PM 10/20/2025: Are the library and entry point errors your fault, or am I having library problems?
TellIsHow on 5:44 PM 10/20/2025: It works fine for me. Probably you're having library problems.
TellIsHow on 5:49 PM 10/20/2025: What kind of error are you encountering?
ultrazvukoff on 6:54 PM 10/20/2025: TECHNICAL CRACKME ANALYSIS REPORT
Solution via Three Patches
Patch 1: Bypassing checkDebugger (Address 0x401E9A)
Original bytes: 55 (push ebp)
Patched bytes: C3 (ret)
The checkDebugger() function is invoked multiple times throughout execution. Each invocation internally calls mt19937(), thereby altering the internal state (and seed) of the Mersenne Twister PRNG. By patching the function to return immediately, we prevent both the anti-debug checks and the unintended RNG state corruption.
Protection mechanism: The author exploits a side effect—every call to checkDebugger() advances the MT19937 generator, making the correct password unpredictable under a debugger due to divergent RNG states.
Patch 2: Bypassing Password Validation (Address 0x402359)
Original bytes: 0F 85 1A 02 00 00 (jne 0x402579)
Patched bytes: E9 FB FD FF FF (jmp 0x40235F)
Validation logic:
At 0x402162: the correct password hash (computed by MixValues) is stored at [ebp-1430].
At 0x4021F2–0x402200: user input is read into [ebp-1440].
At 0x40231A: hash of the user-supplied password is computed.
At 0x402331–0x402357: the two hashes are compared via XOR.
At 0x402359: a conditional jump (jne) redirects execution to the "Incorrect Password" handler if hashes differ.
Patch effect: The conditional jump is replaced with an unconditional jump directly to the success path (0x40235F), effectively skipping validation.
Patch 3: Forcing "Congrats!" Message (Address 0x4023C6)
Original bytes: 0F 84 A1 00 00 00 (je 0x40246D)
Patched bytes: 0F 85 A1 00 00 00 (jne 0x40246D)
Issue: Even after successful password validation, the program performs a final anti-debug check:
0x402394–0x4023B6: four anti-debug techniques are used (IsDebuggerPresent, PEB flags, NtGlobalFlag, etc.).
0x4023C4: result is tested via test al, al.
0x4023C6: if no debugger is detected (je), execution skips the congratulatory message and proceeds to a timer loop.
0x4023CC–0x4023FA: block responsible for printing "Congrats!" and flushing output.
0x402468: call ExitProcess.
Patch effect: The jump condition is inverted (je → jne), so when no debugger is present (the normal case), the program now displays "Congrats!" instead of entering the timer routine.
Protection Architecture Overview
Password Generation Logic:
c
1
correctPassword = MixValues(mt19937(), combined, cpuHash, mt19937());
0x4020E1: first mt19937() call
0x402123: second mt19937() call
0x40215D: call MixValues — computes the reference hash
0x402162: result stored at [ebp-1430]
Author’s Trick: Because checkDebugger() (at 0x401E9A) invokes mt19937() each time it runs, the RNG state diverges between debugged and non-debugged executions. Consequently, the generated password differs when analyzed under a debugger, effectively thwarting dynamic analysis—unless the debugger checks are neutralized, as done in Patch 1.
p.s this wirte AI because i am busy
TellIsHow on 8:05 PM 10/20/2025: ultrazvukoff For Patch 3: The "Congrats!" message is intended to fool analysts who scan the binary for strings to infer program logic. I still consider that a valid solution because I deliberately didn’t specify exactly what “indicates success.” By “indicates success” I meant that the program should print the generated password and not exit. I haven’t verified the other two patches you posted in detail, but your logic looks correct. I didn’t state precisely what “indicates success” because I didn’t want to give hints for the solution. Good job!
TellIsHow on 8:18 PM 10/20/2025: If you're interested I can share the source code via Discord with you so you can understand more and deeper your understanding. Contact if you're interested Discord: wabi._sabi
realreal on 4:23 PM 10/23/2025: please,static link libs
You must be logged in to submit a writeup