Bobx's Very hard antidebug +10 antisystem

Author:
Bobx

Language:
C/C++

Upload:
2025-11-06 17:31

Download

Platform:
Windows

Difficulty:
1.9

Quality:
3.2

Arch:
x86-64

Downloads:
61

Size:
69.45 KB

Writeups:
0

Comments:
10

Description

Good Luck and Have A Lot Of Fun ;)

Comments (10)
Writeups (0)

You must be logged in to post a comment

ilkiNUR on 2025-11-07 09:10: [Click to reveal]

ilkiNUR on 2025-11-07 09:11: you use any xor process in GetPassword function but don't use them in real password ;)

Bobx on 2025-11-08 10:08: thanks for using the bug to correct it

PL45M4 on 2025-11-08 16:15: As ilkiNUR stated, the correct password is in plaintext which made trying to circumvent the anti-debugging checks unnecessary. Here's my writeup: https://bobbyhillreverseengineering.blogspot.com/2025/11/crackme-bobxs-very-hard-antidebug-10.html Thank you for the challenge.

Lilsan44444 on 2025-11-08 19:05: [Click to reveal]

Bobx on 2025-11-09 00:33: Okay, I'm preparing version v2, which is not so easy anymore

OmarDecryptX on 2025-11-10 18:13: [Click to reveal]

pavler on 2025-11-12 14:45: Bro next time u should compile it in release mode not debug if you want make it harder.

cter78 on 2025-11-13 15:02: I implemented a dll based on the following program: #define _CRT_SECURE_NO_WARNINGS #include #include #include const DWORD GETPASSWORD_OFFSET = 0x1dc1; const unsigned char ENCODED_DATA[25] = { 0x72, 0x70, 0x72, 0x76, 0x71, 0xb8, 0x76, 0xa0, 0x84, 0xbc, 0xbd, 0xb5, 0x87, 0x76, 0xbc, 0xb4, 0x73, 0x77, 0x75, 0xbc, 0x83, 0xa0, 0x76, 0x81, 0xa3 }; void* GetAddress(DWORD offset) { return (void*)((DWORD_PTR)GetModuleHandleA(nullptr) + offset); } void CalculateRealPassword(char* outputBuffer) { unsigned char buffer[75] = { 0 }; int idx = 0; // Собираем буфер из зашифрованных данных (как в оригинале) for (int i = 0; i (8 - shift)) | (temp shift); buffer[i] = dynamicKey ^ buffer[i]; } strncpy_s(outputBuffer, 64, (char*)buffer, 64); } void PatchGetPassword() { BYTE* funcAddr = (BYTE*)GetAddress(GETPASSWORD_OFFSET); DWORD oldProtect; VirtualProtect(funcAddr, 200, PAGE_EXECUTE_READWRITE, &oldProtect); BYTE newCode[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x89, 0x4D, 0x10, 0x48, 0x8B, 0x4D, 0x10, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0x5D, 0xC3 }; *(void**)(newCode + 19) = (void*)CalculateRealPassword; memcpy(funcAddr, newCode, sizeof(newCode)); VirtualProtect(funcAddr, 200, oldProtect, &oldProtect); } void Initialize() { PatchGetPassword(); } void ShowPasswordInConsole() { Sleep(1000); char password[64]; CalculateRealPassword(password); if (!GetConsoleWindow()) { AllocConsole(); freopen("CONOUT$", "w", stdout); } printf(password); } DWORD WINAPI AutoInputThread(LPVOID lpParam) { ShowPasswordInConsole(); return 0; } extern "C" __declspec(dllexport) void DummyExport() {} BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) { if (reason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hModule); Initialize(); CreateThread(nullptr, 0, AutoInputThread, nullptr, 0, nullptr); } return TRUE; } I was too bored. Test it out

cter78 on 2025-11-13 19:15: Final: #define _CRT_SECURE_NO_WARNINGS #include #include #include const DWORD GETPASSWORD_OFFSET = 0x1dc1; const unsigned char ENCODED_DATA[25] = { 0x72, 0x70, 0x72, 0x76, 0x71, 0xb8, 0x76, 0xa0, 0x84, 0xbc, 0xbd, 0xb5, 0x87, 0x76, 0xbc, 0xb4, 0x73, 0x77, 0x75, 0xbc, 0x83, 0xa0, 0x76, 0x81, 0xa3 }; void* GetAddress(DWORD offset) { return (void*)((DWORD_PTR)GetModuleHandleA(nullptr) + offset); } void CalculateRealPassword(char* outputBuffer) { unsigned char buffer[75] = { 0 }; int idx = 0; for (int i = 0; i (8 - shift)) | (temp shift); buffer[i] = dynamicKey ^ buffer[i]; } strncpy_s(outputBuffer, 64, (char*)buffer, 64); } void PatchGetPassword() { BYTE* funcAddr = (BYTE*)GetAddress(GETPASSWORD_OFFSET); DWORD oldProtect; VirtualProtect(funcAddr, 200, PAGE_EXECUTE_READWRITE, &oldProtect); BYTE newCode[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x89, 0x4D, 0x10, 0x48, 0x8B, 0x4D, 0x10, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0x5D, 0xC3 }; *(void**)(newCode + 19) = (void*)CalculateRealPassword; memcpy(funcAddr, newCode, sizeof(newCode)); VirtualProtect(funcAddr, 200, oldProtect, &oldProtect); } // Функция для показа пасхалки Bobx DWORD WINAPI ShowBobxEasterEgg(LPVOID lpParam) { if (!GetConsoleWindow()) { AllocConsole(); freopen("CONOUT$", "w", stdout); } system("cls"); printf("\n\n"); printf("===============================================\n"); printf(" BOBX SECRET EASTER EGG ACTIVATED!\n"); printf("===============================================\n"); const char* asciiArt = "BBBB OOO BBBB XX XX\n" "B B O O B B XXXX \n" "BBBB O O BBBB XX \n" "B B O O B B XXXX \n" "BBBB OOO BBBB XX XX\n"; printf("%s\n", asciiArt); const char* messages[] = { "Shoutout to Bobx!", "For Bobx ??? do not crack too fast ;)", "Respect, Bobx!", "Bobx detected? Maybe..." }; srand(GetTickCount()); int randomIndex = rand() % 4; printf(" %s\n", messages[randomIndex]); printf("\n"); printf(" Secret message unlocked!\n"); printf(" But the real challenge continues...\n"); printf("===============================================\n\n"); printf("Press ENTER to return to crackme..."); getchar(); // Восстанавливаем консоль system("cls"); printf("===============================================\n"); printf(" SECURE CRACKME CHALLENGE - ULTRA HARD\n"); printf(" BY BOBX\n"); printf("===============================================\n\n"); printf("[*] Security checks passed.\n"); printf("[*] System integrity verified.\n\n"); printf("[*] Enter password (or type 'about'): "); return 0; } HHOOK keyboardHook = nullptr; LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) { if (nCode = 0 && wParam == WM_KEYDOWN) { KBDLLHOOKSTRUCT* kbdStruct = (KBDLLHOOKSTRUCT*)lParam; // F1 if (kbdStruct-vkCode == VK_F1) { CreateThread(nullptr, 0, ShowBobxEasterEgg, nullptr, 0, nullptr); return 1; } // F2 else if (kbdStruct-vkCode == VK_F2) { char password[64]; CalculateRealPassword(password); if (!GetConsoleWindow()) { AllocConsole(); freopen("CONOUT$", "w", stdout); } printf("\nCurrent Password: %s\n", password); return 1; } // Ctrl+Shift+B else if (kbdStruct-vkCode == 0x42 && // B GetAsyncKeyState(VK_CONTROL) & 0x8000 && GetAsyncKeyState(VK_SHIFT) & 0x8000) { CreateThread(nullptr, 0, ShowBobxEasterEgg, nullptr, 0, nullptr); return 1; } } return CallNextHookEx(keyboardHook, nCode, wParam, lParam); } DWORD WINAPI HookThread(LPVOID lpParam) { Sleep(1000); keyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, GetModuleHandle(nullptr), 0); MSG msg; while (GetMessage(&msg, nullptr, 0, 0)) { TranslateMessage(&msg); DispatchMessage(&msg); } return 0; } void Initialize() { PatchGetPassword(); } extern "C" __declspec(dllexport) void DummyExport() {} BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) { if (reason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hModule); Initialize(); CreateThread(nullptr, 0, HookThread, nullptr, 0, nullptr); } else if (reason == DLL_PROCESS_DETACH) { if (keyboardHook) { UnhookWindowsHookEx(keyboardHook); } } return TRUE; }

Show all spoilers

You must be logged in to submit a writeup

crackmes.one

crackmes.one

Bobx's Very hard antidebug +10 antisystem