crackmes.one

deo's Custom packer unpack me challenge

Author:
deo

Language:
C/C++

Upload:
2026-05-18 05:25

Platform:
Windows

Difficulty:
3.0

Quality:
4.0

Arch:
x86-64

Downloads:
68

Size:
4.57 MB

Writeups:
0

Comments:
0

Description

## [!] Overview

This is a dual-stage reversing challenge designed to test both your system-level unpacking skills and your cryptographic analysis capabilities. To solve this challenge, you must bypass a highly aggressive user-mode runtime protection engine, dump the clean target, and reverse a completely custom, multi-layered cryptographic pipeline to decrypt the payload.

No decryption logic is present in the binary. A static memory dump or naive patching will fail because of the dynamic key protection.

---

## [🎯] Main Objectives

To successfully solve this challenge, you must complete both phases:

1. **The Unpack Phase:** Bypass the runtime guard engine, defeat the anti-analysis protections, and retrieve a clean, analyzable dump of the target code or reconstruct the execution flow.
2. **The Decrypt Phase:** Analyze the custom cryptographic pipeline, extract the dynamically derived runtime key, and write an offline decryptor to recover the plaintext flag from `decryptme.txt`.

---

## [🛡️] Stage 1: The Protector (Runtime Engine)

The binary is protected by a custom Ring-3 guard that implements several stealth features:

* **Direct Syscall Execution:** The engine bypasses API monitoring and user-mode hooks by dynamically building its own syscall stubs from clean on-disk modules.
* **Aggressive Anti-Analysis:** Coordinated multi-thread watchdogs with irregular sleep intervals monitor thread states, hardware breakpoints, and exception dispatch integrity.
* **Polymorphic Page Fault JIT:** Code pages are kept in an encrypted state and are only decrypted transiently upon execution, combined with runtime page-tamper scans.
* **Self-Healing Patches:** Critical debug-related API entries are persistently monitored and re-patched back to a secured state.

---

## [🔑] Stage 2: The Cryptography (The Cipher)

Once you bypass the execution guards, you will encounter the cryptographic layer.

* **Dynamic Key Derivation:** The cipher derives 64 bytes of key material at runtime using a multi-pass non-linear mixing loop.
* **Multi-Layered Pipeline:** The payload is processed through 8 distinct, key-dependent cryptographic transformations.

### Minimal Hints:

* **Bijectivity:** Every single transformation in the 8-layer pipeline is fully bijective. If you map the forward execution flow, the exact mathematical inverse exists for each layer.
* **State & Diffusion:** The pipeline combines key-dependent byte permutations, dynamic substitution tables, columnar diffusion passes, and complex block mixing networks.
* **Feedback Loops:** Watch out for layers that implement chaining dependencies, where a byte's transformation relies directly on previous cipher states or on alternating directional sweeps.

---

## [📥] Submission Requirements

Your solution writeup must include:

1. The exact decrypted plaintext flag retrieved from `decryptme.txt`.
2. A clean offline decryption script (Python/C++/Rust) that reproduces the inverse pipeline.
3. A brief explanation/writeup of your unpacking strategy (how you bypassed the watchdogs/JIT to analyze the cipher).

Note: Sorry for AI desc.
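The hints above describe the general shape of an offline decryptor: each layer is a bijection, so the decryptor applies the inverse of each layer in reverse order. The toy pipeline below is an added illustration of that structure written for this page; it is not the challenge's cipher, and every name, constant and layer in it (the constructed `derive_key` mixing loop, the key-seeded permutation and S-box, the XOR column mix, and the forward and backward chaining sweeps) is an assumption chosen to mirror the hint categories, not something recovered from the binary. What carries over to a real solve is the method: implement each forward layer exactly as observed, write and unit-test its inverse in isolation, then compose the inverses in reverse order.

```python
"""Toy model of a multi-layer bijective block cipher and its offline inverse.

Constructed example for illustration: none of these layers come from the
challenge binary. It demonstrates how a decryptor is built as the reverse
composition of per-layer inverses once each forward layer is understood.
"""
import random

BLOCK = 16  # one 4x4 byte block; columns are byte groups [0:4], [4:8], ...


def derive_key(seed: bytes, passes: int = 4) -> bytes:
    """Constructed key schedule: stretch the seed to 64 bytes with a non-linear mixing loop."""
    k = bytearray((seed * (64 // len(seed) + 1))[:64])
    for _ in range(passes):
        for i in range(64):
            prev = k[i - 1]  # wraps to k[63] for i == 0
            k[i] = ((k[i] ^ prev) * 31 + (prev >> 3) + i) & 0xFF
    return bytes(k)


# Layer A: key-dependent byte permutation and its inverse.
def make_perm(key: bytes) -> list:
    perm = list(range(BLOCK))
    random.Random(key + b"perm").shuffle(perm)  # deterministic for a given key
    return perm


def permute(block: bytes, perm: list) -> bytes:
    out = bytearray(BLOCK)
    for dst, src in enumerate(perm):
        out[dst] = block[src]
    return bytes(out)


def unpermute(block: bytes, perm: list) -> bytes:
    out = bytearray(BLOCK)
    for dst, src in enumerate(perm):
        out[src] = block[dst]  # send each byte back to where it came from
    return bytes(out)


# Layer B: key-dependent substitution table; inverse is the inverted table.
def make_sbox(key: bytes):
    sbox = list(range(256))
    random.Random(key + b"sbox").shuffle(sbox)
    inv = [0] * 256
    for i, v in enumerate(sbox):
        inv[v] = i
    return sbox, inv


def substitute(block: bytes, table: list) -> bytes:
    return bytes(table[b] for b in block)


# Layer C: columnar diffusion. n[r] = a[r] ^ a[r+1] for rows 0..2, n[3] = a[3].
# Triangular, so it is invertible by solving from the bottom row upwards.
def column_mix(block: bytes) -> bytes:
    out = bytearray(block)
    for base in range(0, BLOCK, 4):
        for row in range(3):
            out[base + row] = block[base + row] ^ block[base + row + 1]
    return bytes(out)


def column_unmix(block: bytes) -> bytes:
    out = bytearray(block)  # row 3 is already correct
    for base in range(0, BLOCK, 4):
        for row in range(2, -1, -1):
            out[base + row] = block[base + row] ^ out[base + row + 1]
    return bytes(out)


# Layer D: forward chaining sweep. c[i] = ((p[i] + c[i-1]) mod 256) ^ k[i], c[-1] = k[16].
# The inverse only needs ciphertext neighbours, so it has no chaining dependency itself.
def chain_forward(block: bytes, key: bytes) -> bytes:
    out, prev = bytearray(BLOCK), key[16]
    for i in range(BLOCK):
        prev = ((block[i] + prev) & 0xFF) ^ key[i]
        out[i] = prev
    return bytes(out)


def unchain_forward(block: bytes, key: bytes) -> bytes:
    out, prev = bytearray(BLOCK), key[16]
    for i in range(BLOCK):
        out[i] = ((block[i] ^ key[i]) - prev) & 0xFF
        prev = block[i]
    return bytes(out)


# Layer E: backward sweep in the opposite direction. c[i] = p[i] ^ c[i+1] ^ k[32+i], c[16] = k[48].
def chain_backward(block: bytes, key: bytes) -> bytes:
    out, nxt = bytearray(BLOCK), key[48]
    for i in range(BLOCK - 1, -1, -1):
        nxt = block[i] ^ nxt ^ key[32 + i]
        out[i] = nxt
    return bytes(out)


def unchain_backward(block: bytes, key: bytes) -> bytes:
    out, nxt = bytearray(BLOCK), key[48]
    for i in range(BLOCK - 1, -1, -1):
        out[i] = block[i] ^ nxt ^ key[32 + i]
        nxt = block[i]
    return bytes(out)


def build_pipeline(key: bytes) -> list:
    """Ordered list of (forward, inverse) pairs; the decryptor walks it in reverse."""
    perm = make_perm(key)
    sbox, inv_sbox = make_sbox(key)
    return [
        (lambda b: permute(b, perm), lambda b: unpermute(b, perm)),
        (lambda b: substitute(b, sbox), lambda b: substitute(b, inv_sbox)),
        (column_mix, column_unmix),
        (lambda b: chain_forward(b, key), lambda b: unchain_forward(b, key)),
        (lambda b: chain_backward(b, key), lambda b: unchain_backward(b, key)),
    ]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    for fwd, _ in build_pipeline(key):
        block = fwd(block)
    return block


def decrypt_block(block: bytes, key: bytes) -> bytes:
    for _, inv in reversed(build_pipeline(key)):  # inverses in reverse order
        block = inv(block)
    return block


PLAINTEXT = b"flag{toy_block!}"  # constructed 16-byte sample


def round_trip(plaintext: bytes = PLAINTEXT, seed: bytes = b"constructed-seed") -> bool:
    key = derive_key(seed)
    return decrypt_block(encrypt_block(plaintext, key), key) == plaintext


if __name__ == "__main__":
    print("round trip ok:", round_trip())
```

Two habits from this model pay off on the real target: test every inverse against its forward layer on its own before composing them (the `column_unmix` bottom-up solve and the chaining inverses are where off-by-one mistakes hide), and keep the key schedule a separate function, because with a dynamically derived key a decryptor that is correct layer by layer still produces garbage if the 64 bytes fed to it are not the ones the binary actually derived at runtime.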