thisisverysecret
I thought it would be something like malware packed and launched in memory, but it's just a string obfuscator. You should've manually resolved imports through the IAT or EAT for the functions which are used to find the presence of a debugger, and it should've been in some form of a thread creation; combined, it would be harder to reverse this.
I didn't quite get the custom crypto algorithm, I don't even know what it is, AES maybe? I saw two buffers get filled up on each iteration of a call to a GPR and one where a wordlist was getting constructed. It's very annoying because there are many iterations before it gets constructed and some strings decrypted, but I haven't found the buffer where the password was getting filled (it appears later in two of the registers, manually constructed byte by byte).
Four calls to different functions are getting filled up, which are then getting called through registers. This is where those weird buffers of wordlists and blocks of data appear.
In general, after you've bypassed the debugger checks you can manipulate RIP at some points to get through if you understand that the program will close, and at some point you will get the password, which doesn't have 'spaces'. I guess it's just a typecasting issue somewhere in the code with the crypto algorithm?
Also notably, there probably is something with VM detection which isn't implemented? I've used an unmodified hypervisor which should've triggered the VM detection.
Good stuff, took 2.2 hrs of blind debugging session in x64dbg.
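The comment above suggests that the anti-debugging routines would have been harder to spot if the crackme had resolved their APIs by walking a module's export table (EAT) at runtime instead of importing them through the IAT, where `IsDebuggerPresent` and friends show up as plain strings. Below is an added example of that technique, written for this page and not taken from the crackme or the commenter: it parses the DOS/NT headers, finds `IMAGE_EXPORT_DIRECTORY`, and resolves an export by a ROR-13 hash of its name, so the name string itself never has to be stored. The PE32+ image it operates on is constructed inline as a flat mapped image (RVA equal to offset), with three made-up exports and placeholder RVAs; it is not a real kernel32.dll, and the hash function, layout and names are assumptions chosen for illustration.

```python
"""Resolve an export by name hash by walking a PE module's export table.

Added example (not the crackme's code). The image below is a constructed,
flat PE32+ layout where RVA == offset, like a module mapped in memory with
no section relocation; the exports and their RVAs are placeholders."""
import struct


def ror13_hash(name: bytes) -> int:
    """Classic ROR-13 API hash over the ASCII name (common in shellcode
    resolvers); the binary stores this hash instead of the string."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)])


def export_directory(img):
    """Locate IMAGE_EXPORT_DIRECTORY via e_lfanew and DataDirectory[0]."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows COFF header
    magic = u16(img, opt)
    if magic == 0x20B:                       # PE32+: DataDirectory at +112
        datadir = opt + 112
    elif magic == 0x10B:                     # PE32: DataDirectory at +96
        datadir = opt + 96
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    export_rva = u32(img, datadir)           # DataDirectory[0].VirtualAddress
    if export_rva == 0:
        raise ValueError("module has no export table")
    return export_rva


def resolve_by_hash(img, target_hash):
    """Return the RVA of the export whose ROR-13 name hash matches, else None."""
    ed = export_directory(img)
    n_names = u32(img, ed + 24)              # NumberOfNames
    funcs = u32(img, ed + 28)                # AddressOfFunctions
    names = u32(img, ed + 32)                # AddressOfNames
    ords = u32(img, ed + 36)                 # AddressOfNameOrdinals
    for i in range(n_names):
        name = cstr(img, u32(img, names + 4 * i))
        if ror13_hash(name) == target_hash:
            ordinal = u16(img, ords + 2 * i)  # index into AddressOfFunctions
            return u32(img, funcs + 4 * ordinal)
    return None


def build_fake_module():
    """Constructed PE32+ image with a three-entry export table (not a real DLL)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", img, opt + 112, 0x200, 0x100)     # export dir RVA, size
    exports = [(b"CheckRemoteDebuggerPresent", 0x1000),       # placeholder RVAs
               (b"IsDebuggerPresent", 0x1100),
               (b"OutputDebugStringA", 0x1200)]
    funcs, names, ords, strs = 0x230, 0x240, 0x250, 0x260
    for i, (nm, rva) in enumerate(exports):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[strs:strs + len(nm) + 1] = nm + b"\0"
        strs += len(nm) + 1
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion,
    # MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0, 1,
                     len(exports), len(exports), funcs, names, ords)
    return bytes(img)


if __name__ == "__main__":
    mod = build_fake_module()
    for fn in (b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent"):
        print(fn.decode(), hex(resolve_by_hash(mod, ror13_hash(fn))))
```

On a real module the same walk runs over the in-memory image (base address plus RVA), and a hardened binary would pass only the precomputed hash constants; when reversing, the tell is a loop over `AddressOfNames` that compares a rolling hash rather than an `IsDebuggerPresent` string in the import table.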