| Pandora VM |
mmm this is assembly not c++ 100%, those things can only be written in asm |
2026-04-03 13:24 |
| Observer's Paradox |
@niko122 and i broke your crack me, so what are you gonna do about it? Op said it right SKID |
2026-04-03 10:10 |
| niko's vm final!! :) |
VM DISPATCHER IS AT 0x3EA0 |
2026-04-02 15:53 |
| niko's vm final!! :) |
The exact comparison of character per character happens at 0x6092, I broke down all VM handlers which are these:
.rdata:000000000000E320 funcs_140004731 dq offset LoadImmHandler32_4D30
.rdata:000000000000E320 ; DATA XREF: sub_3B10+16↑r
.rdata:000000000000E320 ; VMDispatcher_3EA0+34↑o ...
.rdata:000000000000E328 dq offset AddHandler_4E10
.rdata:000000000000E330 dq offset SubHandler_4E70
.rdata:000000000000E338 dq offset MultiplicationHandler_4ED0
.rdata:000000000000E340 dq offset DivisionHandler_4F30
.rdata:000000000000E348 dq offset DIVMODHAndler_4FB0
.rdata:000000000000E350 dq offset XorHandler_5030
.rdata:000000000000E358 dq offset AndHandler_5090
.rdata:000000000000E360 dq offset OrHandler_50F0
.rdata:000000000000E368 dq offset NotHandler_5150
.rdata:000000000000E370 dq offset ShiftLeftHandler_5180
.rdata:000000000000E378 dq offset ShiftRightHandler_51E0
.rdata:000000000000E380 dq offset MovHandler_4DB0
.rdata:000000000000E388 dq offset CMP_EQ_5240
.rdata:000000000000E390 dq offset JmpHandler_52A0
.rdata:000000000000E398 dq offset JmpIfFlag_52E0
.rdata:000000000000E3A0 dq offset JNZ_5320
.rdata:000000000000E3A8 dq offset PUSHIMM_5360
.rdata:000000000000E3B0 dq offset POP_IMM_53B0
.rdata:000000000000E3B8 dq offset Call_5410
.rdata:000000000000E3C0 dq offset Ret_5470
.rdata:000000000000E3C8 dq offset _guard_check_icall_nop
.rdata:000000000000E3D0 dq offset PrintReg_54C0
.rdata:000000000000E3D8 dq offset PRINT_VM_55C0
.rdata:000000000000E3E0 dq offset ApiDispatcher_5870
.rdata:000000000000E3E8 dq offset sub_5890
.rdata:000000000000E3F0 dq offset MemcpyVM_5A10
.rdata:000000000000E3F8 dq offset VMERROR_54B0
.rdata:000000000000E400 dq offset StackChyper_5B00
.rdata:000000000000E408 dq offset ReadInputVM_5B40
.rdata:000000000000E410 dq offset RealCheckPasswordVM_5DA0
.rdata:000000000000E418 dq offset sub_5B20
but the only necessary is the RealCheckPasswordVM: and the password is: HELLO! - HELLO! - I HOPE YOU ENJOY THIS CRACK ME IT TOOK ME A WHILE - !@#$%^&*()_+-=, just put a bp on that address and annotate on notepad, could be better but it's not that bad |
2026-04-02 15:44 |
| BobxReal You Can't do it V2 ;) |
👍 Is there an actual password or is it like that we need to solve an algorithm? Because I saw you did tons of mathematical operations, thanks, maybe tomorrow I'll go a bit deeper |
2026-02-21 18:53 |
| BobxReal You Can't do it V2 ;) |
if ( KILL_30B61 || KILL_30B60 && (v32 = NtCurrentPeb()) != 0LL && v32->BeingDebugged || sub_15E0() || sub_1A00() ) example of what i mean, this is too easy to understand |
2026-02-21 18:24 |
| BobxReal You Can't do it V2 ;) |
It isn't too hard to understand what the program is doing, also the anti debug is pretty easy to understand, also the checks with an if are too weak, you should make it state dependent, meaning for example the program automatically breaks if something changes. You could have added hash checks to prevent software bp and also hardware bp by for example occupying them and using them as state, good one anyway |
2026-02-21 18:22 |
| BobxReal You Can't do it V2 ;) |
Since the author didn't specify, I patched and now the program prints "correct!" |
2026-02-21 18:17 |
| puzzle |
Good job and stay tuned for a really hard challenge next time, cause i f up haha |
2025-11-21 11:15 |
| puzzle |
And how did you do it? I already know the mistake but still at least i learned from it |
2025-11-20 21:32 |
| puzzle |
Yes i made a mistake i will fix in the next... what message you got on the console? |
2025-11-20 21:21 |
| puzzle |
The password of the zip is still crackmes.one |
2025-11-20 19:51 |
| puzzle |
I just noticed i made some mistakes that could have been avoided but that will be for the next version🥲 |
2025-11-20 19:32 |