I have researched a ton about anti debug techniques and have stepped through different paths in the program with ollydbg... but still not seeing anything. I have tried patching the initial j** as the t** c*****cks don't seem to matter, but the binary broke. There also seems to be a x** l*** in there but it doesn't seem to do anything. I'm assuming based on the output of the program that the flag should appear easily with my debugger (let me know if this is a spoiler, but that becomes clear when running the program), but I'm getting nowhere. Anyone has any suggestions?

Thanks in advance




  • edited June 2019

    Solved it! Out of all the reversing challenges I have done (all of them but pseudo), this is by far the hardest one. It is in no way easy... not sure if other solvers have magic reversing skills or are just trolling. I needed 3 patches and had to reload olly multiple times to find the correct changes in the binary (it has multiple different ways of changing I believe). Thank you so much to all those who helped me too!


  • Good job for you dude. Congrats. I m just exploring what than MinGW is right now. Taking my (looong looong) time :smiley:

  • @Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.


  • @will135 Scylla didn't seem to help - it still throws an exception when it returns to an illegal address from ntdll - is there some magic to getting scylla to work? How far should it execute when it is working?

  • Type your comment> @will135 said:

    @Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.

    Yep, it helped a lot. I used x32dbg+ScyllaHide + passed one not-catched simple anti-debug block manually in debugger (via registers). After that just... debugging and reading fun message %))) No nops/patches.

  • @oztechmuse Yea that happenned a few times. Ignore the callbacks... they just are meant to throw us off i think. Rather, break on the first thing you see on a normal entrypoint.


  • edited July 2019

    Nice! Thanx @Malfurion !
    IDA & python are only things you need to solve that challenge…

  • I get Scylla but i'm totally blocked. Any tips for helping ?


  • edited July 2019


  • Type your comment> @YanTayga said:

    Nice! Thanx @Malfurion !
    IDA & python are only things you need to solve that challenge…

    Python is not necessary for this challenge - there is a small bug in string decoding assembly, once it is fixed, the flag appears nicely in memory.

  • edited July 2019

    Maybe someone could help me with the following question - some peace of assembly code "magically" appears/changes during some kind of initialization. There was a certain peace of assembly code where I wanted to apply a patch, but that code is there only during debugging, once certain initialization has been run. If I look at the same address just after loading the executable, I cannot find that code which I see during debugging (there is a different non-sence code in that address).

    Maybe someone would be so nice to explain what is going on there?


  • Spoiler Removed

  • Is this in any way solvable with only a Linux box, without winedbg etc.?

    Hack The Box

  • I think one needs to debug to solve this riddle (static analysis would be too complicated) - so, maybe try wine + windows debugger?

  • Wine+IDA+Python would be enough. But very slow…

  • Hello there,

    I confirm that I have followed the r2 + python path to solve this. You do not need anything else. Just to confirm my analysis and because I was curious about debugging PE32 binaries with winedbg on my Debian workstation, I debugged the program using winedbg and it worked like a charm.

    There are 3 well-known anti debugging techniques, so a couple of NOPs here and there should do the trick.



  • radare2 and python or just r2 if your a skilled debugger

  • I was trying to install ScyllaHide as a plugin to OllyDbg, but it doesn't seem to have the configuration files mentioned in the instructions. :neutral:

    or I could do the r2 + python way, but what exactly does one use python for here? String decoding analysis?

  • Vanilla Ollydbg in Kali Linux was what I used. No extra plugins needed.

    Write-ups | Discord - limbernie#0386

  • Well, nice job. I'm not a Guru though. XD more of a n00b. I'll keep bashing my head against the wall with it, though. I kind of like it.

  • Finally got it! x32dbg + ScyllaHide, and I placed a NOP in one spot, after a lot of trial and error and following interesting looking things. Very clever & fun!

  • Omg I cracked it !
    After 3 weeks of battles :D
    Hint: All you need to do this is IDA 7.0 free. No more tool needed for me.

  • edited October 2019

    Ugh, that one was hard. Pretty new to reversing but slogged through it. I only used x32dbg (comes with scylla, I guess).

    Good reading that helped me through it:

  • I used x32dbg. Not sure if the Scylla hide feature was needed but I checked several boxes anyway.

    Hint: Find the beginning of the actual program and JUMP there... The rest is basic RE analysis.


    OSCP | GREM | CEH | Sec+ | Linux+

  • In my experience with using OllyDBG, after dealing with the anti-debugging techniques some instructions were not being displayed correctly which hindered my RE analysis and got me stuck. Tried x32dbg and managed to solve it from there.

    Hope someone finds that helpful!

  • Think i found the decryption of the flag before the program exits, but it decrypting rubish ... using x32dbg and scylla hide

    Check out my blog
    Always happy to help! but please consider dropping some respect. ^^

  • I've been struggling with this challenge for several days. Learned quite a lot about anti-debugging techniques on the way. I've used IDA 7.0 Free to complete the challenge.

    Hack The Box

  • Just completed today morning. Nice challenge. It did not make my hair white like "find the secret flag" did, but I really enjoyed. Now only heavy reverse stuff left to complete, so real headache is just before me -:)


  • Someone please reach out and help me. I'm completely lost. Trying to use Suylla but again, super lost.

  • I'm truing patch binary with modificated sym._main I'm repite decrypt as it done in this programm but my new file raise exception by address 0x401722
    Could somebody give tips into PM about it?


Sign In to comment.