debugme

Solved it! Out of all the reversing challenges I have done (all of them but pseudo), this is by far the hardest one. It is in no way easy… not sure if other solvers have magic reversing skills or are just trolling. I needed 3 patches and had to reload olly multiple times to find the correct changes in the binary (it has multiple different ways of changing I believe). Thank you so much to all those who helped me too!

Good job for you dude. Congrats. I'm just exploring what that MinGW is right now. Taking my (looong looong) time :smiley:

@Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.

@will135 Scylla didn’t seem to help - it still throws an exception when it returns to an illegal address from ntdll - is there some magic to getting scylla to work? How far should it execute when it is working?

@will135 said:

@Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.

Yep, it helped a lot. I used x32dbg+ScyllaHide + passed one not-caught simple anti-debug block manually in the debugger (via registers). After that just… debugging and reading the fun message %))) No nops/patches.

@CyberMnemosyne Yea that happened a few times. Ignore the callbacks… they are just meant to throw us off I think. Rather, break on the first thing you see on a normal entrypoint.

I get Scylla but I'm totally blocked. Any tips for helping?

@YanTayga said:

Nice! Thanx @Malfurion !
IDA & python are only things you need to solve that challenge…

Python is not necessary for this challenge - there is a small bug in string decoding assembly, once it is fixed, the flag appears nicely in memory.

Maybe someone could help me with the following question - some piece of assembly code "magically" appears/changes during some kind of initialization. There was a certain piece of assembly code where I wanted to apply a patch, but that code is there only during debugging, once certain initialization has been run. If I look at the same address just after loading the executable, I cannot find that code which I see during debugging (there is different nonsense code at that address).

Maybe someone would be so kind as to explain what is going on there?

Thanks!

Spoiler Removed

Is this in any way solvable with only a Linux box, without winedbg etc.?

I think one needs to debug to solve this riddle (static analysis would be too complicated) - so, maybe try wine + windows debugger?

Hello there,

I confirm that I have followed the r2 + python path to solve this. You do not need anything else. Just to confirm my analysis and because I was curious about debugging PE32 binaries with winedbg on my Debian workstation, I debugged the program using winedbg and it worked like a charm.

There are 3 well-known anti debugging techniques, so a couple of NOPs here and there should do the trick.

Cheers,

radare2 and python, or just r2 if you're a skilled debugger

I was trying to install ScyllaHide as a plugin to OllyDbg, but it doesn’t seem to have the configuration files mentioned in the instructions. :neutral:

or I could do the r2 + python way, but what exactly does one use python for here? String decoding analysis?

Vanilla Ollydbg in Kali Linux was what I used. No extra plugins needed.

Well, nice job. I’m not a Guru though. XD more of a n00b. I’ll keep bashing my head against the wall with it, though. I kind of like it.

Finally got it! x32dbg + ScyllaHide, and I placed a NOP in one spot, after a lot of trial and error and following interesting looking things. Very clever & fun!

I cracked it!
After 3 weeks of battles :smiley:
Hint: All you need to do this is IDA 7.0 free. No other tool was needed for me.