debugme

Good job, dude. Congrats. I'm just exploring what MinGW is right now. Taking my (looong looong) time :smiley:

@Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.

@will135 Scylla didn't seem to help - it still throws an exception when it returns to an illegal address from ntdll. Is there some magic to getting Scylla to work? How far should it execute when it is working?

@will135 said:

@Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.

Yep, it helped a lot. I used x32dbg + ScyllaHide and passed one simple anti-debug block that wasn't caught manually in the debugger (via registers). After that, just… debugging and reading the fun message %))) No NOPs/patches.

@CyberMnemosyne Yeah, that happened a few times. Ignore the callbacks… they are just meant to throw us off, I think. Rather, break on the first thing you see at a normal entry point.

I get Scylla but I'm totally blocked. Any tips to help?

@YanTayga said:

Nice! Thanks @Malfurion!
IDA & Python are the only things you need to solve that challenge…

Python is not necessary for this challenge - there is a small bug in the string-decoding assembly; once it is fixed, the flag appears nicely in memory.

Maybe someone could help me with the following question - some piece of assembly code "magically" appears/changes during some kind of initialization. There was a certain piece of assembly code where I wanted to apply a patch, but that code is only there during debugging, once a certain initialization has been run. If I look at the same address just after loading the executable, I cannot find the code that I see during debugging (there is different nonsense code at that address).

Maybe someone would be so nice to explain what is going on there?

Thanks!
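The question above is about a region that reads as nonsense in the file on disk but as real instructions once initialization has run. The Python example below is added here as an illustration; it is not from the thread and not the challenge's actual decoder. The rolling-XOR scheme, the key, the header stand-in and the instruction bytes are all constructed for illustration. It shows why the static and runtime views differ, and why a patch has to be applied either in memory after the stub has run or to the encoded on-disk bytes through the same transform:

```python
"""Added illustration: a code region that is stored encoded on disk and
decoded in place by an init stub. Everything here is constructed; the
real challenge's scheme is not known from the thread."""

KEY = b"\x5a\xc3\x19\x77"  # assumed key that the init stub would carry

# Constructed sample instruction bytes for the region (x86, for illustration).
CODE_PLAIN = bytes.fromhex(
    "e800000000"   # call $+5
    "85c0"         # test eax, eax
    "7405"         # jz short +5   <- the check a reverser might want to NOP out
    "b801000000"   # mov eax, 1
    "c3"           # ret
)
JZ_OFF = 7                      # offset of the jz within the region
HEADER = b"MZ" + b"\x00" * 14   # stand-in for whatever precedes the region
REGION_OFF = len(HEADER)


def encode_region(plain: bytes, key: bytes) -> bytes:
    """Rolling XOR: each output byte is chained to the previous output byte,
    so changing one plaintext byte alters every encoded byte after it."""
    out = bytearray()
    prev = 0
    for i, b in enumerate(plain):
        c = b ^ key[i % len(key)] ^ prev
        out.append(c)
        prev = c
    return bytes(out)


def decode_region(enc: bytes, key: bytes) -> bytes:
    """Inverse of encode_region; this is what the init stub does in memory."""
    out = bytearray()
    prev = 0
    for i, c in enumerate(enc):
        out.append(c ^ key[i % len(key)] ^ prev)
        prev = c
    return bytes(out)


def build_image() -> bytes:
    """The file as it sits on disk: header plus the encoded region.
    Disassembling this region statically yields nonsense."""
    return HEADER + encode_region(CODE_PLAIN, KEY)


def run_init(image: bytes) -> bytes:
    """Emulates the program's init stub: decode the region in place and
    return the memory image a debugger would show after that point."""
    mem = bytearray(image)
    mem[REGION_OFF:] = decode_region(bytes(mem[REGION_OFF:]), KEY)
    return bytes(mem)


def naive_patch(image: bytes, rel_off: int, new_bytes: bytes) -> bytes:
    """What goes wrong if you write the patch straight into the file at the
    address seen in the debugger: the stub still runs over it afterwards."""
    img = bytearray(image)
    off = REGION_OFF + rel_off
    img[off:off + len(new_bytes)] = new_bytes
    return bytes(img)


def patch_on_disk(image: bytes, rel_off: int, new_bytes: bytes) -> bytes:
    """A patch that survives init: decode the region, patch the plaintext,
    re-encode the whole region with the same transform."""
    plain = bytearray(decode_region(image[REGION_OFF:], KEY))
    plain[rel_off:rel_off + len(new_bytes)] = new_bytes
    return image[:REGION_OFF] + encode_region(bytes(plain), KEY)


if __name__ == "__main__":
    disk = build_image()
    print("on disk    :", disk[REGION_OFF:].hex())
    print("after init :", run_init(disk)[REGION_OFF:].hex())
    bad = run_init(naive_patch(disk, JZ_OFF, b"\x90\x90"))
    good = run_init(patch_on_disk(disk, JZ_OFF, b"\x90\x90"))
    print("naive patch, after init :", bad[REGION_OFF:].hex())
    print("proper patch, after init:", good[REGION_OFF:].hex())
```

The same reasoning applies to a real packer or string decoder: the bytes at a given virtual address in the file are the decoder's input, not its output, so either break after the decoding routine and patch memory, or reproduce the routine (in Python against the file, as some posters here did) and patch through it.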

Spoiler Removed

Is this in any way solvable with only a Linux box, without winedbg etc.?

I think one needs to debug to solve this riddle (static analysis would be too complicated), so maybe try wine + a Windows debugger?

Hello there,

I confirm that I have followed the r2 + python path to solve this. You do not need anything else. Just to confirm my analysis and because I was curious about debugging PE32 binaries with winedbg on my Debian workstation, I debugged the program using winedbg and it worked like a charm.

There are 3 well-known anti debugging techniques, so a couple of NOPs here and there should do the trick.

Cheers,

radare2 and Python, or just r2 if you're a skilled debugger

I was trying to install ScyllaHide as a plugin to OllyDbg, but it doesn’t seem to have the configuration files mentioned in the instructions. :neutral:

or I could do the r2 + python way, but what exactly does one use python for here? String decoding analysis?

Vanilla Ollydbg in Kali Linux was what I used. No extra plugins needed.

Well, nice job. I’m not a Guru though. XD more of a n00b. I’ll keep bashing my head against the wall with it, though. I kind of like it.

Finally got it! x32dbg + ScyllaHide, and I placed a NOP in one spot, after a lot of trial and error and following interesting looking things. Very clever & fun!

I cracked it!
After 3 weeks of battles :smiley:
Hint: All you need for this is IDA 7.0 Free. No other tools were needed for me.

Ugh, that one was hard. Pretty new to reversing but slogged through it. I only used x32dbg (comes with scylla, I guess).

Good reading that helped me through it: http://pferrie.host22.com/papers/antidebug.pdf