debugme

@CyberMnemosyne Yeah, that happened a few times. Ignore the callbacks… I think they are just meant to throw us off. Rather, break on the first thing you see on a normal entrypoint.

I get Scylla but I’m totally blocked. Any tips for helping?

@YanTayga said:

Nice! Thanks @Malfurion!
IDA & Python are the only things you need to solve that challenge…

Python is not necessary for this challenge - there is a small bug in string decoding assembly, once it is fixed, the flag appears nicely in memory.

Maybe someone could help me with the following question - some piece of assembly code “magically” appears/changes during some kind of initialization. There was a certain piece of assembly code where I wanted to apply a patch, but that code is there only during debugging, once certain initialization has been run. If I look at the same address just after loading the executable, I cannot find the code which I see during debugging (there is different nonsense code at that address).

Maybe someone would be so nice to explain what is going on there?

Thanks!


Is this in any way solvable with only a Linux box, without winedbg etc.?

I think one needs to debug to solve this riddle (static analysis would be too complicated) - so, maybe try wine + windows debugger?

Hello there,

I confirm that I have followed the r2 + python path to solve this. You do not need anything else. Just to confirm my analysis and because I was curious about debugging PE32 binaries with winedbg on my Debian workstation, I debugged the program using winedbg and it worked like a charm.

There are 3 well-known anti debugging techniques, so a couple of NOPs here and there should do the trick.

Cheers,

radare2 and Python, or just r2 if you’re a skilled debugger

I was trying to install ScyllaHide as a plugin to OllyDbg, but it doesn’t seem to have the configuration files mentioned in the instructions. :neutral:

Or I could do the r2 + Python way, but what exactly does one use Python for here? String decoding analysis?

Vanilla Ollydbg in Kali Linux was what I used. No extra plugins needed.

Well, nice job. I’m not a Guru though. XD more of a n00b. I’ll keep bashing my head against the wall with it, though. I kind of like it.

Finally got it! x32dbg + ScyllaHide, and I placed a NOP in one spot, after a lot of trial and error and following interesting looking things. Very clever & fun!

I cracked it!
After 3 weeks of battles :smiley:
Hint: All you need to do this is IDA 7.0 Free. No other tool was needed for me.

Ugh, that one was hard. Pretty new to reversing but slogged through it. I only used x32dbg (comes with Scylla, I guess).

Good reading that helped me through it: http://pferrie.host22.com/papers/antidebug.pdf

I used x32dbg. Not sure if the ScyllaHide feature was needed but I checked several boxes anyway.

Hint: Find the beginning of the actual program and JUMP there… The rest is basic RE analysis.

In my experience with using OllyDBG, after dealing with the anti-debugging techniques some instructions were not being displayed correctly which hindered my RE analysis and got me stuck. Tried x32dbg and managed to solve it from there.

Hope someone finds that helpful!

Think I found the decryption of the flag before the program exits, but it’s decrypting rubbish… using x32dbg and ScyllaHide.

I’ve been struggling with this challenge for several days. Learned quite a lot about anti-debugging techniques on the way. I’ve used IDA 7.0 Free to complete the challenge.