I have researched a ton about anti-debug techniques and have stepped through different paths in the program with OllyDbg… but still not seeing anything. I have tried patching the initial j** as the t** ccks don’t seem to matter, but the binary broke. There also seems to be a x l in there but it doesn’t seem to do anything. I’m assuming based on the output of the program that the flag should appear easily with my debugger (let me know if this is a spoiler, but that becomes clear when running the program), but I’m getting nowhere. Does anyone have any suggestions?
Solved it! Out of all the reversing challenges I have done (all of them but pseudo), this is by far the hardest one. It is in no way easy… not sure if other solvers have magic reversing skills or are just trolling. I needed 3 patches and had to reload Olly multiple times to find the correct changes in the binary (it has multiple different ways of changing, I believe). Thank you so much to all those who helped me too!
@will135 Scylla didn’t seem to help - it still throws an exception when it returns to an illegal address from ntdll - is there some magic to getting scylla to work? How far should it execute when it is working?
@Ramphy Scylla anti debug helps. And then a few nops like I mentioned above.
Yep, it helped a lot. I used x32dbg + ScyllaHide + passed one simple anti-debug block that wasn’t caught manually in the debugger (via registers). After that just… debugging and reading the fun message %))) No NOPs/patches.
@CyberMnemosyne Yea, that happened a few times. Ignore the callbacks… they are just meant to throw us off, I think. Rather, break on the first thing you see on a normal entry point.
Maybe someone could help me with the following question - some piece of assembly code “magically” appears/changes during some kind of initialization. There was a certain piece of assembly code where I wanted to apply a patch, but that code is there only during debugging, once certain initialization has been run. If I look at the same address just after loading the executable, I cannot find the code which I see during debugging (there is different nonsense code at that address).
Maybe someone would be so nice to explain what is going on there?
I confirm that I have followed the r2 + python path to solve this. You do not need anything else. Just to confirm my analysis and because I was curious about debugging PE32 binaries with winedbg on my Debian workstation, I debugged the program using winedbg and it worked like a charm.
There are 3 well-known anti debugging techniques, so a couple of NOPs here and there should do the trick.
I was trying to install ScyllaHide as a plugin to OllyDbg, but it doesn’t seem to have the configuration files mentioned in the instructions. :neutral:
Or I could do the r2 + python way, but what exactly does one use python for here? String decoding analysis?
Finally got it! x32dbg + ScyllaHide, and I placed a NOP in one spot, after a lot of trial and error and following interesting looking things. Very clever & fun!