# CrackMeTwo

- Same idea as one, just with anti-debugger measures.
- Uses [NtQueryInformationProcess](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess) to check debugger state. Note the linked documentation doesn't cover the `ProcessInfoClass` option it uses. [Full enumeration is available here](https://www.pinvoke.net/default.aspx/ntdll/PROCESSINFOCLASS.html).
- Debugger stepping can confirm we are calling this function with `0x1F` (`ProcessDebugFlags`). This anti-debug method is documented [here](https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugflags).
- Basically we just need to make this function return anything but zero. There are a bunch of ways to do this (edit `eax` at a breakpoint, modify instructions to `mov` something in, etc.). A patch is a bit cleaner: we can patch the `call ebx` instruction (the call to `NtQueryInformationProcess`) with `mov eax,ebp`, or any other instruction of the same length that leaves a non-zero value in `eax`:

  ```patch
  >crackmeoneb.exe
  00001169:FF->89
  0000116A:D3->E8
  ```

- Now that we've patched this, we can get to the input dialog. However, entering anything and hitting OK gives us another exception.
- Inspecting the exception, it seems we are dividing by zero on purpose, unconditionally, which throws an exception.
- Looking at the instructions above, we can see calls to `UnhandledExceptionFilter()`. This means we are encountering [another anti-debug technique, documented here](https://anti-debug.checkpoint.com/techniques/exceptions.html#unhandledexceptionfilter).
- We can inspect the exception handler that would be registered if not debugging, and see that it adds 2 to `eip` and returns `EXCEPTION_CONTINUE_EXECUTION`. This just skips the `div` instruction.
- Just fill the `div` instruction with `nop`s and everything works great under the debugger again.
- Use the same method as CrackMeOne to find the password.

## Solution

Password: `zoq98m`
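As an added example (not part of the write-up), a small Python applier for the `.1337`-style patch text shown above: it parses the `>file` header and the `offset:old->new` lines, and refuses to write anything unless every original byte matches, so a patch made against one build can't silently corrupt another. It treats the offsets as raw file offsets, which is an assumption; x64dbg's `.1337` files carry RVAs, so a real PE would need a section-table translation first.

```python
"""Parse and apply a .1337-style patch (">file" header, then "offset:old->new").
Added example, not part of the write-up. Assumption: offsets are used as raw
file offsets; x64dbg's .1337 format actually stores RVAs, so for a real PE the
offset would first have to be translated through the section table."""
import re

LINE_RE = re.compile(r"^([0-9A-Fa-f]+):([0-9A-Fa-f]{2})->([0-9A-Fa-f]{2})$")


def parse_1337(text):
    """Return (target_filename, [(offset, old_byte, new_byte), ...])."""
    target = None
    patches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            target = line[1:].strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised patch line: {line!r}")
        patches.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    if target is None:
        raise ValueError("missing '>filename' header")
    return target, patches


def apply_1337(image, patches):
    """Patch a bytearray in place. Every original byte is checked first, so a
    mismatch (wrong build, wrong offset base) aborts before any write happens."""
    for off, old, _new in patches:
        if off >= len(image):
            raise ValueError(f"offset {off:#x} is beyond the end of the image")
        if image[off] != old:
            raise ValueError(f"{off:#x}: expected {old:02X}, found {image[off]:02X}")
    for off, _old, new in patches:
        image[off] = new
    return image


# Constructed stand-in image: zero-filled, with 'call ebx' (FF D3) placed at 0x1169.
SAMPLE_PATCH = ">crackmeoneb.exe\n00001169:FF->89\n0000116A:D3->E8\n"


def demo():
    image = bytearray(0x1200)
    image[0x1169:0x116B] = b"\xff\xd3"
    target, patches = parse_1337(SAMPLE_PATCH)
    apply_1337(image, patches)
    return target, bytes(image[0x1169:0x116B])  # -> ('crackmeoneb.exe', b'\x89\xe8')


if __name__ == "__main__":
    print(demo())
```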