# CrackMeTwo

Same idea as CrackMeOne, just with anti-debugger measures.

- Uses `NtQueryInformationProcess` to check debugger state. Note that the linked documentation doesn't cover the `ProcessInfoClass` value it uses; a full enumeration is available here.
- Debugger stepping confirms we are calling this function with `ProcessInfoClass = 0x1F` (`ProcessDebugFlags`). This anti-debug method is documented here.
- Basically we just need to make this function return anything but zero. There are a bunch of ways to do this (edit `eax` at a breakpoint, modify instructions to `mov` something in, etc.). A patch is a bit cleaner: we can patch the `call ebx` instruction (the call to `NtQueryInformationProcess`, bytes `FF D3`) with `mov eax,ebp` (`89 E8`), or any other two-byte instruction that leaves a non-zero value in `eax` (`ebp` holds the frame pointer here, so it is never zero). In x64dbg `.1337` patch format:

  ```
  >crackmeoneb.exe
  00001169:FF->89
  0000116A:D3->E8
  ```

- Now that we've patched this, we can get to the input dialog. However, entering anything and hitting OK gives us another exception.
- Inspecting the exception, it seems we are dividing by zero on purpose and unconditionally, which throws an exception.
- Looking at the instructions above it, we can see calls to `UnhandledExceptionFilter()`. This means we are encountering another anti-debug technique, documented here: the top-level exception filter is only invoked when no debugger is attached, so under a debugger the fault is never handled and the program dies instead of continuing.
- We can inspect the exception handler that would be registered if not debugging and see that it adds 2 to `eip` and returns `EXCEPTION_CONTINUE_EXECUTION`. This just skips the two-byte `div` instruction.
- Just fill the `div` instruction with `nop`s (`90 90`) and everything works great under the debugger again.
- Use the same method as CrackMeOne to find the password.

## Solution

Password: `zoq98m`
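Applying a `.1337` patch by hand in a hex editor is error-prone because the addresses in the file are RVAs (image-relative), not file offsets. The script below, an added example that is not part of this repository, parses the patch text shown above, maps each RVA to its file offset through the PE section table, verifies the expected old byte before writing, and refuses to patch on a mismatch. It assumes the `.1337` layout of a `>module.exe` selector line followed by `RVA:OLD->NEW` hex entries. Because the real `crackmeoneb.exe` is not included here, it builds a constructed minimal PE32 with a single `.text` section as a stand-in target.

```python
"""Apply a .1337 patch (the x64dbg patch-export format) to a PE file on disk.

Added example, not code from the CrackMeTwo repository. Assumptions: the .1337
text holds a ">module.exe" selector line followed by "RVA:OLD->NEW" entries in
hex, and the RVAs refer to the module's image layout, so they are mapped to
file offsets through the PE section table before patching.
"""
import re
import struct

ENTRY_RE = re.compile(r"^([0-9A-Fa-f]+):([0-9A-Fa-f]{2})->([0-9A-Fa-f]{2})$")

# Patch text from the README: selects crackmeoneb.exe and rewrites the two
# bytes of "call ebx" (FF D3) at RVA 0x1169 to "mov eax,ebp" (89 E8).
CRACKMETWO_PATCH = ">crackmeoneb.exe\n00001169:FF->89\n0000116A:D3->E8\n"


def parse_1337(text):
    """Return {module: [(rva, old_byte, new_byte), ...]} from .1337 text."""
    patches, module = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            module = line[1:].strip()
            patches.setdefault(module, [])
            continue
        m = ENTRY_RE.match(line)
        if m is None or module is None:
            raise ValueError("malformed .1337 line: %r" % raw)
        patches[module].append(tuple(int(g, 16) for g in m.groups()))
    return patches


def pe_sections(image):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER follows "PE\0\0"
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(nsections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, table + 40 * i + 8)
        yield vaddr, vsize, rptr, rsize


def rva_to_offset(image, rva):
    """Map an RVA to its file offset; reject RVAs that have no bytes on disk."""
    for vaddr, vsize, rptr, rsize in pe_sections(image):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError("RVA 0x%X is uninitialised data, not present in the file" % rva)
            return rptr + delta
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def apply_patch(image, entries):
    """Return a patched copy of image; refuse to write if the old byte does not match."""
    buf = bytearray(image)
    for rva, old, new in entries:
        off = rva_to_offset(buf, rva)
        if buf[off] != old:
            raise ValueError("RVA 0x%X: file has %02X, patch expects %02X" % (rva, buf[off], old))
        buf[off] = new
    return bytes(buf)


def build_sample_pe(text_bytes, text_rva=0x1000, text_raw=0x200):
    """Constructed minimal PE32 with one .text section: a stand-in, not the real crackme."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    opt_size = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), text_rva,
                       len(text_bytes), text_raw, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(text_raw, b"\0") + text_bytes


def patch_sample():
    """Place "call ebx" at RVA 0x1169, apply the README patch, return the patched image."""
    text = bytearray(0x200)
    text[0x169:0x16B] = b"\xff\xd3"                       # call ebx at RVA 0x1169
    image = build_sample_pe(bytes(text))
    entries = parse_1337(CRACKMETWO_PATCH)["crackmeoneb.exe"]
    return apply_patch(image, entries)


if __name__ == "__main__":
    patched = patch_sample()
    off = rva_to_offset(patched, 0x1169)
    print("bytes at RVA 0x1169 after patch: %s" % patched[off:off + 2].hex())  # 89e8
```

To use it against the real binary, read `crackmeoneb.exe` into `image`, call `apply_patch(image, parse_1337(open("patch.1337").read())["crackmeoneb.exe"])`, and write the result to a new file. The old-byte check is what makes this safe to rerun: applying the same patch twice, or applying it to a different build, fails loudly instead of silently corrupting an unrelated instruction.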