crackmes/1b/README.md
2023-02-13 15:42:53 +00:00


# CrackMeTwo
- Same idea as one, just with anti-debugger measures.
- Uses [NtQueryInformationProcess](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess) to check debugger state. Note the linked documentation doesn't cover the `ProcessInfoClass` option it uses. [Full enumeration is available here](https://www.pinvoke.net/default.aspx/ntdll/PROCESSINFOCLASS.html).
- Debugger stepping can confirm we are calling this function with `0x1F` (`ProcessDebugFlags`). This anti-debug method is documented [here](https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugflags).
- Basically just need to make this function return anything but zero. Bunch of ways to do this (edit eax in breakpoint, modify instructions to mov something in, etc.).
A patch is a bit cleaner, we can patch the `call ebx` instruction (the call to `NtQueryInformationProcess`) with `mov eax,ebp` or any other instructions with the same length that will give us a non-zero `eax`:
```patch
>crackmeoneb.exe
00001169:FF->89
0000116A:D3->E8
```
- Now that we've patched this, we can get to the input dialog. However, entering anything and hitting OK gives us another exception.
- Inspecting the exception, it seems we are dividing by zero on purpose and unconditionally, which throws an exception.
- Looking at the instructions above, we can see calls to `UnhandledExceptionFilter()`. This means we are encountering [another anti-debug technique, documented here](https://anti-debug.checkpoint.com/techniques/exceptions.html#unhandledexceptionfilter).
- We can inspect the exception handler that would be registered if not debugging, and see that it is adding 2 to the `eip` and returning `EXCEPTION_CONTINUE_EXECUTION`. This just skips the `div` instruction.
- Just fill the `div` instruction with `nop`s and everything works great under the debugger again.
- Use the same method as CrackMeOne to find the password.
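The `call ebx` patch above is given in an `OFFSET:OLD->NEW` listing. As an added example (not part of the original write-up), here is a small applier for that format that refuses to write unless the original bytes match, so a patch is never applied to the wrong build or offset. The input image is constructed in-memory, not the real crackme binary.

```python
import re

# Patch listing copied from the write-up above (file name line, then
# OFFSET:OLD->NEW byte entries, all hex).
PATCH_TEXT = """\
>crackmeoneb.exe
00001169:FF->89
0000116A:D3->E8
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]+):([0-9A-Fa-f]{2})->([0-9A-Fa-f]{2})$")


def parse_patch(text: str) -> tuple[str, list[tuple[int, int, int]]]:
    """Return (target file name, [(offset, old, new), ...]) from the listing."""
    target = None
    patches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            target = line[1:]
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised patch line: {line!r}")
        patches.append((int(m[1], 16), int(m[2], 16), int(m[3], 16)))
    if target is None:
        raise ValueError("patch listing names no target file")
    return target, patches


def apply_patch(image: bytes, patches: list[tuple[int, int, int]]) -> bytes:
    """Apply patches to a copy of image; fail if any expected byte is wrong."""
    buf = bytearray(image)
    for offset, old, new in patches:
        if offset >= len(buf):
            raise ValueError(f"offset {offset:#x} beyond image end")
        if buf[offset] != old:
            raise ValueError(f"{offset:#x}: found {buf[offset]:02X}, expected {old:02X}")
        buf[offset] = new
    return bytes(buf)


def demo() -> bytes:
    """Constructed image: zero padding with 'call ebx' (FF D3) at 0x1169."""
    image = bytearray(0x1200)
    image[0x1169:0x116B] = b"\xff\xd3"
    _target, patches = parse_patch(PATCH_TEXT)
    return apply_patch(bytes(image), patches)  # bytes at 0x1169 become 89 E8
```

`89 E8` decodes as `mov eax, ebp` (MOV r/m32, r32 with ModRM `11 101 000`), which is why the two-byte replacement keeps the instruction stream aligned.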
## Solution
Password: `zoq98m`