Download Anti-debug / Anti-cheat CrackMe


timb3r (Semi-Retired, Dank Tier VIP) - Jul 15, 2018
Sup GH,

I, like a lot of you guys, am pretty tired of all the lackluster posting that's been going on.

So I decided to fix it.

Presenting: timb3r's anti-debug / anti-cheat CrackMe series!

Stay up to date on the series: https://guidedhacking.com/threads/doomguy-crackme-series.13283


Something that I hope will go for a number of months and keep people relatively entertained. If you've never attempted a CrackMe before don't worry, it won't be anything too complex too quickly. (If you can complete Cheat Engine's tutorial you're overqualified for now).

If I get good feedback and decent participation I'll keep releasing them. The plan is to release a new one every month or so (depending on time).

Consider this first one a BETA / Prototype as I'll be refining it as I go along. This one is 100% targeted at newbs and I doubt anyone with any decent amount of RE experience would struggle with this at all.

However I still want to collect as much feedback as possible so I can make it as fun as possible.

Let me know what you guys think!

NB - Oh and I guess the first person to post the flag in this thread might get a reward or something I don't know I'll have to ask @Rake about putting some badges or something up.

UPDATE:

Version 1.1:

- Fixed issue where flag would be encrypted /decrypted in a loop. Flag will only be dropped once now.
- Fixed a few other minor bugs.
- Added some additional detection methods.
- Updated Tutorial level to Tutorial+ (it's slightly more difficult now) have fun!

Virus Total Scan
 


Butch (Butch đẹp trai, Meme Tier VIP, Fleep Tier Donator) - Jun 27, 2019
Thanks for your work, looking forward to the next part.

I looked at the FLAG FILE and saw its content change back and forth

this is the file
[~~!] Congrats you did it!
[+] Flag: 0x0001.
†££ü€ýž²³º¯¼©®ý¤²¨ý¹´¹ý´©ü׆ö€ý›±¼ºçýí¥íííìó
 
Lukor (ded, Meme Tier VIP, Fleep Tier Donator) - Dec 13, 2013
Should we go for a convention for posting flags?
It is a little sad if you get spoilers on the process or the flag itself.

Steps should be in a named spoiler container.
Maybe hash the flag with your forum name?
Flag: FoundMe1234 -> sha256("LukorFoundMe1234")
This way everyone that has the flag can check if you are right, without spoiling it for others (or giving the opportunity at all :D)
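A small checker for the hash-your-flag convention proposed above, added here as an example and not something posted in the thread. It assumes the digest is SHA-256 over the forum name followed directly by the flag, hex encoded, and uses the constructed sample flag FoundMe1234 from the post rather than the crackme's real flag. It also shows the property that makes the name prefix worthwhile: the same flag gives every poster a different digest, so a digest copied from another solver will not verify under your own name.

```python
import hashlib
import hmac


def flag_digest(forum_name: str, flag: str) -> str:
    """Digest to post instead of the flag: sha256(forum_name + flag), hex encoded.
    Assumes the convention from the post: name first, then flag, no separator."""
    return hashlib.sha256((forum_name + flag).encode("utf-8")).hexdigest()


def verify_submission(forum_name: str, posted_digest: str, real_flag: str) -> bool:
    """Let anyone who already holds the flag check a digest someone posted.
    Tolerates upper-case hex and stray whitespace; compares in constant time."""
    expected = flag_digest(forum_name, real_flag)
    candidate = posted_digest.strip().lower()
    if len(candidate) != len(expected):
        return False
    return hmac.compare_digest(expected, candidate)


def digests_are_name_bound(flag: str, names) -> bool:
    """True when every poster gets a distinct digest for the same flag, i.e. a digest
    copied from another solver's post will not verify under a different name."""
    digests = {flag_digest(n, flag) for n in names}
    return len(digests) == len(list(names))


if __name__ == "__main__":
    FLAG = "FoundMe1234"  # constructed sample flag from the post, not the crackme's real flag
    posted = flag_digest("Lukor", FLAG)
    print("Lukor posts:      ", posted)
    print("verifies as Lukor:", verify_submission("Lukor", posted, FLAG))
    print("verifies as Butch:", verify_submission("Butch", posted, FLAG))
    print("name-bound:       ", digests_are_name_bound(FLAG, ["Lukor", "Butch", "Boboo99"]))
```

Whoever already has the flag runs verify_submission with the poster's name and their pasted digest; nobody else learns anything from the digest itself.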
 

Lukor (ded, Meme Tier VIP, Fleep Tier Donator) - Dec 13, 2013
Never really did this before... Without IDA I wouldn't have found some of it...


There is some strange problem after closing the crackme. Sometimes it corrupts the text file.

9161285848e9a3465c7b3cc9795e3733b7206e3fe76af58c3be57f465323c939
I found 2 ways.
1: nop check thread creation and stack cleanup @0005BAE2
2: change the "bad program" strings @94A20
 
Boboo99 (Scrub, Dank Tier VIP, Fleep Tier Donator) - Feb 20, 2016
Aight, done it.

JavaScript:
console.alloc();

console.log("Loaded...");

let dropFlag = asm.initializeCall(0x0045BCD2, callingConvention.cdecl,"int","none");

dropFlag.call();

console.log("Done...");

[~~!] Congrats you did it!
[+] Flag: 0x0001.
 
timb3r (Semi-Retired, Dank Tier VIP) - Jul 15, 2018
Aight, done it.

JavaScript:
console.alloc();

console.log("Loaded...");

let dropFlag = asm.initializeCall(0x0045BCD2, callingConvention.cdecl,"int","none");

dropFlag.call();

console.log("Done...");

[~~!] Congrats you did it!
[+] Flag: 0x0001.
I figured someone would just call the method directly (was kinda hoping actually it's a clever solution).

Also thanks for the bug reports / feedback.

EDIT - It would be really cool if someone could do a vid (or write up) of them solving the CrackMe with minimal editing so other people can see it in real time. I mean @Rake would probably let you put it on the channel which would be nice.
 
Lukor (ded, Meme Tier VIP, Fleep Tier Donator) - Dec 13, 2013
1.1 Flag is the same
The program does not close instantly now, it registers your debugger / bad program and prints "[-FAIL] Debugger detected." instead of the flag.
If you hardcode the health value to be != 100 on the first loop, you lose, too.
There is protection against patching the first "You busted champ" print. There are actually 2 checks to patch or you won't get the flag.
 

BDKPlayer (No hack no life, Dank Tier VIP, Dank Tier Donator) - Oct 31, 2013
Cool stuff. Looking forward to that series mate.

I approached this challenge like most CTF ones I did and recreated your decoding algorithm. I hope you will force me to learn something about anti debugging in the upcoming challenges :D

Some feedback:
I know this is entry level but I think there are just so many symbols etc. left in the binary. I slapped that thing in IDA and could tell that you named your decoding function "encode" :p

C++:
#include <Windows.h>
#include <cstdio>
#include <cstdlib>


const int messageLength = 44;
// unsigned: values above 0x7F do not fit a signed char in a braced initializer
const unsigned char encoded[messageLength] = {0x86, 0xA3, 0xA3, 0xFC, 0x80, 0xFD, 0x9E, 0xB2, 0xB3, 0xBA, 0xAF, 0xBC, 0xA9, 0xAE, 0xFD, 0xA4, 0xB2, 0xA8, 0xFD, 0xB9, 0xB4, 0xB9, 0xFD, 0xB4, 0xA9, 0xFC, 0xD7, 0x86, 0xF6, 0x80, 0xFD, 0x9B, 0xB1, 0xBC, 0xBA, 0xE7, 0xFD, 0xED, 0xA5, 0xED, 0xED, 0xED, 0xEC, 0xF3};


int main()
{
    // One extra byte so the decoded text is NUL-terminated before printf("%s") reads it
    char decoded[messageLength + 1] = {};
    for (int i = 0; i < messageLength; i++)
    {
        decoded[i] = static_cast<char>(encoded[i] ^ 0xdd); // single-byte XOR, same op both ways
    }

    printf("%s\n", decoded);

    system("pause");
    return 0;
}

Edit: the program closes for me after like 0.5 secs without attaching any debugger or anything.
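Re-implementing the decode, as the post above does, is the standard static approach. The Python below is added here as an example and is not code from the thread or from the crackme; it repeats the decode and also shows why a single-byte XOR over an ASCII banner offers no real protection: without knowing the key at all, the 256 candidates can be scored for text-likeness, and with a guess of just one plaintext byte (the '[' that both banner lines start with) the key falls out of a single XOR. The byte table is copied from the C++ post above and the key 0xDD is the one that post found; the scoring heuristic and function names are this example's own.

```python
import string

# Byte table copied from the C++ snippet posted above (the XOR-obfuscated banner)
ENCODED = bytes([
    0x86, 0xA3, 0xA3, 0xFC, 0x80, 0xFD, 0x9E, 0xB2, 0xB3, 0xBA, 0xAF, 0xBC, 0xA9, 0xAE,
    0xFD, 0xA4, 0xB2, 0xA8, 0xFD, 0xB9, 0xB4, 0xB9, 0xFD, 0xB4, 0xA9, 0xFC, 0xD7, 0x86,
    0xF6, 0x80, 0xFD, 0x9B, 0xB1, 0xBC, 0xBA, 0xE7, 0xFD, 0xED, 0xA5, 0xED, 0xED, 0xED,
    0xEC, 0xF3,
])
KEY = 0xDD  # the single-byte key the post recovered from the binary

# Byte classes used to score candidate plaintexts
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
TEXTLIKE = set(string.ascii_letters.encode()) | {0x20}


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> int:
    """-1 if any byte is not printable ASCII, otherwise the count of letters and spaces.
    The hard printability filter is what stops near-miss keys from outscoring the real one."""
    if any(b not in PRINTABLE for b in candidate):
        return -1
    return sum(b in TEXTLIKE for b in candidate)


def recover_key_bruteforce(data: bytes) -> int:
    """Try all 256 single-byte keys and keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: text_score(xor_decode(data, k)))


def recover_key_known_byte(data: bytes, index: int, known_plaintext_byte: int) -> int:
    """If one plaintext byte is known (here: the banner starts with '['), the key is one XOR away."""
    return data[index] ^ known_plaintext_byte


def decode_banner(data: bytes = ENCODED) -> str:
    """Decode using only the data: the key comes from the brute-force search, not from KEY."""
    return xor_decode(data, recover_key_bruteforce(data)).decode("ascii")


if __name__ == "__main__":
    print("known key 0x%02X ->" % KEY, xor_decode(ENCODED, KEY).decode("ascii"))
    print("brute-forced key: 0x%02X" % recover_key_bruteforce(ENCODED))
    print("known-byte key:   0x%02X" % recover_key_known_byte(ENCODED, 0, ord("[")))
    print(decode_banner())
```

Both recovery paths land on 0xDD, which is the practical point: anything a binary XORs with a constant can be read without touching the decoding routine, so this kind of obfuscation only delays a static reader, it does not stop one.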
 
Boboo99 (Scrub, Dank Tier VIP, Fleep Tier Donator) - Feb 20, 2016
I figured someone would just call the method directly (was kinda hoping actually it's a clever solution).

Also thanks for the bug reports / feedback.

EDIT - It would be really cool if someone could do a vid (or write up) of them solving the CrackMe with minimal editing so other people can see it in real time. I mean @Rake would probably let you put it on the channel which would be nice.
Recorded it really quick, totally not trynna flex with OhBoi.
 

timb3r (Semi-Retired, Dank Tier VIP) - Jul 15, 2018
Recorded it really quick, totally not trynna flex with OhBoi.
You know you can hit escape to close it right? Also Cutter looks awesome, can you analyse Windows PE files on Linux? Going to try it today.
 

Boboo99 (Scrub, Dank Tier VIP, Fleep Tier Donator) - Feb 20, 2016
You know you can hit escape to close it right? Also Cutter looks awesome, can you analyse Windows PE files on Linux? Going to try it today.
Oh okay, did not know that, thanks :')

Cutter is kinda cool, always happy to introduce some new tools :))
 

Icew0lf (Software Ninjaneer, Dank Tier VIP, Fleep Tier Donator) - Aug 20, 2013
Oh okay, did not know that, thanks :')

Cutter is kinda cool, always happy to introduce some new tools :))
What is OhBoi?
Is it a tool you made? What's its job?
 

timb3r (Semi-Retired, Dank Tier VIP) - Jul 15, 2018
Cool stuff. Looking forward to that series mate.

I approached this challenge like most CTF ones I did and recreated your decoding algorithm. I hope you will force me to learn something about anti debugging in the upcoming challenges :D

Some feedback:
I know this is entry level but I think there are just so many symbols etc. left in the binary. I slapped that thing in IDA and could tell that you named your decoding function "encode" :p

C++:
#include <Windows.h>
#include <cstdio>
#include <cstdlib>


const int messageLength = 44;
// unsigned: values above 0x7F do not fit a signed char in a braced initializer
const unsigned char encoded[messageLength] = {0x86, 0xA3, 0xA3, 0xFC, 0x80, 0xFD, 0x9E, 0xB2, 0xB3, 0xBA, 0xAF, 0xBC, 0xA9, 0xAE, 0xFD, 0xA4, 0xB2, 0xA8, 0xFD, 0xB9, 0xB4, 0xB9, 0xFD, 0xB4, 0xA9, 0xFC, 0xD7, 0x86, 0xF6, 0x80, 0xFD, 0x9B, 0xB1, 0xBC, 0xBA, 0xE7, 0xFD, 0xED, 0xA5, 0xED, 0xED, 0xED, 0xEC, 0xF3};


int main()
{
    // One extra byte so the decoded text is NUL-terminated before printf("%s") reads it
    char decoded[messageLength + 1] = {};
    for (int i = 0; i < messageLength; i++)
    {
        decoded[i] = static_cast<char>(encoded[i] ^ 0xdd); // single-byte XOR, same op both ways
    }

    printf("%s\n", decoded);

    system("pause");
    return 0;
}

Edit: the program closes for me after like 0.5 secs without attaching any debugger or anything.
Sooner or later I figured someone would bring up how static analysis is OP for entry level CrackMes. The next one will be more difficult and I'll make an effort to make static analysis painful for people so they'll be more tempted to DO IT LIVE.

 
Boboo99 (Scrub, Dank Tier VIP, Fleep Tier Donator) - Feb 20, 2016
what is OhBoi?
is it a tool you made? whats its job?
Yep, allows you to execute Javascript in remote processes, with my own exported API. Allowing you to hook, call functions, do some memory io and whatnot.
It's not finished yet, so there is no actual release or anything.
 

catalinqs (Dank Tier Donator, Nobleman) - Aug 2, 2019
Yep, allows you to execute Javascript in remote processes, with my own exported API. Allowing you to hook, call functions, do some memory io and whatnot.
It's not finished yet, so there is no actual release or anything.
When I saw in your video that you ran JS for memory I didn't know if a commercial had appeared or if that was a troll, technology ¯\_(ツ)_/¯
 

Rake (Cesspool Admin, Administrator) - Jan 21, 2014
This is awesome, I'm so glad people are digging this. I will talk to @timb3r about prizes and stuff.

In the meantime, everyone who posted a solution is getting their account upgraded 1 level, including timb3r!
@Lukor @BDKPlayer @Butch @Boboo99 @Icew0lf cheers dudes
 
CyanideByte (Newbie) - May 31, 2012
Looking forward to more of these, I think the difficulty was about right for the first one.

-Patched IsDebuggerPresent to return 0
-Patched CreateToolhelp32Snapshot to return INVALID_HANDLE_VALUE
-Patched JG -> JMP to go past the 255 array loop where you compare the health to the array values

-Finally I simply wrote 1337.f to 0x004A0B7C (health)

Hash: f50801cdafd82dfd6d49cb666ff3d84206921ad4e4a419208f9ccc5029eafc0b

PS: I think you've got a memory leak, the mem usage keeps rising over time consistently.
 
errcr4044 (Silenced) - Dec 14, 2019
Sup GH,

I, like a lot of you guys, am pretty tired of all the lackluster posting that's been going on.

So I decided to fix it.

Presenting: timb3r's anti-debug / anti-cheat CrackMe series!

Stay up to date on the series: Discuss - Doomguy CrackMe Series


Something that I hope will go for a number of months and keep people relatively entertained. If you've never attempted a CrackMe before don't worry, it won't be anything too complex too quickly. (If you can complete Cheat Engine's tutorial you're overqualified for now).

If I get good feedback and decent participation I'll keep releasing them. The plan is to release a new one every month or so (depending on time).

Consider this first one a BETA / Prototype as I'll be refining it as I go along. This one is 100% targeted at newbs and I doubt anyone with any decent amount of RE experience would struggle with this at all.

However I still want to collect as much feedback as possible so I can make it as fun as possible.

Let me know what you guys think!

NB - Oh and I guess the first person to post the flag in this thread might get a reward or something I don't know I'll have to ask @Rake about putting some badges or something up.

UPDATE:

Version 1.1:

- Fixed issue where flag would be encrypted / decrypted in a loop. Flag will only be dropped once now.
- Fixed a few other minor bugs.
- Added some additional detection methods.
- Updated Tutorial level to Tutorial+ (it's slightly more difficult now) have fun!

Virus Total Scan

Test in Free Fire?
 

Dark_Bull (Full Member) - Jan 21, 2020
Hello! The CrackMe turned out to be not hard. I was also able to change the health value, but for some reason the file was not created (I had to do it differently). If you get strange letters in the file, then you have not removed the encryption cycle of the secret message. The flag is at the end. I suggest [Video-Solution]
 