import { Level } from './types';
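/**
 * Level 20 — "Anti-Analysis: The Obfuscation Layers".
 *
 * Models a four-layer anti-analysis gate: two opaque predicates (always-false
 * conditions that exist only to bloat the control-flow graph), an
 * IsDebuggerPresent() check and an RDTSC timing check. The game exposes the
 * *result* of each check as a writable memory cell (see `memoryLayout`); the
 * player wins by patching all four results so they pass in the same frame.
 *
 * Reviewer notes on what this level does and does not model:
 *  - In a real binary an opaque predicate is a branch, not a stored flag; the
 *    equivalent bypass is patching the conditional jump or its operand, not a
 *    "PASS" variable. The flag is a teaching simplification.
 *  - IsDebuggerPresent() only reads PEB.BeingDebugged (offset 0x2). Clearing
 *    that byte does nothing against the other detections the tutor text lists
 *    (parent-process checks, FindWindow on debugger titles, DR0-DR7 hardware
 *    breakpoint checks), so in practice it is one of several checks that must
 *    each be neutralised.
 *  - A 1000-cycle RDTSC threshold is deliberately tight for the exercise;
 *    production checks typically allow a far larger window so that ordinary
 *    context switches do not trip them.
 *
 * Fix in this revision: `tutorPersona` contained a bare line break inside a
 * double-quoted literal (not valid TypeScript); the text is now concatenated.
 */
export const level20: Level = {
  id: 20,
  title: "Anti-Analysis: The Obfuscation Layers",
  description: "Multi-layer anti-analysis protection system. Four simultaneous checks guard access, all must pass atomically. Layer 1 OPAQUE_XOR: Validates (EAX ^ EAX != 0) - mathematical impossibility, any value XOR itself equals 0, always false. Layer 2 OPAQUE_IDENTITY: Validates ((X * 2) / 2 != X) - identity property violation, multiplication then division by same value returns original, always false. Layer 3 DEBUGGER_CHECK: IsDebuggerPresent() API call, returns 1 if debugger attached (reads PEB.BeingDebugged flag at offset 0x2), 0 otherwise. Layer 4 TIMING_CHECK: RDTSC (Read Time-Stamp Counter) measures CPU cycles between two execution points, delta > 1000 indicates single-stepping/debugger slowdown. Required: Set OPAQUE_XOR_PASS=1, OPAQUE_IDENTITY_PASS=1, DEBUGGER_PRESENT=0, TIMING_DELTA=100 (below threshold). Partial bypass fails - all four checks validate simultaneously each frame.",
  requiredSkill: "Multi-Layer Anti-Analysis Bypass & Opaque Predicate Neutralization",
  /**
   * Win condition, evaluated against a single state snapshot so a partial
   * bypass (three of four checks patched) never counts.
   *
   * @param s current game state; the four fields read here are the cells
   *          listed in `memoryLayout`.
   * @returns true only when every layer's check result reads as "passed".
   */
  objective: (s) => {
    // Layer 1 (OPAQUE_XOR_PASS): must be exactly 1. The initial value 100 is
    // truthy but deliberately not accepted, so leaving it alone does not win.
    const opaqueXorBypassed = s.health === 1;
    // Layer 2 (OPAQUE_IDENTITY_PASS): must be exactly 1.
    const opaqueIdentityBypassed = s.ammo === 1;
    // Layer 3 (DEBUGGER_PRESENT): 0 means "not detected"; any other value fails.
    const debuggerSpoofed = s.score === 0;
    // Layer 4 (TIMING_DELTA): 0 < delta <= 1000. The description defines
    // "delta > 1000" as the detection condition, so exactly 1000 still passes.
    // A zero or negative delta is rejected as well: two successive RDTSC reads
    // cannot produce one, so such a value is an implausible patch.
    const timingBypassed = s.sortValue1 > 0 && s.sortValue1 <= 1000;
    // All four results are ANDed together; no ordering or short-circuit matters
    // to the outcome.
    return opaqueXorBypassed && opaqueIdentityBypassed && debuggerSpoofed && timingBypassed;
  },
  hint: "Four layers. Four bypasses. One system. Use Debugger to analyze opaque predicates. OPAQUE_XOR_PASS=1, OPAQUE_IDENTITY_PASS=1, DEBUGGER_PRESENT=0, TIMING_DELTA=100. Neutralize all checks.",
  // Tutor text is built by concatenation purely to keep the source readable;
  // the runtime string is unchanged apart from removing the stray line break.
  tutorPersona:
    "The Deobfuscator: Anti-analysis is layered deception. History: Malware packers (Themida, VMProtect, Enigma Protector) and commercial DRM (Denuvo) pioneered multi-layer protection. Techniques layer together: opaque predicates + anti-debug + timing attacks. " +
    "Layer 1: Opaque predicate XOR. Code checks 'if (EAX ^ EAX != 0) trigger_alarm()'. Any value XOR itself is zero. Condition always false. But system treats as security check. Set OPAQUE_XOR_PASS=1 to bypass. " +
    "Layer 2: Identity opaque predicate. Code checks 'if ((value * 2) / 2 != value) fail()'. Mathematical identity - always equal. Another fake check. Set OPAQUE_IDENTITY_PASS=1. " +
    "Layer 3: Anti-debugger. IsDebuggerPresent() reads PEB.BeingDebugged flag at offset 0x2. Returns 1 if debugger attached. We ARE debugging (using Debugger tool), so real check would detect us. Set DEBUGGER_PRESENT=0 to spoof 'not being debugged'. " +
    "Layer 4: Timing attack. Code executes RDTSC (Read Time-Stamp Counter) at point A, does work, RDTSC at point B, calculates delta. If delta > 1000 cycles, assumes single-stepping (debugger slowdown). Set TIMING_DELTA to small value like 100 (below threshold). " +
    "Real-world: VMProtect uses all these techniques. Themida adds hardware breakpoint detection (DR0-DR7 registers). Denuvo combines timing checks with hardware fingerprinting. Malware checks parent process (if debugger launched it), scans for debugger windows (FindWindow 'OllyDbg'), uses anti-disassembly tricks (junk bytes, overlapping instructions). Malware uses opaque predicates to bloat CFG (Control Flow Graph), confuse disassemblers (IDA Pro, Ghidra), defeat symbolic execution (angr, Triton). " +
    "Open Debugger tab in ExploitWorkshop. See assembly with opaque predicates. Identify XOR EAX,EAX followed by TEST EAX,EAX (always zero). Identify IMUL/IDIV pairs (identity). See IsDebuggerPresent CALL. See RDTSC instructions. Then use Memory Scanner: find check results, set correct values. All four must pass atomically. " +
    "This is how real analysts defeat protection. Understand obfuscation patterns. Recognize anti-debug. Patch systematically.",
  // Each engine field is relabelled as one of the four check results so the
  // in-game Memory Scanner shows them under their anti-analysis names.
  memoryLayout: [
    { key: 'health', label: 'OPAQUE_XOR_PASS', type: 'int', offset: 0x10 },
    { key: 'ammo', label: 'OPAQUE_IDENTITY_PASS', type: 'int', offset: 0x1C },
    { key: 'score', label: 'DEBUGGER_PRESENT', type: 'int', offset: 0x50 },
    { key: 'sortValue1', label: 'TIMING_DELTA', type: 'int', offset: 0xA0 }
  ],
  // Every starting value fails its check, so nothing passes until patched.
  initialState: {
    // OPAQUE_XOR_PASS. Starts at 100 rather than 0 because, per the original
    // author's note, a health of 0 triggers the engine's BSOD; must become 1.
    health: 100,
    ammo: 0, // OPAQUE_IDENTITY_PASS, must become 1
    score: 1, // DEBUGGER_PRESENT, must become 0
    sortValue1: 5000 // TIMING_DELTA, must become 0 < delta <= 1000 (e.g. 100)
  },
  platforms: [{ id: 'p1', x: 0, y: 280, width: 800, height: 40, type: 'static' }]
};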