Chains of Trust

All of the crackme's algorithms are executed on the client side; however, not
all of the client-side code is present initially.

Initially the client side is a thin network client which is used to fetch the
code from the server and execute it. It's pretty simple to analyze.

The fetched code is executed in read+write+exec memory and has access to a
simple API that allows some typical C functions to be called, plus network
communication with the server.

The fetched code can be split into two categories:
1. The actual functionality which asks for the password and verifies it.
2. Anti-debugging / anti-RE snippets which try to verify that the binary is not
being debugged, modified, etc.

So the general idea is that the binary asks for the password and checks it, and
in the meantime runs all sorts of checks on the binary and the system.

The server side is never revealed to the client, but that doesn't really matter
as the server side doesn't do anything surprising. Apart from sending the code
chunks, it also stores/replays some values from the client (pointers to memory
regions; this is needed because of ASLR) and checks whether some simple math
operations were indeed performed on the client (either as 'proof-of-work' or as
a way to check that all the sent chunks were executed).

The transmitted code is obfuscated and is self-deobfuscating at runtime.
Actually each code chunk has 1000 variants of randomly generated obfuscation and
the server picks a variant at random.

The server leads the client through several stages of code chunks. Some of the
stages consist of just one code chunk (again, in 1000 obfuscated variants), and
others are a random selection of multiple anti-debugging code pieces.
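
A model of the server-side "were all sent chunks executed" check and the staged
chunk selection described above. This is an added example, not code from the
crackme or its server: the mixing function, chunk ids, stage layout and all
names are assumptions, since the page does not specify the actual math.

```python
import hashlib
import random

MASK = 0xFFFFFFFF
VARIANTS = 1000  # from the text: every chunk exists in 1000 obfuscated variants
# Constructed stage layout: (pool of chunk ids, how many the server picks).
STAGES = [([1], 1), ([10, 11, 12, 13, 14], 3), ([2], 1)]


def chunk_step(acc, chunk_id, nonce):
    """Assumed 'simple math operation' a chunk folds into the running value."""
    digest = hashlib.sha256(f"{chunk_id}:{nonce}".encode()).digest()
    k = int.from_bytes(digest[:4], "little")
    return ((acc ^ k) * 0x9E3779B1 + chunk_id) & MASK


class Session:
    """Hypothetical per-client server state."""

    def __init__(self, stages, rng):
        self.nonce = rng.getrandbits(32)
        self.expected = self.nonce
        self.stored = {}  # client-reported values (e.g. pointers) kept for replay
        self.plan = []    # (chunk_id, variant) in the order they are sent
        for pool, count in stages:
            for chunk_id in rng.sample(pool, count):
                self.plan.append((chunk_id, rng.randrange(VARIANTS)))
                # The variant changes only the obfuscation, never the result.
                self.expected = chunk_step(self.expected, chunk_id, self.nonce)

    def store(self, name, value):
        self.stored[name] = value

    def replay(self, name):
        return self.stored[name]

    def verify(self, reported):
        return reported == self.expected


def run_client(session, skip=()):
    """Stand-in for the client executing each received chunk in order."""
    acc = session.nonce
    for chunk_id, _variant in session.plan:
        if chunk_id not in skip:
            acc = chunk_step(acc, chunk_id, session.nonce)
    return acc
```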

Expected master host and port:
chains.of.trust.felinae.pl:7679



