## Snake
We were given a 32-bit executable VMProtected file. Debugging VMProtected is difficult and OllyDbg was detected and after wasting a lot of time on debugging ‘snake.exe', I was frustrated.

I double checked the file and found this string:

`Number of foods= number of used bytes in windows drive.`

I hadn't noticed it before, I don't know why but I couldn't solve my problem with OllyDbg and other debuggers stuck on protections inside VMProtect so I decided to debug my VMWare with WinDbg and it was just another pain in the neck, because it was detected too, therefore I thought maybe I had to hook some API , but my friend suggested API Monitor's breakpoint feature. I tried it and it was very straightforward.
'Snake.exe' uses ‘RtlDosPathNameToNtPathName_U' to get Windows directory path and ‘NtQueryVolumeInformationFile' to calculate Windows drive size, so I tried to change ‘RtlDosPathNameToNtPathName_U' path to another drive with API Monitor and the rounds changed, before trying to write any code I changed it to a non-existent drive and ta-da-...!

Problem solved without any further ado.


Seems easy, right? :D

Original writeup (https://github.com/irGeeks/ctf/tree/master/2016-SharifCTF7/Reverse/snake).