We are given a PE32 file which displays an encrypted flag when you run it.
After analyzing the file with a debugger, it was found that it stores the encrypted flag at 0x00409B10.
It calls the subroutine at 0x004010A6 which will copy the encrypted key from the above memory address to 0x00BB1EA0
After returning from this subroutine, it checks for the presence of a debugger by checking the value of BeingDebugged flag at offset 0x2 in the PEB (Process Environment Block):
If it is being debugged, it jumps to the address, 0x0040106E where it displays the message box with the encrypted flag:
We need to patch the conditional jump right after it checks the BeingDebugged flag. There is also a breakpoint placed after the conditional jump. Binary edit the file to overwrite 0xCC with 0x90
Now, we reach the decryption routine of the flag. It performs an XOR decryption of the encrypted flag with a 4 byte key, 0x8899AABB
We can set a breakpoint right after the decryption subroutine and view the decrypted flag in the memory dump:
key:number2isalittlebitharder:p
After analyzing the file with a debugger, it was found that it stores the encrypted flag at 0x00409B10.
After returning from this subroutine, it checks for the presence of a debugger by checking the value of BeingDebugged flag at offset 0x2 in the PEB (Process Environment Block):
If it is being debugged, it jumps to the address, 0x0040106E where it displays the message box with the encrypted flag:
We need to patch the conditional jump right after it checks the BeingDebugged flag. There is also a breakpoint placed after the conditional jump. Binary edit the file to overwrite 0xCC with 0x90
Now, we reach the decryption routine of the flag. It performs an XOR decryption of the encrypted flag with a 4 byte key, 0x8899AABB
We can set a breakpoint right after the decryption subroutine and view the decrypted flag in the memory dump:
key:number2isalittlebitharder:p
0 comments: