howtouse challenge:
- The file appears to be a Windows DLL. Its export section contains an interesting export that might give us a lead: "fnhowtouse(int)".
- Using OllyDbg, I loaded the DLL and ran the export with a parameter of 1. Once it took me to the beginning of its execution, I noticed a series of MOV operations referencing the area of memory below, which seemed a bit suspicious.
CPU Dump
Address Hex dump ASCII
71061000 B8 01 00 00|00 C2 0C 00|CC CC CC CC|CC CC CC CC| ¸ Â ÌÌÌÌÌÌÌÌ
71061010 B8 61 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸a ÃÌÌÌÌÌÌÌÌÌÌ
71061020 B8 62 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸b ÃÌÌÌÌÌÌÌÌÌÌ
71061030 B8 63 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸c ÃÌÌÌÌÌÌÌÌÌÌ
71061040 B8 64 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸d ÃÌÌÌÌÌÌÌÌÌÌ
71061050 B8 65 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸e ÃÌÌÌÌÌÌÌÌÌÌ
71061060 B8 66 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸f ÃÌÌÌÌÌÌÌÌÌÌ
71061070 B8 41 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸A ÃÌÌÌÌÌÌÌÌÌÌ
71061080 B8 4D 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸M ÃÌÌÌÌÌÌÌÌÌÌ
71061090 B8 30 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸0 ÃÌÌÌÌÌÌÌÌÌÌ
710610A0 B8 31 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸1 ÃÌÌÌÌÌÌÌÌÌÌ
710610B0 B8 32 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸2 ÃÌÌÌÌÌÌÌÌÌÌ
710610C0 B8 33 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸3 ÃÌÌÌÌÌÌÌÌÌÌ
710610D0 B8 34 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸4 ÃÌÌÌÌÌÌÌÌÌÌ
710610E0 B8 37 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸7 ÃÌÌÌÌÌÌÌÌÌÌ
710610F0 B8 38 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸8 ÃÌÌÌÌÌÌÌÌÌÌ
71061100 B8 39 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸9 ÃÌÌÌÌÌÌÌÌÌÌ
71061110 B8 7B 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸{ ÃÌÌÌÌÌÌÌÌÌÌ
71061120 B8 7D 00 00|00 C3 CC CC|CC CC CC CC|CC CC ¸} ÃÌÌÌÌÌÌÌÌ
- Looking at the memory region above, there seems to be a pattern in which the first byte is B8 and the next byte is an ASCII char. Since I noticed there were chars that could be part of the key, I figured it could be used to build the key later on.
- Following the execution of the program, the memory region above was indeed used to build the key. What I did was put a breakpoint on the following instruction and wait for the program to hit it:
CPU Disasm
Address Hex dump Command Comments
71061276 |. C78424 B40000 MOV DWORD PTR SS:[LOCAL.0],71061120 ; Entry point
Once it hit the breakpoint, I went to analyze the memory at LOCAL.0. To my surprise, it indicated the last part of the key.
CPU Dump
Address Hex dump ASCII
0012FE90 80 10 06 71|80 10 06 71|70 10 06 71|10 11 06 71| € q€ qp q q
0012FEA0 60 10 06 71|30 10 06 71|E0 10 06 71|40 10 06 71| ` q0 qà q@ q
0012FEB0 00 11 06 71|90 10 06 71|30 10 06 71|10 10 06 71| q q0 q q
0012FEC0 90 10 06 71|90 10 06 71|A0 10 06 71|60 10 06 71| q q q` q
0012FED0 30 10 06 71|F0 10 06 71|E0 10 06 71|A0 10 06 71| 0 qð qà q q
0012FEE0 B0 10 06 71|D0 10 06 71|00 11 06 71|E0 10 06 71| ° qÐ q qà q
0012FEF0 40 10 06 71|F0 10 06 71|F0 10 06 71|40 10 06 71| @ qð qð q@ q
0012FF00 00 11 06 71|50 10 06 71|50 10 06 71|E0 10 06 71| qP qP qà q
0012FF10 50 10 06 71|60 10 06 71|10 10 06 71|00 11 06 71| P q` q q q
0012FF20 50 10 06 71|00 11 06 71|20 10 06 71|C0 10 06 71| P q q qÀ q
0012FF30 B0 10 06 71|50 10 06 71|40 10 06 71|F0 10 06 71| ° qP q@ qð q
0012FF40 20 11 06 71| q
All that is left at this point is to decode each byte one by one until the key is revealed.
key: MMA{fc7d90ca001fc8712497d88d9ee7efa9e9b32ed8}
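The manual decoding step above can be scripted. This is an added example, not part of the original write-up: it follows each little-endian pointer from the stack dump into the stub region and reads the immediate of the `B8 .. C3` (MOV EAX,imm32 / RETN) stub it lands on. The names `stub_char` and `decode_key` are hypothetical, and the code bytes are rebuilt from the first dump rather than read from the DLL.

```python
import struct

CODE_BASE = 0x71061000
# Code region rebuilt from the first CPU dump: the 16-byte function at the base,
# then one 16-byte slot per stub: B8 imm32 (MOV EAX,imm32), C3 (RETN), CC padding.
STUB_CHARS = "abcdefAM01234789{}"
CODE = bytes.fromhex("B801000000C20C00") + b"\xCC" * 8 + b"".join(
    b"\xB8" + struct.pack("<I", ord(c)) + b"\xC3" + b"\xCC" * 10 for c in STUB_CHARS
)

# Pointer table transcribed from the stack dump at 0012FE90 (little-endian DWORDs).
TABLE = bytes.fromhex("""
80100671 80100671 70100671 10110671 60100671 30100671 E0100671 40100671
00110671 90100671 30100671 10100671 90100671 90100671 A0100671 60100671
30100671 F0100671 E0100671 A0100671 B0100671 D0100671 00110671 E0100671
40100671 F0100671 F0100671 40100671 00110671 50100671 50100671 E0100671
50100671 60100671 10100671 00110671 50100671 00110671 20100671 C0100671
B0100671 50100671 40100671 F0100671 20110671
""")


def stub_char(code, base, addr):
    """Return the character loaded by the MOV EAX,imm32 / RETN stub at addr."""
    off = addr - base
    if not 0 <= off <= len(code) - 6:
        raise ValueError(f"{addr:#010x} is outside the dumped code region")
    if code[off] != 0xB8 or code[off + 5] != 0xC3:
        raise ValueError(f"{addr:#010x} is not a MOV EAX,imm32 / RETN stub")
    (imm,) = struct.unpack_from("<I", code, off + 1)
    if not 0x20 <= imm < 0x7F:
        raise ValueError(f"stub at {addr:#010x} returns non-printable {imm:#x}")
    return chr(imm)


def decode_key(table, code=CODE, base=CODE_BASE):
    """Follow every 4-byte pointer in the table and join the stub characters."""
    if len(table) % 4:
        raise ValueError("pointer table length is not a multiple of 4")
    return "".join(stub_char(code, base, p) for (p,) in struct.iter_unpack("<I", table))


if __name__ == "__main__":
    print(decode_key(TABLE))
```

The opcode check rejects pointers that do not land on a stub, such as the function at 71061000, which ends in `C2 0C 00` rather than `C3`.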
"cannotberun" challenge: This challenge was about fixing a corrupted PE header. Once the header was fixed, just run the program and it would give you the key.
key: MMA{7a35hxb9q81fsg6}