File: SquirtleChallenge.exe

SHA256: 360BB1FF6D129C99BC7B361A7B52C4CBDE04E5710101C866893DBB7236815E15

Packed: No

Architecture: 32Bit

Tools used: exeinfo, IDA Pro

Codes & Binaries:

Description: This challenge is written in C and it is not packed at all =). There are many anti-debugger tricks that need to be bypassed to get the flag.

From the above figures, we can see that the challenge is not packed at all.

Let’s try to run the program…

Figure 3. Squirtle asking for password

Guess we need to load IDA Pro and start looking for strings =)

We need to find out the password first, or else a Squirtle will die every time we enter a wrong one =(… that is so wrong…

Figure 4. IDA Pro string lists

From the above figure we can easily find the main function call that checks the password.

Figure 5. The function responsible for killing squirtle

So we have located the Squirtle killer, and just by reading the assembly we can see that the password is “incorrect”.

Figure 6. incorrect is the password

Let’s see if any more Squirtles die.

Figure 7. a file answer.jpg is generated…

However there is no flag in answer.jpg

Seems like there are lots of anti-debugger checks preventing us from generating the correct answer.jpg. Let’s just patch the binary at each check it complains about.

Figure 8. Checking for debugger

One easy way is to patch 0x00401062 to mov eax, 0. Alternatively you can patch the caller where it tests eax. Voilà, Squirtle is getting excited, as shown in the figure below.

Figure 9. Checking for debugger flag

The above figure demonstrates a very common technique used to check whether a debugger is attached, via the debugger flag. If you have been following my blog this is nothing new to you. Oh well, for this challenge it seems like it likes to be debugged… I will just patch jz to jnz @ 0x401684. As shown in the figure below, Squirtle is glad I am watching him =D.

Figure 10. GetTickCount Time Check

Simply patch the instruction @ 0x401a45 (from jbe to ja) and see if it works =)
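The three patches above are easy to apply by hand in IDA, but it is worth seeing how a virtual address turns into a file offset and how an opcode swap is checked before it is written. The script below is an added example, not code from the write-up or from the challenge author: it walks a PE32 section table, maps the three addresses quoted above (0x401062, 0x401684, 0x401a45) to file offsets, and applies the patches described (force the check to return 0 with mov eax, 0; invert jz to jnz; invert jbe to ja). The sample image it builds is constructed for illustration only; the real SquirtleChallenge.exe section layout and the instruction bytes at those addresses are not on the page and are not reproduced here.

```python
"""Added example: VA-to-file-offset mapping and opcode-level patching for a PE32.
The sample PE built by build_sample_pe() is constructed and is NOT the real binary."""
import struct

IMAGE_BASE = 0x400000  # assumed image base, typical for 32-bit EXEs

# Short (one-byte) conditional jumps and their inverses; the near form is
# 0F 8x with the same low nibble (jz = 0F 84, jnz = 0F 85, jbe = 0F 86, ja = 0F 87).
SHORT_JCC_INVERSE = {0x74: 0x75, 0x75: 0x74,   # jz  <-> jnz
                     0x76: 0x77, 0x77: 0x76}   # jbe <-> ja


def parse_pe(data):
    """Return (image_base, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, entry = [], opt + opt_size
    for _ in range(num_sections):
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, entry + 8)
        sections.append((name, vaddr, vsize, rawptr, rawsize))
        entry += 40
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address to the file offset that backs it."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for name, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError("0x%x lies in %s but is not file-backed" % (va, name))
            return rawptr + delta
    raise ValueError("0x%x is not inside any section" % va)


def patch(data, va, expected, new):
    """Overwrite bytes at va, but only if the original bytes are what we expect."""
    off = va_to_offset(data, va)
    found = bytes(data[off:off + len(expected)])
    if found != expected:
        raise ValueError("unexpected bytes at 0x%x: %s" % (va, found.hex()))
    data[off:off + len(new)] = new
    return off


def invert_jcc(data, va):
    """Flip a supported conditional jump (short or near 0F 8x form) to its inverse."""
    off = va_to_offset(data, va)
    op = data[off]
    if op in SHORT_JCC_INVERSE:
        data[off] = SHORT_JCC_INVERSE[op]
        return off
    if op == 0x0F and data[off + 1] >> 4 == 0x8:
        short_op = 0x70 | (data[off + 1] & 0x0F)
        if short_op in SHORT_JCC_INVERSE:
            data[off + 1] = 0x80 | (SHORT_JCC_INVERSE[short_op] & 0x0F)
            return off
    raise ValueError("no supported conditional jump at 0x%x" % va)


def build_sample_pe():
    """Constructed PE32 with one .text section at RVA 0x1000 / file 0x200 (not the real binary)."""
    text_rva, text_raw, text_size = 0x1000, 0x200, 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, text_size, 0, 0, 0x1000, text_rva, 0x2000)
    opt = (opt + struct.pack("<I", IMAGE_BASE)).ljust(0xE0, b"\0")
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_size, text_rva, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0")
    text = bytearray(b"\xCC" * text_size)        # int3 filler
    # Constructed instruction bytes at the write-up's three addresses:
    text[0x62:0x67] = b"\xE8\x00\x00\x00\x00"    # 0x401062: call rel32 (debugger check)
    text[0x684:0x686] = b"\x74\x10"              # 0x401684: jz short
    text[0xA45:0xA47] = b"\x76\x08"              # 0x401a45: jbe short
    return bytearray(headers + text)


def apply_writeup_patches(data):
    """Apply the three patches from the write-up; returns {va: file_offset}."""
    offsets = {}
    # Figure 8: replace the 5-byte call with mov eax, 0 (B8 00 00 00 00)
    offsets[0x401062] = patch(data, 0x401062, b"\xE8\x00\x00\x00\x00", b"\xB8\x00\x00\x00\x00")
    offsets[0x401684] = invert_jcc(data, 0x401684)  # Figure 9: jz -> jnz
    offsets[0x401A45] = invert_jcc(data, 0x401A45)  # Figure 10: jbe -> ja
    return offsets


if __name__ == "__main__":
    img = build_sample_pe()
    for va, off in apply_writeup_patches(img).items():
        print("0x%06x -> file offset 0x%x, now %s" % (va, off, img[off:off + 5].hex()))
```

The expected-bytes check in patch() is the important habit: if IDA's listing and the file on disk disagree (wrong image base, a relocated build, or simply the wrong file), the patch is refused instead of silently corrupting an unrelated instruction.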

Yeah we got it. Squirtle no longer complains!

Figure 11. Job Done?

Let’s take a look at answer.jpg. OK, we just need to decode it.

Figure 12. flag?
Figure 13. We got the flag!

FLAG: PAN{Th3_$quirtL3_$qu@d_w@z_bLuffiNg}
