LABYRENTH CTF WINDOWS TRACK CHALLENGE #3

File: SquirtleChallenge.exe

SHA256: 360BB1FF6D129C99BC7B361A7B52C4CBDE04E5710101C866893DBB7236815E15

Packed: No

Architecture: 32Bit

Tools used: exeinfo, IDA Pro

Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-3

Description: This challenge is written in C and it is not packed at all =). There are many anti debugger tricks that need to be bypassed to get the flag.

From the figures above, we can see that the challenge is not packed at all.

Let’s try to run the program…

[Figure 3. Squirtle asking for password]

Guess we need to load IDA Pro and start looking for strings =)

We need to find the password first, otherwise a Squirtle dies every time we enter a wrong one =( … that is so wrong…

[Figure 4. IDA Pro string list]

From the figure above we can easily find the function that checks the password.

[Figure 5. The function responsible for killing Squirtle]

So we have located the Squirtle killer, and just by reading the assembly we can see that the password is literally “incorrect”.

[Figure 6. “incorrect” is the password]

Let’s see if any more Squirtles die.

[Figure 7. A file answer.jpg is generated…]

However, there is no flag in answer.jpg.

It seems there are lots of anti-debugger checks preventing us from generating the correct answer.jpg. Let’s just patch the binary wherever it complains.

[Figure 8. Checking for debugger]

One easy way is to patch the instruction at 0x00401062 to mov eax, 0. Alternatively you can patch the caller where it tests eax. Voilà, Squirtle is getting excited, as shown in the figure below.

[Figure 9. Checking the debugger flag via fs:[30h]]

The figure above demonstrates a very common technique for checking whether a debugger is attached: reading the PEB through fs:[30h] and testing its debugger flag. If you have been following my blog this is nothing new to you. Oh well, this challenge seems to like being debugged… I will just patch jz to jnz at 0x401684. As shown in the figure below, Squirtle is glad I am watching him =D.

[Figure 10. GetTickCount time check]

Simply patch the instruction at 0x401a45 (from jbe to ja) and see if it works =)

Yeah we got it. Squirtle no longer complains!
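The jz→jnz and jbe→ja patches above were done by hand in IDA; as an added example (my own helper, not part of the original write-up or the challenge binary), here is a small Python routine that applies that kind of one-byte flip to the file on disk. It walks the PE32 section table to turn a virtual address into a file offset and refuses to write unless a supported conditional jump is actually at that address, so a wrong offset cannot silently corrupt the image. The PE it patches is constructed inline (a single .text section, ImageBase 0x400000); the real addresses 0x401684 and 0x401a45 from the challenge are not used here and would be passed in with the real file.

```python
import struct

# Opcode flips from the write-up: jz<->jnz (74/75, 0F 84/0F 85) and
# jbe<->ja (76/77, 0F 86/0F 87), short and near forms.
SHORT_FLIPS = {0x74: 0x75, 0x75: 0x74, 0x76: 0x77, 0x77: 0x76}
NEAR_FLIPS = {0x84: 0x85, 0x85: 0x84, 0x86: 0x87, 0x87: 0x86}


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to a raw file offset via the PE32 section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    rva = va - image_base
    for i in range(num_sections):
        sec = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, sec + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")


def flip_conditional_jump(pe: bytes, va: int) -> bytes:
    """Invert the jcc at va (jz<->jnz, jbe<->ja); refuse to touch anything else."""
    off = va_to_file_offset(pe, va)
    buf = bytearray(pe)
    if buf[off] in SHORT_FLIPS:
        buf[off] = SHORT_FLIPS[buf[off]]
    elif buf[off] == 0x0F and buf[off + 1] in NEAR_FLIPS:
        buf[off + 1] = NEAR_FLIPS[buf[off + 1]]
    else:
        raise ValueError(f"no supported jcc at {va:#x} (byte {buf[off]:#04x})")
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the challenge): ImageBase 0x400000, .text at RVA 0x1000 / raw 0x200."""
    text = bytes.fromhex("85c0 7405 b801000000 c3").ljust(0x200, b"\xcc")  # test eax,eax; jz +5; mov eax,1; ret
    opt = struct.pack("<H26xI", 0x10B, 0x400000).ljust(224, b"\0")   # Magic, ImageBase
    sec = (b".text\0\0\0" + struct.pack("<4I", 0x200, 0x1000, 0x200, 0x200)).ljust(40, b"\0")
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, 1, len(opt), 0x102)
    return (hdr + opt + sec).ljust(0x200, b"\0") + text
```

Against the constructed image, flipping 0x401002 turns the jz (74) into jnz (75) and leaves every other byte untouched; pointing it at 0x401000 (the test instruction) raises instead of patching.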

[Figure 11. Job done?]

Let’s take a look at answer.jpg. OK, we just need to decode it.

[Figure 12. Flag?]

[Figure 13. We got the flag!]

FLAG: PAN{Th3_$quirtL3_$qu@d_w@z_bLuffiNg}
