File: SquirtleChallenge.exe
SHA256: 360BB1FF6D129C99BC7B361A7B52C4CBDE04E5710101C866893DBB7236815E15
Packed: No
Architecture: 32Bit
Tools used: exeinfo, IDA Pro
Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-3
Description: This challenge is written in C and it is not packed at all =). There are many anti-debugger tricks that need to be bypassed to get the flag.
From the above figures, we can deduce that the challenge is not packed at all.
Let’s try to run the program…

Guess we need to load IDA Pro and start looking for strings =)
We need to know what the password is first, or else a Squirtle will die every time we enter a wrong one =(… that is so wrong…

From the above figure we can easily find the call in the main function that checks the password.

So we have located the Squirtle killer, and just by reading the assembly we can see that the password is “incorrect”.

Let’s see if any more Squirtles die.

However, there is no flag in answer.jpg.
It seems there are lots of anti-debugger checks preventing us from generating the correct answer.jpg. Let’s just patch the binary at each check it complains about.

One easy way is to patch 0x00401062 to mov eax, 0. Alternatively, you can patch the caller where it tests eax. Voila, Squirtle is getting excited, as shown in the figure below.

The above figure demonstrates a very common technique used to check whether a debugger is attached via its debugger flag. If you have been following my blog, this is nothing new to you. Oh well, for this challenge it seems like it likes to be debugged… I will just patch jz to jnz @ 0x401684. As shown in the figure below, Squirtle is glad I am watching him =D.

Simply patch the instruction @ 0x401a45 (from jbe to ja) and see if it works =)
Yeah we got it. Squirtle no longer complains!
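
The two conditional-jump patches above (jz to jnz @ 0x401684, jbe to ja @ 0x401a45) can also be scripted against the file on disk. This is an added example, not code from the original write-up: the function names are hypothetical, and the image base, section layout and jump encodings in `build_sample` are constructed for illustration, not read from SquirtleChallenge.exe.

```python
import struct

def va_to_offset(pe, va):
    """Map a virtual address to a file offset via the PE32 section table."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsects, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                        # start of the optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    rva = va - image_base
    for i in range(nsects):
        hdr = opt + opt_size + 40 * i          # section headers are 40 bytes
        _, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, hdr + 8)
        if vaddr <= rva < vaddr + rsize:
            return rptr + rva - vaddr
    raise ValueError(f"VA {va:#x} is not backed by file data")

def invert_jcc(pe, va):
    """Flip the condition of the Jcc at va in place; return (old, new) opcodes."""
    off = va_to_offset(pe, va)
    if 0x70 <= pe[off] <= 0x7F:                # short form: 7x rel8
        pos = off
    elif pe[off] == 0x0F and 0x80 <= pe[off + 1] <= 0x8F:  # near form: 0F 8x rel32
        pos = off + 1
    else:
        raise ValueError(f"no conditional jump at {va:#x}")
    old = bytes(pe[off:pos + 1])
    pe[pos] ^= 1     # x86 condition codes pair on bit 0: jz/jnz, jbe/ja, ...
    return old, bytes(pe[off:pos + 1])

def build_sample():
    """Constructed PE32 skeleton: base 0x400000, .text RVA 0x1000 at file 0x400."""
    pe = bytearray(0x1400)
    struct.pack_into("<I", pe, 0x3C, 0x40)               # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)          # i386, one section
    struct.pack_into("<H", pe, 0x54, 0xE0)               # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)              # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 28, 0x400000)      # ImageBase
    struct.pack_into("<8s4I", pe, 0x58 + 0xE0, b".text",
                     0x1000, 0x1000, 0x1000, 0x400)      # vsize, vaddr, rsize, rptr
    pe[0x400 + 0x684:0x400 + 0x686] = b"\x74\x10"        # jz short (constructed)
    pe[0x400 + 0xA45:0x400 + 0xA4B] = b"\x0f\x86" + bytes(4)  # jbe near (constructed)
    return pe
```

Refusing to write when the byte at the address is not a Jcc opcode guards against patching the wrong location if the address or section mapping is off.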

Let’s take a look at answer.jpg. OK, we just need to decode it.


FLAG: PAN{Th3_$quirtL3_$qu@d_w@z_bLuffiNg}