ShockByte Posted March 11, 2020 Posted March 11, 2020 (edited) Language: C++ Platform: Windows OS Version : Windows 7,8,8.1,10 Packer / Protector : None Virus Total :Scan result Enter correct password for getting flag Password Keeper.zip Edited March 11, 2020 by ShockByte 1
KSDR Posted March 15, 2020 Posted March 15, 2020 (edited) пароль: F * * king_m0rfing Edited March 19, 2020 by KSDR 2
ShockByte Posted March 29, 2020 Author Posted March 29, 2020 On 3/15/2020 at 4:22 PM, KSDR said: пароль: F * * king_m0rfing Good Job xD
Washi Posted April 23, 2020 Posted April 23, 2020 (edited) Nice challenge Quote Key: f**ck*ng_m0rfing (replace the * with the obvious, seems the editor censors it) Flag: shb{Vir7u41_pr073c7_xD} Approach: Spoiler Tools used: x64dbg, ghidra, cyberchef Open in ghidra, navigate to user main method (FUN_004020b0) Notice in this code we are executing a function FUN_00401d90 and if it fails, we output check passwords.db file and skips the main program. This must be reading the passwords db that was provided (renamed to read_passwords_db in picture below): Navigate to read_passwords_db, notice strings are obfuscated, but ends with a call to fopen_s, fread_s and some other function FUN_00401850 (in the picture renamed to process_file_contents) that processes the read file contents. Taking a brief look into this function, it seems this function decrypts the contents in some way or another, then returns a newly allocated buffer containing the decrypted file contents. This result is then stored in some global variable DAT_00407828 (in the picture renamed to DECRYPTED_FILE_BUFFER). Let's let the program decrypt it for us. Fire up x64dbg, execute till this point, dump contents, a trained eye will see this is x86 code (it starts with a very recognizable function prologue push ebp; mov esp, ebp etc). Open this new file in ghidra, let it analyse it, and long and behold the actual verification code: Spoiler We can see the encrypted password is XOR'ed with a key of 0x13, and then compared to the input key. If it fails, the bad message is shown and the program exits. Using cyberchef to decrypt the password results in the correct password string. Using this as a string will result in the flag being decrypted and shown. Edited April 23, 2020 by Washi add censoring to the end result 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now