sunny
VIP Members
-
30/06/2014
-
870
-
1.849 bài viết
[WhiteHat Contest 10] Writeup Re200
Credit: http://nnguwriteups.blogspot.ru/2015/07/whitehat-contest-10-reverse-200.html
Thank for sharing.
__________
It is a command line binary in PE format for windows platform. The size of the executable is 16 kb, it was written with pure c++ with std.
The input string passes as an argument.
A quick look through the code shows a couple of mov opcodes with base64 strings. There is a screenshot with the kindly decoded strings.
Very interesting! The easieast way is concatenate 3 peases into 1 and try. It will be enough, the flag is WH@t!Flag=(AB241ACCTGMNSQGT)
The investigation showed that the program searchs for kernel32.dll in curious way: It steps through the memory starting from the big address and descending with the step 0x10000 and checks is the current memory address a start of a imported library.
To check the input string it uses stccpy and other string functions also encoded into the base64.
This task would be a hard one for somebody unfamiliar with the base64 encoded strings.
Thank for sharing.
__________
It is a command line binary in PE format for windows platform. The size of the executable is 16 kb, it was written with pure c++ with std.
The input string passes as an argument.
A quick look through the code shows a couple of mov opcodes with base64 strings. There is a screenshot with the kindly decoded strings.
The investigation showed that the program searchs for kernel32.dll in curious way: It steps through the memory starting from the big address and descending with the step 0x10000 and checks is the current memory address a start of a imported library.
To check the input string it uses stccpy and other string functions also encoded into the base64.
This task would be a hard one for somebody unfamiliar with the base64 encoded strings.
Chỉnh sửa lần cuối bởi người điều hành: