domingo, 3 de marzo de 2013

Nullcon 2013 BattleUnderground - Reverse Engineering Question 2 Write up

In this level, we were provided with a file called sample2.exe. It is a PE32 packed with UPX.

I used FUU to unpack it but when I executed, the following error message appeared:

"Unable to open the script file."
 I loaded the unpacked file in Ollydbg and saw some string references about "AutoIt", so, I remembered an AutoIt crackme from 2005 I solved it. At that time, I used Aut2Exe v3 but it did not work this time. So, I searched for another AutoIt decompiler and found exe2aut that worked fine. 

I loaded the sample2.exe into exe2aut and this was the result:

MsgBox(64, "[MSG]", "Much simpler than that"
 The value in $key seems to be a base64 encoded string. Decoding that string gave us the flag:

>>> "ZjlmMGMyOTZmYzA5OTNlNDMwMDkwYjY5NWI2M2ZhYTQ=".decode("base64")
 The flag was: f9f0c296fc0993e430090b695b63faa4

No hay comentarios: