PAN LabyREnth CTF – Windows #1

Sample: 61921d13ef1be2285301fceafa6ecd3d0a01d45f71fe620149975d63e92d3612 (PW: infected)

file AntiD.exe
AntiD.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

The file is packed with UPX, but unfortunately it cannot be unpacked the easy way with the UPX tool itself.

[Image: AntiD.exe in ExeInfo]

You must unpack it manually. However, there are thousands of tutorials that explain how to do this, so I will not repeat it here.

After unpacking the file (you can download the unpacked version here: AntiD_Dump, PW: infected) you can load it into IDA and start looking for suspicious or interesting things. I always start with the “Strings Window”.

[Image: AntiD_Dump_IDA_strings]

The strings “Figure the key out:” and “Well done! A+! You get a gold star!\n” look very interesting. Following the cross-references of those strings will bring you to the function that checks your input.

[Image: AntiD_Dump_IDA_checkInput]

I had already renamed the function called before the branch to “checkKey”, because it is quite obvious what is going on here.

Digging deeper into the function, you will see a lot of hex values assigned to variables.

[Image: AntiD_Dump_IDA_checkkey_hexvalues]

These hex values, concatenated, are most probably the solution. The rest is simple reversing. For the sake of simplicity, here is the annotated decompiled version of the “checkKey” function.

[Image: AntiD_dump_IDA_checkKey_decompiled]

You can see that some anti-debugging checks are in place. You can either flip the relevant flags in the debugger each time one of these checks triggers, or patch the checks out. During debugging I thought the latter would be easier, so I patched everything out.

After understanding the logic of this code, I wrote a simple Python script to reverse the hex values.

Running the script will display the key for the next round:

PAN{C0nf1agul4ti0ns_0n_4_J08_W3LL_D0N3!}
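The author's script is not reproduced on the page. As an added example (not the original script and not the binary's real constants), the following decoder recovers a string from IDA-style stack stores of hex immediates of the kind shown above; it assumes little-endian immediates written to ebp-relative locals, and the sample disassembly is constructed from the known key rather than taken from AntiD.exe.

```python
import re
import struct

# Constructed sample (NOT the real checkKey disassembly): IDA-style stores of
# hex immediates into stack locals.  The immediates were derived from the
# known key so the decoder can be checked; the real offsets and widths differ.
SAMPLE_DISASM = """
mov     [ebp+var_28], 7B4E4150h
mov     [ebp+var_24], 666E3043h
mov     [ebp+var_20], 75676131h
mov     [ebp+var_1C], 6974346Ch
mov     [ebp+var_18], 5F736E30h
mov     [ebp+var_14], 345F6E30h
mov     [ebp+var_10], 38304A5Fh
mov     [ebp+var_C], 4C33575Fh
mov     [ebp+var_8], 30445F4Ch
mov     [ebp+var_4], 7D21334Eh
"""

# Matches "mov [byte|word|dword ptr] [ebp+var_N], IMMh"; width defaults to dword.
STORE_RE = re.compile(
    r"mov\s+(?:(byte|word|dword) ptr\s+)?\[ebp\+var_([0-9A-Fa-f]+)\],\s*([0-9A-Fa-f]+)h"
)
WIDTHS = {"byte": ("<B", 1), "word": ("<H", 2), "dword": ("<I", 4)}


def decode_stack_string(disasm: str) -> str:
    """Reassemble the bytes of a stack string from its immediate stores."""
    stores = []
    for width, off_hex, imm_hex in STORE_RE.findall(disasm):
        fmt, size = WIDTHS[width or "dword"]
        # var_N lives at ebp-N, so a larger N means a lower address.
        addr = -int(off_hex, 16)
        stores.append((addr, size, struct.pack(fmt, int(imm_hex, 16))))
    stores.sort()  # ascending address == string order
    buf = b""
    expect = None
    for addr, size, chunk in stores:
        # A missed or duplicated store would silently shift the result,
        # so insist that the pieces are contiguous.
        if expect is not None and addr != expect:
            raise ValueError(f"gap or overlap at ebp{addr:+#x}: check the stores")
        buf += chunk
        expect = addr + size
    return buf.rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    print(decode_stack_string(SAMPLE_DISASM))
```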
