Sample: 57174eac6975871458d393301bbaa67e799e85ed66fefb912875152581eb2f79 (PW: infected)
SquirtleChallenge.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit
When you start the sample, it prompts you for a password.
The first task is therefore to find that password. Load the file in IDA and search for the string “Type the password:”; the code around that reference quickly reveals what you need to type in.
Once you have typed “incorrect” as the password, the program also prints plenty of hints about what it checks before it gives you the flag. The guys from PAN even give you the URLs where to find additional information about each specific anti-debugging technique.
In the end you can either patch out the checks or step over them in a debugger. If you have done everything right, a valid JPEG file, “answer.jpg”, is dropped in the same directory as SquirtleChallenge.exe.
Decode the binary code (Python; each entry is one ASCII character written out in binary):
code = [0b01010000, 0b01000001, 0b01001110, 0b01111011, 0b01010100, 0b01101000, 0b00110011, 0b01011111,
        0b00100100, 0b01110001, 0b01110101, 0b01101001, 0b01110010, 0b01110100, 0b01001100, 0b00110011,
        0b01011111, 0b00100100, 0b01110001, 0b01110101, 0b01000000, 0b01100100, 0b01011111, 0b01110111,
        0b01000000, 0b01111010, 0b01011111, 0b01100010, 0b01001100, 0b01110101, 0b01100110, 0b01100110,
        0b01101001, 0b01001110, 0b01100111, 0b01111101]
result = ""
for c in code:
    result += chr(c)  # map each byte value to its ASCII character
print(result)  # prints the decoded flag string