PAN LabyREnth CTF – Windows #3

Sample: 57174eac6975871458d393301bbaa67e799e85ed66fefb912875152581eb2f79 (PW: infected)

file SquirtleChallenge.exe
SquirtleChallenge.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

Starting the sample, you will be prompted for a password.

[Image: squirtle_start]

So the next thing is to find out the password. After loading the file in IDA and searching for the string “Type the password:” you will quickly see what you need to type in.

[Image: password_check]

After typing “incorrect” as the password you will also get a lot of hints about what the code needs in order to give you the flag. The guys from PAN even give you the URLs where you can find additional information about each specific anti-debugging technique.

[Image: squirtle_anti_debugging]

In the end you can either patch out the checks or step over them in a debugger. If you’ve done everything right, a valid JPEG file “answer.jpg” will be dropped in the same directory as SquirtleChallenge.exe.

[Image: answer.jpg]

Decode the binary code shown in the image to get the flag:

PAN{Th3_$quirtL3_$qu@d_w@z_bLuffiNg}
