PAN LabyREnth CTF – Windows #4

Sample: 3dd0d247d51df1e9c8ae594089c82608792f6bbc376e102aee52ad7c1baa91ab (PW: infected)

file JugsOfBeer.exe
JugsOfBeer.exe: PE32+ executable for MS Windows (GUI) Mono/.Net assembly

This is an x64 binary that asks for a valid serial number.

[Image: jugsofbeer_start]

So you need to find the function that checks the input. To find it, I always look for suspicious strings, if applicable.

[Image: jugsofbeer_findstrings]

In IDA graph view, the function looks pretty confusing, but you just have to follow the paths and you will find a function which is responsible for the serial validation.

[Image: jugsofbeer_serialvalidation]

After finding the serial validation function, you need to understand the algorithm. Here, the IDA decompiler helps a lot, but for easier debugging I reimplemented the function in Python to better understand what the algorithm does.

I could see that there are some values swapped around, but I still did not have any idea what's going on. I got a hint from someone that I should check the challenge description. After googling, I found out that the algorithm is a variant of the quite popular Three Jugs Problem. Maybe you remember the movie Die Hard 3, where John and Zeus were also facing this kind of problem 😉

After that, everything was quite clear and I could solve the problem via pen & paper. You basically have three containers with a size of 7, 13 and 19. The 7 and 13 size containers are filled and the 19 size container is empty. What you need in the end is 10 in two containers (13 and 19).
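
The same puzzle can be solved by breadth-first search over the jug states instead of on paper. This is an added example, not the Python reimplementation of the binary mentioned above; it assumes the standard pouring rule (pour until the source is empty or the destination is full) and models only the puzzle, not the serial format.

```python
from collections import deque

CAPACITIES = (7, 13, 19)   # jug sizes from the write-up
START = (7, 13, 0)         # 7 and 13 full, 19 empty
GOAL = (0, 10, 10)         # 10 in the 13 jug and 10 in the 19 jug


def pour(state, src, dst, capacities=CAPACITIES):
    """Pour src into dst until src is empty or dst is full (assumed rule)."""
    amount = min(state[src], capacities[dst] - state[dst])
    if amount == 0:
        return None  # nothing would move, so this is not a real step
    new = list(state)
    new[src] -= amount
    new[dst] += amount
    return tuple(new)


def solve(start=START, goal=GOAL, capacities=CAPACITIES):
    """Breadth-first search; returns the shortest list of (src, dst, state)."""
    parent = {start: None}  # state -> (previous state, src, dst)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == goal:
            moves = []
            while parent[state] is not None:
                prev, src, dst = parent[state]
                moves.append((src, dst, state))
                state = prev
            return moves[::-1]
        for src in range(3):
            for dst in range(3):
                if src == dst:
                    continue
                nxt = pour(state, src, dst, capacities)
                if nxt is not None and nxt not in parent:
                    parent[nxt] = (state, src, dst)
                    queue.append(nxt)
    return None  # goal cannot be reached from the start state


if __name__ == "__main__":
    for step, (src, dst, state) in enumerate(solve(), 1):
        print(f"{step:2d}: pour {CAPACITIES[src]} -> {CAPACITIES[dst]}  {state}")
```

Because the search is breadth-first, the printed sequence is a shortest one; each line shows the jug contents after the pour.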

[Image: solution]

After I wrote down the solution on paper, I just had to run my Python code and build a valid serial to fill the mask appropriately.

[Image: mask_solution]

[Image: jugsofbeer_finish]
