CSCAMP CTF Quals 2014: PE 4 write-up

Created: 2014.11.24, last modified: 2014.11.24 by xorpse
Status: Complete

After first executing the challenge to get an idea of its functionality, a quick scan of the executable with Exeinfo PE reveals it’s probably packed with ‘Packman v1.0’:

The first stage of the challenge then is to unpack the executable; this can be done using more-or-less the ‘standard procedure’. Load the executable into OllyDBG:

  • Step once, follow the value of ESP into the dump window;
  • Set a hardware breakpoint on access on the first double word;
  • Run;
  • Keep running until the debugger breaks at address 0x401290 (the hardware breakpoint will trigger a few times before this point);
  • Step into the call; this is the OEP.

Dump the executable using LordPE:

Reconstruct the import table using ImpREC:

…finally, rebuild the dumped executable with LordPE.
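As an added example that is not part of this write-up (and not the challenge binary or anything from Packman), the Python below reads a PE section table and does, in code, two things the write-up does with GUI tools: the packer heuristics an identifier such as Exeinfo PE applies (entry point outside a conventional code section, high entropy, a writable and executable entry section), and the section-header realignment a raw memory dump needs before a rebuild, which is the job LordPE performs when dumping. The sample PE is constructed in memory with made-up section names, data and entry point; only the PE/COFF header layout and flag values are real.

```python
import math
import random
import struct

# Section characteristic flags from the PE/COFF spec.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR_SIZE = 20
SECTION_HDR_SIZE = 40


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random; packed or encrypted code is usually above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Return (AddressOfEntryPoint RVA, section-table file offset, list of section dicts)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + COFF_HDR_SIZE
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HDR_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        data = image[rawptr:rawptr + rawsize]
        sections.append({"name": name, "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars, "data": data,
                         "entropy": shannon_entropy(data)})
    return entry_rva, table, sections


def assess_packing(image):
    """Heuristics of the kind a packer identifier applies; returns the findings as a dict."""
    entry_rva, _, sections = parse_pe(image)
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    reasons = []
    if entry_sec is None:
        reasons.append("entry point lies outside every section")
    else:
        wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        if entry_sec["name"] not in (".text", "CODE"):
            reasons.append("entry point not in a conventional code section")
        if entry_sec["entropy"] > 7.0:
            reasons.append("entry section has high entropy")
        if (entry_sec["chars"] & wx) == wx:
            reasons.append("entry section is writable and executable")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            reasons.append("section %s is empty on disk but occupies memory" % s["name"])
    return {"entry_section": entry_sec["name"] if entry_sec else None,
            "reasons": reasons, "likely_packed": len(reasons) >= 2}


def realign_dumped_image(dump):
    """Header fix-up a raw memory dump needs: point each section's SizeOfRawData and
    PointerToRawData at its virtual size/address so the dump parses as a file."""
    _, table, sections = parse_pe(dump)
    out = bytearray(dump)
    for i, s in enumerate(sections):
        struct.pack_into("<II", out, table + i * SECTION_HDR_SIZE + 16, s["vsize"], s["va"])
    return bytes(out)


def build_sample_pe(sections, entry_rva, memory_layout=False):
    """Constructed minimal PE32 (not a real binary); sections = [(name, data, characteristics)].
    memory_layout=True places section data at its virtual address but leaves the headers'
    file offsets as they were, which is what a raw process-memory dump looks like."""
    e_lfanew, opt_size, file_align, sect_align = 0x40, 0xE0, 0x200, 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                          # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)  # ImageBase, alignments
    headers, table, placed = dos + b"PE\0\0" + coff + bytes(opt), bytearray(), []
    raw_ptr, va = file_align, sect_align
    for name, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        placed.append((va if memory_layout else raw_ptr, data))
        raw_ptr += raw_size
        va += -(-len(data) // sect_align) * sect_align
    assert len(headers) + len(table) <= file_align
    image = bytearray(max(off + len(d) for off, d in placed))
    image[:len(headers) + len(table)] = headers + table
    for off, data in placed:
        image[off:off + len(data)] = data
    return bytes(image)


def sample_sections():
    """Constructed stand-ins: a low-entropy 'code' section and a high-entropy RWX packer section."""
    rng = random.Random(2014)  # seeded so the sample is reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = bytes(range(16)) * 256
    return [(".text", plain, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
            (".pack", packed, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)]


if __name__ == "__main__":
    on_disk = build_sample_pe(sample_sections(), entry_rva=0x2010)  # entry inside .pack
    print(assess_packing(on_disk))
    dump = build_sample_pe(sample_sections(), entry_rva=0x2010, memory_layout=True)
    fixed = realign_dumped_image(dump)
    print([(s["name"], hex(s["rawptr"]), round(s["entropy"], 2)) for s in parse_pe(fixed)[2]])
```

Running it on a real sample means passing the file's bytes to `assess_packing` instead of the constructed image; `realign_dumped_image` assumes a dump taken from the image base with the headers intact, which is also what LordPE and ImpREC expect before a rebuild.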

Getting the flag at this point is relatively simple, although there’s an anti-debug measure that must be disabled:

  • Set a breakpoint at 0x401433 (this is where the anti-debugging happens);
  • Run, and force the jump at 0x401433 by flipping the ZF.

We learn that the key must be of length <= 3:

Entering a key of this length and stepping through the disassembly leads to an interesting procedure at 0x40172d:

From previous runs we know that taking the jump at 0x401738 leads to failure, so the executable is forced onto the alternate path by once again flipping the ZF. Running from this point reveals the flag, as required: