
FireEye Tech-Talk@CMU Challenge Write-Up

First, the only string reference points to this section:


The instruction at 0x00401310 checks whether a command-line argument was supplied. There is an irritating sleep call; you can either NOP out the call or patch its argument to 0. Next there is a reference to 0x417550, followed by a jump to the actual code.

Inspecting the memory at 0x417550, the 274-byte buffer decodes to plain text when XOR-ed with 0x55:

“Good job! Keep going….Good luck!”

Next, it checks that the program's name is princesswarrior.exe; you can either bypass that check or rename the executable. Then the length of the input string is checked: it should be 0x32 (50) bytes.


Lastly, the fun part. Let

x1 = your input string (0x32 bytes)

x2 = the string at 0x4174E8

x3 = the string at 0x417664

The binary accepts x1 when (x1 + 12) xor x2 == x3, so inverting the check gives the key, one byte at a time: x1 = (x3 xor x2) - 12.
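Both decoding steps carried through in Python, as an added example that is not part of the original write-up. The real contents of 0x417550, 0x4174E8 and 0x417664 are not reproduced; the buffers below are constructed stand-ins (the message is re-encoded from the quote above, and x3 is derived from a chosen placeholder key so that the recovery has a known answer). The comparison in binary_check is the algebraic inverse of the key formula, not code lifted from the binary.

```python
# Added example, not from the original write-up. It reproduces the two
# decoding steps described above on constructed stand-in data; the real
# contents of 0x417550, 0x4174E8 and 0x417664 are not reproduced here.

KEY_LEN = 0x32   # the input-string length the binary insists on (50 bytes)
XOR_MASK = 0x55  # single-byte mask on the message buffer at 0x417550
OFFSET = 12      # constant in x1 = (x3 xor x2) - 12


def xor_decode(buf: bytes, mask: int = XOR_MASK) -> str:
    """Undo the single-byte XOR on the message buffer (the 0x417550 step)."""
    return bytes(b ^ mask for b in buf).decode("ascii")


def recover_key(x2: bytes, x3: bytes, offset: int = OFFSET) -> bytes:
    """x1 = (x3 xor x2) - offset, applied byte by byte modulo 256."""
    if len(x2) != len(x3):
        raise ValueError("x2 and x3 must have the same length")
    return bytes(((b ^ c) - offset) & 0xFF for b, c in zip(x2, x3))


def binary_check(x1: bytes, x2: bytes, x3: bytes, offset: int = OFFSET) -> bool:
    """The comparison the key formula inverts (assumed, not lifted from the
    binary): x1 is accepted iff it is KEY_LEN bytes long and
    (x1 + offset) xor x2 == x3 holds for every byte."""
    if len(x1) != KEY_LEN or len(x2) < KEY_LEN or len(x3) < KEY_LEN:
        return False
    return all(((a + offset) & 0xFF) ^ b == c
               for a, b, c in zip(x1, x2, x3))


# ---- constructed demo data (NOT the bytes from the binary) ----
# The message quoted in the write-up, XOR-encoded the way the binary stores it.
DEMO_MSG = bytes(b ^ XOR_MASK for b in b"Good job! Keep going....Good luck!")

# An arbitrary 50-byte x2 table and an x3 derived from a chosen stand-in key,
# so that recover_key() has a known answer to reproduce.
DEMO_SECRET = b"flag{constructed-stand-in-key}".ljust(KEY_LEN, b"_")
DEMO_X2 = bytes((0x37 * i + 0x5A) & 0xFF for i in range(KEY_LEN))
DEMO_X3 = bytes(((s + OFFSET) & 0xFF) ^ k for s, k in zip(DEMO_SECRET, DEMO_X2))


if __name__ == "__main__":
    print(xor_decode(DEMO_MSG))
    key = recover_key(DEMO_X2, DEMO_X3)
    print(key.decode("ascii"), binary_check(key, DEMO_X2, DEMO_X3))
```

To use it against the real binary, dump the 0x32 bytes at 0x4174E8 and 0x417664 from a debugger (or read them at the matching file offsets) and pass them to recover_key; the `& 0xFF` keeps the subtraction byte-wise, which matters if any x3 xor x2 byte is below 12.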



by Adwiteeya Agrawal
