Challenge 2 - Overlong


Overlong.exe is a 32-bit Windows PE program that decodes the flag in a loop, but the loop is only ever run for the first 0x1c characters, so the flag itself is never decoded.

Tools used:

IDA Pro or Ghidra, x32dbg, OllyDbg, Cutter (the radare2 GUI).

Password to zipfile is "flare".

We are given a PE32 executable which, when run, pops up a message box saying "I never broke the encoding: " and exhibits no other behavior.



Analyzing in OllyDbg: load the executable in OllyDbg and run it.

Looking at the code at the entry point, we see a call into the program's own decoding routine followed by a call through a dword pointer to MessageBoxA. This is also shown in the resolved API information pane. MessageBoxA is a Win32 API function (user32.dll) that displays a modal dialog box, so the message box in the image below is the result of this call.



Using IDA: MessageBoxA is an import from user32.dll. Use the proximity browser or the text view to see where it is called (View > Open subviews > Disassembly). Hovering over the call, or decompiling the function, shows that it takes the four MessageBoxA parameters: HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType. The second parameter, lpText, is the decoded buffer we care about.

With the Hex-Rays decompiler (IDA Pro), F5 produces pseudocode for the current function and Ctrl+F5 decompiles the whole program.



Using Ghidra:

The entry point at 0x401000 decompiles to the code in the image. local_88 is an array of 128 bytes. It is passed to FUN_00401160 as the first argument, the second argument is &DAT_00402008, and the last argument is the integer 0x1c.

Navigating to 0x402008 we find a block of bytes that looks like encoded data; the function decodes it and writes the output into the local_88 array.

At first glance 0x1c might be a key. But "I never broke the encoding: " is exactly 0x1c (28) characters long, and FUN_00401000, which appears to do the actual decoding, takes only two parameters and no key. This suggests that 0x1c is not a key but the number of output characters to decode, i.e. the loop stops after 28 characters and never reaches the flag.






Solution:
Run the program in x32dbg and increase the value passed as the count (0x1c) by patching the instruction. In x32dbg: load the executable, find the push of 0x1c (28) before the call, and change it to push 0x7f (127), which is the most that fits in the 128-byte buffer with a terminating null. Run the program and the fully decoded string, including the flag, appears in the stack window (and in the message box).
I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com

The same patch can be applied in OllyDbg.
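As an added example (not part of the original writeup or the challenge binary), the script below reproduces the count-limited decode loop in Python. It assumes, from the challenge name and the "encoding" hint, that the data at DAT_00402008 is ASCII written in overlong UTF-8 form (e.g. 'I' = 0x49 stored as F0 80 81 89); the encoded bytes here are constructed from the known prefix and the flag shown above, not dumped from the binary. Decoding with the original count (0x1c) yields only the prefix, decoding with the patched count (0x7f) yields the flag, and a strict UTF-8 decoder rejects the data outright, which is why the flag never shows up as a plain string.

```python
# Added example, not code from the writeup or the challenge.
# Assumption: "Overlong" = overlong UTF-8, and the challenge loop decodes
# `count` characters from the encoded buffer (the 0x1c argument).

PREFIX = "I never broke the encoding: "            # 0x1c characters, from the message box
FLAG = "I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com"  # from the writeup


def encode_overlong(text: str, width: int = 4) -> bytes:
    """Write every code point as a fixed `width`-byte UTF-8 sequence.

    For ASCII this is an overlong encoding: 'I' (0x49) becomes F0 80 81 89.
    Used only to construct sample input for this example.
    """
    lead = {2: 0xC0, 3: 0xE0, 4: 0xF0}[width]
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        # continuation payloads, most significant 6-bit group first
        conts = [(cp >> (6 * i)) & 0x3F for i in range(width - 1)][::-1]
        out.append(lead | (cp >> (6 * (width - 1))))
        out.extend(0x80 | c for c in conts)
    return bytes(out)


def decode_one(buf: bytes, pos: int):
    """Decode one UTF-8 sequence at buf[pos], accepting overlong forms.

    Returns (code point, bytes consumed). A lenient decoder like this is
    what lets the overlong data decode to plain ASCII at all.
    """
    b = buf[pos]
    if b < 0x80:
        return b, 1
    if b & 0xE0 == 0xC0:
        need, cp = 1, b & 0x1F
    elif b & 0xF0 == 0xE0:
        need, cp = 2, b & 0x0F
    elif b & 0xF8 == 0xF0:
        need, cp = 3, b & 0x07
    else:
        raise ValueError(f"bad lead byte {b:#x} at offset {pos}")
    for i in range(1, need + 1):
        c = buf[pos + i]
        if c & 0xC0 != 0x80:
            raise ValueError(f"bad continuation byte {c:#x} at offset {pos + i}")
        cp = (cp << 6) | (c & 0x3F)
    return cp, need + 1


def decode_n(buf: bytes, count: int) -> str:
    """Mirror of the challenge loop: decode at most `count` characters.

    count=0x1c reproduces the original behaviour; count=0x7f is the patch.
    """
    pos, chars = 0, []
    while len(chars) < count and pos < len(buf):
        cp, used = decode_one(buf, pos)
        chars.append(chr(cp))
        pos += used
    return "".join(chars)


def strict_decoder_rejects(buf: bytes) -> bool:
    """True if Python's standards-conforming UTF-8 decoder refuses the data."""
    try:
        buf.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


# Constructed sample input standing in for DAT_00402008.
ENCODED = encode_overlong(PREFIX + FLAG)

if __name__ == "__main__":
    print("count=0x1c:", decode_n(ENCODED, 0x1C))
    print("count=0x7f:", decode_n(ENCODED, 0x7F))
    print("strict decoder rejects data:", strict_decoder_rejects(ENCODED))
```

The strict-decoder check is the security-relevant point behind the challenge name: overlong forms are forbidden by the UTF-8 specification precisely because a lenient decoder turns bytes that no string scanner or filter recognises into ordinary ASCII, which is also why a naive strings search over the binary does not reveal the flag.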



Solution 2:

Use Cutter (the radare2 GUI). Open the executable in Cutter with analysis enabled, then check the Strings view and we get the flag.

