FLARE On 6 Challenge 5 - Demo


The solution for this binary was pretty straightforward. In Detect It Easy, the binary shows no linker and appears to be encrypted, as it has high entropy. The binary is compressed with Crinkler v2.1: the header of the binary was MZ21PE, where 21 means version 2.1. The exe uses DirectX9.
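A small triage helper for the two indicators mentioned above (high entropy and the Crinkler-style `MZ21PE` header), added here as an example and not code from the original write-up. The sample bytes are constructed and are not the challenge binary, and the 7.0 bits/byte cut-off is an assumed heuristic.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniformly random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def crinkler_version(header: bytes):
    """Return 'major.minor' when the file starts with the Crinkler-style
    'MZ' + two ASCII version digits + 'PE' (e.g. b'MZ21PE' -> '2.1'), else None."""
    if len(header) < 6 or header[:2] != b"MZ" or header[4:6] != b"PE":
        return None
    ver = header[2:4]
    if not ver.isdigit():
        return None
    return f"{chr(ver[0])}.{chr(ver[1])}"


def triage(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine both indicators. The 7.0 bits/byte cut-off is an assumed heuristic:
    compressed or encrypted data typically sits well above it, plain code below."""
    ent = shannon_entropy(blob)
    return {
        "crinkler_version": crinkler_version(blob[:6]),
        "entropy": round(ent, 3),
        "likely_packed": ent >= entropy_threshold,
    }


# Constructed samples (not the challenge binary): a Crinkler-2.1-style header followed
# by pseudo-random bytes to mimic a compressed payload, and the same header over zeros.
_rng = random.Random(1)
PACKED_SAMPLE = b"MZ21PE" + bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_SAMPLE = b"MZ21PE" + bytes(4096)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage(blob))
```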

Crinkler usage: hxxps://reverseengineering.stackexchange[.]com/questions/13912/trying-to-decompress-a-hello-world-program-using-ollydbg-v201

To get the program to run, I needed to install DirectX9.

(https://www.microsoft.com/en-us/download/details.aspx?id=35).

When you run the exe, a window pops up with a nice 3D Flare logo spinning around. Ninja Ripper's DDRAWrapper demonstrates this as well.

Open 4k.exe using Ninja Ripper and then press F10 / "Capture shortcut", which produces .RIP files: Ninja Ripper dumps all currently drawn objects as .RIP files to the configured output directory. Now we need to read the content of those files.

With the help of the corresponding plugin, the .RIP files can then be loaded into Noesis. First copy fmt_ninjaripper_rip.py from ninjaripper1.7.1\tools\noesis_importer to noesisv4406\plugins\python, then load the .RIP files in Noesis. Click on a .RIP file and you get the flag.
