s4r's illusion.exe

Author:
s4r

Language:
C/C++

Upload:
2023-09-01 14:40

Download

Platform:
Windows

Difficulty:
5.2

Quality:
5.8

Arch:
x86

Downloads:
32

Size:
1.23 MB

Writeups:
0

Comments:
7

Description

Windows challenge that I created for Barbhack CTF 2023

Comments (7)
Writeups (0)

You must be logged in to post a comment

cnathansmith on 2023-09-13 11:45: I almost had to break out the PlayStation controller to solve this one

nightxyz on 2023-09-13 18:42: @cnathansmith Did you solve ? There are antidebugs, obfuscations, self modifiging codes, tlscallbacks, 2 extra threads, cryptos. After getting registry key, i didn't found any location where it uses this information.

cnathansmith on 2023-09-14 04:34: No, sorry... I actually commented on the wrong challenge of his lol. This was meant for encrypted_box. I'm still working on this one. Used Pin to track down where the key gets validated. It goes through a loop checking chars against 'A', 'B', 'C', or 'D', then uses the value to calculate an index (through some clever SEH abuse) it compares a byte from to either continue the loop, break out with a specific value, or otherwise fail out through ExitProcess(). I started fuzzing they keys a char at a time and following branches that don't die. There are combos that would let you keep the loop going forever no matter the length (eg. CACACA...) but clearly you want to cause the break condition at some point, so I need to look at what's happening after that to figure out when/how exactly.

cnathansmith on 2023-09-14 04:44: When you instrument with Pin, you still need to hook ZwQueryInformationProcess to hide the debugger checks involving it, but it otherwise flies under the radar If you hook CryptEncrypt and log the data it affects after, you can patch the exe with the code segments up to whatever point your key causes an exit. (Be mindful it generally gets called on each location twice, once to decrypt then again to re-encrypt.) Good luck with it. I might not have a chance to work on it for a while.

cnathansmith on 2023-09-14 04:47: It makes static analysis easier. Just note that there's IAT hooking (eg. Sleep() really points to ExitProcess()) Be careful not to get confused by trusting call names in the static disassembly. That's presumably the "illusion" aspect of the challenge.

cnathansmith on 2023-09-14 04:52: 401ffa movzx eax, byte ptr [eax+0x53d040] *** key_buf read by 401ffa from 53d040

nightxyz on 2023-09-14 07:55: @cnathansmith Thank you for taking the time to share your findings.

You must be logged in to submit a writeup

crackmes.one

crackmes.one

s4r's illusion.exe