| Jörmungandr |
Solved. Real serial: a693c10308925ea, target string ouroboros_goat (not the banner title), success hash 0x53F55652.
cmd.exe, dummy_target running:
jormungandr.exe <PID> ouroboros_goat a693c10308925ea
→ SEED: 0x7E51 / 0x53F55652 -> DONE
Took me a bit — stock exe exits 0xDEAD (57005) with no output because printf is resolved from msvcrt via PEB walk but KERNEL32 is the only import. Also wasted time on the wrong target string first.
Decoy is 2^0x7E51 mod (2^64-59) = 1331d66091e9e2e5. Shows 0x1337 -> DONE then crashes ~30s later. Don't use it.
Static RE in Ghidra: ECC VM over mod 2^64-59, first stack pop feeds MBA-JIT shellcode at FUN_14000bde8. Deobfuscated the MBA, Z3 with v=1 gave 0x0A693C10308925EA. .ouro SMC decrypted offline (rolling XOR, trap-flag shifter is live-only). Run from cmd for parent check.
gg, fun upgrade from ouroboros.
|
2026-06-06 07:09 |