| Project Obscura |
2026-01-28 15:02 |
Operation Obscura by 0x3xp
1. Challenge Info
Filename: ProjectObscura.exe
Author: 0x3xp (Piyusha Akash)
Difficulty: 1.3/5.0 (Easy)
Architecture: x86-64
Language: C/C++
2. Protection Overview
The author mentioned that the flag and secret key are not stored in plain text. The binary utilizes:
TLS Callbacks: Used to execute anti-debugging or initialization code before the main Entry Point is reached.
Stack-string Reconstruction: Strings are built dynamically in memory during runtime to evade static analysis.
Junk Data: Misleading strings like Cr4ck_m3_... are present in memory to confuse the analyst.
3. Solution Process
Phase 1: Dynamic Analysis Setup
Load the binary into x64dbg.
Step through the TLS Callbacks (breakpoints triggered at 00007FF606D51D80 and 00007FF606D51D60) by pressing F9.
Continue until the debugger hits the actual Entry Point.
Phase 2: Identifying the Comparison Point
The program prompts for a secret code: :: Enter the secret code: . Since it needs to verify the input, it likely uses a string comparison function.
Set a breakpoint on the strcmp function located in ucrtbase.dll.
In the program console, enter any dummy text and press Enter.
Phase 3: Extracting the Secret Key
The debugger will trigger the breakpoint inside strcmp. Examine the registers:
RCX: Points to the user-provided dummy input.
RDX: Points to the actual reconstructed secret key required by the program.
Value in RDX: 0xP670PPGT56DEA.
While other obfuscated strings were visible in the memory dump, this specific value was the one used for the final validation.
4. Final Result
Restart the program and enter the discovered key: 0xP670PPGT56DEA.
The program triggers a message box: "Congratulations you found the Flag!".
Flag: CTF{R3v3rs3_EnG_1s_4M1ndG4m3s} |