For this challenge you’re given a simple win32 executable. A strings dump shows it’s a Perl2EXE binary. Additionally, we can see there is a referenced string “RunPerl.” Jumping to where it is referenced, we see other strings that make it clear this is an imported function from “p2x5123.dll”
We set our breakpoint and run to it. Following the call, we enter the p2exe dll. In IDA’s module list, we can see that this dll is located in a temporary folder. Running it through PEID we can see it is UPX-packed, but that’s fine as we are performing dynamic analysis. We follow the execution path through the DLL without stepping, and we can see that eventually it prints a message that says “Debug mode enabled.” We figure debug info is helpful, and we insert a 1 into the memory address designated as the debug flag. Stepping through, we see some code that references file extensions, and then jumps over a large block of file-writey-looking-code(we can see this through strings in the referenced functions). We decide to nop the jz.
We can browse to our tmp directory and see all the files written. There’s a bunch of p2x junk, and then _main.pl. The code from _main.pl is below, and the flag is obvious(view raw if your resolution is too thin).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/usr/bin/perl
print"\n[*] ebCTF BIN 200\n".
" No comment...\n\n";
$secret = "Sup3RSeCr3tStuFf!";
print"[*] What is the secret? ";
$answer = <STDIN>;
chomp($answer);
if ($answer eq $secret) {
print"\n[*] Yes, that is correct! However that was not the goal of this challenge.\n".
" Did you know that compiled code does not contain any comments?\n";
} else {
print"\n[*] Isn't that cute...but it is WRONG!.\n";
}
# W e l l , w e l l, i t s e e m s t h e r e a c t u a l l y i s a c o m m e n t . . .
![](http://www.tumblr.com/share/link?url=http://a-zA-Z0-9.net/ebctf-finals-2013-bin200/&name=EBCTF Finals 2013 – Bin200&description=<p>For this challenge you’re given a simple win32 executable. A strings dump shows it’s a <a title="Perl2EXE" href="http://www.indigostar.com/perl2exe.php" target="_blank">Perl2EXE</a> binary. Additionally, we can see there is a referenced string “RunPerl.” Jumping to where it is referenced, we see other strings that make it clear this is an imported function from “p2x5123.dll”</p>
<p><a href="http://a-zA-Z0-9.net/wp-content/uploads/4kAxH86.png" rel="lightbox[140]"><img title="RunPerl code section" alt="RunPerl code section" src="http://a-zA-Z0-9.net/wp-content/uploads/4kAxH86.png" width="970" height="612"></a></p>){kind=link}
