EBCTF Finals 2013 – Bin200
For this challenge you're given a simple win32 executable. A strings dump shows it's a Perl2EXE binary. Additionally, we can see there is a referenced string "RunPerl". Jumping to where it is referenced, we see other strings that make it clear this is an imported function from "p2x5123.dll".
We set our breakpoint on that call and run to it. Following the call, we enter the p2exe DLL. In IDA's module list, we can see that this DLL is located in a temporary folder. Running it through PEiD we can see it is UPX-packed, but that's fine since we are performing dynamic analysis and the DLL is already unpacked in memory. We follow the execution path through the DLL without stepping into every call, and we can see that eventually it prints a message that says "Debug mode enabled." We figure debug info is helpful, so we write a 1 to the memory address used as the debug flag. Stepping through, we see some code that references file extensions, and then a jz that jumps over a large block of file-writing-looking code (we can see this through strings in the referenced functions). We decide to nop the jz. With this jz nopped…
We can browse to our tmp directory and see all the files written. There's a bunch of p2x junk, and then _main.pl. The code from _main.pl is below, and the flag is obvious (view raw if your resolution is too thin).
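The identification steps above (spotting the Perl2EXE import and the UPX packing) can be scripted for triage. The following is an added example, not code from the writeup or the challenge: it parses the PE section table to look for UPX section names and searches the raw image for the Perl2EXE markers the writeup names ("RunPerl", "p2x5123.dll", "_main.pl"). The sample PE image it checks is constructed inline and is only a minimal header plus payload, not a real Perl2EXE binary.

```python
import struct

# Markers taken from the writeup; the list is an assumption about what a
# Perl2EXE build typically leaves in the image, not an exhaustive signature.
PERL2EXE_MARKERS = [b"RunPerl", b"p2x5123.dll", b"_main.pl"]


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names from a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                     # start of the 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Report Perl2EXE markers and UPX-style section names found in a PE image."""
    markers = [m.decode() for m in PERL2EXE_MARKERS if m in data]
    sections = pe_section_names(data)
    upx = any(n.upper().startswith("UPX") for n in sections)
    return {"perl2exe_markers": markers, "sections": sections, "upx_packed": upx}


def build_sample_pe(section_names: list[str], payload: bytes) -> bytes:
    """Constructed minimal PE-like image for testing: DOS header, PE signature,
    COFF header with an empty optional header, section table, then payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"],
                             b"\0junk\0RunPerl\0p2x5123.dll\0more junk\0")
    print(triage(sample))
```

On a real sample the section names alone are only a hint (packers can be renamed), so the marker hits and the section names are reported side by side rather than collapsed into a single verdict.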