LabyREnth CTF (Windows Lv3)
1. Introduction
2. writeup
・Squirtle (Windows Lv3)
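Extracting the zip (password: infected) yields SquirtleChallenge.exe.
This is essentially an anti-debugging challenge. It can be solved either by patching out each check in a debugger or by satisfying each check's condition. The goal is to make the program produce the following output.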
Type the password:
incorrect
You typed: incorrect
Squirtle Happy! You got the password!
Squirtle is getting excited!!!
Congratz Debugger WindowClass Not Found
Squirtle is glad you are watching him now! fs:[30h+2]
Squirtle appreciates you taking the ticks to get to know him.
TickCount: 613f43
Squirtle likes when things go fast!
Ticks passed: 2eecb
Squirtle is dancing!
Congrats! No Debugger Present!
Squirtle is tail whipping because there is no remote debugger!
Yayyy Squirtle is HydroPumping because there are more than 2 CPUs
Congrats! Squirtle is TailWhipping because there is more than 1024 RAM
Squirtle Aqua Jet BLAST! Congrats HV CPU Bit NOT Set
Once all of the conditions are met, the following jpg is created.
Converting the binary digits in this jpg to ASCII gives the flag.
FLAG : PAN{Th3_$quirtL3_$qu@d_w@z_bLuffiNg}
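The checks named in the output above can be located statically before they are patched or satisfied in a debugger. The following is an added example, not part of the original writeup or the challenge: a Python triage pass over a binary's bytes. The API names are assumptions about what sits behind each output line, and SAMPLE is a constructed byte string, not data from SquirtleChallenge.exe.

```python
import re

# API names searched for among a PE file's import strings. Which calls the
# challenge binary really makes is an assumption; these are documented
# Windows APIs commonly behind the checks its output names.
API_CHECKS = {
    b"FindWindow": "debugger window class lookup",
    b"IsDebuggerPresent": "debugger present flag",
    b"CheckRemoteDebuggerPresent": "remote debugger query",
    b"GetTickCount": "timing between two tick reads",
    b"GetSystemInfo": "CPU count",
    b"GlobalMemoryStatusEx": "installed RAM",
}

# Instruction byte patterns (32-bit x86). A two-byte pattern such as cpuid
# also matches data by chance, so hits are leads to confirm in a disassembler.
OPCODE_CHECKS = {
    bytes.fromhex("64a130000000"): "mov eax, fs:[30h] (PEB; BeingDebugged at +2)",
    bytes.fromhex("0fa2"): "cpuid (hypervisor bit: leaf 1, ECX bit 31)",
}

# Constructed sample: two code fragments, then import-style name entries.
SAMPLE = (
    b"\x64\xa1\x30\x00\x00\x00\x0f\xb6\x40\x02"  # PEB read, byte at +2
    b"\x90\x0f\xa2\x90"                          # nop; cpuid; nop
    b"\x00\x00IsDebuggerPresent\x00"
    b"\x00\x00CheckRemoteDebuggerPresent\x00"
    b"\x00\x00FindWindowA\x00"
    b"\x00\x00MyGetTickCounter\x00"              # must not be reported
)

def triage(blob):
    """Return sorted (offset, kind, needle, meaning) tuples for each hit."""
    hits = []
    for needle, meaning in API_CHECKS.items():
        # Whole NUL-terminated names only, with an optional A/W suffix.
        pat = rb"(?<![A-Za-z0-9_])" + re.escape(needle) + rb"[AW]?\x00"
        for m in re.finditer(pat, blob):
            hits.append((m.start(), "api", needle.decode(), meaning))
    for needle, meaning in OPCODE_CHECKS.items():
        start = blob.find(needle)
        while start != -1:
            hits.append((start, "opcode", needle.hex(), meaning))
            start = blob.find(needle, start + 1)
    return sorted(hits)
```

To use it on a real file, pass the file's bytes to triage() and review each reported offset in a disassembler.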
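3. Notes
Apparently Squirtle is ゼニガメ (Zenigame) and Tail Whip is しっぽをふる (Shippo wo Furu) in Japanese.
The following are the URLs that the challenge tells you to refer to.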
・https://msdn.microsoft.com/en-us/library/windows/desktop/ms633499(v=vs.85).aspx
・http://www.symantec.com/connect/articles/windows-anti-debug-reference
・http://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf
・https://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx
・https://msdn.microsoft.com/en-us/library/windows/desktop/ms679280(v=vs.85).aspx
・https://www.trustedsec.com/may-2015/bypassing-virtualization-and-sandbox-technologies/
・http://artemonsecurity.com/vmde.pdf
kmdnet