LabyREnth CTF (Windows Lv3)

1. Introduction

LabyREnth CTF - same as くじらとたぬき.


2. writeup

・Squirtle (Windows Lv3)

Extracting the zip (password: infected) gives you SquirtleChallenge.exe.


It is basically an anti-debug problem. You solve it by removing each check in the debugger or by satisfying its condition. In the end you need to get the program to print the following output.


Type the password:
incorrect
You typed: incorrect
Squirtle Happy! You got the password!

Squirtle is getting excited!!!
 Congratz Debugger WindowClass Not Found

Squirtle is glad you are watching him now! fs:[30h+2]

Squirtle appreciates you taking the ticks to get to know him.
 TickCount: 613f43

Squirtle likes when things go fast!
 Ticks passed: 2eecb

Squirtle is dancing!
 Congrats! No Debugger Present!

Squirtle is tail whipping because there is no remote debugger!

Yayyy Squirtle is HydroPumping because there are more than 2 CPUs

Congrats! Squirtle is TailWhipping because there is more than 1024 RAM

Squirtle Aqua Jet BLAST! Congrats HV CPU Bit NOT Set
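Each line of that output corresponds to a well-known anti-analysis check: FindWindow for a debugger window class, the PEB BeingDebugged byte reached through fs:[30h], GetTickCount deltas, IsDebuggerPresent, CheckRemoteDebuggerPresent, the processor count, physical RAM, and the CPUID hypervisor bit. The C program below is an added example written for this writeup, not code from the Squirtle binary: it gathers those probes with the real Win32 APIs when built for Windows, otherwise fills them with constructed values, and then evaluates them with the thresholds the output states (more than 2 CPUs, more than 1024 MB RAM, hypervisor bit clear). The window class name OLLYDBG, the tick budget MAX_TICKS_ALLOWED, and the CPU/RAM figures in the constructed run are assumptions; only the tick values 0x613f43 and 0x2eecb come from the page.

```c
/* Added example: re-implements the environment checks behind the Squirtle
 * output so an analyst knows what each expects and where to break or patch.
 * Not the challenge's code. Live probes on _WIN32, constructed values elsewhere. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
#endif

struct probes {
    bool     debugger_window_found;   /* FindWindow on a debugger window class */
    uint8_t  peb_being_debugged;      /* PEB->BeingDebugged: byte at fs:[30h] + 2 on x86 */
    uint32_t tick_start, tick_end;    /* GetTickCount before/after the program's work */
    bool     is_debugger_present;     /* IsDebuggerPresent() */
    bool     remote_debugger_present; /* CheckRemoteDebuggerPresent() */
    uint32_t cpu_count;               /* SYSTEM_INFO.dwNumberOfProcessors */
    uint64_t ram_mb;                  /* MEMORYSTATUSEX.ullTotalPhys in MiB */
    uint32_t cpuid1_ecx;              /* CPUID leaf 1 ECX; bit 31 = hypervisor present */
};

enum check { CHK_WINDOW, CHK_PEB, CHK_TICKS, CHK_LOCAL_DBG,
             CHK_REMOTE_DBG, CHK_CPUS, CHK_RAM, CHK_HV, CHK_COUNT };

const char *check_name[CHK_COUNT] = {
    "Debugger WindowClass not found", "PEB.BeingDebugged == 0",
    "GetTickCount delta within budget", "IsDebuggerPresent == FALSE",
    "CheckRemoteDebuggerPresent == FALSE", "more than 2 CPUs",
    "more than 1024 MB RAM", "CPUID hypervisor bit not set" };

#define MAX_TICKS_ALLOWED 0x40000u   /* assumed budget; the writeup only shows 0x2eecb passing */
#define CPUID_HV_BIT      (1u << 31)

/* Bit i of the result is set when check i is satisfied. */
uint32_t evaluate(const struct probes *p)
{
    uint32_t ok = 0;
    if (!p->debugger_window_found)       ok |= 1u << CHK_WINDOW;
    if (p->peb_being_debugged == 0)      ok |= 1u << CHK_PEB;
    /* unsigned subtraction stays correct across the 49.7-day GetTickCount wrap */
    if ((uint32_t)(p->tick_end - p->tick_start) < MAX_TICKS_ALLOWED) ok |= 1u << CHK_TICKS;
    if (!p->is_debugger_present)         ok |= 1u << CHK_LOCAL_DBG;
    if (!p->remote_debugger_present)     ok |= 1u << CHK_REMOTE_DBG;
    if (p->cpu_count > 2)                ok |= 1u << CHK_CPUS;
    if (p->ram_mb > 1024)                ok |= 1u << CHK_RAM;
    if (!(p->cpuid1_ecx & CPUID_HV_BIT)) ok |= 1u << CHK_HV;
    return ok;
}

bool all_pass(uint32_t mask) { return mask == (1u << CHK_COUNT) - 1u; }

/* Constructed probes mirroring the successful run above (ticks from the page,
 * CPU count and RAM assumed, no hypervisor bit). */
struct probes page_run(void)
{
    struct probes p;
    memset(&p, 0, sizeof p);
    p.tick_start = 0x613f43u;
    p.tick_end   = 0x613f43u + 0x2eecbu;
    p.cpu_count  = 4;
    p.ram_mb     = 8192;
    return p;
}

/* Same machine under a user-mode debugger: the PEB byte flips, and both
 * IsDebuggerPresent-family APIs report it because they read that byte. */
struct probes debugged_run(void)
{
    struct probes p = page_run();
    p.peb_being_debugged = 1;
    p.is_debugger_present = p.remote_debugger_present = true;
    return p;
}

uint32_t evaluate_page_run(void)     { struct probes p = page_run();     return evaluate(&p); }
uint32_t evaluate_debugged_run(void) { struct probes p = debugged_run(); return evaluate(&p); }

#ifdef _WIN32
struct probes collect_live(void)
{
    struct probes p; memset(&p, 0, sizeof p);
    p.debugger_window_found = FindWindowA("OLLYDBG", NULL) != NULL; /* assumed class name */
#if defined(_M_IX86) || defined(__i386__)
    p.peb_being_debugged = *(uint8_t *)(__readfsdword(0x30) + 2); /* fs:[30h] -> PEB */
#else
    p.peb_being_debugged = (uint8_t)IsDebuggerPresent();       /* same byte via the API */
#endif
    p.tick_start = GetTickCount();
    /* the binary's own work would run here */
    p.tick_end = GetTickCount();
    p.is_debugger_present = IsDebuggerPresent() != 0;
    BOOL remote = FALSE;
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote);
    p.remote_debugger_present = remote != 0;
    SYSTEM_INFO si; GetSystemInfo(&si); p.cpu_count = si.dwNumberOfProcessors;
    MEMORYSTATUSEX ms; ms.dwLength = sizeof ms; GlobalMemoryStatusEx(&ms);
    p.ram_mb = (uint64_t)ms.ullTotalPhys >> 20;
    int regs[4]; __cpuid(regs, 1); p.cpuid1_ecx = (uint32_t)regs[2];
    return p;
}
#endif

int main(void)
{
#ifdef _WIN32
    struct probes p = collect_live();
#else
    struct probes p = page_run();
#endif
    uint32_t ok = evaluate(&p);
    for (int i = 0; i < CHK_COUNT; i++)
        printf("[%s] %s\n", (ok & (1u << i)) ? "pass" : "FAIL", check_name[i]);
    return all_pass(ok) ? 0 : 1;
}
```

In a debugger the three debugger-related checks fail together because IsDebuggerPresent and CheckRemoteDebuggerPresent ultimately report the same PEB byte, so clearing PEB->BeingDebugged (or patching the conditional jump after each call) is what turns those lines green; the CPU, RAM and hypervisor lines depend only on the analysis VM's configuration.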


Once all the conditions are met, the following jpg is created.

[image: the jpg generated by the challenge]

Converting the binary digits in this jpg to ASCII gives the flag.


FLAG : PAN{Th3_$quirtL3_$qu@d_w@z_bLuffiNg}


3. Notes

Apparently Squirtle is ゼニガメ and Tail Whip is しっぽをふる in Japanese.


The URLs below are the ones the challenge tells you to consult.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms633499(v=vs.85).aspx

http://www.symantec.com/connect/articles/windows-anti-debug-reference

http://researchcenter.paloaltonetworks.com/2015/10/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/

http://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679280(v=vs.85).aspx

https://www.trustedsec.com/may-2015/bypassing-virtualization-and-sandbox-technologies/

http://artemonsecurity.com/vmde.pdf


kmdnet