Posted on by and filed under Hack.LU 2012.

At the beginning of this problem, we’re given a Windows binary (.exe). Running it gives some inane output about a username and product key. This is a clue that it could be a keygenme or something more difficult (but it isn’t, yay!).

So, we open the executable up in IDA. Taking a quick look at the string references, we see “You are an admin!” This is probably where we need to go, so we set a breakpoint here.

[Screenshot 1]

Now we’re looking at an interesting block of code. We can see that it compares ebx to 0x29A to check whether the user is an administrator (while I think the author intended you to reverse how it arrives at this value, that isn’t necessary). We want to make sure program execution takes whatever steps are necessary to reach the code section that would run if we were a valid administrator. So, we just set EIP whenever it looks like the program is about to take the non-administrator path.

[Screenshot 2]

We end up here. There’s a string that says a flag is written to a file, and an fopen! And look, right under that there’s an fputc loop (fputc writes a single byte to a file)!

[Screenshot 3]

So, we set a breakpoint at that fclose (the file is fully written by the time execution gets there) and let the program run. We get a PDF file in the same folder as the binary. Throwing caution to the wind and opening that PDF, we get…

[Screenshot 4]

I’m not sure what language that atoi() is in, but atoi() in C returns 0 for those letters. That can’t be right. I figure they mean the hex values of those ASCII characters, and adding them together gives x = 1165.

The integral evaluates to 2x – 993 = 2(1165) – 993 = 1337. md5(1337) is the key to this problem.
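As an added example (not code from the original writeup or the challenge), the script below makes the atoi() point concrete and carries the final calculation through: a re-implementation of C's atoi() semantics shows that a string starting with a letter yields 0, the "sum of ASCII codes" reading gives a usable x, and the closed form 2x − 993 from the writeup followed by md5 of the result produces the key. The sample string "CTF" is constructed for illustration only; the actual letters from the challenge PDF are not reproduced on the page, so the writeup's value x = 1165 is taken as given.

```python
"""Added example, not part of the original writeup.

Demonstrates why atoi() cannot be the intended operation on the letters in
the challenge PDF, and how the alternative reading (each letter as its ASCII
code) leads to the x the writeup uses.  The string "CTF" is a constructed
sample; the real challenge letters are not on the page.
"""
import hashlib


def c_atoi(s: str) -> int:
    """Re-implementation of C's atoi() semantics: skip leading whitespace,
    accept one optional sign, consume decimal digits, stop at the first
    non-digit.  A string that starts with a letter therefore yields 0."""
    i, n = 0, len(s)
    while i < n and s[i] in " \t\n\r\f\v":
        i += 1
    sign = 1
    if i < n and s[i] in "+-":
        sign = -1 if s[i] == "-" else 1
        i += 1
    value = 0
    while i < n and "0" <= s[i] <= "9":
        value = value * 10 + (ord(s[i]) - ord("0"))
        i += 1
    return sign * value


def ascii_sum(s: str) -> int:
    """The reading the writeup settles on: treat each character as its ASCII
    code (the hex value shown in the PDF) and add the codes together."""
    return sum(ord(ch) for ch in s)


def evaluate_integral(x: int) -> int:
    """Closed form stated in the writeup: the integral evaluates to 2x - 993."""
    return 2 * x - 993


def solution_key(x: int) -> str:
    """md5 of the decimal string of the integral's value; for x = 1165 this is
    md5("1337"), which the writeup names as the key."""
    return hashlib.md5(str(evaluate_integral(x)).encode()).hexdigest()


# Value the writeup obtains from the challenge letters (taken as given here).
X_FROM_WRITEUP = 1165


if __name__ == "__main__":
    sample = "CTF"  # constructed sample, not the challenge's letters
    print("c_atoi(%r)     = %d" % (sample, c_atoi(sample)))      # 0: letters are not digits
    print("ascii_sum(%r)  = %d" % (sample, ascii_sum(sample)))   # 67 + 84 + 70 = 221
    print("2x - 993 for x = %d: %d" % (X_FROM_WRITEUP, evaluate_integral(X_FROM_WRITEUP)))
    print("key: %s" % solution_key(X_FROM_WRITEUP))
```

Running the script prints 0 for `c_atoi("CTF")`, 221 for the ASCII sum of the constructed sample, 1337 for the integral at x = 1165, and the 32-character md5 hex digest that serves as the key.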

Credits: Ditmar Wendt, Luis Santana, Andrea Long for the integration.