For this challenge you need your full attention, it will be very helpful 😉

Note: the flag format for this challenge is slightly different.

att3nti0n.exe

We are given an .exe file. Let’s see if it is really a PE file.

Indeed it is a PE32 executable file.

Let’s decompile its main function first.

It takes a password as an argument and checks whether it is correct or not. Let’s decompile the check function.

This function recursively xors our string with the 4 different keys and compares it to the 45 bytes of enc.

Let’s look at the keys first.

Now, let’s create a python script to decrypt enc. Even though, it compares the first 45 bytes only, enc has 60 bytes. Therefore, I will decrypt all 60 bytes.

Let’s run it.

It seems we need to find a different function in the binary.

I found this string in the binary.

It is called within getFlag function.  Let’s try to decompile the getFlag function.

It only shows us assignment operations. It means there exists a code which never gets executed and decompiler skips that code away since it is useless. Therefore, we need to analyze this function by looking at the x86 assembly code of the function.

At the beginning, we have some assignments.

It looks like it fills two pointers that start at ebp+var_32 and ebp+var_51 respectively.

Then, it checks the first 4 bytes from ebp+var_51.

Next, it allocates 31 bytes of virtual memory and stores the pointer of it at ebp+lpAddress.

Afterwards, there is a for loop that runs 4 times at total.

This for loop does the following:

It basically puts the address of ebp+var_32 into (ebp+var_51)[7:11] and (ebp+var_51)[12:16].

Let’s continue to our analysis.

It copies the bytes from ebp+var_51 to ebp+lpAddress and calls it!

Finally, it frees the allocated memory at ebp+lpAddress. Then, prints the flag from ebp+var_32. Since we know that ebp+var_32 does not contain the flag at the beginning, its characters must be modified by the function call above.

We know that ebp+var_51 contains a function code. Let’s try to disassemble bytes of it.

This code looks meaningless. Remember that the first 4 bytes of ebp+var_51 were checked before the for loop and checks were failed! Expected 4 bytes are 0x55, 0x89, 0xE5, 0x60. Let’s decompile these 4 bytes only.

This looks better. It seems the bytes of ebp+var_51 are encrypted and we need to decrypt them first.

If we xor the first bytes of ebp+var_51 with the expected 4 bytes, we get the following bytes:

Remember them? They are the 4 keys of the fake password encryption routine. Let’s use the code we have written to decrypt the bytes of ebp+var_51.

Here is the python script for this task.

Let’s execute it and get the original bytes of the code.

Now, let’s disassemble these bytes and get the real code.

Look at the bytes at [7:11] and [12:16]. They are 0x11223344 and 0xaabbccdd respectively, which are obviously placeholders. Our for loop was inserting the address of ebp+var_32 to these indexes. Then, this code just xors the bytes of ebp+var_32 with the key 0x17.

Let’s create a python script to get the flag.

Let’s execute it.

Here is the flag noxTF{H1dd3n_FUNc710n5_4r3_C001!}.