... visits
Challenge Points: 998
No. of solves: 3
Challenge Author: Azr43lKn1ght
Damian Wayne stored a secret in his old pc, but Dr. Simon Hurt who got this information, planned a contingency against Damian by the help of Starlab’s techies, poor Damaian was so eager to view the encrypted secret file that Raven sent him long back but Simon knows this piece of information as well as the decryption process, will he win this situation like a Wayne? will Damaian’s Redemption be successful!?
File Password : vOCorthoAGESeNsivEli
Flag format: bi0sCTF{...}
first let’s start with profiling of the memory dump.
vol.py -f Damian.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/e/writeup/bat1/Damian.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000280f0a0L
Number of Processors : 6
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002810d00L
KPCR for CPU 1 : 0xfffff880009ea000L
KPCR for CPU 2 : 0xfffff880030a8000L
KPCR for CPU 3 : 0xfffff8800311d000L
KPCR for CPU 4 : 0xfffff88003192000L
KPCR for CPU 5 : 0xfffff880031c7000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2023-05-06 16:45:20 UTC+0000
Image local date and time : 2023-05-06 22:15:20 +0530
now let’s get the list of processes running on the system.
vol.py -f Damian.mem --profile Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80036e2040 System 4 0 98 469 ------ 0 2023-05-06 16:43:35 UTC+0000
0xfffffa8004961300 smss.exe 272 4 2 34 ------ 0 2023-05-06 16:43:35 UTC+0000
0xfffffa80062e8a20 csrss.exe 352 332 10 353 0 0 2023-05-06 16:43:38 UTC+0000
0xfffffa80047ca060 wininit.exe 404 332 4 84 0 0 2023-05-06 16:43:39 UTC+0000
0xfffffa80047c8360 csrss.exe 412 396 10 290 1 0 2023-05-06 16:43:39 UTC+0000
0xfffffa800643a740 services.exe 464 404 14 196 0 0 2023-05-06 16:43:39 UTC+0000
0xfffffa8006444060 winlogon.exe 488 396 6 121 1 0 2023-05-06 16:43:39 UTC+0000
0xfffffa800498f260 lsass.exe 516 404 11 581 0 0 2023-05-06 16:43:40 UTC+0000
0xfffffa800644d5b0 lsm.exe 524 404 10 147 0 0 2023-05-06 16:43:40 UTC+0000
0xfffffa800632a660 svchost.exe 628 464 13 372 0 0 2023-05-06 16:43:40 UTC+0000
0xfffffa80064d2b30 VBoxService.ex 692 464 13 123 0 0 2023-05-06 16:43:40 UTC+0000
0xfffffa800644bb30 svchost.exe 760 464 8 255 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa800651ab30 svchost.exe 840 464 20 392 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa800654a7c0 svchost.exe 896 464 21 476 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa8006552940 svchost.exe 924 464 33 875 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa8006575b30 audiodg.exe 1000 840 8 136 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa8004871060 svchost.exe 296 464 13 290 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa80065cfb30 svchost.exe 348 464 18 387 0 0 2023-05-06 16:43:41 UTC+0000
0xfffffa8006651a30 spoolsv.exe 1140 464 15 315 0 0 2023-05-06 16:43:42 UTC+0000
0xfffffa800656ab30 svchost.exe 1180 464 21 332 0 0 2023-05-06 16:43:42 UTC+0000
0xfffffa80066dbb30 taskhost.exe 1312 464 10 155 1 0 2023-05-06 16:43:43 UTC+0000
0xfffffa8006742b30 dwm.exe 1448 896 6 103 1 0 2023-05-06 16:43:43 UTC+0000
0xfffffa8006783060 explorer.exe 1532 1416 40 1002 1 0 2023-05-06 16:43:43 UTC+0000
0xfffffa800676d490 VBoxTray.exe 2044 1532 15 149 1 0 2023-05-06 16:43:44 UTC+0000
0xfffffa80066e3060 SearchIndexer. 300 464 14 644 0 0 2023-05-06 16:43:51 UTC+0000
0xfffffa8006305b30 SearchProtocol 1756 300 9 382 0 0 2023-05-06 16:43:51 UTC+0000
0xfffffa8006907b30 SearchFilterHo 1580 300 7 143 0 0 2023-05-06 16:43:51 UTC+0000
0xfffffa80062f5300 iexplore.exe 2668 1532 22 477 1 1 2023-05-06 16:44:41 UTC+0000
0xfffffa80038a2b30 iexplore.exe 2752 2668 21 434 1 1 2023-05-06 16:44:41 UTC+0000
0xfffffa8006434b30 iexplore.exe 2892 2668 20 388 1 1 2023-05-06 16:44:47 UTC+0000
0xfffffa8003967b30 scvhost.exe 1924 1532 5 55 1 0 2023-05-06 16:44:54 UTC+0000
0xfffffa800393db30 conhost.exe 2292 412 3 51 1 0 2023-05-06 16:44:54 UTC+0000
0xfffffa800398f660 notepad.exe 2320 1924 2 57 1 0 2023-05-06 16:44:54 UTC+0000
0xfffffa800699e750 RamCapture64.e 596 1532 3 77 1 0 2023-05-06 16:45:18 UTC+0000
0xfffffa8003985060 conhost.exe 1900 412 2 51 1 0 2023-05-06 16:45:18 UTC+0000
0xfffffa800664f1b0 svchost.exe 2168 464 5 0 ------ 0 2023-05-06 16:45:49 UTC+0000
so here if, we don’t find any process suspicious if we don’t notice so closely, but still we have notepad running.
let’s see what spawned the process notepad.exe of pid 2320 using pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa80047ca060:wininit.exe 404 332 4 84 2023-05-06 16:43:39 UTC+0000
. 0xfffffa800644d5b0:lsm.exe 524 404 10 147 2023-05-06 16:43:40 UTC+0000
. 0xfffffa800498f260:lsass.exe 516 404 11 581 2023-05-06 16:43:40 UTC+0000
. 0xfffffa800643a740:services.exe 464 404 14 196 2023-05-06 16:43:39 UTC+0000
.. 0xfffffa800654a7c0:svchost.exe 896 464 21 476 2023-05-06 16:43:41 UTC+0000
... 0xfffffa8006742b30:dwm.exe 1448 896 6 103 2023-05-06 16:43:43 UTC+0000
.. 0xfffffa8006552940:svchost.exe 924 464 33 875 2023-05-06 16:43:41 UTC+0000
.. 0xfffffa80066dbb30:taskhost.exe 1312 464 10 155 2023-05-06 16:43:43 UTC+0000
.. 0xfffffa800656ab30:svchost.exe 1180 464 21 332 2023-05-06 16:43:42 UTC+0000
.. 0xfffffa80066e3060:SearchIndexer. 300 464 14 644 2023-05-06 16:43:51 UTC+0000
... 0xfffffa8006907b30:SearchFilterHo 1580 300 7 143 2023-05-06 16:43:51 UTC+0000
... 0xfffffa8006305b30:SearchProtocol 1756 300 9 382 2023-05-06 16:43:51 UTC+0000
.. 0xfffffa80064d2b30:VBoxService.ex 692 464 13 123 2023-05-06 16:43:40 UTC+0000
.. 0xfffffa800632a660:svchost.exe 628 464 13 372 2023-05-06 16:43:40 UTC+0000
.. 0xfffffa8004871060:svchost.exe 296 464 13 290 2023-05-06 16:43:41 UTC+0000
.. 0xfffffa800651ab30:svchost.exe 840 464 20 392 2023-05-06 16:43:41 UTC+0000
... 0xfffffa8006575b30:audiodg.exe 1000 840 8 136 2023-05-06 16:43:41 UTC+0000
.. 0xfffffa800664f1b0:svchost.exe 2168 464 5 0 2023-05-06 16:45:49 UTC+0000
.. 0xfffffa80065cfb30:svchost.exe 348 464 18 387 2023-05-06 16:43:41 UTC+0000
.. 0xfffffa8006651a30:spoolsv.exe 1140 464 15 315 2023-05-06 16:43:42 UTC+0000
.. 0xfffffa800644bb30:svchost.exe 760 464 8 255 2023-05-06 16:43:41 UTC+0000
0xfffffa80062e8a20:csrss.exe 352 332 10 353 2023-05-06 16:43:38 UTC+0000
0xfffffa80036e2040:System 4 0 98 469 2023-05-06 16:43:35 UTC+0000
. 0xfffffa8004961300:smss.exe 272 4 2 34 2023-05-06 16:43:35 UTC+0000
0xfffffa80047c8360:csrss.exe 412 396 10 290 2023-05-06 16:43:39 UTC+0000
. 0xfffffa8003985060:conhost.exe 1900 412 2 51 2023-05-06 16:45:18 UTC+0000
. 0xfffffa800393db30:conhost.exe 2292 412 3 51 2023-05-06 16:44:54 UTC+0000
0xfffffa8006444060:winlogon.exe 488 396 6 121 2023-05-06 16:43:39 UTC+0000
0xfffffa8006783060:explorer.exe 1532 1416 40 1002 2023-05-06 16:43:43 UTC+0000
. 0xfffffa8003967b30:scvhost.exe 1924 1532 5 55 2023-05-06 16:44:54 UTC+0000
.. 0xfffffa800398f660:notepad.exe 2320 1924 2 57 2023-05-06 16:44:54 UTC+0000
. 0xfffffa800699e750:RamCapture64.e 596 1532 3 77 2023-05-06 16:45:18 UTC+0000
. 0xfffffa800676d490:VBoxTray.exe 2044 1532 15 149 2023-05-06 16:43:44 UTC+0000
. 0xfffffa80062f5300:iexplore.exe 2668 1532 22 477 2023-05-06 16:44:41 UTC+0000
.. 0xfffffa80038a2b30:iexplore.exe 2752 2668 21 434 2023-05-06 16:44:41 UTC+0000
.. 0xfffffa8006434b30:iexplore.exe 2892 2668 20 388 2023-05-06 16:44:47 UTC+0000
so here we can see that the process scvhost.exe of pid 1924 spawned the process notepad.exe of pid 2320.
where we notice it is not the usual svchost.exe but scvhost.exe which is a bit suspicious.
so we look into its commadline.
vol.py -f Damian.mem --profile Win7SP1x64 cmdline -p 1924
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
scvhost.exe pid: 1924
Command line : "C:\Users\EdwardNygma7\Downloads\windows-patch-update\scvhost.exe"
so as suspected we can see that the process is running from a suspicious location.
now let’s look if there are any more suspiction before getting into the process.
vol.py -f Damian.mem --profile Win7SP1x64 malfind
[snip]
Process: explorer.exe Pid: 1532 Address: 0x4180000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x0000000004180000 41 ba 80 00 00 00 48 b8 38 a1 ee fd fe 07 00 00 A.....H.8.......
0x0000000004180010 48 ff 20 90 41 ba 81 00 00 00 48 b8 38 a1 ee fd H...A.....H.8...
0x0000000004180020 fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8 ....H...A.....H.
0x0000000004180030 38 a1 ee fd fe 07 00 00 48 ff 20 90 41 ba 83 00 8.......H...A...
0x0000000004180000 41 INC ECX
0x0000000004180001 ba80000000 MOV EDX, 0x80
0x0000000004180006 48 DEC EAX
0x0000000004180007 b838a1eefd MOV EAX, 0xfdeea138
0x000000000418000c fe07 INC BYTE [EDI]
0x000000000418000e 0000 ADD [EAX], AL
0x0000000004180010 48 DEC EAX
0x0000000004180011 ff20 JMP DWORD [EAX]
0x0000000004180013 90 NOP
0x0000000004180014 41 INC ECX
0x0000000004180015 ba81000000 MOV EDX, 0x81
0x000000000418001a 48 DEC EAX
0x000000000418001b b838a1eefd MOV EAX, 0xfdeea138
0x0000000004180020 fe07 INC BYTE [EDI]
0x0000000004180022 0000 ADD [EAX], AL
0x0000000004180024 48 DEC EAX
0x0000000004180025 ff20 JMP DWORD [EAX]
0x0000000004180027 90 NOP
0x0000000004180028 41 INC ECX
0x0000000004180029 ba82000000 MOV EDX, 0x82
0x000000000418002e 48 DEC EAX
0x000000000418002f b838a1eefd MOV EAX, 0xfdeea138
0x0000000004180034 fe07 INC BYTE [EDI]
0x0000000004180036 0000 ADD [EAX], AL
0x0000000004180038 48 DEC EAX
0x0000000004180039 ff20 JMP DWORD [EAX]
0x000000000418003b 90 NOP
0x000000000418003c 41 INC ECX
0x000000000418003d ba DB 0xba
0x000000000418003e 83 DB 0x83
0x000000000418003f 00 DB 0x0
[snip]
this is the only thing that looked suspicious as it spawned our malicious process.
this looks self modifying as well there seems to be a control flow change as well, but after few analysis there doesn’t seem to be any malciious activity.
let’s get into analysis of the process scvhost.exe’s binary
we can see that the binary is packed with UPX packer.
so let’s unpack it
Looking at the strings of the binary gives us some suspicious output, like
so we will better start analysing it statically with ida.
This initial bit seems straightforward, it’s checking the privilege with which the current process was launched. If it was launched as admin, then it proceeds, else it executes runas svchost.exe, which is standard to elevate privileges.
here we can see that PEB is being meddled with unlinking the current process from the list using SeDebugPrivilege just like how prolaco malware does. in simpole words we can see that this is taking off the link to the current process from the previous node in the process list, and is making it point to the next process in the list. (processes in Windows are stored in the form of a linked list. So a process can be “hidden” by simply unlinking the “next” pointer from the previous process in the list and making it point to the one after the process we wish to hide).
So this function is simply to unlink the process from the process list.
Next, inside both blocks of the if-else condition, lies this function
This function is simply to hide the process from the task-manager list
Next, we have this function
What this function does is, it sets the “priority-class” of the current process to “low”, effectively rendering it as ignored by the system unless and until it has no other jobs to perform. Coincidentally, this also does a good job at hiding the current task.
These if else condition blocks are based on the response given by the user after the UAC (User Access Control) prompt is generated after runas svchost.exe is executed.
Next up we have a plethora of anti-debug checks, which can be easily found by just visiting the function calls from here
so we have to either patch it or bypass it if we have to debug it.
The next function simply creates a Notepad.exe process
Now let us analyse this block
K32EnumProcess is a Windows API to enumerate through all running processes on the system, and it retrieves an iterable with the PIDs of each such process.
Keeping this knowledge in mind, we can make a good hunch saying that this is enumerating through the PID list of current running processes to try and find the PID of the Notepad.exe process that was just created prior. This is backed by the fact that it is iterating from 0 to the highest PID there is, and storing those in a variable and making a comparison against Notepad.exe. Hence, moving on.
Next, it gets the handle to the environment variable AZRAEL
After that, it XOR encrypts the content that the environment variable points to with the key 0x33, and stores that in an array.
let’s get the value of the environment variable AZRAEL
vol.py -f Damian.mem --profile Win7SP1x64 envars | grep -i AZRAEL
Volatility Foundation Volatility Framework 2.6.1
1312 taskhost.exe 0x00000000002a1320 azrael batmanknightfall
1448 dwm.exe 0x00000000002c1320 azrael batmanknightfall
1532 explorer.exe 0x0000000002860a60 azrael batmanknightfall
2044 VBoxTray.exe 0x0000000000391320 azrael batmanknightfall
2668 iexplore.exe 0x0000000000131320 azrael batmanknightfall
2752 iexplore.exe 0x0000000000081320 azrael batmanknightfall
2892 iexplore.exe 0x0000000000541320 azrael batmanknightfall
1924 scvhost.exe 0x0000000000321320 azrael batmanknightfall
2320 notepad.exe 0x00000000001b1320 azrael batmanknightfall
596 RamCapture64.e 0x0000000000211320 azrael batmanknightfall
now let’s xor the key with 0x33 and we get:
QRG^R]X]ZT[GUR__
After this, it opens a file in “read bytes” mode, called confidential.bin, and writes it in “write bytes” mode to another file called windowsupdate.bin.
trying to dump as well as retreive both the files end in a failure as well mft has no data as well which might be because of aes encryption charset issue eventhough the file is not more than 1024 bytes long.
MFT entry found at offset 0x8c2d6400
Attribute: In Use & File
Record Number: 1445
Link count: 2
$STANDARD_INFORMATION
Creation Modified MFT Altered Access Date Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2023-04-20 13:21:59 UTC+0000 2023-05-06 16:44:54 UTC+0000 2023-05-06 16:44:54 UTC+0000 2023-04-20 13:21:59 UTC+0000 Archive
$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2023-04-20 13:21:59 UTC+0000 2023-04-20 13:21:59 UTC+0000 2023-04-20 13:21:59 UTC+0000 2023-04-20 13:21:59 UTC+0000 Windows\WINDOW~1.BIN
$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2023-04-20 13:21:59 UTC+0000 2023-04-20 13:21:59 UTC+0000 2023-04-20 13:21:59 UTC+0000 2023-04-20 13:21:59 UTC+0000 Windows\windowsupdate.bin
$DATA
***************************************************************************
***********************************************************************
Next up, it takes the encrypted environment variable that we have, then performs an AES decryption using that as the key. We know that it is AES-ECB by looking at standard AES operations being performed in the binary, such as sub_bytes and substitution.
Also another dead giveaway is that it is being performed upon multiples of 16 bytes each
This AES decrypted data is then taken and put through another encryption scheme, namely
This seems like a pretty simple encryption, since we already have all the runtime values of the keys and values being used here (key depends on the value that we set the AZRAEL environment variable to)
A decryption algorithm for the above encryption would look as follows:
int a=1;
for (int i = 0; i < size; i++)
{
plaintext[i] = plaintext[i] ^ env_var[i % encsize];
plaintext[i] = plaintext[i] - ((i + a) % 10);
plaintext[i] = plaintext[i] ^ env_var[i % encsize];
plaintext[i] = plaintext[i] - ((i + a) % 10);
a++;
}
This next block we can see
VirtualAllocEx, WriteProcessMemory, GetModuleHandleA(“Kernel32”) are all very very common indicators of a DLL injection being undergone, and in our case, the DLL being injected is Msvrct.dll.
After injecting the dll, the malware seems to be going on a spree of deleting a bunch of windows registry keys clearing forensic evidences, trying to cover up all evidences of its actions. It even deletes confidential.bin, and then deletes any evidences of itself having deleted it.
This is trying to delete a subkey named Notepad.exe under the key opened right before this. The registry keys for this handle are deleted both under the 64-bit and 32-bit mode - as some applications might have separate entries open for both architecture modes.
Furthermore, specific files from the Windows file system are targeted and removed based on their relation to user activity logs (in this case our malware), history, or cache files.
as well we can see that the encrypted strings not unallocated or flushed.
so we have two ways to get the flag here.
vol.py -f Damian.mem --profile Win7SP1x64 vaddump -p 1924 -D vads/
Volatility Foundation Volatility Framework 2.6.1
Pid Process Start End Result
---------- -------------------- ------------------ ------------------ ------
1924 scvhost.exe 0x000000007ffe0000 0x000000007ffeffff vads/scvhost.exe.11ff67b30.0x000000007ffe0000-0x000000007ffeffff.dmp
1924 scvhost.exe 0x0000000000110000 0x000000000030ffff vads/scvhost.exe.11ff67b30.0x0000000000110000-0x000000000030ffff.dmp
1924 scvhost.exe 0x0000000000040000 0x0000000000040fff vads/scvhost.exe.11ff67b30.0x0000000000040000-0x0000000000040fff.dmp
1924 scvhost.exe 0x0000000000020000 0x000000000002ffff vads/scvhost.exe.11ff67b30.0x0000000000020000-0x000000000002ffff.dmp
1924 scvhost.exe 0x0000000000010000 0x000000000001ffff vads/scvhost.exe.11ff67b30.0x0000000000010000-0x000000000001ffff.dmp
1924 scvhost.exe 0x0000000000030000 0x0000000000033fff vads/scvhost.exe.11ff67b30.0x0000000000030000-0x0000000000033fff.dmp
1924 scvhost.exe 0x0000000000060000 0x00000000000c6fff vads/scvhost.exe.11ff67b30.0x0000000000060000-0x00000000000c6fff.dmp
1924 scvhost.exe 0x0000000000050000 0x0000000000050fff vads/scvhost.exe.11ff67b30.0x0000000000050000-0x0000000000050fff.dmp
1924 scvhost.exe 0x00000000000e0000 0x00000000000e0fff vads/scvhost.exe.11ff67b30.0x00000000000e0000-0x00000000000e0fff.dmp
1924 scvhost.exe 0x00000000000d0000 0x00000000000d0fff vads/scvhost.exe.11ff67b30.0x00000000000d0000-0x00000000000d0fff.dmp
1924 scvhost.exe 0x0000000077020000 0x0000000077119fff vads/scvhost.exe.11ff67b30.0x0000000077020000-0x0000000077119fff.dmp
1924 scvhost.exe 0x00000000004a0000 0x000000000059ffff vads/scvhost.exe.11ff67b30.0x00000000004a0000-0x000000000059ffff.dmp
1924 scvhost.exe 0x0000000000490000 0x000000000049ffff vads/scvhost.exe.11ff67b30.0x0000000000490000-0x000000000049ffff.dmp
1924 scvhost.exe 0x0000000000320000 0x000000000041ffff vads/scvhost.exe.11ff67b30.0x0000000000320000-0x000000000041ffff.dmp
1924 scvhost.exe 0x0000000001d20000 0x0000000001f1ffff vads/scvhost.exe.11ff67b30.0x0000000001d20000-0x0000000001f1ffff.dmp
1924 scvhost.exe 0x0000000000730000 0x00000000008b0fff vads/scvhost.exe.11ff67b30.0x0000000000730000-0x00000000008b0fff.dmp
1924 scvhost.exe 0x00000000005a0000 0x0000000000727fff vads/scvhost.exe.11ff67b30.0x00000000005a0000-0x0000000000727fff.dmp
1924 scvhost.exe 0x00000000008c0000 0x0000000001cbffff vads/scvhost.exe.11ff67b30.0x00000000008c0000-0x0000000001cbffff.dmp
1924 scvhost.exe 0x0000000002470000 0x000000000266ffff vads/scvhost.exe.11ff67b30.0x0000000002470000-0x000000000266ffff.dmp
1924 scvhost.exe 0x00000000020b0000 0x00000000022affff vads/scvhost.exe.11ff67b30.0x00000000020b0000-0x00000000022affff.dmp
1924 scvhost.exe 0x00000000026b0000 0x00000000028affff vads/scvhost.exe.11ff67b30.0x00000000026b0000-0x00000000028affff.dmp
1924 scvhost.exe 0x0000000077240000 0x00000000773e8fff vads/scvhost.exe.11ff67b30.0x0000000077240000-0x00000000773e8fff.dmp
1924 scvhost.exe 0x0000000077120000 0x000000007723efff vads/scvhost.exe.11ff67b30.0x0000000077120000-0x000000007723efff.dmp
1924 scvhost.exe 0x000000007f0e0000 0x000000007ffdffff vads/scvhost.exe.11ff67b30.0x000000007f0e0000-0x000000007ffdffff.dmp
1924 scvhost.exe 0x000000007efe0000 0x000000007f0dffff vads/scvhost.exe.11ff67b30.0x000000007efe0000-0x000000007f0dffff.dmp
1924 scvhost.exe 0x000007fefefe0000 0x000007feff0bafff vads/scvhost.exe.11ff67b30.0x000007fefefe0000-0x000007feff0bafff.dmp
1924 scvhost.exe 0x000007fefd570000 0x000007fefd58efff vads/scvhost.exe.11ff67b30.0x000007fefd570000-0x000007fefd58efff.dmp
1924 scvhost.exe 0x000007fefd020000 0x000007fefd076fff vads/scvhost.exe.11ff67b30.0x000007fefd020000-0x000007fefd076fff.dmp
1924 scvhost.exe 0x000000013f130000 0x000000013f22afff vads/scvhost.exe.11ff67b30.0x000000013f130000-0x000000013f22afff.dmp
1924 scvhost.exe 0x000007fefd4f0000 0x000007fefd55afff vads/scvhost.exe.11ff67b30.0x000007fefd4f0000-0x000007fefd55afff.dmp
1924 scvhost.exe 0x000007fefd0c0000 0x000007fefd0cefff vads/scvhost.exe.11ff67b30.0x000007fefd0c0000-0x000007fefd0cefff.dmp
1924 scvhost.exe 0x000007fefd560000 0x000007fefd56dfff vads/scvhost.exe.11ff67b30.0x000007fefd560000-0x000007fefd56dfff.dmp
1924 scvhost.exe 0x000007fefe0c0000 0x000007fefe1ecfff vads/scvhost.exe.11ff67b30.0x000007fefe0c0000-0x000007fefe1ecfff.dmp
1924 scvhost.exe 0x000007fefd590000 0x000007fefd5f6fff vads/scvhost.exe.11ff67b30.0x000007fefd590000-0x000007fefd5f6fff.dmp
1924 scvhost.exe 0x000007fefdfa0000 0x000007fefe068fff vads/scvhost.exe.11ff67b30.0x000007fefdfa0000-0x000007fefe068fff.dmp
1924 scvhost.exe 0x000007fefe250000 0x000007fefefd7fff vads/scvhost.exe.11ff67b30.0x000007fefe250000-0x000007fefefd7fff.dmp
1924 scvhost.exe 0x000007fffffb0000 0x000007fffffd2fff vads/scvhost.exe.11ff67b30.0x000007fffffb0000-0x000007fffffd2fff.dmp
1924 scvhost.exe 0x000007feff430000 0x000007feff4a0fff vads/scvhost.exe.11ff67b30.0x000007feff430000-0x000007feff4a0fff.dmp
1924 scvhost.exe 0x000007feff280000 0x000007feff31efff vads/scvhost.exe.11ff67b30.0x000007feff280000-0x000007feff31efff.dmp
1924 scvhost.exe 0x000007feff250000 0x000007feff27dfff vads/scvhost.exe.11ff67b30.0x000007feff250000-0x000007feff27dfff.dmp
1924 scvhost.exe 0x000007feff320000 0x000007feff428fff vads/scvhost.exe.11ff67b30.0x000007feff320000-0x000007feff428fff.dmp
1924 scvhost.exe 0x000007feff560000 0x000007feff560fff vads/scvhost.exe.11ff67b30.0x000007feff560000-0x000007feff560fff.dmp
1924 scvhost.exe 0x000007fffffd9000 0x000007fffffdafff vads/scvhost.exe.11ff67b30.0x000007fffffd9000-0x000007fffffdafff.dmp
1924 scvhost.exe 0x000007fffffd7000 0x000007fffffd8fff vads/scvhost.exe.11ff67b30.0x000007fffffd7000-0x000007fffffd8fff.dmp
1924 scvhost.exe 0x000007fffffd5000 0x000007fffffd6fff vads/scvhost.exe.11ff67b30.0x000007fffffd5000-0x000007fffffd6fff.dmp
1924 scvhost.exe 0x000007fffffdd000 0x000007fffffdefff vads/scvhost.exe.11ff67b30.0x000007fffffdd000-0x000007fffffdefff.dmp
1924 scvhost.exe 0x000007fffffdb000 0x000007fffffdcfff vads/scvhost.exe.11ff67b30.0x000007fffffdb000-0x000007fffffdcfff.dmp
1924 scvhost.exe 0x000007fffffdf000 0x000007fffffdffff vads/scvhost.exe.11ff67b30.0x000007fffffdf000-0x000007fffffdffff.dmp
`q2sWRN-ne~5a:v"L}7 uc4tVaT@7Xo#wg2w5w0w!q4LfirLz5{3D1Vaxj2Jc0EaKtF5faD15
by either of the method, we get the encrypted string
`q2sWRN-ne~5a:v"L}7 uc4tVaT@7Xo#wg2w5w0w!q4LfirLz5{3D1Vaxj2Jc0EaKtF5faD15
so writing a reverse script for it
ada=1;
for (int i = 0; i < size; i++)
{
plaintext[i]=plaintext[i]^env_var[i%encsize];
plaintext[i] = plaintext[i] - ((i+ada)%10);
plaintext[i]=plaintext[i]^env_var[i%encsize];
plaintext[i] = plaintext[i] - ((i+ada)%10);
ada++;
}
we get the flag
bi0sCTF{M4lw4r3_4n4ly51s_4nd_DF1R_1s_4w3s0m3_4nd_4ppr3c14t3d_th4t_y0u_s0lv3d_<33}
Thank you to everyone who tried the challenge and congratulations to the 3 teams who solved it: idek, kalmarunionen and C4T BuT S4D. We thank you for playing the CTF and would love to hear some feedback about the challenge. If you have any queries regarding the challenge, feel free to hit me up over twitter/discord.
