Dumped! (100 pts)

Question:

In Windows Task Manager, I right clicked a process and selected "Create dump file."

I'll give you the dump, but in return, give me the flag!

RunMe.DMP.xz

Write-Up 1:

Good to Know: This challenge turned out to be a lot easier than we originally planned!

So, we first give our original write-up, and then present a second write-up that is much easier.

Decompress the dump, and open it in a hex editor (I used WinHex).

Find a phrase that you know exists in Windows EXE files (Example: This program cannot be run in DOS mode).

Inspect a few bytes above and below. You'll spot the file beginning (MZ), and also interesting strings like UPX, showing that the EXE file is compressed with UPX.

Scroll down a bit more until you see a chunk like:

0004ba60:  00 6D 73 76 63 72 74 2E - 64 6C 6C 00 00 00 4C 6F | msvcrt.dll   Lo|
0004ba70:  61 64 4C 69 62 72 61 72 - 79 41 00 00 47 65 74 50 |adLibraryA  GetP|
0004ba80:  72 6F 63 41 64 64 72 65 - 73 73 00 00 56 69 72 74 |rocAddress  Virt|
0004ba90:  75 61 6C 50 72 6F 74 65 - 63 74 00 00 56 69 72 74 |ualProtect  Virt|
0004baa0:  75 61 6C 41 6C 6C 6F 63 - 00 00 56 69 72 74 75 61 |ualAlloc  Virtua|
0004bab0:  6C 46 72 65 65 00 00 00 - 45 78 69 74 50 72 6F 63 |lFree   ExitProc|
0004bac0:  65 73 73 00 00 00 65 78 - 69 74 00 00 00 00 00 00 |ess   exit      |
0004bad0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |                |
0004bae0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |                |
0004baf0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |                |
...

You'll see a lot of 00 bytes there.

Copy from MZ till the end of 00 bytes, and paste it in a new file. Save it as Bad.exe.

You can't run Bad.exe, as we were not careful about its size and relocations. But you can still decompress it with UPX!

Download UPX, and run:

upx -d Bad.exe

Open Bad.exe in your hex editor, and search for SharifCTF.

There it is, at offset 3374:

SharifCTF{4d7328869acb371ede596d73ce0a9af8}

Write-Up 2:

Simply execute:

strings RunMe.DMP | grep SharifCTF

which results in something like:

SharifCTF
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000SharifCTF{4d7328869acb371ede596d73ce0a9af8}
SharifCTF{4d
SharifCTF{4d7328869acb371ede596d73ce0a9af8}
SharifCTF{4d
SharifCTF{4d7328869acb371ede596d73ce0a9af8}

And the flag is right before your eyes!
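Both write-ups can be automated. The script below is an added example, not part of the original write-up or of the challenge files: it does what the first write-up does by hand (find each "MZ", check that it is followed by a real PE header, carve the module, and tell from the section names whether it is UPX-packed) and what the second does with strings | grep (search the raw dump for a well-formed flag). Instead of guessing where the carved file ends by looking for runs of 00 bytes, it reads SizeOfImage from the optional header. It assumes the module is contiguous in the dump exactly as it was mapped; the input it runs on is a constructed miniature dump with a hand-built PE32 header, not the real RunMe.DMP.

```python
import re
import struct

# Flag format used by this CTF: SharifCTF{32 hex chars}
FLAG_RE = re.compile(rb"SharifCTF\{[0-9a-f]{32}\}")

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER_SIZE = 40


def parse_pe_header(data: bytes, mz_off: int):
    """Validate an 'MZ' hit at mz_off and return the fields a carver needs, or None."""
    if mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    # Real e_lfanew values are small; a huge one is almost always a false 'MZ' hit.
    if e_lfanew > 0x1000 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # optional header follows the COFF header
    if opt + 60 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]   # same offset in PE32 and PE32+
    sections, sec_tbl = [], opt + opt_size
    for i in range(nsec):
        s = sec_tbl + SECTION_HEADER_SIZE * i
        if s + SECTION_HEADER_SIZE > len(data):
            return None
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"offset": mz_off, "size_of_image": size_of_image, "sections": sections}


def find_pe_images(data: bytes):
    """Header info for every 'MZ' in data that is followed by a valid PE header."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_header(data, pos)
        if hdr is not None:
            found.append(hdr)
        pos = data.find(b"MZ", pos + 1)
    return found


def looks_upx_packed(hdr) -> bool:
    """UPX leaves its section names (UPX0, UPX1, ...) in the header unless told not to."""
    return any(s["name"].startswith("UPX") for s in hdr["sections"])


def carve_image(data: bytes, hdr) -> bytes:
    """Cut SizeOfImage bytes starting at the MZ header.

    The result is in memory layout (sections at their virtual addresses), so it is
    not a runnable on-disk PE, but strings and upx can still read it.
    """
    return data[hdr["offset"]:hdr["offset"] + hdr["size_of_image"]]


def find_flags(data: bytes):
    """Equivalent of `strings RunMe.DMP | grep SharifCTF`, restricted to complete flags."""
    return sorted(set(FLAG_RE.findall(data)))


# ---- constructed sample input (not the real RunMe.DMP) ------------------------
SAMPLE_PREFIX = b"\x00" * 21 + b"unrelated heap data from the dump\x00\x00"


def build_sample_dump() -> bytes:
    """Junk, a minimal UPX-style PE32 image whose unpacked region holds the flag, more junk."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew: PE signature at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(64, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 56, 0x3000)            # SizeOfImage (made-up value)
    secs = b""
    for name, vaddr, vsize, raw_ptr, raw_size in ((b"UPX0", 0x1000, 0x1000, 0x400, 0),
                                                  (b"UPX1", 0x2000, 0x1000, 0x400, 0x800)):
        secs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, raw_size,
                                                   raw_ptr, 0, 0, 0, 0, 0xE0000040)
    image = bytearray(bytes(dos) + stub + coff + bytes(opt) + secs)
    image += b"\0" * (0x3000 - len(image))
    flag = b"SharifCTF{4d7328869acb371ede596d73ce0a9af8}"
    image[0x1040:0x1040 + len(flag)] = flag            # inside UPX0, where unpacked data lands
    return SAMPLE_PREFIX + bytes(image) + b"\xcc" * 40 + b"SharifCTF{4d" + b"\0" * 8


if __name__ == "__main__":
    dump = build_sample_dump()                          # replace with open("RunMe.DMP","rb").read()
    for hdr in find_pe_images(dump):
        print(f"PE at 0x{hdr['offset']:x}, SizeOfImage 0x{hdr['size_of_image']:x}, "
              f"sections {[s['name'] for s in hdr['sections']]}, UPX: {looks_upx_packed(hdr)}")
        with open("Bad.exe", "wb") as f:
            f.write(carve_image(dump, hdr))
    print(find_flags(dump))
```

On the real dump, point the script at RunMe.DMP instead of the constructed sample; every module the process had mapped (including msvcrt.dll and the other DLLs whose import names appear in the hex dump above) will show up, and the UPX section names single out the challenge binary. Because the carved file is in memory layout, it needs its section PointerToRawData fields rewritten before it will run, which is exactly the size-and-relocation trouble the first write-up mentions.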

The file was packed so that the flag could not be spotted easily. But we were not careful: when a packed executable runs, its stub decompresses the original image into memory first, so a process dump contains the unpacked code and data, flag included!

To keep the flag from being spotted this way, we could have stored it in some encoded form (say, as a list of ASCII codes rather than a plain string) and only assembled the real text at the moment it is needed, so that it never sits in memory as a contiguous string.