HI (200 pts)

Question:

The program is registered for the following system specification:

  • Processor type: Intel Itanium-based
  • Number of processors: 64
  • Physical RAM: 128GB
  • OS version: 12.2 Build 1200

Run and capture the flag!

Write-Up:

Analyze the file with PEiD to detect the packer!


The file is packed with VMProtect! Can anybody reverse it!?

According to the question, the program is registered for the following system specification:

Let's see how we can get hardware information in Windows.

The app uses these functions to get the system information. We have to make them return the values listed in the question, so we have to hook them. How can we hook them? You cannot hook them in user space, because these APIs and the libraries around them are obfuscated by the protector. Instead, you can write a simple custom kernel hook, or use EasyHook to change the return values of these functions, as below:


dwNumberOfProcessors = 64.
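As an added example (not the write-up's own code), here is how the change above could be made with EasyHook's managed API, assuming the program reads the processor count through kernel32's GetSystemInfo (the SYSTEM_INFO.dwNumberOfProcessors field named above). The launcher that injects this library with RemoteHooking.Inject is omitted.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

// SYSTEM_INFO as laid out in sysinfoapi.h (the leading union is flattened here).
[StructLayout(LayoutKind.Sequential)]
public struct SYSTEM_INFO
{
    public ushort wProcessorArchitecture;
    public ushort wReserved;
    public uint dwPageSize;
    public IntPtr lpMinimumApplicationAddress;
    public IntPtr lpMaximumApplicationAddress;
    public UIntPtr dwActiveProcessorMask;
    public uint dwNumberOfProcessors;
    public uint dwProcessorType;
    public uint dwAllocationGranularity;
    public ushort wProcessorLevel;
    public ushort wProcessorRevision;
}

// Entry point that EasyHook runs inside the target after RemoteHooking.Inject.
public class Main : IEntryPoint
{
    [DllImport("kernel32.dll")]
    static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo);
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate void GetSystemInfoDelegate(out SYSTEM_INFO lpSystemInfo);
    LocalHook hook;

    public Main(RemoteHooking.IContext ctx, string channelName) { }

    public void Run(RemoteHooking.IContext ctx, string channelName)
    {
        hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "GetSystemInfo"),
            new GetSystemInfoDelegate(GetSystemInfo_Hook), this);
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });  // intercept every thread
        RemoteHooking.WakeUpProcess();                     // let the suspended target run
        while (true) Thread.Sleep(500);                    // keep the hook alive
    }

    // Runs instead of GetSystemInfo; EasyHook routes the inner call to the original.
    static void GetSystemInfo_Hook(out SYSTEM_INFO info)
    {
        GetSystemInfo(out info);
        info.wProcessorArchitecture = 6;   // PROCESSOR_ARCHITECTURE_IA64
        info.dwNumberOfProcessors = 64;    // value the challenge expects
    }
}
```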

Now run the app, hook the functions at run time, and capture the flag. The flag is ef71d59e50c5fc4cd7604db75da16de8.