LinkedinGithubORCID

Challenge 4

Gotta Get That Fast UPX Delivery!

  • This challenge does the calculation of "2+2=4".

  • According to the triage summary, this binary was compiled using Visual Studio; which should make things a bit easier as MSVC compiled programs contain useful metadata.

  • While looking closely, the binary seems weird i.e data is spread across the binary in UPXn sections; where "n" is the section number. After googling it up, it seems that the binary is packed using UPX tool. It seems that UPX has an unpack command "-d".

  • Rerunning the binary again after unpacking it -

  • The output has changed to - "2 + 2 = 5". Let's take a deeper look into the binary. The start of the program calls "fun_403f23" and after execution of that function, jumps to "fun_403847".

  • It takes in a CLI argument and compares it against the System Time value. Let's try that -

  • Nothing happened. Also there's no explanation as to why the equation's value is different in the unpacked binary. Maybe this is because the packed stub is being modified during the unpacking process. So let's try this the packed binary again.

  • Well we got the flag

  • At location 0x40b60b , the value '4' is being saved to memory and there's a loop above it which runs 53 times and adds a character to a memory region each time. We need to examine this in x32dbg. Put a breakpoint at the loop instruction and the above memory location.

At the start of the loop
By the end of the loop

  • So, the file unpacked by the unpack stub of itself is different from the file unpacked using the UPX tool. This value is base64 encoded and compared with the input.

PreviousChallenge 3NextChallenge 5

Last updated