Challenge 5
Return To Sender
This challenge contains two files - a PCAP file and a PE. The PE on execution asks for an input text file which apparently contains a key. Judging by the PCAP file given, I think the key is somewhere inside it. So let's start with the PCAP file.


This PCAP has 2 types of protocols in it - HTTP POST and TCP PDUs. The POST packets look interesting. Add the HTTP filter and look at the packets.

Each of the packets has a 4 byte value. I think these values are part of the required key. So, adding them up gives
Welp... it's a start. At least it accepts the key data but is having trouble sending it. Let's hack into it.

Looking at the imports, the binary is indeed trying to connect to some web server using Wininet.dll. Maybe we can patch out the internet function or something.

Looking for the text "[!] Error sending key data." in the binary, we come to the function "sub_401100".

So, this function takes in "key.txt", opens it using the CreateFileA WinAPI and checks the value of the esi register to determine its flow of control. The read key is stored in a buffer and the file handle is closed. Next, the buffer is given to "sub_401250".

This function takes in the buffer and does a simple key encryption on it using flarebearstare as the key. The calculation appears to be -

Going further down in "sub_4012a0", we see this string being used.

This means that Base64 is being used to encode the key string. Now looking further, in the internet access function, HttpSendRequestA is being called with 4 as a parameter, which is the reason why the key was distributed as 4-byte chunks in the POST requests.

Based on this, we can write a Python script that decodes the key for us -
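The following is an added example, not the write-up's own script: it reverses the pipeline described above (per-byte key transform with flarebearstare, Base64, 4-byte POST chunks) on a constructed sample key. The exact per-byte calculation is elided on this page, so the example assumes the encryption adds the cycling key byte to each plaintext byte mod 256; if the formula you recovered from sub_401250 differs, change `encrypt` and `decode_key` accordingly.

```python
import base64

# Key string recovered from sub_401250 (from the write-up).
KEY = b"flarebearstare"


def encrypt(plaintext: bytes, key: bytes = KEY) -> bytes:
    """Assumed forward transform: add the cycling key byte to each plaintext
    byte (mod 256), then Base64-encode the result (sub_401250 + sub_4012a0)."""
    added = bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(plaintext))
    return base64.b64encode(added)


def split_into_posts(encoded: bytes, chunk: int = 4) -> list:
    """HttpSendRequestA is called with a length of 4, so the binary ships the
    encoded key 4 bytes per POST request; model that chunking here."""
    return [encoded[i:i + chunk] for i in range(0, len(encoded), chunk)]


def decode_key(post_bodies: list, key: bytes = KEY) -> bytes:
    """Reassemble the 4-byte POST bodies in capture order, Base64-decode the
    joined string, then undo the key addition byte by byte."""
    joined = b"".join(post_bodies)
    raw = base64.b64decode(joined)
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(raw))


# Constructed sample key (not the challenge's real key) run through the
# assumed forward transform to produce the kind of chunks seen in the PCAP.
SAMPLE_KEY = b"constructed_sample_key@example.com"
SAMPLE_POSTS = split_into_posts(encrypt(SAMPLE_KEY))


if __name__ == "__main__":
    # With a real capture, the POST bodies can be pulled in order with e.g.
    #   tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e http.file_data
    # and fed to decode_key() as a list of bytes objects.
    print("POST bodies:", SAMPLE_POSTS)
    print("Recovered key:", decode_key(SAMPLE_POSTS).decode())
```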
