ZaiRoN
September 1st, 2006, 08:01
Well done upb!
Quote:
"On kolmenlaisia ihmisiä, niitä jotka ovat matemaattisesti lahjakkaita ja niitä, jotka eivät ole."
Yes, it should be the right message but I still have some doubts about it, mainly because the message is a simple phrase, nothing special. The English translation is: "There are three kinds of people, those who are mathematically gifted, and those who are not." I was expecting something else... maybe I'm not mathematically gifted :-D
I have looked at the picture inside your archive but it's not the right one; I mean, when you open the picture it doesn't show the mail address, did you change it? Maybe you submitted the original file and not the modified version. To make it show the address you have to change the image a little.
Quote:
The third layer (the dynamically loaded process) is PEX by Bart I believe,
I don't like unpacking really (and I'm far from being an expert) but in my notes I read it's a modified version of it. So, I agree with you upb; for the others, you can trust me or you can directly take a look at Pex source code which is available online ;-)
Quote:
I wrote a small program to attach to the child process and dump out its memory because OllyDbg refused to attach to it.
I used SoftICE with the IceExt 'protect on' feature so I didn't have any problem stepping through the code. I didn't investigate too much into it but I believe there's at least one anti-debugging method implemented in the challenge.
The main problem of the challenge is -imho- to find an easy way to trace the files involved in the challenge. Some time ago, talking with Kayaker about a possible "mini project" with t205, he suggested some tasks for newbies (and not :-p):
1. Identify the processes and threads used by the challenge, as well as noting their starting addresses.
What tools or techniques can be used to accomplish this important first step?
2. Determine the general course of program flow by identifying the APIs involved, and their purpose, at crucial points in the challenge. What suitable API breakpoints can be used to "break into" real program code and avoid having to trace extensive amounts of SMC or packer code?
3. What "anti-analysis" tricks are being used? Antitrace, antidump, SEH? How do you bypass or trace through them?
Are packers used here and does dumping serve any purpose?
4. Can portions of the challenge be extracted as isolated elements suitable for analysis in IDA?
Could any IDA scripts be used to decrypt certain portions of the code to "expose" the hidden message and/or email address?
For the moment 4 questions are enough, we can add something else later.
If you have some problems with this challenge I suggest you give it a try by answering the 4 questions above, I'm pretty sure you'll learn something new. So... good luck!