EB CTF 2013 Writeup
By Darkfloyd, VXRL (Valkyrie-X Security Research Group)
Updated: August 2013
When we execute the binary in the debugger and step over and into the call eax at 0x40124B,
a key-looking string (Sup3RSeCr3tStuFf) shows up in memory:
Figure 1: A key in memory?!
However, this is not the key EBCTF wants; the program's response to it is a further hint about where the comment (and with it the real secret) is hidden:
[*] Yes, that is correct! However that was not the goal of this
Did you know that compiled code does not contain any comments?
The tutorials on reversing PERL2EXE (http://forum.tuts4you.com/topic/31340-decompile-perl2exe/ and http://fileoffset.com/re/tutorials/perl2exe.htm) explain that the packer can extract files other than the DLL to a temporary directory. Running the binary in P2X debug mode lists the files it carries, which suggests that the key is stored in _main.pl:
C:\Documents and Settings\Administrator\Desktop>ebCTF_BIN200.exe
P2X: Debug mode enabled - V090508
P2X: Expanded module filename = C:\Documents and
GetTempDir: returning C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/p2xtmp-
ISEXT_Init: filename = p2x_stub.lib
ISEXT_Init: filename = p2x_header.pm
ISEXT_Init: filename = p2x_pre_exec_message
ISEXT_Init: filename = p2x_trial_message
ISEXT_Init: filename = p2x_exec_command
ISEXT_Init: filename = p2x_info.pm
ISEXT_Init: filename = _main.pl
ISEXT_Init: filename = P2XDLL/p2x5123.dll
P2X: ISEXT_Init done
P2X: OpenScript: C:\Documents and
e FOUND IN PERL2EXE_STORAGE
[*] ebCTF BIN 200
[*] What is the secret?
From the binary we worked out the loop that writes the stored files to the temporary directory; as shipped it writes out the DLL only. To make it write the other files as well, every JNZ (jump if not zero) that skips the write has to be patched into an unconditional jump (JMP), and a breakpoint has to be set just after the loop so the temporary directory can be inspected once extraction is complete.
The loop is shown below:
Figures 2a-d: Main loop to export the files, it will loop and jump back to 280AC4F9
The breakpoints we set are:
Figure 3: Breakpoints
Afterwards, we patch each JNZ into a JMP at the following addresses:
Figures 4a-b: Patched the JNZ into JMP (unconditional jump)
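The JNZ-to-JMP patch above is done by hand in the debugger. The same edit as a script, added here as an example and not code from the writeup: it handles both x86 encodings of JNZ (the 2-byte 75 rel8 and the 6-byte 0F 85 rel32), keeps the jump target unchanged, and maps virtual addresses to offsets in a module dumped from memory. The sample bytes, module base and addresses below are constructed; the real patch sites are the ones in Figures 4a-b.

```python
"""Patch x86 JNZ instructions into unconditional JMPs in a code buffer.

Added example for this writeup, not code from the original. The sample
module, base address and patch addresses are constructed, not taken from
p2x5123.dll.
"""

JNZ_SHORT = 0x75   # JNZ rel8  (2 bytes)
JMP_SHORT = 0xEB   # JMP rel8  (2 bytes)
JNZ_NEAR2 = 0x85   # 0F 85 rel32 = JNZ rel32 (6 bytes)
JMP_NEAR = 0xE9    # JMP rel32 (5 bytes)
NOP = 0x90


def jump_target(code: bytes, offset: int) -> int:
    """Decode a JNZ/JMP at `offset` and return its absolute target offset.

    A leading NOP is skipped so that a patched `90 E9 rel32` decodes to the
    same target as the `0F 85 rel32` it replaced.
    """
    op = code[offset]
    if op == NOP:
        return jump_target(code, offset + 1)
    if op in (JNZ_SHORT, JMP_SHORT):
        rel = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
        return offset + 2 + rel
    if op == JMP_NEAR:
        rel = int.from_bytes(code[offset + 1:offset + 5], "little", signed=True)
        return offset + 5 + rel
    if op == 0x0F and code[offset + 1] == JNZ_NEAR2:
        rel = int.from_bytes(code[offset + 2:offset + 6], "little", signed=True)
        return offset + 6 + rel
    raise ValueError(f"no JNZ/JMP at offset {offset:#x}")


def patch_jnz_to_jmp(code: bytearray, offset: int) -> bytearray:
    """Turn the JNZ at `offset` into a JMP with the same target, in place.

    Short form: 75 rel8 -> EB rel8 (same length, rel8 unchanged).
    Near form:  0F 85 rel32 -> 90 E9 rel32. E9 is one byte shorter than
    0F 85, so a NOP pads the front; the instruction still ends at the same
    place, so rel32 is unchanged and the target is preserved.
    """
    before = jump_target(code, offset)
    op = code[offset]
    if op == JNZ_SHORT:
        code[offset] = JMP_SHORT
    elif op == 0x0F and code[offset + 1] == JNZ_NEAR2:
        code[offset] = NOP
        code[offset + 1] = JMP_NEAR
    else:
        raise ValueError(f"byte {op:#04x} at {offset:#x} is not a JNZ")
    if jump_target(code, offset) != before:
        raise RuntimeError("patch changed the jump target")
    return code


def patch_module(image: bytearray, base: int, addresses) -> list:
    """Patch the JNZs at virtual `addresses` in a module dumped from memory
    at `base`. For a memory dump the offset is simply va - base; a PE file on
    disk would need section-table mapping instead (not shown here).
    Returns (va, old_bytes_hex, new_bytes_hex) per patch.
    """
    done = []
    for va in addresses:
        off = va - base
        old = bytes(image[off:off + 6]).hex()
        patch_jnz_to_jmp(image, off)
        done.append((va, old, bytes(image[off:off + 6]).hex()))
    return done


# Constructed sample "module": a short JNZ, a near JNZ, a RET, then NOP padding.
SAMPLE_BASE = 0x280A0000
SAMPLE = bytearray(bytes.fromhex("7504" "0f8510000000" "c3") + b"\x90" * 32)

if __name__ == "__main__":
    img = bytearray(SAMPLE)
    for va, old, new in patch_module(img, SAMPLE_BASE, [SAMPLE_BASE, SAMPLE_BASE + 2]):
        print(f"{va:08X}: {old} -> {new}")
```

In the writeup the addresses are inside the loaded p2x5123.dll, so the base to subtract is the module's load address shown by the debugger; patching the DLL on disk instead would need the PE section table to translate each address to a file offset.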
Finally, we step over and run until the breakpoint just after the loop is hit:
280AC654 68 F4610C28 PUSH p2x5123.280C61F4 ; ASCII "P2X: ISEXT_Init done"
Looking at the temporary folder, _main.pl has now been extracted as well, and the key is right there in its source code. The key is found as shown in the figures:
Figures 5a-b: _main.pl and keys, Mission Complete :)