# DuRaRaRa

Decompiling `Cracked_IDA_PRO_7_5_SP3_installer.exe`, we can see that it allocates executable memory, copies some data into it, and then creates a thread that starts at that buffer. The `VirtualAlloc` arguments `0x3000` and `0x40` are `MEM_COMMIT | MEM_RESERVE` and `PAGE_EXECUTE_READWRITE`, so the region is writable and executable at the same time. An RWX allocation followed by a copy and a thread start is the usual in-memory loader pattern and a useful detection signal.

```cpp=
local_14 = (LPTHREAD_START_ROUTINE)VirtualAlloc((LPVOID)0x0,DAT_0045d4b4,0x3000,0x40);
memcpy(local_14,&DAT_00403020,DAT_0045d4b4);
local_18 = CreateThread((LPSECURITY_ATTRIBUTES)0x0,0,local_14,(LPVOID)0x0,0,&local_1c);
```

We can see that the data it copies is a PE binary:

![](https://i.imgur.com/sHx7hzP.png)

So extract that binary and decompile it again. In `main`, the program opens the flag, computes an MD5 hash of every 5 characters, and XORs each digest with local data:

```cpp=
while (flag_len = _strlen(&flag), itr < flag_len) {
    _memcpy(&local_ad,&flag + itr,5);
    __Z7MD5InitP7MD5_CTX(local_108);
    flag_len = _strlen((char *)&local_ad);
    __Z9MD5UpdateP7MD5_CTXPhj(local_108,&local_ad,flag_len);
    __Z8MD5FinalP7MD5_CTXPh(local_108,(int)local_a7);
    local_1c = 0;
    while (local_1c < 0x10) {
        _fprintf(local_24,"%02x",(uint)(local_97[local_1c] ^ local_a7[local_1c]));
        local_1c = local_1c + 1;
    }
```

So convert `secret.txt` back to the MD5 digests by XORing it with the same 16-byte key:

```python=
xor_arr = []
xor_arr.append(0xa8)
xor_arr.append(0x81)
xor_arr.append(0x21)
xor_arr.append(0xe4)
xor_arr.append(0x6e)
xor_arr.append(0x48)
xor_arr.append(0x32)
xor_arr.append(0x2b)
xor_arr.append(0x13)
xor_arr.append(0x32)
xor_arr.append(0x8c)
xor_arr.append(0xeb)
xor_arr.append(0xf4)
xor_arr.append(0xfb)
xor_arr.append(0x6c)
xor_arr.append(0x1e)
target = "c35f2bca2f79dcf56c4863b89c80a97362a47454652178\
0f878ac7651dead037f8380f4c51a73167f1957f164cd1866d2431aa5\
40b53d462b4455abc7289a49f34a7fe7abc1b5715a2ece8bedf263669\
13431e915e03b55f838a34f725f508e10a06bbde480e4e68e30b3c39d\
017308070d1d1a8b500030188d3fd09e03bd8f065a345df725e158b52\
a806d14432979e5080d06a9fedc6af6b516175c4af22eb4cf2b11ae72\
dbf6ee061a17e283ba900018f38724d89f59c203351a0b2cf061ca6b9\
cfa80e24ca8141a67be5a6a10bab90084de1b0314a4c5319d6803ceda\
13f5bcf5f6f2908744f85bf5cfec245ed56fea2885bc4d7ef1acfb6d7\
0d720f9e1e435d2529990c5ee0284627a2ca7f0ee83cb14c1dfab3ec4\
0ed331ee5bbddff2e"
new_target = ""
for i in range(len(target) // 2):
    new_hex = hex(int(target[i * 2: (i + 1) * 2], 16) ^ xor_arr[i % 16])[2:]
    if(len(new_hex) == 1):
        new_hex = "0" + new_hex
    new_target += new_hex
print(len(new_target))
for i in range(18):
    print(new_target[i * 32: (i + 1) * 32])
```

This gives us the following MD5 hashes to crack:

> 6bde0a2e4131eede7f7aef53687bc56d
> ca2555b00b694a2494b84b8ee911bc29
> 50b92ea83fef034ce2a7f3fdb82aea73
> 8cb08bb0651be649a777d6578672c881
> 9c26df9ed253653eb1de64552bdd5a77
> bbc23f75304b877490b8b81cd10e64ff
> a2879a3a26467c43f039b0d224ec5c9e
> d850f04cdb48312a9be171e214c0b4ee
> cd22643b1c1627a0419a8a3ab0c9fb80
> f801f18ef1a5f4847863ed9e30544ef5
> e47390fe89658d45f3532d95dcc0c51e
> a90e199623c1c7b73301dd4b46346a02
> 0e38ee4c606cf8aa5294f70e525a67b5
> 38896c05de797867402b5a6bc816cd21
> f34e7e8b47404664968dd01536be8148
> 5623a9bfaa9fdd31dc845be686f4f200
> ebdc04cdf7446ccb3b74ab493e8462f6
> 94306df994fbde6bfe01920e4f269330

They can't be cracked with an online cracker, so use a simple brute force instead. Each hash covers only 5 characters, and with the 33-character alphabet below that is just 33^5 ≈ 39 million candidates, all of which can be checked against every hash in one pass:

```python=
from Crypto.Hash import MD5
import string
# t = string.printable[:95]
t = "abcdefghijklmnopqrstuvwxyz_{}FLAG"
print(t)
match = ["6bde0a2e4131eede7f7aef53687bc56d", #FLAG{
         "ca2555b00b694a2494b84b8ee911bc29", #wait_
         "50b92ea83fef034ce2a7f3fdb82aea73", #what_
         "8cb08bb0651be649a777d6578672c881", #are_y
         "9c26df9ed253653eb1de64552bdd5a77", #ou_lo
         "bbc23f75304b877490b8b81cd10e64ff", #oking
         "a2879a3a26467c43f039b0d224ec5c9e", #_for_
         "d850f04cdb48312a9be171e214c0b4ee", #there
         "cd22643b1c1627a0419a8a3ab0c9fb80", #_is_n
         "f801f18ef1a5f4847863ed9e30544ef5", #othin
         "e47390fe89658d45f3532d95dcc0c51e", #g_ins
         "a90e199623c1c7b73301dd4b46346a02", #ide_t
         "0e38ee4c606cf8aa5294f70e525a67b5", #his_v
         "38896c05de797867402b5a6bc816cd21", #m_hac
         "f34e7e8b47404664968dd01536be8148", #ker_h
         "5623a9bfaa9fdd31dc845be686f4f200", #acker
         "ebdc04cdf7446ccb3b74ab493e8462f6", #_go_a
         "94306df994fbde6bfe01920e4f269330"] #way!}
for a in range(33):
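    print(a)
    for b in range(33):
        for c in range(33):
            for d in range(33):
                for e in range(33):
                    h = MD5.new()
                    nt = t[a] + t[b] + t[c] + t[d] + t[e]
                    h.update(nt.encode())
                    hh = h.hexdigest()
                    for m in match:
                        if m == hh:
                            print(m, nt)
                            break
```

Note that `!` is not in the 33-character alphabet `t`, so this exact loop cannot produce the last block (`way!}`). It presumably came from the wider `string.printable[:95]` alphabet that is left commented out, or was guessed from context. More generally, hashing short chunks independently with unsalted MD5 hides nothing, because each block can be enumerated on its own.

FLAG{wait_what_are_you_looking_for_there_is_nothing_inside_this_vm_hacker_hacker_go_away!}

###### tags: `solved`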