[BINARY] Present - 100 Pts.


We were given this file:

After extracting the contents, we got present.exe. We can also see what kind of file it is: a PE binary packed with UPX (Ultimate Packer for eXecutables).


We can unpack this using the UPX tool.


After unpacking, we can now see that it is a 32-bit Windows PE. We can do static analysis on the unpacked PE to investigate what it really does.


To investigate the binary, we used Cutter (radare2 w/ GUI)


First, we have to find the main. From the image above, we concluded that the “main” identified by Cutter (highlighted) doesn’t really do anything interesting. Therefore, we proceeded to look for other interesting functions.


In the image below, we can see there are two mains:

sym.__main and sym._main


Let’s see what sym.__main does… It looks like it only goes to the .ctors of the binary.


Let’s check sym._main… There’s an interesting string that’s encoded in base64



After decoding, we got the flag.
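
The triage steps above (spotting UPX packing, then pulling a base64 string out of the unpacked binary) can be scripted. This is an added example, not part of the original write-up: the function names are hypothetical, and the sample bytes and flag value are constructed placeholders, not the challenge's real data.

```python
import base64
import binascii
import re

# Runs of base64-alphabet characters (16+), optionally followed by padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Section names and magic that UPX normally leaves in a packed file.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic check: any UPX marker present in the raw file bytes."""
    return any(marker in data for marker in UPX_MARKERS)


def find_base64_strings(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, decoded_text) for runs that decode to printable ASCII."""
    hits = []
    for match in B64_RUN.finditer(data):
        raw = match.group()
        if len(raw) % 4:  # valid base64 comes in 4-character groups
            continue
        try:
            decoded = base64.b64decode(raw, validate=True)
        except binascii.Error:
            continue
        # Import names such as GetModuleHandleA also fit the alphabet;
        # they are dropped here because they decode to non-printable bytes.
        if decoded and all(32 <= b < 127 for b in decoded):
            hits.append((match.start(), decoded.decode("ascii")))
    return hits


# Constructed samples (not the real present.exe).
ENCODED = base64.b64encode(b"FLAG{constructed_example}")
PACKED_SAMPLE = (b"MZ\x90\x00" + b"UPX0\x00\x00\x00\x00"
                 + b"UPX1\x00\x00\x00\x00" + bytes(range(128, 200)))
UNPACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b".text\x00\x00\x00"
                   + b"\x00" * 8 + ENCODED + b"\x00" + b"GetModuleHandleA\x00")

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(name, "UPX markers:", looks_upx_packed(blob))
        for offset, text in find_base64_strings(blob):
            print(f"  0x{offset:x}: {text}")
```

On a packed file the string scan usually finds nothing useful because the data is compressed, which is why unpacking comes first.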


:D :D :D

Thank you for reading!