Monday, July 22, 2013

UFOCTF WriteUP: Mmmm, Whiskey metal

Task: 
My brother has taught me Windows kernel programming, but I always asked him to help me with debugging. He was pissed off after a while. So he created a kernel dump analysis task for me. I can't find the answer. Please help me find the key and I will give you N points. I know that he modified my keylogger somehow, and I'm sure that the driver is already unloaded in the virtual PC.

P.S. I already got a few tips:
- the key is SHA256 or a decoded string
- My brother always makes "Burp" and likes tea.

Here you can find the dump:
https://docs.google.com/file/d/0Bw72cstp5cGsMVlDSlBJU05fdVE

Here is a short how-to...

First you should find the "Burp" log string in the memory dump. There are two ways to do this. One is using DebugView:


Or just use the search in WinDbg:


Next, start to analyze the pool shown in the log:


Take a look inside:


Executable code found. Let's execute it. First we save the memory:


To execute it I will use WinDbg: load notepad in WinDbg, .readmem the saved bytes into it, and set eip:
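As an added example (not code from the write-up or the CTF), here is an offline Python walk through the same steps on a flat memory image: find the "Burp" log string, read the pool address it names, carve that block, check for an x86 function prologue before treating it as code, and report the key candidate both raw and as SHA-256, since the task says the key is one or the other. The image, its base address, the log line format, the "Tea " tag and the key string are all constructed for the example; a real crash dump needs WinDbg (or a dump parser) to translate virtual addresses, which this flat image sidesteps by assuming address == BASE + file offset.

```python
import hashlib
import re

# Constructed stand-in for the crash dump (assumption): a flat byte image whose
# first byte sits at virtual address BASE, so address == BASE + file offset.
BASE = 0x80000000
MARKER = b"Burp"                 # the log string the task hints at
X86_PROLOGUE = b"\x55\x8b\xec"   # push ebp / mov ebp, esp


def build_sample_image() -> bytes:
    """Constructed image: one DbgPrint-style log line naming a pool address,
    and at that address a block holding a tag, a stub of x86 code and a
    printable key string. Every value here is made up for the example."""
    img = bytearray(0x400)
    log = b"Burp: pool at 0x80000200\x00"
    img[0x40:0x40 + len(log)] = log
    block = (b"Tea "                            # 4-byte tag, constructed
             + X86_PROLOGUE + b"\x90\x90\xc3"   # prologue / nop / nop / ret
             + b"ctf{constructed-key}\x00")     # constructed key string
    img[0x200:0x200 + len(block)] = block
    return bytes(img)


def find_marker(image: bytes, marker: bytes = MARKER):
    """Offsets of the marker as ASCII and as UTF-16LE (DbgPrint output is
    ASCII; kernel UNICODE_STRINGs are wide), sorted by offset."""
    hits = [("ascii", m.start()) for m in re.finditer(re.escape(marker), image)]
    wide = marker.decode("ascii").encode("utf-16-le")
    hits += [("utf16", m.start()) for m in re.finditer(re.escape(wide), image)]
    return sorted(hits, key=lambda h: h[1])


def log_line_at(image: bytes, offset: int) -> str:
    """The NUL-terminated ASCII log line starting at offset."""
    end = image.find(b"\x00", offset)
    if end == -1:
        end = len(image)
    return image[offset:end].decode("ascii", "replace")


def pool_address_from(line: str):
    """First 0x-prefixed 32-bit address in the log line, or None."""
    m = re.search(r"0x([0-9a-fA-F]{8})", line)
    return int(m.group(1), 16) if m else None


def carve(image: bytes, address: int, length: int) -> bytes:
    """Bytes at a virtual address: the offline counterpart of saving a range."""
    off = address - BASE
    if not 0 <= off < len(image):
        raise ValueError(f"address {address:#x} is outside the image")
    return image[off:off + length]


def looks_like_code(blob: bytes) -> bool:
    """Cheap sanity check before anything is treated as executable."""
    return blob.startswith(X86_PROLOGUE)


def printable_strings(blob: bytes, min_len: int = 6):
    """ASCII runs of at least min_len bytes, like a strings(1) pass."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def recover_key(image: bytes):
    """Walk the write-up's steps: log string -> pool address -> block ->
    code check -> key candidate, reported raw and as SHA-256."""
    hits = find_marker(image)
    if not hits:
        return None
    line = log_line_at(image, hits[0][1])
    addr = pool_address_from(line)
    if addr is None:
        return None
    block = carve(image, addr, 0x100)
    tag, body = block[:4], block[4:]
    code_off = body.find(X86_PROLOGUE)
    if code_off == -1:
        return None
    strings = printable_strings(body[code_off:])
    key = strings[0] if strings else None
    return {
        "log": line,
        "tag": tag.decode("ascii", "replace"),
        "code_address": addr + 4 + code_off,
        "is_code": looks_like_code(body[code_off:]),
        "key": key,
        "sha256": hashlib.sha256(key.encode()).hexdigest() if key else None,
    }


if __name__ == "__main__":
    for name, value in recover_key(build_sample_image()).items():
        print(f"{name:13}: {value}")
```

On the real dump the carve step is WinDbg's .writemem FileName Range, and the write-up's .readmem loads that file back into notepad's address space before eip is pointed at it; the prologue check here stands in for eyeballing the disassembly in the "Take a look inside" step.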


Here is a key:
