✒hhro([email protected])


Overview

When I extracted the challenge zip file, there was only one file, bass_boosted.exe. After analyzing it with some PE tools and a few test runs, I found that it looks like a typical crackme challenge. However, it is not as simple as I thought.

It is a stripped PE, written in C++ with the Boost library, which is massive and complicated. I spent a lot of time understanding some of the C++ structures and their operations.


What does this PE do

In brief, there are four stages in total.

  1. Initialize the key-value structure
  2. XOR each input character c with dict[c]
  3. XOR each resulting byte with xoree
  4. Hexlify the result

Stage 1. Initialize the key-value structure

I don't know exactly what this structure really is, but I can guess that it is some kind of key-value container (I will call it dict).

The function sub_611030(), located in init_array, calls sub_616180(), and sub_616180() generates the dict that is used shortly afterwards in the second stage.

Here is part of the code that makes the dict:

key = 'A';
val = 'z';
makeKeyVal(keyValPair, (int)&key, (int)&val);      // build the pair ('A', 'z')
LOBYTE(v38) = 1;
pushToStructure(dict, (int)v8, (int)keyValPair);   // dict['A'] = 'z'
LOBYTE(v38) = 0;
sub_616D00(keyValPair);                             // tear down the temporary pair (likely its destructor)
v17 = 13;
sub_615B20(v34, (int)&v17);
qmemcpy(v31, "}L", sizeof(v31));                    // v31[0] = '}', v31[1] = 'L'
makeKeyVal(v14, (int)v31, (int)&v31[1]);            // build the pair ('}', 'L')
LOBYTE(v38) = 2;
pushToStructure(dict, (int)v7, (int)v14);           // dict['}'] = 'L'
LOBYTE(v38) = 0;
sub_616D00(v14);
...

In Python, it can be simplified as: