✒hhro([email protected])
As I extract the challenge zip file, there is only one file, bass_boosted.exe. After analyzing it with some PE tools and a few executions, I found out that it seems like a typical crackme challenge. However, it is not as simple as I thought.
It is a stripped PE, written in C++ with the C++ Boost library, which is massive and complicated. I spent a lot of time understanding some of the C++ structures and their operations.
In brief, there are four stages in total.
dict[c]
xoree
I don't exactly know what this structure really is, but I can only guess it's some kind of key-value thing (I would call it dict).
In the function sub_611030() located in init_array, it calls the function sub_616180(). And sub_616180() generates the dict that is used soon in the second stage.
Here is part of the decompiled code that makes the dict:
// first entry: key 'A' maps to value 'z'
key = 'A';
val = 'z';
makeKeyVal(keyValPair, (int)&key, (int)&val);
LOBYTE(v38) = 1;
pushToStructure(dict, (int)v8, (int)keyValPair);   // insert pair into the dict
LOBYTE(v38) = 0;
sub_616D00(keyValPair);                            // destroy the temporary pair
v17 = 13;
sub_615B20(v34, (int)&v17);
// second entry: key and value packed into one 2-byte buffer, "}L" -> key '}' maps to value 'L'
qmemcpy(v31, "}L", sizeof(v31));
makeKeyVal(v14, (int)v31, (int)&v31[1]);
LOBYTE(v38) = 2;
pushToStructure(dict, (int)v7, (int)v14);
LOBYTE(v38) = 0;
sub_616D00(v14);
...
In python, it can be simplified as:
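The following is an added Python model of the table-building pattern seen in the decompiled snippet above; it is not the author's own simplification. Only the two pairs visible on the page ('A' -> 'z' and the packed buffer "}L", i.e. '}' -> 'L') are known, so the entry list is constructed for illustration, and the names build_dict, invert and translate are assumptions. The example also builds the inverse table, which is what you need when working backwards from an expected output to the input the binary accepts.

```python
# Added example (not the challenge author's code): model of the key/value table
# that sub_616180() builds. Entries mirror the two decompiled forms:
#   ("pair", key, val)  -> makeKeyVal(keyValPair, &key, &val)
#   ("packed", "}L")    -> qmemcpy(v31, "}L", 2); makeKeyVal(v14, v31, &v31[1])
# Only the two pairs visible in the snippet are known; the list is constructed.
DECOMPILED_ENTRIES = [
    ("pair", "A", "z"),
    ("packed", "}L"),
]


def build_dict(entries):
    """Rebuild the dict from decompiled entries, rejecting duplicate keys."""
    table = {}
    for entry in entries:
        kind = entry[0]
        if kind == "pair":
            _, key, val = entry
        elif kind == "packed":
            buf = entry[1]
            if len(buf) != 2:
                raise ValueError("packed entry must be exactly 2 chars: %r" % (buf,))
            key, val = buf[0], buf[1]   # v31[0] is the key, v31[1] the value
        else:
            raise ValueError("unknown entry kind: %r" % (kind,))
        if key in table:
            raise ValueError("duplicate key %r in dict" % (key,))
        table[key] = val
    return table


def invert(table):
    """Inverse mapping (value -> key); fails if two keys share a value."""
    inv = {}
    for key, val in table.items():
        if val in inv:
            raise ValueError("table is not invertible: value %r repeated" % (val,))
        inv[val] = key
    return inv


def translate(text, table):
    """Apply the substitution to each character; unmapped characters pass through
    unchanged (an assumption about stage-2 behaviour, not taken from the page)."""
    return "".join(table.get(c, c) for c in text)


if __name__ == "__main__":
    d = build_dict(DECOMPILED_ENTRIES)
    print(d)                                   # {'A': 'z', '}': 'L'}
    print(translate("A}", d))                  # 'zL'
    print(translate("zL", invert(d)))          # 'A}'
```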