Monday, July 22, 2013

UFOCTF WriteUP: Mmmm, Whiskey metal

My brother has taught me Windows kernel programming, but I always asked him to help me with debugging. He was pissed off after a while, so he created a kernel dump analysis task for me. I can't find the answer. Please help me find the key and I will give you N points. I know that he modified my keylogger somehow, and I'm sure that the driver is already unloaded in the virtual PC.

P.S. I already got a few tips:
- the key is SHA256 or a decoded string
- my brother always makes "Burp" and likes tea.

Here you can find a dump.

Here is a short how-to...

First you should find the "Burp" log string in the memory dump. There are two ways to do this: using DebugView

or just using the search in WinDbg.

Next, start analyzing the pool allocation shown in the log.

Take a look inside.

Executable code found. Let's execute it. First we save the memory.
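Locating the log string and carving the pool block that holds it can be scripted once the memory is saved as a flat image (a raw VM memory snapshot or a region written out of WinDbg, not a crash-dump file whose pages would first need translating). The script below is an added example, not code from the original write-up: it searches a flat 32-bit image for the "Burp" marker, walks back to the enclosing x86 POOL_HEADER, validates the header, and returns the allocation's payload; the image bytes, the "KLog" tag and the payload contents are constructed for the demonstration.

```python
import struct

GRAN, HDR = 8, 8   # x86 pool granularity and sizeof(POOL_HEADER), both 8 bytes

def parse_pool_header(buf, off):
    """Decode the x86 POOL_HEADER at buf[off]; None if it cannot be a real one."""
    if off < 0 or off + HDR > len(buf):
        return None
    w0, w1, tag = struct.unpack_from("<HHI", buf, off)
    size = (w1 & 0x1FF) * GRAN                  # BlockSize field, in 8-byte units
    raw = tag.to_bytes(4, "little")
    # Real tags are 4 printable ASCII chars; the top bit marks a protected tag.
    if size < 2 * HDR or not all(0x20 <= (b & 0x7F) < 0x7F for b in raw):
        return None
    return {"offset": off, "size": size, "type": w1 >> 9,
            "tag": bytes(b & 0x7F for b in raw).decode("ascii")}

def enclosing_block(buf, hit):
    """Walk back 8 bytes at a time from a string hit to the nearest header
    whose block covers it (a plausible-looking header further back could still
    be a false positive, so check the tag against the driver's pool tags)."""
    off = hit - hit % GRAN - GRAN       # header must end before the payload starts
    while off >= 0:
        hdr = parse_pool_header(buf, off)
        if hdr and off + hdr["size"] > hit:
            return hdr
        off -= GRAN
    return None

def carve_marked_blocks(buf, marker=b"Burp"):
    """Return [(header, payload)] for each pool block holding marker (ASCII or UTF-16)."""
    found, out = set(), []
    for needle in (marker, marker.decode().encode("utf-16-le")):
        pos = buf.find(needle)
        while pos != -1:
            hdr = enclosing_block(buf, pos)
            if hdr and hdr["offset"] not in found:
                found.add(hdr["offset"])
                out.append((hdr, buf[hdr["offset"] + HDR:hdr["offset"] + hdr["size"]]))
            pos = buf.find(needle, pos + 1)
    return out

def build_sample_image():
    """Constructed image: zero padding around one 40-byte block tagged 'KLog'."""
    payload = (b"Burp: hooked! " + bytes.fromhex("b8deadbeefc3")).ljust(32, b"\x00")
    hdr = struct.pack("<HHI", 2, len(payload) // GRAN + 1, int.from_bytes(b"KLog", "little"))
    return b"\x00" * 64 + hdr + payload + b"\x00" * 64

if __name__ == "__main__":
    for hdr, data in carve_marked_blocks(build_sample_image()):
        print(f"tag={hdr['tag']} off={hdr['offset']:#x} size={hdr['size']:#x} payload={data[:20]!r}")
```

The carved payload is what you would hand to a disassembler or write to a file for the next step; on a real image, replace build_sample_image() with the bytes of the saved region.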

To execute it I will use WinDbg: load notepad in WinDbg, use .readmem to load the saved memory, and set eip to it.

Here is a key: