Introduction
I hope this guide will show some useful techniques to solve this challenge using only simple static analysis without the need to look at the assembly code.
Run the File
We run the file and see the following message box:
When we click OK, the dialog closes and the program exits. Obviously there is more to the picture.
Viewing the Resources
During static analysis of the file, we see that it has a binary resource embedded inside it. The hex begins with 4D 5A, which is the MZ header for PE files.
As it turns out, the program drops this binary as a DLL hidden away in an AppData folder. We'll simply dump it to disk using Resource Hacker, saving it as crackme1.dll.
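The 4D 5A bytes alone are a weak signal, since any two-byte "MZ" run matches. The following added example (not part of the original post) confirms an embedded PE image by following e_lfanew to the PE signature and reads the IMAGE_FILE_DLL flag from the COFF header; the function names and the sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def find_embedded_pe(data, skip_host=True):
    """Return (offset, machine, is_dll) for every validated PE image in data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset of the PE signature) is a little-endian DWORD at +0x3C.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Require "PE\0\0" followed by a complete 20-byte COFF header.
            if sig + 24 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                machine, = struct.unpack_from("<H", data, sig + 4)
                chars, = struct.unpack_from("<H", data, sig + 22)
                # Offset 0 is the host executable itself, not a payload.
                if not (skip_host and pos == 0):
                    hits.append((pos, machine, bool(chars & IMAGE_FILE_DLL)))
        pos = data.find(b"MZ", pos + 1)
    return hits


def make_stub(characteristics, machine=0x14C):
    """Constructed sample: DOS header plus COFF header only, not loadable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


# Constructed input: an EXE stub, filler containing a stray "MZ", then a DLL stub.
SAMPLE = make_stub(0x0102) + b"padding with a stray MZ marker " + make_stub(0x2102)

if __name__ == "__main__":
    for offset, machine, is_dll in find_embedded_pe(SAMPLE):
        kind = "DLL" if is_dll else "EXE"
        print(f"embedded {kind} at offset {offset:#x}, machine {machine:#06x}")
```

To check a real file, pass the bytes read from disk to `find_embedded_pe` in place of `SAMPLE`.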
Inspecting the DLL
We open the DLL using PEView, or alternatively (and often better) PEStudio. We go to the Export Address Table (EAT) and see it exports a function called DisplayMessage.
Run the Exported Function
So in order to run the function, we just have to issue the following command, which uses the rundll32.exe program included with Windows: