starter

starter

After disassembling this executable using ida,
We first noticed the existence of 2 arrays consisting of “8” elements each…

Arrays

400808 [0x56 , 0x21 , 0xEF , 0x78 , 0xCD , 0x34 , 0xAB , 0x90]
400810 [2 , 3 , 6 , 7 , 3 , 0 , 5 , 1]

These 2 arrays came along with one large array called “s”

s

The size of “s” is 32 elements, which seems close to the size of any regular flag, right?
If so, We have to have some operation(s) performed on “s” … well, let’s find out…

array

We see here that the arrays 400810 is being moved to perform the following on it

array

Well, what this basically does is that it give us the following sequence ( 0,1,2,3,4,5,6,7,0,1,2,3,4,5,6,7,0,1,2… )

This sequence is used as indices for the array 400810 ,which in return is used as indices for the array 400808
Meaning .. we’ll start with index “0” in array 400810 which is “2” … we’ll use this as index for array 400808 which is “0xEF”
Next, we’ll go for index “1” in array 400810 which is “4” … then again we’ll use this as index for array 400808 which is “0xCD” , and so on…

Array “s” is then being moved to $ecx

array

And array 400808 is being moved to $eax

array

An “XOR” function is the being performed on each element we get from array 400808 using the sequence above along with each element in the array “s” consecutively …

So what we’ll get will be something like this —>
0xA6 ^ 0xEF = 0x49 “I”
0x83 ^ 0xCD = 0x4E “N”
0xEF ^ 0xAB = 0X44 “D”
0xC9 ^ 0x90 = 0X59 “Y”
0x03 ^ 0x78 = 0X7B “{”

And bang!! There’s the flag…

With a simple python script we get the following flag —>

INDY{strings_doesnt_always_work}