Codegate 2013 Bin 300 Writeup

Bin300 is a Win32 EXE. Running it looks like this:

It asks for a password.

At 004029c0 we found the password check.

We simply forced the jump past the check (patching the conditional branch in the debugger); the function then drops a file named “8c12…..exe.unprotected.exe”.

The dropped file is stored at the end of Bin300 itself.

Launching the unprotected EXE gives this alert:

Checking the PE header, we found the required Windows version field set to 7.1, which is higher than the Windows we run on, so the loader refuses the image. Correcting it to 5.1 (Windows XP) lets it start.
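The two steps above (the unprotected image sits in Bin300's overlay, and its version field must be patched down to 5.1) can both be done offline with a small PE header parser. The script below is an added example, not part of the original writeup or the CTF binary: it computes where the overlay starts (the end of the last section's raw data), carves the first MZ/PE image found there, reads the version fields and rewrites them. It assumes the “Version Setting” in the writeup is the subsystem version pair (MajorSubsystemVersion/MinorSubsystemVersion, the fields the Windows loader actually compares against the running OS); the OS version pair at offset 40 is patched too just to keep the two consistent. It also assumes the dropped file is appended in the clear, as the writeup implies; if it were compressed or encrypted the carve would find nothing. The sample PE used for self-testing is constructed in the script and is not Bin300.

```python
import struct
import sys

# Field offsets inside IMAGE_OPTIONAL_HEADER. They are the same for PE32 and
# PE32+ because the 64-bit layout only widens ImageBase (dropping BaseOfData).
OPT_OS_VERSION = 40         # MajorOperatingSystemVersion, MinorOperatingSystemVersion
OPT_SUBSYSTEM_VERSION = 48  # MajorSubsystemVersion, MinorSubsystemVersion (checked by the loader)
SECTION_HEADER_SIZE = 40


def _nt_headers(data):
    """Validate MZ/PE signatures; return (optional_header_off, n_sections, optional_header_size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    n_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    return file_hdr + 20, n_sections, opt_size


def overlay_offset(data):
    """File offset where the overlay starts: the end of the last section's raw data."""
    opt_off, n_sections, opt_size = _nt_headers(data)
    sec_table = opt_off + opt_size
    end = sec_table + n_sections * SECTION_HEADER_SIZE
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def carve_embedded_pe(data):
    """Return the first MZ/PE image found in the overlay (through EOF), or None."""
    pos = data.find(b"MZ", overlay_offset(data))
    while pos != -1:
        try:
            _nt_headers(data[pos:])      # a real PE has e_lfanew pointing at "PE\0\0"
            return data[pos:]
        except (ValueError, struct.error):
            pass                         # stray "MZ" bytes; keep scanning
        pos = data.find(b"MZ", pos + 2)
    return None


def subsystem_version(data):
    """(Major, Minor) subsystem version the image claims to require."""
    opt_off, _, _ = _nt_headers(data)
    return struct.unpack_from("<HH", data, opt_off + OPT_SUBSYSTEM_VERSION)


def patch_version(data, major, minor):
    """Rewrite the OS and subsystem version fields; returns a new bytes object."""
    buf = bytearray(data)
    opt_off, _, _ = _nt_headers(buf)
    struct.pack_into("<HH", buf, opt_off + OPT_OS_VERSION, major, minor)
    struct.pack_into("<HH", buf, opt_off + OPT_SUBSYSTEM_VERSION, major, minor)
    return bytes(buf)


def build_sample_pe(major, minor, overlay=b""):
    """Constructed minimal PE32 skeleton (not the CTF binary): headers, one section, optional overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<HH", opt, OPT_OS_VERSION, major, minor)
    struct.pack_into("<HH", opt, OPT_SUBSYSTEM_VERSION, major, minor)
    struct.pack_into("<H", opt, 68, 3)                  # Subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI
    raw_ptr, raw_size = 512, 512                        # single .text section at file offset 512
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x100, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    image = headers + b"\0" * (raw_ptr - len(headers)) + b"\xCC" * raw_size
    return image + overlay


if __name__ == "__main__":
    # usage: python pefix.py Bin300.exe out.exe  (hypothetical file names)
    blob = open(sys.argv[1], "rb").read()
    inner = carve_embedded_pe(blob) or blob
    major, minor = subsystem_version(inner)
    print("overlay at 0x%x, embedded image claims version %d.%d" % (overlay_offset(blob), major, minor))
    with open(sys.argv[2], "wb") as f:
        f.write(patch_version(inner, 5, 1))
```

Patching these two words does not require fixing the optional header CheckSum: the user-mode loader only enforces it for drivers and a few system images, so the patched EXE starts as-is.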

CodeGate gave these hints:

[Bin 300 Hint] Routine that makes the “Note”

[Bin 300 Hint2] Find out the notes that are created somewhere that is not difficulty level 1, 2, 3.

We found the routine that makes the “Note”:

After cases 1, 2 and 3 there is a default case, in which GraphBuffer2 is filled from note_default. Note that there are two graph buffers.

In the other cases GraphBuffer1 is filled, and GraphBuffer1 is the buffer that is actually drawn. So the default-case note is built but never displayed.

We launch the program in OllyDbg, and at the switch we change Difficulty to 4 (any value other than 1, 2 or 3 works) so that the default case is taken.

In the default case we change pOutGraph = pGraphLine2_1 - 1; into pOutGraph = pGraphLine - 1; so the output goes to GraphBuffer1 instead. At the assembly level this means replacing mov ecx, [ebp+pGraphLine2_1] with lea ecx, [edi]. Since lea ecx, [edi] is only two bytes, shorter than the mov it replaces, the leftover bytes are padded with NOPs.


Wow, the flag is printed.