Game 7 : If you already found the drop file. Congratulations! Line 1 is hex and line 2 was an encrypted string. Look at the icon of "picaball.exe", you might think about something.
Game 7 : You can download a process tool to monitor and find out the drop file.
Game 7 : Two different LOCKs in the drop file.
Game 7 : You DON'T need to win the game, just EXECUTE it. A file appears.

After running it, I monitored it with Process Monitor and found that it quietly creates files:

picaball.exe CreateFile C:\Users\Chen\AppData\Local\Temp\IXP000.TMP

Following that path turned up two files:

lsass.exe
picaball.exe
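
Reversing showed that lsass.exe also quietly creates a file:

.rdata:00403067 0000001B C C:\\WINDOWS\\TEMP\\secure.dat

It contains two strings:

19500364083D0F3E164E290E3904701F07294F3D0736121C64073741331600631B721335111B370A73
UHduRG9SYQ

The first string uses only the characters 0-F, so it is obviously hex. Base64-decoding the second string gives PwnDoRa. Use that as the key to XOR the first string:

>>> ''.join(xor(a,b*100))
"I'm gonna make him offer he can't refuse!"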
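
The two "locks" described above, worked end to end as an added example (not code from the original write-up): line 1 is hex-decoded, line 2 is base64-decoded after restoring its stripped `=` padding, and the result is used as a repeating XOR key. The function names are assumptions made for this example; the two strings are the ones quoted above.

```python
import base64
from itertools import cycle

# The two lines of secure.dat exactly as quoted in the write-up.
SECURE_DAT = (
    "19500364083D0F3E164E290E3904701F07294F3D0736121C"
    "64073741331600631B721335111B370A73\n"
    "UHduRG9SYQ\n"
)


def b64decode_unpadded(text: str) -> bytes:
    """Decode base64 whose trailing '=' padding was stripped (lock 2)."""
    text = text.strip()
    if len(text) % 4 == 1:
        raise ValueError("impossible length for base64 data")
    padded = text + "=" * (-len(text) % 4)
    # validate=True rejects characters outside the base64 alphabet.
    return base64.b64decode(padded, validate=True)


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key to cover the data (lock 1)."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def unlock(drop_file_text: str) -> tuple[bytes, bytes]:
    """Return (key, plaintext) for a two-line drop file: hex, then base64."""
    lines = [ln.strip() for ln in drop_file_text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected 2 non-empty lines, got {len(lines)}")
    try:
        ciphertext = bytes.fromhex(lines[0])
    except ValueError as exc:
        raise ValueError("line 1 is not valid hex") from exc
    key = b64decode_unpadded(lines[1])
    return key, repeating_xor(ciphertext, key)


if __name__ == "__main__":
    key, plaintext = unlock(SECURE_DAT)
    print(key.decode(), "->", plaintext.decode())
```

The padding step matters because `base64.b64decode` raises on the 10-character string as stored in the file.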