patch

The Challenge

https://dreamhack.io/wargame/challenges/49

Solving my first reversing challenge

The flag is drawn using some Windows API functions, but it is partially obfuscated. Since this is a patching challenge, I need to remove the draw instructions which draw over the flag.

The flag is obfuscated…

I found the function for the drawing process, so let’s expand it

Renaming the function…

Again, the main drawing logic can be found here.

Renaming the function…

There are two drawing instruction chunks here. Assuming that one chunk is for drawing the flag, and the other is for hiding the flag, I added a breakpoint in between them so I could tell them apart.

Found the important logic

At the breakpoint, only the scribbles were drawn. This means that I need to patch the program to remove the first set of draw instructions.

Screenshot of program at breakpoint

To achieve this, I replace the call instructions in the assembly with NOPs.

Screenshot of program at breakpoint

I repeated this about 20 times, and the patched program gives us the flag.

Win!