OtterCTF Writeup Memory Forensics 5 - Name Game 2 150

Memory Forensics

5 - Name Game 2 150

From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What's rick's character's name? format: CTF{...}

From 3 - Play Time we already know that LunarMS is being played.

Dump the memory of LunarMS.exe with Volatility.

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" psscan
Volatility Foundation Volatility Framework 2.6_commit_a2dd5d34

Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d403610 mscorsvw.exe 412 492 0x0000000040d28000 2018-08-04 19:28:42 UTC+0000
0x000000007d686b30 Rick And Morty 3820 2728 0x000000000b59a000 2018-08-04 19:32:55 UTC+0000
0x000000007d6a7b30 bittorrentie.e 2308 2836 0x0000000076ada000 2018-08-04 19:27:19 UTC+0000
0x000000007d6c9b30 bittorrentie.e 2624 2836 0x00000000761f5000 2018-08-04 19:27:21 UTC+0000
0x000000007d7cb740 LunarMS.exe 708 2728 0x00000000731cb000 2018-08-04 19:27:39 UTC+0000
0x000000007d832060 sppsvc.exe 2500 492 0x000000000ae7b000 2018-08-04 19:26:58 UTC+0000
0x000000007d87e060 explorer.exe 2728 2696 0x000000000873f000 2018-08-04 19:27:04 UTC+0000
0x000000007d890b30 BitTorrent.exe 2836 2728 0x0000000006c2e000 2018-08-04 19:27:07 UTC+0000

(snip)

> volatility.exe --profile=Win7SP1x64 -f "C:\Users\Aqua\Desktop\OtterCTF\Memory Forensics\OtterCTF.vmem" memdump -p 708 -D ./

Search the dump with a binary editor for the pattern 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} given in the challenge text.
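Instead of scanning by hand in a binary editor, the same signature search can be scripted. The following is an added example, not part of the original writeup: it turns the challenge's byte pattern (with the `??{6-8}` and `??{18}` wildcard runs) into a regular expression over raw bytes, runs it across a process dump such as the one produced by `memdump` above, and reports the printable string that follows each hit. The assumption that the name is printable ASCII terminated by a NUL, the `find_names` / `build_sample_dump` names and the embedded sample data with the name `PlayerOne` are all constructed for this example.

```python
import re
import sys

# Signature from the challenge text, written as a regex over raw bytes:
#   0x64  ??{6-8}  0x40 0x06  ??{18}  0x5a 0x0c  0x00 0x00
# re.DOTALL makes '.' match any byte value, including 0x0a and 0x00.
SIGNATURE = re.compile(
    rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00",
    re.DOTALL,
)

# Assumption (not stated by the challenge): the name that follows the
# signature is a run of 3..32 printable ASCII bytes ending with a NUL.
NAME_RE = re.compile(rb"([\x20-\x7e]{3,32})\x00")


def find_names(data: bytes) -> list:
    """Return (offset, name) pairs for every signature hit that is
    immediately followed by a printable, NUL-terminated string."""
    hits = []
    for m in SIGNATURE.finditer(data):
        tail = data[m.end():m.end() + 33]
        n = NAME_RE.match(tail)
        if n:
            hits.append((m.start(), n.group(1).decode("ascii")))
    return hits


def build_sample_dump() -> bytes:
    """Constructed test data: some padding, then the signature with a
    seven-byte wildcard run, then the name 'PlayerOne' and more junk."""
    sig = (b"\x64" + b"\x11" * 7 + b"\x40\x06"
           + b"\x22" * 18 + b"\x5a\x0c\x00\x00")
    return b"\x00" * 64 + b"noise" + sig + b"PlayerOne\x00" + b"\xff" * 32


if __name__ == "__main__":
    # Usage: python find_name.py 708.dmp   (falls back to the sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_dump()
    for offset, name in find_names(data):
        print(f"0x{offset:08x}: {name}")
```

Expect more than one hit on a real dump; the wildcard runs are loose enough to match unrelated data, so the printable-string filter and the offset are there to let you pick out the plausible candidate rather than to guarantee a single answer.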


FLAG:CTF{M0rtyL0L}