
# Confirmation of Identity
We are given a PE file, idconfirm.exe. After analyzing the program we can see that it simply reads the Wallpaper value under the HKEY_CURRENT_USER\Control Panel\Desktop key, takes the filename and extension from that path, performs some checks (including anti-debugging checks) and decrypts the flag if all of them pass.

To solve this task, we can run the program under a debugger and patch a few values during execution.

The patches we need:

Patch the value at [ebp+var_1f0] to zero so that execution continues past the first check.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-14-00.png)

After patch:

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-14-47.png)

Patch the return value of IsDebuggerPresent to zero.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-14-57.png)

Patch the value at [ebp+pbDebuggerPresent] to zero to bypass the second debugger check (this is the out-parameter that CheckRemoteDebuggerPresent writes, so it has to be cleared after the call returns).

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-15-04.png)

Patch the string on the stack that ecx points to so that it reads "\proof"; strcmp then returns zero and the flag is decrypted correctly.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-15-10.png)

After patch:

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-15-16.png)

After these patches the program decrypts the flag and prints it:

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-final-writeups/master/pictures/2021-03-26-23-15-24.png)
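The same strcmp check can also be satisfied from the registry side instead of by patching the stack. The PowerShell below is an added example, not part of the original writeup: it reads the Wallpaper value the program reads, shows the trailing path component the program compares, temporarily points the value at a path whose last component is "proof", runs the binary, and restores the original value. It assumes the program extracts the trailing component with a strrchr-style search (hence the leading backslash in "\proof"), that a value ending in "\proof" with no extension is what the comparison expects, and that idconfirm.exe is in the current directory; none of that is confirmed by the writeup.

```powershell
# Added example (not from the original writeup): satisfy the "\proof" check
# via the registry instead of a stack patch. Assumptions, labelled as such:
#  - the target takes the Wallpaper value from its last backslash onward
#    (strrchr-style) and compares that against "\proof";
#  - idconfirm.exe is in the current directory.
$RegPath  = 'HKCU:\Control Panel\Desktop'
$Expected = '\proof'

function Get-WallpaperTail {
    # Return the part of the Wallpaper value from its last backslash onward,
    # which is what a strrchr(path, '\\') in the target would yield.
    $wp = (Get-ItemProperty -Path $RegPath -Name Wallpaper).Wallpaper
    $i  = $wp.LastIndexOf('\')
    if ($i -lt 0) { return $wp }
    return $wp.Substring($i)
}

function Invoke-IdConfirmWithProof {
    param([string]$Exe = '.\idconfirm.exe')

    $original = (Get-ItemProperty -Path $RegPath -Name Wallpaper).Wallpaper
    Write-Host "Current tail: '$(Get-WallpaperTail)' (program wants '$Expected')"

    try {
        # Point the value at a path whose last component is 'proof' (no
        # extension). The file does not need to exist for a string compare.
        $fake = Join-Path $env:TEMP 'proof'
        Set-ItemProperty -Path $RegPath -Name Wallpaper -Value $fake
        Write-Host "Wallpaper temporarily set to '$fake', tail '$(Get-WallpaperTail)'"

        # Run outside a debugger, so IsDebuggerPresent and
        # CheckRemoteDebuggerPresent already report FALSE.
        Start-Process -FilePath $Exe -Wait -NoNewWindow
    }
    finally {
        # Always restore the real wallpaper path, even if the binary crashes.
        Set-ItemProperty -Path $RegPath -Name Wallpaper -Value $original
        Write-Host "Wallpaper restored to '$original'"
    }
}

Invoke-IdConfirmWithProof
```

Because the program is not running under a debugger here, the two IsDebuggerPresent/CheckRemoteDebuggerPresent patches are unnecessary. The check at [ebp+var_1f0] is not explained in the writeup, so if the binary still exits early after this, the debugger patches above remain the reliable route.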

[Original writeup](https://github.com/kukuxumushi/HTBxUNI-CTF-final-writeups/blob/master/Confirmation_of_Identity.md).