Eat the Cake! by Little Pwnie

Hi everyone ,
I've been trying for days this reverse challenge..
and it is obvious there is something that I can't catch!

I've used all "convention" tool : OllyDbg, Immunity Denugger, WinDbg, IDA..
I've also tried objdump to disassemble and mingw tools on linux ..

Am i on the right track? Any hint toward what I'm missing?




  • I am having trouble as well. It does seem packed. Not sure if I correctly unpacked it.

  • edited January 2018



  • You've practically told them the solution...

  • Sorry, if it's a spoiler please remove it... Just wanted to give them some directions, could've gone a bit far...


  • Hi. A little hint should be useful.

  • I solved it using Ollydbg, I am the noobest guy around here maybe, still I think it's kinda too easy for 60 points. You can't expect the password to be in plaintext format, just a little knowledge about assembly instructions is enough to get it.

  • I've just a question about the final password to retrieve: is it really 15 characters?

  • It doesn't run after unpacking it, is it supposed to do that?

  • edited June 2018

    try unpack on windows 7 if doesn't run after unpacking

  • @lucazzz said:
    I've just a question about the final password to retrieve: is it really 15 characters?


  • edited June 2018

    @gavz I tried unpacking it on Windows 7 still not running...

  • edited June 2018

    If it's supposed to work with upx, it doesnt on Windows 7. The produced binary is not unpacked properly. Is this normal? Should I try to unpack manually?

  • Solved it. No need to manually unpack. If upx doesnt cut it for you, try some other tools.
    Pretty straight forward after unpacking.

  • edited August 2018

    @Narmu said:
    @gavz I tried unpacking it on Windows 7 still not running...

    tested on windows 8.1

  • @gavz thanks I figured it out, it was about which unpacker to use

  • @Narmu said:
    @gavz thanks I figured it out, it was about which unpacker to use

    I do not remember how i it unpack:
    1. upx.exe -d on VM windows 8.1 or windows 7 or
    2. through Ollydbg

  • I'm afraid I've been wasting my time on this challenge, so I'd appreciate some advice: how do you know if it's unpacked correctly? If it runs in the debugger, and it shows the ASCII strings that print out, etc., is it correct?

  • I finally solved this challenge. It just wasn't quite as straightforward as I expected from reading this thread. Feel free to DM for hints.

  • Oops so I spoke too soon. Turns out that two of the digits I only got because of guessing correctly.

  • I am a total RE noob - Could anyone PM me or post here some links to help solve this challenge?

    Appreciate everyones help! Thanks!

  • edited January 2019

    Hi all, can someone PM me ? I unp****d using PE********. Now I am reversing, I think it is checking multiple bytes in the provided string, but not all of them...Do I have to guess the bytes which are not compared ?

    EDIT -> This box involves some guesswork from what I understand, solved it but 1-2 digits had to be guessed. Did anyone solve it without guessing ?

  • I have trouble with it also...
    1. is not working after unpack
    2. the password check in the code reveals incomplete flag...

    Any suggestions? Thanks!

  • edited February 2019

    For everyone having issues after unpacking:

    TL/DR: Disable ASLR on the binary.

    Having said that, you can complete this challenge through static analysis alone. I used IDA. If your password is missing characters, you haven't examined the program's control flow carefully enough. Not sure how much more I can say without spoiling.

    404 Friend Not Found

  • solved, by guessing few letters :))

  • Type your comment> @portos060474 said:

    solved, by guessing few letters :))

    I used IDA and Im missing four letters. Obvious ones do not work -:(


  • I'm stuck...assistance please.
    OllyDgb used to gather ESP and EAX have to CMP as same for the program to run... enter 10 digit pass which can be anything... then asked for 15-digit pass.
    Can someone please hint how I can find the code which is executed when the Input I enter at this point is compared/validated?
    As soon as the program starts running OllyDgb will not show me whats going on... new to reversing so if this is a Basic question please go easy.
    Thanks for any replies in advance.

  • No guessing is required.

    1. For unpacking, follow @opt1kz comment.
    2. Find out the conditions of getting the congratulation message.

    For newbies (Like Me): IDA - graph view is very helpful. Makes Reverse Engineering easier.

  • edited September 2019

    For those that try to avoid running closed source as their main OS and are not feeling like resetting their hacking lab windows VM's here is how to unpack from linux/bsd

    retdec-unpacker cake.exe
    [UPX] Detected NRV2B unpacking stub based on signature & metadata.
    [UPX] Started unpacking of file 'cake.exe'.
    [UPX] Detected filter 0x26 with parameter 0x0 based on signature.
    [UPX] Unpacked data based on signature.
    [UPX] Original header found at address 0x791f in extra data.
    [UPX] Import hints address 0x7000 found in extra data.
    [UPX] Relocations hints address 0x7782 found in extra data.
    [UPX] Original entry point address set to 0x2517.
    [UPX] Original load configuration directory found at RVA 0x3730 with size 0x40.
    [UPX] Original resources directory found at RVA 0x6000 with size 0x1e0.
    [UPX] Successfully unpacked 'cake.exe'!

    wont tell you what else to do, this is just with the info already posted, only that on linux not windows


  • To change the flags on the unpacked executeable, one can also use setdllcharacteristics.
    You can compile it on your machine, it is pretty straight forward.

    Besides this i am really stuck on this one. I was able to partly reconstruct the password, but i am missing a few chars and i am not sure where in the program flow i actually turn wrong. Is anyone willing to give me a hint?


    I am always happy to help, but please put some effort into your questions. I won't reply to "I am stuck on machine XXX" messages.

  • I found the second part of this a lot easier on I**! I initially was just using cutter/winedbg, but once I switched I did not even need to debug it!

    Fairly easy with the right tool, but overall nice challenge.

Sign In to comment.