Tags: 5 engineering reverse metatrader 

TLDR: Load the script into MetaTrader 5, launch it, dump the process memory, and find the MeepwnCTF{XXX...} string; the strings "your flag: %s" and "MdgsskESNr]8`am?}"M!KA~$G[v/\x7fvAO\x14S\x16G\x17X" should be nearby. Find the XOR key and decrypt the Mdg~ string.

Thanks to Eternal from P4 (https://twitter.com/EternalRed0) for describing the solution on IRC:

```
22:58 <luna> how does one solve EX5?
23:04 <eternal> Luna: download metatrader5 from the internet. then load this script. attach process hacker to the process -> memory -> find all strings of the process -> search for "flag" -> click on something like "you flag is: %s". You ended up in a place with interesting strings. There are strings connected with flag, reading user input. but one was strange. The first letter was M, you could xor beginning of this
23:04 <eternal> string with flag prefix format and you would have got 0,1,2,3,4,5... pattern . this is the xor key
23:05 <eternal> I mean 0,1,2....,len(flag) was the key
```

An IPython session with pwntools loaded (`import pwn`):
```
In [14]: ct='MdgsskESNr]8`am?}"M!KA~$G[v/\x7fvAO\x14S\x16G\x17X' # encrypted flag retrieved from the memory dump + hexdump (to get the unprintable bytes)
In [15]: pt='MeepwnCTF{' # known flag prefix
In [16]: pwn.xor(ct[:len(pt)], pt) # let's see if it is a XOR with a key
Out[16]: '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t'
In [17]: ord('\t')
Out[17]: 9
In [18]: # looks like the key is 0, 1, 2, 3, ...
In [19]: pwn.xor(ct, list(range(len(ct))))
Out[19]: 'MeepwnCTF{W3llc0m3_2_Th3_Bl4ck_P4r4d3}'
```
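
The manual "find the odd string next to the flag strings" step can also be automated. The following is an added example, not part of the original write-up: it slides the known-plaintext test from the session above over a whole dump and decrypts every match, without needing pwntools. `find_counter_xor` and `SAMPLE_DUMP` are names invented here, and the sample dump is constructed from the strings quoted in the write-up.

```python
# Added example: scan a raw memory dump for strings XORed with the
# counter key 0, 1, 2, ... using the known flag prefix as a crib.
PREFIX = b"MeepwnCTF{"  # known flag prefix (from the write-up)


def find_counter_xor(dump: bytes, prefix: bytes = PREFIX, max_len: int = 128):
    """Return [(offset, plaintext)] for every offset where dump XOR (0,1,2,...)
    starts with `prefix` and stays printable ASCII up to a closing '}'."""
    hits = []
    for off in range(len(dump) - len(prefix) + 1):
        # Known-plaintext test: ct[i] ^ pt[i] must equal the index i.
        if any(dump[off + i] ^ p != i for i, p in enumerate(prefix)):
            continue
        out = bytearray()
        for i, c in enumerate(dump[off:off + max_len]):
            ch = c ^ (i & 0xFF)
            if not 0x20 <= ch < 0x7F:  # left the string: not a flag
                break
            out.append(ch)
            if ch == ord("}"):  # flag terminator reached
                hits.append((off, out.decode("ascii")))
                break
    return hits


# Constructed sample "dump": filler bytes, the two neighbouring strings
# mentioned in the write-up, and the ciphertext from the session above.
CT = b'MdgsskESNr]8`am?}"M!KA~$G[v/\x7fvAO\x14S\x16G\x17X'
SAMPLE_DUMP = b"\x00" * 37 + b"your flag: %s\x00" + CT + b"\x00MeepwnCTF{XXX\x00"

if __name__ == "__main__":
    for off, flag in find_counter_xor(SAMPLE_DUMP):
        print(hex(off), flag)
```

The unencrypted `MeepwnCTF{XXX` placeholder is not reported, because XORing it with the prefix gives all zeros rather than the 0, 1, 2, ... pattern.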