# Help Me

The given memory dump contains the flag which is splitted in 3 parts. Let's analyse it with `volatility`:

python2 /opt/volatility/vol.py -f Challenge.vmem imageinfo

We see `Win7SP1x64` being a possible profile so we'll use this one. I often start my analysis by saving the output of `filescan` while checking the `iehistory`:

python2 /opt/volatility/vol.py --profile=Win7SP1x64 -f Challenge.vmem iehistory

It shows some interesting files that seemed to be downloaded on the machine, as `filescan` confirms.

0x000000007e269310 12 0 R--r-d \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
0x000000007ec2c970 2 0 R--r-- \Device\HarddiskVolume1\Users\alexander\Downloads\L4ST.py.zip
0x000000007f07b740 13 0 R--r-d \Device\HarddiskVolume1\Users\alexander\Downloads\DumpIt.exe

We also see that strange `DumpIt.exe` that we'll check after. Let's dump both part 2 and part 3 with

python2 /opt/volatility/vol.py --profile=Win7SP1x64 -f Challenge.vmem dumpfiles -D dumped -Q [addr]

I started with the third part in the Python script. In the order:

- it waits for an input
- it calls a first decoding function on this input
- it calls a second decoding function on the decoded result
- it checks if the final decoded string is equal to the expected one
- if yes, then it prints the flag from a decoding function, else it just returns.

Here are those functions, after cleaning the code and renaming functions properly:

#!/usr/bin/env python3

s = 4
y = []
Z = []
res = []

Original writeup (https://github.com/Ewael/CTFs/tree/master/2021/ShaktiCTF/Forensics/HelpMe).