# Help Me

The given memory dump contains the flag, which is split into 3 parts. Let's analyse it with `volatility`:

```
python2 /opt/volatility/vol.py -f Challenge.vmem imageinfo
```

We see `Win7SP1x64` listed as a possible profile, so we'll use this one. I often start my analysis by saving the output of `filescan` while checking the `iehistory`:

```
python2 /opt/volatility/vol.py --profile=Win7SP1x64 -f Challenge.vmem iehistory
...
C:/Users/alexander/Downloads/L4ST.py.txt
C:/Users/alexander/Documents/Part%20II.png
C:/Users/alexander/Downloads/L4ST.py
...
```

It shows some interesting files that seem to have been downloaded onto the machine, as `filescan` confirms.

```
0x000000007e269310 12 0 R--r-d \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
0x000000007ec2c970 2 0 R--r-- \Device\HarddiskVolume1\Users\alexander\Downloads\L4ST.py.zip
0x000000007f07b740 13 0 R--r-d \Device\HarddiskVolume1\Users\alexander\Downloads\DumpIt.exe
```

We also see that strange `DumpIt.exe`, which we'll check later. Let's dump both part 2 and part 3 with

```
python2 /opt/volatility/vol.py --profile=Win7SP1x64 -f Challenge.vmem dumpfiles -D dumped -Q [addr]
```
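The profile choice and the `filescan` -> `dumpfiles -Q` step above are easy to script once you have the plugin output on disk. The following is an added example, not code from the original writeup: it parses a constructed `imageinfo` sample (imitating the plugin's "Suggested Profile(s)" line) and the three `filescan` rows quoted above, keeps the files under the user's `Downloads` and `Documents` folders, and emits one `dumpfiles` command per `FILE_OBJECT` offset. The `vol.py` path and image name are those used in the writeup; everything else (sample text, function names) is assumed.

```python
#!/usr/bin/env python3
"""Parse Volatility 2 `imageinfo` / `filescan` output and build `dumpfiles -Q` commands.

Added example, not part of the original writeup. Both text samples are constructed:
the filescan rows are the three quoted in the writeup, the imageinfo line imitates
the real plugin's output format.
"""
import re

VOL = "python2 /opt/volatility/vol.py"   # path used in the writeup (assumed)
IMAGE = "Challenge.vmem"

# Constructed sample of `imageinfo` output (only the line we care about matters).
IMAGEINFO_SAMPLE = """
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
"""

# Constructed sample of `filescan` output, built from the rows quoted in the writeup.
FILESCAN_SAMPLE = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000007e269310     12      0 R--r-d \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
0x000000007ec2c970      2      0 R--r-- \Device\HarddiskVolume1\Users\alexander\Downloads\L4ST.py.zip
0x000000007f07b740     13      0 R--r-d \Device\HarddiskVolume1\Users\alexander\Downloads\DumpIt.exe
"""

# Columns: Offset(P), #Ptr, #Hnd, Access (6 chars, e.g. R--r-d), Name (may contain spaces).
FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]{16})\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.+?)\s*$")


def suggested_profiles(imageinfo_output):
    """Return the profiles imageinfo suggests, in printed order (first = best guess)."""
    for line in imageinfo_output.splitlines():
        if "Suggested Profile(s)" in line:
            _, _, names = line.partition(":")
            return [n.strip() for n in names.split(",") if n.strip()]
    return []


def parse_filescan(filescan_output):
    """Turn filescan rows into dicts; header, separator and blank lines are skipped."""
    entries = []
    for line in filescan_output.splitlines():
        m = FILESCAN_RE.match(line.strip())
        if not m:
            continue
        offset, ptrs, handles, access, path = m.groups()
        entries.append({
            "offset": offset,          # physical offset of the FILE_OBJECT, used with -Q
            "ptr": int(ptrs),
            "hnd": int(handles),
            "access": access,
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def select_files(entries, keywords):
    """Keep entries whose path contains any of the keywords (case-insensitive)."""
    lowered = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e["path"].lower() for k in lowered)]


def dumpfiles_commands(profile, entries, outdir="dumped"):
    """One `dumpfiles -D <outdir> -Q <offset>` command per selected file, as in the writeup."""
    return [
        f"{VOL} --profile={profile} -f {IMAGE} dumpfiles -D {outdir} -Q {e['offset']}"
        for e in entries
    ]


if __name__ == "__main__":
    profile = suggested_profiles(IMAGEINFO_SAMPLE)[0]
    files = parse_filescan(FILESCAN_SAMPLE)
    # The writeup's files of interest live under the user's Downloads and Documents folders;
    # an unexpected executable such as DumpIt.exe in Downloads is worth dumping as well.
    interesting = select_files(files, ["\\Downloads\\", "\\Documents\\"])
    for cmd in dumpfiles_commands(profile, interesting):
        print(cmd)
```

Run it against real output by replacing the two samples with the saved `imageinfo` and `filescan` text (which is why saving `filescan` output early, as the writeup suggests, pays off); the printed commands can then be pasted back into the shell or piped to `sh`.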

I started with the third part, the Python script. In order:

- it waits for an input
- it calls a first decoding function on this input
- it calls a second decoding function on the decoded result
- it checks if the final decoded string is equal to the expected one
- if yes, then it prints the flag from a decoding function, else it just returns.

Here are those functions, after cleaning the code and renaming functions properly:

```python
#!/usr/bin/env python3

s = 4
y = []
Z = []
res = []
expected="uh27bio:uY
```

Original writeup (https://github.com/Ewael/CTFs/tree/master/2021/ShaktiCTF/Forensics/HelpMe).