CIA
Initializing Cyber Invasion
Home Shinigami Soul Society Archives Contact Enlist →
Back to Writeups
Writeup

Mem 2

Memory forensics writeup for decoding a single-byte XOR-obfuscated blob recovered from explorer.exe memory.

EWU National ROBOFESTMemory ForensicsXORCTF

Overview

Mem 2 covered a memory artifact found in explorer.exe. The hidden data was encoded with a single-byte repeating XOR key. By leveraging the known ROBOFEST{ flag prefix, the encoded location and XOR key were recovered efficiently.

Category: Memory Forensics
Platform: Windows 7 memory image captured with DumpIt.exe
Primary Artifact: explorer.exe anomalous XOR blob
Points: 150
Recovered Flag: ROBOFEST{dll_p4th_r3v34ls_th3_truth}
Core Technique: Single-byte XOR brute force using known flag prefix

Environment

The analysis used Shadow_Memory.raw, a Windows 7 workstation memory image. UTF-16LE string extraction is still useful for first-pass memory triage, and Volatility can be used later for process attribution.

file Shadow_Memory.raw
ls -lh Shadow_Memory.raw
strings -a -el Shadow_Memory.raw | grep -iE 'ROBOFEST|StikyNot|CTXBLK'

Investigation

The artifact was described as anomalous data inside explorer.exe. Since the encoding used a single-byte repeating XOR key, the scanner tested all 256 keys and searched for an encoded version of the expected ROBOFEST{ prefix.

#!/usr/bin/env python3
from pathlib import Path

data = Path("Shadow_Memory.raw").read_bytes()
prefix = b"ROBOFEST{"

for key in range(256):
    encoded_prefix = bytes(b ^ key for b in prefix)
    pos = data.find(encoded_prefix)
    if pos != -1:
        blob = data[pos:pos + 100]
        decoded = bytes(b ^ key for b in blob)
        print(f"[+] key = {key:#x}, offset = {pos:#x}")
        print(decoded)

Evidence

Recovered XOR key: 0x41
ASCII equivalent: A
Decoded plaintext: ROBOFEST{dll_p4th_r3v34ls_th3_truth}

Optional Process Attribution

The same recovery can be validated against an explorer.exe-specific memory dump instead of the full raw image.

# Volatility 2 style
vol.py -f Shadow_Memory.raw imageinfo
vol.py -f Shadow_Memory.raw --profile=Win7SP1x64 pslist | grep -i explorer
mkdir -p dumps
vol.py -f Shadow_Memory.raw --profile=Win7SP1x64 memdump -p <EXPLORER_PID> -D dumps
python3 xor_flag_scan.py dumps/<EXPLORER_PID>.dmp

# Volatility 3 style
vol -f Shadow_Memory.raw windows.pslist | grep -i explorer
mkdir -p dumps
vol -f Shadow_Memory.raw -o dumps windows.memmap --pid <EXPLORER_PID> --dump
python3 xor_flag_scan.py dumps/*

The decoder XORs the known plaintext prefix with each candidate key and searches for the encoded prefix in memory. A hit identifies both the blob location and the candidate key. Decoding nearby bytes reveals the flag.

Result

The scanner found a valid encoded ROBOFEST{ prefix and decoded the blob with key 0x41, the ASCII character A.

ROBOFEST{dll_p4th_r3v34ls_th3_truth}

Notes

  • Known-format values such as CTF flag prefixes make XOR key discovery practical.
  • Process attribution is stronger when the target process memory is dumped separately and the same decoder is run against that dump.
  • A recovered plaintext that references DLL paths should prompt reviewers to inspect module lists and load paths in a full investigation.