The entry point (0x401000) quickly jumps to sub_401200, which performs a few sanity checks (checking a registry key, a file in %APPDATA%, etc.). None of those checks abort the program in the nulled version – they are stubbed out with jmp 0x4014B0.
To be thorough, we can let the program itself print the flag. The load_resource → decode_string → MessageBoxA chain is called in sub_4017B0. Patch the binary to write the decoded string to a file.
This step isn’t required for the CTF, but it demonstrates that the flag really is produced by the binary itself.
| Step | Tool | What we did |
|------|------|--------------|
| 1️⃣ | unzip | Extracted the only file (ViserTube.exe). |
| 2️⃣ | file, peid | Identified the binary as a UPX‑packed PE. |
| 3️⃣ | upx -d | Decompressed the executable. |
| 4️⃣ | strings, grep | Searched for obvious flag strings – none found. |
| 5️⃣ | Ghidra / IDA | Discovered a custom XOR decoder and a resource loader. |
| 6️⃣ | pefile (Python) or Resource Hacker | Dumped resource #101 from the RT_RCDATA section. |
| 7️⃣ | radare2 or Ghidra | Located the XOR key (0x37) in the data segment. |
| 8️⃣ | Simple Python script | XOR‑decoded the resource → flag. |
| 9️⃣ | Optional runtime patch | Confirmed that the program itself produces the flag. |
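Steps 6 to 8 (dump resource #101, locate the key, XOR-decode) as one script, added here as an example that is not part of the original write-up. It assumes pefile's resource-walking attributes as I know them, the resource id 101 and key 0x37 from the table, and a made-up flag prefix `CTF{` as a known-plaintext crib for confirming the key; the sample resource is constructed.

```python
# Added example, not code from the write-up or the challenge binary.
import string

RT_RCDATA = 10        # resource type id for raw data (RT_RCDATA)
RESOURCE_ID = 101     # the resource the write-up dumps
KNOWN_KEY = 0x37      # the key found in the data segment

def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte of the blob with one repeating key byte."""
    return bytes(b ^ key for b in data)

def recover_key(data: bytes, crib: bytes) -> int:
    """Known-plaintext recovery: find the single-byte key under which
    the crib appears somewhere in the decoded blob."""
    for off in range(len(data) - len(crib) + 1):
        k = data[off] ^ crib[0]
        if all(data[off + i] ^ k == c for i, c in enumerate(crib)):
            return k
    raise ValueError("crib not found under any single-byte key")

def printable_ratio(data: bytes) -> float:
    """Sanity check for a candidate key: share of printable ASCII bytes."""
    allowed = set(string.printable.encode())
    return sum(b in allowed for b in data) / len(data) if data else 0.0

def decode_flag(resource: bytes, key: int) -> str:
    """Decode the resource and cut at the first NUL, as the binary's C string would."""
    return xor_decode(resource, key).split(b"\x00", 1)[0].decode("ascii")

def dump_rcdata(path: str, res_id: int = RESOURCE_ID) -> bytes:
    """Dump one RT_RCDATA resource from a PE file (requires pefile; assumed API)."""
    import pefile  # third-party; only needed when working on the real binary
    pe = pefile.PE(path)
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if rtype.id != RT_RCDATA:
            continue
        for res in rtype.directory.entries:
            if res.id == res_id:
                lang = res.directory.entries[0]
                return pe.get_data(lang.data.struct.OffsetToData, lang.data.struct.Size)
    raise KeyError(f"RT_RCDATA resource {res_id} not found")

# Constructed stand-in for the dumped resource: a made-up flag, NUL-terminated,
# encoded with the key from the write-up. The real flag is not reproduced here.
SAMPLE_FLAG = b"CTF{constructed_sample_flag}"
SAMPLE_RESOURCE = xor_decode(SAMPLE_FLAG + b"\x00", KNOWN_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_RESOURCE, crib=b"CTF{")     # assumed flag prefix
    print(f"key 0x{key:02x} ({printable_ratio(xor_decode(SAMPLE_RESOURCE, key)):.2f} printable)")
    print("flag:", decode_flag(SAMPLE_RESOURCE, key))
```

On the real binary, replace `SAMPLE_RESOURCE` with `dump_rcdata("ViserTube.exe")` after unpacking with `upx -d`; the crib check then confirms that 0x37 is the key rather than trusting the data-segment read alone.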
Without specific details on what ViserTube is used for, we can only speculate on its intended purpose. However, given the name, it might be related to video processing, streaming, or downloading, possibly interacting with YouTube or similar video platforms.