Reassemble a Split EXE and Crack Its License Check to Reveal the Flag

This guide walks you through rebuilding a fragmented EXE file, fixing a hidden byte error, analyzing its PE structure with IDA, and three ways to bypass the license check—by writing a DLL, patching the binary, or directly decoding the hidden flag.

Liangxu Linux

First download the provided zip file and extract the four .dat parts. Using a hex editor you can identify each part: d.dat contains the DOS header (MZ), p.dat the PE header, s.dat the section table, and b.dat the body.

Create a new file, copy the contents of d.dat, then append p.dat, s.dat, and finally b.dat. Save the result as an .exe and try to run it.

Note: the original file has an extra byte inserted in the section table, which corrupts the PE format.

Remove the stray byte (a leading 00 in the section table) and run the executable again. The program now starts but reports a missing license.dll.

Use the Depends tool to view the import table; it shows a dependency on license.dll and a call to GetLicense. Load the binary into IDA to locate the main function, the call to GetLicense, and the flag‑printing logic.

The license validation performs four checks:

1. String length must be 16.
2. Each character must exist in a predefined byte array.
3. The sum of characters 4-7 minus the sum of characters 0-3 must equal 1.
4. Character 8 must be a hyphen (-).

Any string satisfying these rules will be accepted.
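To confirm that a candidate such as "xuanyuan-zhifeng" really satisfies the four rules before building anything, the checks can be re-implemented outside the binary. This is an added example, not code from the challenge or the original write-up; the allowed-character table is assumed to be lowercase letters plus the hyphen, since the real table is only known from the disassembly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED alphabet: the real byte array lives in the EXE and is not
 * reproduced here. Lowercase letters and '-' are enough for the example. */
static const char ALLOWED[] = "abcdefghijklmnopqrstuvwxyz-";

/* Returns 1 if s passes the four checks described above, 0 otherwise. */
int check_license(const char *s)
{
    if (s == NULL || strlen(s) != 16)           /* check 1: exact length 16 */
        return 0;

    for (size_t i = 0; i < 16; i++)             /* check 2: every byte in table */
        if (strchr(ALLOWED, s[i]) == NULL)
            return 0;

    int lo = 0, hi = 0;                         /* check 3: sum(4..7) - sum(0..3) == 1 */
    for (size_t i = 0; i < 4; i++) {
        lo += (unsigned char)s[i];
        hi += (unsigned char)s[i + 4];
    }
    if (hi - lo != 1)
        return 0;

    return s[8] == '-';                         /* check 4: separator at index 8 */
}

int main(void)
{
    /* Constructed candidates: the write-up's key, and two that each fail one rule. */
    const char *keys[] = { "xuanyuan-zhifeng", "xuanyuam-zhifeng", "xuanyuan_zhifeng" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", keys[i], check_license(keys[i]) ? "accepted" : "rejected");
    return 0;
}
```

For "xuanyuan-zhifeng" the two sums are 444 and 445, so the difference is exactly 1; changing the last 'n' of the second group to 'm' drops the difference to 0 and the key is rejected.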

Method 1: Write a DLL

Implement GetLicense in a DLL that returns a valid license string, e.g. "xuanyuan-zhifeng". The function must be exported with extern "C" so its name is not mangled and matches the import the EXE expects.

// C linkage keeps the exported symbol named exactly "GetLicense".
extern "C"
__declspec(dllexport)
char* GetLicense(int code) {
    (void)code;  // argument is ignored: any string passing the four checks is accepted
    return (char*)"xuanyuan-zhifeng";  // cast because a string literal is const in C++
}

Place the compiled DLL in the same directory as the rebuilt EXE and run the program; it now prints the flag.

Method 2: Binary Patching (Brute‑Force)

First remove the license.dll import by editing the import table: replace the license.dll entry with the second entry (kernel32.dll) and clear the original entry. After this the executable only depends on kernel32.dll, but the call to GetLicense still fails.

Patch the binary to bypass the check: invert the conditional jump (JZ) after the license verification to its opposite (JNZ) so the success path is taken, or directly hook the main entry to jump to the flag-printing block. The latter can be done by overwriting the first instruction of main with a short jump to the success path.

Method 3: Direct Flag Decoding

IDA decompiles the flag‑decoding function, which XORs each byte of an encrypted array with 0xCC. The encrypted bytes are:

#include <stdio.h>
#include <string.h>

int main(void) {
    /* Encrypted flag as recovered from the binary; unsigned so the high bytes stay intact. */
    unsigned char flag_bytes[] = {
        0xB4, 0xB9, 0xAD, 0xA2, 0xB5, 0xAD, 0xA2, 0x8C,
        0xAE, 0xA5, 0xAD, 0xA2, 0xAF, 0xA4, 0xA9, 0xA2,
        0xAB, 0xE2, 0xB9, 0xA2, 0xA5, 0xBA, 0xA9, 0xBE,
        0xBF, 0xA9, 0x00
    };
    /* Undo the single-byte XOR; the 0x00 terminator is left untouched. */
    for (size_t i = 0; i < strlen((char *)flag_bytes); i++) {
        flag_bytes[i] ^= 0xCC;
    }
    puts((char *)flag_bytes);  /* puts, not printf(buf): the data is not a format string */
    return 0;
}

Compiling and running this snippet prints the flag directly, bypassing any license checks.

These three approaches—creating a matching DLL, patching the binary, or decoding the encrypted flag—demonstrate common techniques used in CTF Pwn challenges and illustrate practical PE file reconstruction, import‑table manipulation, and reverse‑engineering workflows.
