Memdump to leak the currently active process (Paint image)

Challenge description: "kata budi do re mi IZINKAN KU LUKIS SENJA MENGUKIR NAMAMU DISANA" (Indonesian: Budi's words, do re mi, LET ME PAINT THE SUNSET, CARVING YOUR NAME THERE). File: https://mega.nz/file/r8EgxBSK#2-mzO_zD2D55xd4L4Ft2KESujbA6rF6YaWCnAFGyCkU. Hint: the clue is inside the file (if you look carefully you won't have to guess). Author: @ud1nsan. Flag format: technofair{}

imageinfo: Win7

filescan, suspicious file:
Pasted image 20240318162155.png
Its contents:
Pasted image 20240318162224.png

We went straight for the mftparser plugin to recover temp and recycle-bin files and folders.

Suspicious txt file:
Pasted image 20240318162354.png
We assume this is a hint.
Hint 1 (as shown in the mftparser output):


bermain.sepak.bola.adalah.hal.yang.mengasikan.banyak.sekali.peraturan.disini.diantara.nya.adalah..OFFSET.serta.pelanggaran.dan.lain.lain,.bayangkan.jika.suatu.lapangan.memiliki.luas.512.x.512

Stuck for a while. The hint (in Indonesian) says that football has many rules, among them OFFSET and fouls, and asks us to imagine a field measuring 512 x 512. We also re-read the title and the description:
kata budi do re mi IZINKAN KU LUKIS SENJA MENGUKIR NAMAMU DISANA (LET ME PAINT THE SUNSET, CARVING YOUR NAME THERE)

Lukis??? Paint?? We assume this memory image was captured while Paint was running. Let's check with pstree, which lists the running processes.

Pasted image 20240318162528.png

Yes, correct: notepad is running. We can dump the running process and see which image is open in Paint using memdump.
Command:
volatility2 -f damdamsitdamdamapelo.raw --profile=Win7SP1x64 memdump -p 2800 -D output_dump_files

-p gives the PID, -D the output folder.

(We need to change the extension to .data so that GIMP recognizes the Paint process dump as raw image data.)
After that we open it in GIMP.
Pasted image 20240318162630.png

But the result is broken. We can set the image type to sRGB Alpha so the data is read as full sRGB with an alpha channel.

From the hint (512x512) we set that width and height. Then we adjust the offset by trying the offsets one by one:
Pasted image 20240318163026.png
At this offset we can see a yellow colour and part of the flag, so it must be around here.

Pasted image 20240318163223.png
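The GIMP step above is a manual search for where the 512x512 canvas starts inside the dump. As an added example (not part of this writeup or the challenge files), the Python below does that search over a raw memdump output file by finding runs of opaque 32bpp BGRA pixels at least width*height long, then exports one candidate as a PPM that GIMP opens directly. It assumes the pixel buffer is 4-byte aligned in the dump (memdump writes whole pages, so heap alignment survives); the sample dump it builds is constructed noise with an embedded white-and-yellow canvas, not the challenge file.

```python
"""Carve 32bpp BGRA canvases out of a raw process dump (e.g. volatility memdump output).

GIMP's raw import is the manual route (set 512x512, slide the offset). This does the
search step: find byte ranges where every 4th byte is 0xFF (opaque alpha) for at least
width*height pixels, i.e. a candidate canvas, then export one as PPM for GIMP.
Assumption: the pixel buffer is 4-byte aligned in the dump (memdump writes whole pages).
"""
import random
import re
import sys


def find_bgra_regions(data: bytes, width: int, height: int):
    """Return (offset, pixel_count) for every run of >= width*height opaque BGRA pixels."""
    need = width * height
    alpha_plane = data[3::4]  # alpha byte of each 4-byte-aligned pixel
    return [(4 * m.start(), m.end() - m.start())
            for m in re.finditer(rb"\xff{%d,}" % need, alpha_plane)]


def bgra_to_ppm(data: bytes, offset: int, width: int, height: int) -> bytes:
    """Convert the BGRA block at `offset` into a binary PPM (P6), which GIMP opens directly."""
    px = data[offset:offset + width * height * 4]
    if len(px) < width * height * 4:
        raise ValueError("block runs past end of dump")
    rgb = bytearray(width * height * 3)
    rgb[0::3], rgb[1::3], rgb[2::3] = px[2::4], px[1::4], px[0::4]  # BGRA -> RGB
    return b"P6\n%d %d\n255\n" % (width, height) + bytes(rgb)


def build_sample_dump(canvas_off: int = 0x2A004, width: int = 512, height: int = 512) -> bytes:
    """Constructed stand-in for a dump (not the challenge file): seeded noise with a
    white canvas carrying a yellow bar embedded at canvas_off."""
    buf = bytearray(random.Random(2024).randbytes(3 * 1024 * 1024))
    white, yellow = b"\xff\xff\xff\xff", b"\x00\xff\xff\xff"  # BGRA byte order
    canvas = b"".join(yellow if 100 <= y < 200 and 64 <= x < 448 else white
                      for y in range(height) for x in range(width))
    buf[canvas_off:canvas_off + len(canvas)] = canvas
    buf[canvas_off - 1] = 0                 # guard bytes so the alpha run ends
    buf[canvas_off + len(canvas) + 3] = 0   # exactly at the canvas edges
    return bytes(buf)


if __name__ == "__main__":
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    regions = find_bgra_regions(dump, 512, 512)
    for off, count in regions:
        print(f"candidate canvas at offset 0x{off:x} ({count} pixels, ~{count // 512} rows)")
    if regions:
        with open("canvas.ppm", "wb") as fh:  # open in GIMP, no offset guessing needed
            fh.write(bgra_to_ppm(dump, regions[0][0], 512, 512))
```

Run it as `python carve.py output_dump_files/2800.dmp`; a run longer than 512*512 pixels means the canvas is taller than 512 rows, and `count // 512` gives the height to set in GIMP.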

We get the flag:

technofair{dump_3a5y}