-
Hack the Box Dirty Money 2022 - Mr. Abilgate
Another challenge from Hack The Box. This time, we are given an PE file, KeyStorage.exe and an encrypted file, ImportantAssets.xls.bhtbr. Assuming the binary will traverse the filesystem en encrypt some files, we can guess what function calls could be made. TLDR: Patch the BCryptEncrypt function pointer to BCryptDecrypt using Frida....
-
Hack the Box Business 2020 - Ghost
This challenge was from the Hack the Box Business CTF and was a malware analysis kind. When reversing, I tend not to focuss too deeply on what’s is really going on and only look towards what can be useful. Renaming functions and variables, deobfuscation and doing a good work is...
-
Analysing IcedID: The macro and Mshta
Analysing IcedID malware Context I was looking up for a malware to analyse just for fun. One day, I’ve saw a post on twitter from Suspicious Link, when there was a link to the app.any.run sample. I thought it would be an opportunity to check out the sample. I’ll describe...
-
Defenit CTF 2020 - Malicious Baby
Defenit CTF 2020 had a reverse engineering chalenge, Malicious Baby, which was a Windows binary. The goal was to unpack it and get the flag, as the description tells us. Description: There is a malicious binary packed with a PE Packer I made for you. Your mission is unpacking the...
-
UTCTF 2020 - Crack the heart
There was this challenge called Crack the heart during the UTCTF. Although it wasn’t particularly difficult, there were differents ways to solve this challenge: angr, digging deep down into the reversing, etc. My solution was to patch the binary and then pin it. As I like to not over reverse...
-
Simple unpacking using IDA (Python)
Unpacking binaries is a common thing in malware analysis and binaries in CTFs. I used to put a breakpoint just before the unpacked was called, dumped the memory and analyzed it, but this comes with a lot of disadvantages (I still do it though.). In this post, I’ll show how...
-
Patching binary in order to debug child process
I sometimes stumble into binaries that use CreateProcess, CreateProcessInternal, CreateThread or any functions like that. In this case, the binary is using CreateProcess function. When debugging with xdbg, we cannot follow the code excution. In order to debug the binary, I often patch it, then run it and hook to...