  • Analysing IcedID: The macro and Mshta

    Analysing IcedID malware Context I was looking for malware to analyse just for fun. One day, I saw a post on Twitter from Suspicious Link, where there was a link to the app.any.run sample. I thought it would be an opportunity to check out the sample. I’ll describe...

  • Defenit CTF 2020 - Malicious Baby

    Defenit CTF 2020 had a reverse engineering challenge, Malicious Baby, which was a Windows binary. The goal was to unpack it and get the flag, as the description tells us. Description: There is a malicious binary packed with a PE Packer I made for you. Your mission is unpacking the...

  • UTCTF 2020 - Crack the heart

    There was this challenge called Crack the heart during the UTCTF. Although it wasn’t particularly difficult, there were different ways to solve this challenge: angr, digging deep down into the reversing, etc. My solution was to patch the binary and then pin it. As I like to not over reverse...

  • Simple unpacking using IDA (Python)

    Unpacking binaries is a common thing in malware analysis and binaries in CTFs. I used to put a breakpoint just before the unpacked code was called, dump the memory and analyse it, but this comes with a lot of disadvantages (I still do it though). In this post, I’ll show how...

  • Patching binary in order to debug child process

    I sometimes stumble into binaries that use CreateProcess, CreateProcessInternal, CreateThread or any functions like that. In this case, the binary is using the CreateProcess function. When debugging with xdbg, we cannot follow the code execution. In order to debug the binary, I often patch it, then run it and hook to...