Tuesday, December 23, 2014

FLARE - Challenge 3


This is the third challenge from FireEye's "FLARE On" challenge (http://flare-on.com/).


In this challenge, the only file you're provided with is a Windows executable.

I first opened it in IDA and saw that it appears to write shellcode onto the stack and then start executing it:

I switched to OllyDbg and stepped through that part of the code, stopping once the shellcode had been called:

It starts with an XOR-decryption loop: the shellcode decrypts the next chunk of shellcode in place, then continues on and executes it.

By setting a breakpoint at the start of the code being decrypted, I fast-forwarded to the point where it starts executing:

You can see "and so it begins" copied onto the stack.

This process repeats a few times with new code being decrypted and new messages being placed on the stack:

Here, the message is "get ready to get nop'ed so damn hard in the paint".

There are a couple more decryption loops, and eventually we get to one that looks like this:

There's the email address we're looking for!

It looks like such.5h311010101@flare-on.com
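Rather than single-stepping each loop in the debugger, the same layers can be peeled statically once you know where each stage keeps its key. The script below is an added example, not code from the original post or from the challenge binary: it assumes a constructed toy stage layout (a `80 36 kk` stub, which is the encoding of `xor byte ptr [esi], kk`, followed by a little-endian 16-bit length and the XOR'ed body, where the body is a NUL-terminated message followed by the next stage), and it reuses the three messages above as constructed sample data with made-up keys; the real binary's layout and keys are not shown on this page. When a stage carries no readable stub, it falls back to scoring all 256 candidate keys against the expectation of an English message, the usual trick when the key is not sitting in an immediate.

```python
"""Static peeling of nested single-byte-XOR shellcode stages.

Constructed toy layout for this example (an assumption, not the real
FLARE binary's layout). Each stage is:

    80 36 <key>       ; xor byte ptr [esi], key   -- stub the key is read from
    <u16 LE length>   ; size of the encrypted body that follows
    <ciphertext>      ; XOR(message + NUL + next_stage, key)

A stage may omit the 3-byte stub (key held somewhere less obvious); then the
key is recovered by scoring every candidate against English-looking text.
"""
import struct

# Opcode bytes of `xor byte ptr [esi], imm8` (80 /6 ib, ModRM 0x36 = [esi]).
XOR_ESI_IMM8 = b"\x80\x36"


def xor_bytes(data: bytes, key: int) -> bytes:
    """The loop body: XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


def pack_stage(message: bytes, key: int, inner: bytes = b"", emit_stub: bool = True) -> bytes:
    """Build one stage in the toy layout (only used to construct sample input)."""
    plain = message + b"\x00" + inner
    stub = XOR_ESI_IMM8 + bytes([key]) if emit_stub else b""
    return stub + struct.pack("<H", len(plain)) + xor_bytes(plain, key)


def text_score(plain: bytes) -> int:
    """Reward bytes that look like an English message; punish control/high bytes."""
    score = 0
    for b in plain:
        if 0x61 <= b <= 0x7A or b == 0x20:   # a-z and space
            score += 3
        elif 0x41 <= b <= 0x5A:              # A-Z
            score += 2
        elif 0x21 <= b <= 0x7E:              # digits and punctuation
            score += 1
        elif b == 0:                         # NUL terminator is expected
            score += 0
        else:                                # control or non-ASCII byte
            score -= 10
    return score


def guess_key(cipher: bytes, window: int = 64) -> int:
    """Fallback key recovery: the key whose decrypted prefix scores highest."""
    return max(range(256), key=lambda k: text_score(xor_bytes(cipher[:window], k)))


def peel(blob: bytes) -> list:
    """Walk the stages, returning (key, message) for each layer in order."""
    layers = []
    while blob:
        key = None
        # Strict prefix match on the stub; a real sample should match the whole
        # loop, since a length header starting with 80 36 would be misread here.
        if blob.startswith(XOR_ESI_IMM8) and len(blob) >= 3:
            key = blob[2]          # read the immediate straight out of the stub
            blob = blob[3:]
        if len(blob) < 2:
            raise ValueError("truncated stage header")
        (length,) = struct.unpack_from("<H", blob, 0)
        cipher = blob[2:2 + length]
        if len(cipher) != length:
            raise ValueError("stage body shorter than its declared length")
        if key is None:
            key = guess_key(cipher)
        plain = xor_bytes(cipher, key)
        message, _, blob = plain.partition(b"\x00")   # remainder is the next stage
        layers.append((key, message))
    return layers


# Constructed sample: the three messages from the write-up nested three deep,
# with made-up keys. The middle stage has no stub, exercising guess_key().
SAMPLE_BLOB = pack_stage(
    b"and so it begins", 0x66,
    pack_stage(
        b"get ready to get nop'ed so damn hard in the paint", 0xA5,
        pack_stage(b"such.5h311010101@flare-on.com", 0x3C),
        emit_stub=False,
    ),
)

if __name__ == "__main__":
    for depth, (key, message) in enumerate(peel(SAMPLE_BLOB)):
        print(f"stage {depth}: key=0x{key:02x} message={message.decode()!r}")
```

Run it directly to print each layer's key and message. The scoring weights in `text_score` are tuned for lowercase English with spaces; for a stage whose plaintext is mostly code rather than a message, score against expected x86 prologue bytes instead, or simply read the key from the loop as the debugger walk above does.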
