About:
This is the 3rd challenge from FireEye's "FLARE On" challenge (http://flare-on.com/)
Solution:
In this challenge, the only file you're provided with is a Windows executable file.
I first opened it up in IDA and saw that it seems to prepare the stack with some shellcode, and then start executing it.
I switched to Ollydbg and started stepping through that part of the code, and stopped after the shellcode was called.
It looks like it starts out with an XOR-decryption loop, where the shellcode decrypts and prepares the next bit of shellcode before continuing on and executing it.
By setting a breakpoint at the start of the code that's undergoing decryption, I fast-forwarded to the part where it starts to get executed.
You can see "and so it begins" copied onto the stack.
This process repeats a few times, with new code being decrypted and new messages being placed on the stack.
There are a couple more decryption loops, and eventually we get to one that looks like this:
There's the email address we're looking for!
It looks like this: such.5h311010101@flare-on.com
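The staged decryption described above can also be unpacked statically instead of single-stepping each loop in the debugger. The script below is an added example, not code from this writeup or from the challenge; the layer layout (1-byte key, 1-byte length, NUL-terminated message followed by the next layer) and the keys are constructed for illustration, and the embedded sample blob is built by the script itself.

```python
"""Static unpacker for the layered XOR shellcode pattern described above.

Constructed layer layout (an assumption for this example, not the real
challenge's): key(1 byte) | length(1 byte) | body(length bytes), where
body XOR key = message + b"\\x00" + next_layer.  The innermost layer has
an empty next_layer.
"""


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the operation each decryption loop performs."""
    return bytes(b ^ key for b in data)


def pack_layers(messages: list, keys: list) -> bytes:
    """Build a constructed test blob; the last message ends up innermost."""
    blob = b""
    for msg, key in zip(reversed(messages), reversed(keys)):
        body = xor_bytes(msg.encode() + b"\x00" + blob, key)
        blob = bytes([key, len(body)]) + body
    return blob


def unpack_layers(blob: bytes) -> list:
    """Peel every layer statically; returns the message each stage reveals."""
    messages = []
    while blob:
        if len(blob) < 2:
            raise ValueError("truncated layer header")
        key, length = blob[0], blob[1]
        body = blob[2:2 + length]
        if len(body) != length:
            raise ValueError("layer body shorter than declared length")
        plain = xor_bytes(body, key)
        msg, sep, blob = plain.partition(b"\x00")  # remainder is next layer
        if not sep:
            raise ValueError("message terminator missing")
        messages.append(msg.decode("ascii", errors="replace"))
    return messages


# Constructed sample: two stages with arbitrary keys, mirroring the writeup.
SAMPLE_MESSAGES = ["and so it begins", "such.5h311010101@flare-on.com"]
SAMPLE_KEYS = [0x41, 0x7A]
SAMPLE_BLOB = pack_layers(SAMPLE_MESSAGES, SAMPLE_KEYS)

if __name__ == "__main__":
    for stage, message in enumerate(unpack_layers(SAMPLE_BLOB)):
        print(f"stage {stage}: {message}")
```

Note that neither message is visible in the packed blob, which is why a plain string search over the binary misses the flag and the layers have to be peeled first.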