Code of The Day

https://crackmes.one/crackme/60906d5833c5d458ce0ec80b I’ve been doing plenty of crackmes as a way to improve my RE skills, although I do stay away from Keygen challenges as I don’t find them particularly interesting. Instead, I’m attempting those that require you to key in a right username or password. This write up is about a pretty interesting and challenging […]

Today we’re gonna look at a sample of FormBook Malware, which contains AgentTesla within it. It features things such as hiding an EXE within an EXE, and installing a persistent backdoor within the system. Source: https://bazaar.abuse.ch/sample/35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d/#intel First DNSpy Analysis When we run the exe file through DNSpy, it looks to be building a simple form. […]

The sample we’re analyzing is part of the Ave Maria RAT malware family, but judging from it’s simple functions, perhaps it’s simply a loader to download the more complete malware. The file disguises itself as a PDF file with the icon, but in actuality, it’s a .NET program. We fire up DNSpy and load it […]

After doing a substantial amount of RE challenges, I decided to analyze real Malware to see if what I’ve learnt is actually useful, and I have to say, I think it really helped! In this post, I’ll be dissecting the initial portions of the Linux variant of LockBit. Basic Information The binary on its own […]

Before we start, this will probably be the last RE Series from HTB, as I’ve completed almost all of the RE challenges on HTB. Almost, because some of them has trouble running on my machine, and I’m honestly too lazy to fix broken challenges. I’ll probably now pivot towards analyzing real-life malware, and hopefully what […]

An interesting challenge with a tricky obfuscator. Honestly, once the code has been de-obfuscated, it’s quite straight forward! Static Analysis Running it through Exeinfo, we see that the binary has been packed with ConfuserEx. The hardest part actually is finding the deobfuscator Opening the binary with DNSpy, this is what the obfuscated version looks like: […]

A fun CTF that has unreachable code, although I wonder how practical this is in real life! Static Analysis with Ghidra We throw the binary into Ghidra to analyze the main function It’s pretty complicated. On line 13, its creating a value based off srand() from iVar2 On line 15, it checks if there are […]

My first Insane challenge, and I’m glad I solved it. Binary Analysis Running some simple analysis, we see that the binary prompts us for a password, it’s a stripped binary, dynamically linked, and curiously ltrace fails immediately. Dynamic Analysis with IDA As we step through the function, we get to the part where it calls […]

A write up for the challenges posted here: https://github.com/wapiflapi/exrs I’ve only done r1-r7, and I’ve yet to do r8 and r9 R1 As straight forward as running “strings” on the binary R2 Some dynamic analysis is involved. We run the program through IDA, and breakpoint at the string comparison to see what it’s comparing to […]