MalwareTech Windows Reversing Challenge #5 Write-Ups
[ Shellcode ]
Position independent code (AKA Shellcode) is assembly code which can simply be copied to a memory location and run. Due to the lack of need for complex loading & initialization, it is popular for many tasks such as code injection. These challenges are designed to test your ability to reverse engineer malware shellcode.
Shellcode2
Hi, now we are given a PE file named shellcode2.exe_.
Description:
shellcode2.exe contains a flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?
Rules & Information:
- You are not required to run shellcode2.exe; this challenge is static analysis only.
- Do not use a debugger or dumper to retrieve the decrypted flag from memory; this is cheating.
- Analysis can be done using the free version of IDA Pro (you don’t need the debugger).
Detect It Easy result:
I opened it in Ghidra and found only one function recognized by Ghidra, the entry point function. Here is the output of Ghidra's decompiler:
Let’s break it down!!!
First, we have a byte array stored in stack memory. I guessed this is encrypted data, so I named it encrypted_data.
Second, we have allocated heap memory, stored in local_8, that holds some data.
This heap allocation is 0x10 bytes, or 4 DWORDs, which store:
- #1 DWORD stores LoadLibraryA address
- #2 DWORD stores GetProcAddress address
- #3 DWORD stores encrypted_data address
- #4 DWORD stores 0x24
Third, we have memory allocated with PAGE_EXECUTE_READWRITE permission, stored in _Dst.
Then DAT_00404040 is copied into this allocated memory, and after that it is executed as shellcode with local_8 passed as the parameter.
Now let’s analyze the shellcode, disassemble DAT_00404040, and set it as a function in Ghidra so we can decompile it and break it down.
First, the shellcode initializes some strings in stack memory,
and these are what we get after analyzing them:
From those strings, I guessed that this shellcode does dynamic loading of some modules and functions.
Next, the shellcode copies two values from the parameter structure into local variables.
Here local_8 holds the LoadLibraryA address and local_48 holds the GetProcAddress address. To make the code clearer, I renamed these two variables in Ghidra to:
- local_8 => LoadLibraryA
- local_48 => GetProcAddress
Next, the shellcode loads msvcrt.dll and kernel32.dll and stores their base addresses in local variables.
Next, the shellcode resolves some function addresses and stores them in local variables.
Let's rename those local variables to:
- local_14 = GetModuleFileNameA
- local_84 = fopen
- local_a8 = fseek
- local_94 = fread
- local_68 = fclose
Next, the shellcode opens the current executable file (shellcode2.exe_) in rb mode.
Next, the shellcode sets the file position of the stream to offset 0x4e, reads 0x26 bytes into the buffer local_3c, then closes the stream.
This is the data the shellcode reads:
Next, the shellcode copies the last two values stored in the parameter structure.
puVar1 holds the DWORD value 0x24 and puVar2 holds the encrypted_data address, so let's rename them to:
- puVar1 => DWORD_24h
- puVar2 => encrypted_data
Next, I guessed that the shellcode performs the decryption with an XOR loop between encrypted_data and local_3c (used as the XOR key), iterating 0x24 times.
Now let's try to decrypt. I extracted encrypted_data from Ghidra to a file using this script:
and I extracted the XOR key to a file using a hex editor (HxD), so now we have two files, encrypted_data.dat and xor_key.dat.
I made a Python script that emulates the decryption process and writes the result to a file.
I opened the result file in HxD:
We get a very interesting decoded string here: FLAG{STORE-EVERYTHING-ON-THE-STACK}.
I checked that string as the flag on the challenge website, and here is the result:
Yep, we've got the FLAG.
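The decryption routine as described above, written out as an added Python example (this is not the author's script, which is not reproduced on the page). The executable image, key and ciphertext are constructed stand-ins because the real bytes are not on the page; the key text used for the stand-in is an assumption.

```python
# Added example: emulate the shellcode's decryption as described in the write-up.
# Offsets and lengths come from the analysis above; the sample bytes below are
# constructed, not taken from the real shellcode2.exe_.
from pathlib import Path

FILE_OFFSET = 0x4E   # fseek target inside the executable
KEY_LEN = 0x26       # bytes fread into local_3c (the XOR key)
LOOP_COUNT = 0x24    # DWORD_24h: number of bytes the XOR loop processes


def read_key_from_image(image: bytes, offset: int = FILE_OFFSET, length: int = KEY_LEN) -> bytes:
    """Emulate fopen("rb") / fseek(offset) / fread(length) on the executable's own bytes."""
    key = image[offset:offset + length]
    if len(key) != length:
        raise ValueError(f"image too short: need {length} bytes at 0x{offset:x}")
    return key


def xor_decrypt(encrypted: bytes, key: bytes, count: int = LOOP_COUNT) -> bytes:
    """out[i] = encrypted[i] ^ key[i] for i < count. XOR is symmetric, so this also encrypts."""
    if len(encrypted) < count or len(key) < count:
        raise ValueError("buffers shorter than the loop count")
    return bytes(encrypted[i] ^ key[i] for i in range(count))


def as_flag(decrypted: bytes) -> str:
    """Treat the result as a C string: stop at the first NUL byte."""
    return decrypted.split(b"\x00", 1)[0].decode("ascii")


def decrypt_files(encrypted_path: str, key_path: str, out_path: str) -> bytes:
    """Same operation on the two extracted .dat files (encrypted_data.dat, xor_key.dat)."""
    result = xor_decrypt(Path(encrypted_path).read_bytes(), Path(key_path).read_bytes())
    Path(out_path).write_bytes(result)
    return result


# Constructed sample: a stand-in executable with a 0x26-byte key at offset 0x4e.
# Assumption (not stated on the page): the key text is the usual DOS-stub message.
SAMPLE_KEY = b"This program cannot be run in DOS mode"        # 0x26 bytes, constructed
SAMPLE_IMAGE = b"MZ" + b"\x00" * (FILE_OFFSET - 2) + SAMPLE_KEY + b"\x00" * 16
PLAINTEXT = b"FLAG{STORE-EVERYTHING-ON-THE-STACK}\x00"         # 0x24 bytes incl. NUL
SAMPLE_ENCRYPTED = xor_decrypt(PLAINTEXT, SAMPLE_KEY)          # constructed ciphertext

if __name__ == "__main__":
    key = read_key_from_image(SAMPLE_IMAGE)
    print(as_flag(xor_decrypt(SAMPLE_ENCRYPTED, key)))        # FLAG{STORE-EVERYTHING-ON-THE-STACK}
```

With the real files, `decrypt_files("encrypted_data.dat", "xor_key.dat", "decrypted.dat")` performs the same loop the shellcode does.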
Challenge source: https://www.malwaretech.com/challenges/windows-reversing/shellcode2