
MalwareTech’s shellcode 1 : Static Analysis Walkthrough

This is a quick walkthrough for Shellcode 1, one of the static analysis challenges by MalwareTech.

Problem Statement :

shellcode1.exe contains a flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

-MalwareTech

You can download the shellcode1.exe from MalwareTech’s site. The password to the zip file is MalwareTech.

Let's begin by loading the file in IDA right away.


Looking at the first few lines of the code, we see GetProcessHeap being called. GetProcessHeap retrieves a handle to the heap of the calling process. It is followed by a call to HeapAlloc, which allocates a block of memory on the heap. This is enough for us to know the code is dealing with the process heap. Moving forward, we see offset Str being pushed onto the stack. Let's see what offset Str refers to: double-click on Str.


Str has some values initialized i.e. ‘2b’, 0Ah, ‘:’, DB, 9A, 42, … , 00.

Let’s go back to the code to see what it’s being used for and if it is related to the flag we are looking for.


Next there is a call to another Windows API, VirtualAlloc. VirtualAlloc allocates memory in the virtual address space of the calling process. The size parameter being passed is dwSize, which is defined as 0Dh (13), so 13 bytes of memory are allocated.

Next there is a call to the memcpy function. Let's take a look at what this function does. A quick Google search 😉


Okay, now we know memcpy takes three parameters: dest, src and count. In our case the count (size) is 0Dh (i.e. 13) and the destination is where EDX is pointing. The important one is src, which is an offset to unk_404068. Let's take a look at what unk_404068 holds.


The bytes look like gibberish, but press C and IDA disassembles them as code.

Okay, it's reading the bytes from Str and performing a left rotate on each of them. It looks like decoder logic. rol byte ptr [edi+ecx-1], 5 rotates the byte at that address left by 5 bits.

Now let's go back, note down all the values initialized in Str, and write a C program that rotates each of them left by 5 bits to see what we get.

Executing it, we get:

FLAG{SHELLCODE-ISNT-JUST-FOR-EXPLOITS} is what we are looking for. 😉
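The decoding step described above, as an added example rather than the author's own program: it applies the rotate-left-by-5 to the seven Str bytes listed earlier in the walkthrough and checks the round trip. The function names are illustrative, and the countdown loop direction is an assumption based on the `[edi+ecx-1]` addressing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotate an 8-bit value left by n bit positions (n taken modulo 8). */
static uint8_t rol8(uint8_t v, unsigned n)
{
    n &= 7;
    return (uint8_t)((v << n) | (v >> ((8 - n) & 7)));
}

/* Inverse rotation, used only to confirm the round trip. */
static uint8_t ror8(uint8_t v, unsigned n)
{
    return rol8(v, 8 - (n & 7));
}

/* Decode len bytes in place, last byte first. The direction is assumed from
 * the [edi+ecx-1] operand (ecx as a countdown); it does not affect the result. */
static void rol_decode(uint8_t *buf, size_t len, unsigned n)
{
    for (size_t i = len; i > 0; i--)
        buf[i - 1] = rol8(buf[i - 1], n);
}

/* First seven bytes of Str as listed in the walkthrough; the bytes the page
 * elides are not reproduced here. */
static const uint8_t STR_PREFIX[] = { '2', 'b', 0x0A, ':', 0xDB, 0x9A, 0x42 };

/* Decode the prefix into out (NUL-terminated); returns bytes decoded, 0 if out is too small. */
static size_t decode_prefix(char *out, size_t outsz)
{
    size_t len = sizeof STR_PREFIX;
    if (outsz < len + 1)
        return 0;
    memcpy(out, STR_PREFIX, len);
    rol_decode((uint8_t *)out, len, 5);
    out[len] = '\0';
    return len;
}

int main(void)
{
    char out[16] = "";
    size_t n = decode_prefix(out, sizeof out);
    printf("decoded prefix: %s\n", out);
    printf("round trip ok: %d\n", n && ror8((uint8_t)out[0], 5) == STR_PREFIX[0]);
    return 0;
}
```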
