FFModule
HackTheBox
Task: A Windows PE loader injects XOR-decoded shellcode into Firefox, where it hooks NSS networking code to steal plaintext POST data before TLS encryption. Solution: Reverse the injector and shellcode, identify the custom rolling transform used for UDP exfiltration, and apply the same routine to the embedded marker to recover the flag.
Description
The challenge provides ffmodule.exe, a 64-bit Windows console executable presented as a Firefox hooking module. The goal is to understand what the injected payload does and recover the hidden flag from the malware logic.
Analysis
main prints Running Firefox (105.0.1) Hooking Module and decodes the first 0x5a4 bytes of its .data section with XOR key 0x72. The decoded blob is x64 shellcode that gets injected into firefox.exe through the standard remote injection sequence: CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, and CreateRemoteThread.
Inside the shellcode, APIs are resolved dynamically with CRC32C hashing. The resolver walks the export table and matches GetProcAddress by hash 0x43aac47d, then resolves helpers such as VirtualAlloc and VirtualProtect. It also searches for Firefox NSS libraries by hashed names and locates PR_Write, which is the function chosen for hooking.
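To annotate a hash-based resolver like the one described above, it helps to precompute CRC32C values for candidate export names and look up the constants seen in the disassembly. The script below is an added example, not code from the writeup or the challenge: it implements standard CRC-32C (Castagnoli, reflected polynomial 0x82F63B78) and tries a few input variants (with and without the terminating NUL, case-folded) because which one the shellcode feeds into the hash is an assumption; the value 0x43aac47d is the GetProcAddress hash the writeup reports.

```python
#!/usr/bin/env python3
# Added example (not part of the original writeup): CRC32C lookup table for
# export names, used to annotate hash constants found in a shellcode resolver.

CRC32C_POLY = 0x82F63B78  # reflected Castagnoli polynomial

def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _make_table()

def crc32c(data: bytes) -> int:
    """Standard CRC-32C: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

# Input variants a resolver might hash (assumption; the real one may differ).
VARIANTS = {
    "plain":     lambda s: s.encode(),
    "nul":       lambda s: s.encode() + b"\x00",
    "lower":     lambda s: s.lower().encode(),
    "lower_nul": lambda s: s.lower().encode() + b"\x00",
}

def build_table(names):
    """Map hash -> (name, variant) for every name/variant combination."""
    table = {}
    for name in names:
        for label, fn in VARIANTS.items():
            table.setdefault(crc32c(fn(name)), (name, label))
    return table

def resolve(target_hash, names):
    """Return (name, variant) whose CRC32C equals target_hash, or None."""
    return build_table(names).get(target_hash)

if __name__ == "__main__":
    names = ["GetProcAddress", "VirtualAlloc", "VirtualProtect", "PR_Write"]
    print(f"0x43aac47d -> {resolve(0x43aac47d, names)}")  # hash from the writeup
```

Extend the name list with the export tables of the DLLs the shellcode walks (kernel32, the NSS libraries) to label the remaining constants; a None result means the resolver uses a variant not covered here.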
The hook activates only when the outgoing buffer begins with POST, which means the malware intercepts plaintext HTTP POST bodies before Firefox passes them into the TLS layer. Stolen data is then obfuscated with a custom 32-byte rolling transform and sent out with sendto() over UDP to 127.0.0.1:1337.
The same transform is also applied to an embedded 16-byte 0xff marker. Reversing that routine yields the flag directly.
Solution
- Open ffmodule.exe and identify the .data decode loop using XOR key 0x72.
- Extract and decode the first 0x5a4 bytes to obtain the shellcode.
- Disassemble the shellcode and follow the export-hash resolver to confirm GetProcAddress, VirtualAlloc, VirtualProtect, NSS module discovery, and the PR_Write hook.
- Notice the POST comparison at the start of the hook, showing the payload only steals outgoing plaintext form data.
- Reconstruct the rolling byte transform used before sendto().
- Apply that same transform to the embedded 16 * 0xff marker to reveal the flag.
#!/usr/bin/env python3
# Flag recovered by applying the reversed rolling transform to the 0xff marker.
FLAG = b"HTB{3vL_FIr3f0x_H00k1ng_M4lware}"

def main():
    print(FLAG.decode())

if __name__ == "__main__":
    main()