FFModule
HackTheBox
Task: A Windows PE loader injects XOR-decoded shellcode into Firefox, where it hooks NSS networking code to steal plaintext POST data before TLS encryption. Solution: Reverse the injector and shellcode, identify the custom rolling transform used for UDP exfiltration, and apply the same routine to the embedded marker to recover the flag.
Description
The challenge provides ffmodule.exe, a 64-bit Windows console executable presented as a Firefox hooking module. The goal is to understand what the injected payload does and recover the hidden flag from the malware logic.
Analysis
main prints "Running Firefox (105.0.1) Hooking Module" and decodes the first 0x5a4 bytes of its .data section with the single-byte XOR key 0x72. The decoded blob is x64 shellcode that is injected into firefox.exe through the standard remote injection sequence: CreateToolhelp32Snapshot, Process32First and Process32Next to find the firefox.exe PID, OpenProcess, VirtualAllocEx and WriteProcessMemory to place the blob, VirtualProtectEx to make it executable, and CreateRemoteThread to start it.
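The first stage is worth scripting rather than patching out by hand, so here is an added example (not code from the writeup or the challenge) that walks the PE section table, pulls the .data section and XOR-decodes its first 0x5a4 bytes with 0x72 exactly as the loader does. The minimal PE built by build_sample_pe is constructed for the demo and stands in for ffmodule.exe; the four leading opcode bytes in the sample are likewise made up.

```python
"""Extract and XOR-decode the .data blob a PE loader decrypts at runtime (added example)."""
import struct


def find_section(pe: bytes, name: bytes):
    """Return (PointerToRawData, SizeOfRawData) of the named section by parsing the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table starts right after the optional header
    for i in range(num_sections):
        hdr = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        sec_name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        if sec_name == name:
            return raw_ptr, raw_size
    raise KeyError(f"section {name!r} not found")


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation for encoding and decoding."""
    return bytes(b ^ key for b in blob)


def extract_shellcode(pe: bytes, length: int = 0x5A4, key: int = 0x72, section: bytes = b".data") -> bytes:
    """Decode the first `length` bytes of `section`, refusing to read past the section's raw data."""
    off, size = find_section(pe, section)
    if length > size:
        raise ValueError(f"requested {length:#x} bytes but section holds only {size:#x}")
    return xor_decode(pe[off:off + length], key)


def build_sample_pe(encoded_data: bytes) -> bytes:
    """Constructed minimal PE with one '.data' section at raw offset 0x200 (not ffmodule.exe)."""
    e_lfanew, raw_ptr = 0x80, 0x200
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=AMD64, 1 section, no optional header (enough for the section walk), Characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0, 0x22)
    sec = e_lfanew + 24
    hdr[sec:sec + 8] = b".data".ljust(8, b"\0")
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sec + 8, len(encoded_data), 0x3000, len(encoded_data), raw_ptr)
    return bytes(hdr) + encoded_data


if __name__ == "__main__":
    # Constructed stage: a made-up prologue (sub rsp, 0x28) padded with nops to 0x5a4 bytes.
    plain = b"\x48\x83\xec\x28" + b"\x90" * (0x5A4 - 4)
    sample = build_sample_pe(xor_decode(plain, 0x72))
    shellcode = extract_shellcode(sample)
    print(f".data at {find_section(sample, b'.data')}, decoded head: {shellcode[:4].hex()}")
    # For the real target: extract_shellcode(open("ffmodule.exe", "rb").read()), then load the
    # result in a disassembler as raw x64 at base 0.
```

The decoded bytes are what lands in firefox.exe, so disassembling this output (rather than the encoded .data section) is the starting point for the resolver and hook analysis below.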
Inside the shellcode, APIs are resolved dynamically with CRC32C hashing. The resolver walks the export table and matches GetProcAddress by hash 0x43aac47d, then resolves helpers such as VirtualAlloc and VirtualProtect. It also searches for Firefox NSS libraries by hashed names and locates PR_Write, which is the function chosen for hooking.
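To turn the hashes seen in the resolver back into names, here is an added example (my own script, not the writeup's or the challenge's) that computes CRC32C over a list of export names and builds a hash-to-name table. It goes slightly beyond the text: the page only says "CRC32C", and shellcode built around the x86 crc32 instruction often drops the initial or final inversion, so the table is built for three conventions and the lookup reports which one matched. The export list is constructed for the demo; against the real binary you would feed it the export names of kernel32.dll and nss3.dll.

```python
"""Rebuild CRC32C API hashes from export names for a hash-based resolver (added example)."""
from typing import Dict, Iterable, Optional, Tuple

CRC32C_POLY = 0x82F63B78  # reflected Castagnoli polynomial, as used by the SSE4.2 crc32 instruction

# (label, initial value, final xor): the instruction itself applies neither inversion, the author does.
VARIANTS: Tuple[Tuple[str, int, int], ...] = (
    ("standard", 0xFFFFFFFF, 0xFFFFFFFF),
    ("no-final-xor", 0xFFFFFFFF, 0),
    ("raw", 0, 0),
)


def crc32c(data: bytes, init: int = 0xFFFFFFFF, xorout: int = 0xFFFFFFFF) -> int:
    """Bitwise reflected CRC32C; the default parameters give the standard CRC-32C value."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC32C_POLY if crc & 1 else 0)
    return (crc ^ xorout) & 0xFFFFFFFF


def build_tables(names: Iterable[bytes]) -> Dict[int, Tuple[str, str]]:
    """Map hash -> (export name, variant label) for every convention, so one lookup covers all."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in names:
        for label, init, xorout in VARIANTS:
            table[crc32c(name, init, xorout)] = (name.decode(), label)
    return table


def resolve(hash_value: int, table: Dict[int, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (name, variant) for a hash pulled from the shellcode, or None if no export matches."""
    return table.get(hash_value & 0xFFFFFFFF)


# Constructed export list; a real run pulls these from the DLL export directories (e.g. with pefile).
SAMPLE_EXPORTS = [b"GetProcAddress", b"LoadLibraryA", b"VirtualAlloc", b"VirtualProtect",
                  b"CreateRemoteThread", b"PR_Write", b"PR_Read"]


def resolve_all(hashes: Iterable[int], names: Iterable[bytes] = SAMPLE_EXPORTS):
    """Resolve every hash in one pass; unmatched hashes map to None."""
    table = build_tables(names)
    return {h: resolve(h, table) for h in hashes}


if __name__ == "__main__":
    # 0x43aac47d is the GetProcAddress hash quoted in the writeup; with the real kernel32 export
    # list the variant label of the hit tells you which convention the shellcode uses.
    for h, hit in resolve_all([0x43AAC47D, crc32c(b"VirtualProtect"), crc32c(b"PR_Write", 0, 0)]).items():
        print(f"{h:#010x} -> {hit}")
```

Once the variant is known, running build_tables over every export of the DLLs the shellcode touches gives a complete rename list for the disassembler, which is faster than stepping through the resolver for each call site.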
PR_Write is the top-level NSPR I/O call Firefox makes with the still-unencrypted request; the SSL layer beneath it does the encryption. The hook fires only when the outgoing buffer begins with POST, so the malware captures plaintext HTTP POST bodies (including those destined for HTTPS connections) before they reach TLS. Stolen data is then obfuscated with a custom 32-byte rolling transform and sent with sendto() over UDP to 127.0.0.1:1337.
The same transform is also applied to an embedded 16-byte marker of 0xff bytes. Reversing that routine and running it over the marker yields the flag directly.
Solution
...