It's over

hackerlab

Task: Reverse engineer a WinRAR SFX-wrapped PE executable with anti-debug and decoy flag. Solution: Discovered self-modifying code in PE overlay that decrypts hidden ChaCha20 verification shellcode using SUB+XOR transformation.

xor mingw shellcode chacha20 anti_debug self_modifying_code sfx_unpacking decoy_flag pe_overlay virtualprotect

WinRAR SFX unpackingDecoy flag identification via XOR decodingSelf-modifying code analysis in PE overlayRuntime shellcode decryption (SUB+XOR)ChaCha20 parameter extraction from x86-64 assemblyObfuscated constant recovery via XOR with 0xa5a5a5a5

$ ls tags/ techniques/

xor mingw shellcode chacha20 anti_debug self_modifying_code sfx_unpacking decoy_flag pe_overlay virtualprotect

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[reverse][Pro]Весёлый EXE (Funny EXE)— hackerlab
[forensics][Pro]Чувак, где мой флаг? (Dude, Where's My Flag?)— hackerlab
[reverse][free]Debugme— HackTheBox
[reverse][Pro]task1.out (re2)— rev-kids20.forkbomb.ru
[reverse][Pro]Очень защищенный банк (Super Protected Bank)— duckerz