Вишнёвая семёрка (Cherry Seven)
hackerlab
reverse / hard
Task: Analyze a fake 7-Zip installer (8.8 MB, versus 1.6 MB for the legitimate one) and find the malicious backdoor. Solution: Parse the Inno Setup container format, extract its 108 files (LZMA2 decompression followed by reversal of the TransformCallInstructions filter), diff the file set against the legitimate installer to spot the injected 7zGM.exe, locate the AES-128-CBC encrypted payload hidden in its resources, decrypt the inner PE, and decode the flag by subtracting 0x67 from each byte.
$ ls tags/ techniques/
tags: custom_encoding, pe_analysis, malware_analysis, inno_setup, fake_installer, aes_128_cbc, lzma, pe_resources, bmp_steganography, call_instruction_transform
techniques:
Inno Setup binary format parsing (offset tables, compressed blocks, file location entries)
LZMA1/LZMA2 decompression of Inno Setup data
Inno Setup TransformCallInstructions reversal (E8/E9 in 64KB blocks)
PE resource extraction (BMP images from .rsrc section)
AES-128-CBC decryption of embedded payload
Custom byte-subtraction encoding reversal
Diff analysis against legitimate installer to find injected file
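The TransformCallInstructions step listed above is the one that trips people up when they roll their own Inno Setup extractor: LZMA output for executables is not yet the original file, because the compressor has rewritten the operand of every x86 CALL (E8) and JMP (E9) from a relative to an absolute value so that the stream compresses better, and the operand must be converted back. The block below is an added example written for this page, not code from the writeup or from Inno Setup; it implements the transform in the 5.2.0-style form (addresses relative to the start of each 64 KiB block, only operands whose high byte is 0x00 or 0xFF are touched, the other three bytes are stored big-endian) with the assumption that the "absolute" base is the operand's offset within the block. The exact base and the high-byte adjustment used by newer Inno Setup releases are not reproduced here; for real samples, cross-check against the exefilter in innoextract. The sample bytes are constructed.

```python
"""Undo the Inno Setup CALL/JMP (E8/E9) address transform on extracted executables."""

BLOCK_SIZE = 0x10000          # Inno Setup transforms each 64 KiB block independently
BRANCH_OPCODES = (0xE8, 0xE9)  # x86 CALL rel32 and JMP rel32


def transform_call_instructions(data: bytes, encode: bool) -> bytes:
    """Convert E8/E9 operands between relative and "absolute" form.

    encode=True mimics what the compressor does; encode=False is the reversal
    an extractor needs.  Both directions consume the 4 operand bytes after an
    opcode in the same way, so the function is its own inverse.
    """
    buf = bytearray(data)
    for block_start in range(0, len(buf), BLOCK_SIZE):
        block_end = min(block_start + BLOCK_SIZE, len(buf))
        i = block_start
        while i < block_end - 4:            # need opcode + 4 operand bytes
            if buf[i] not in BRANCH_OPCODES:
                i += 1
                continue
            i += 1                          # i now points at the operand
            operand_pos = i - block_start   # assumed base: operand offset in the block
            b0, b1, b2, b3 = buf[i:i + 4]
            # Only plausible short branches (sign byte 0x00 or 0xFF) are
            # transformed; byte 3 is never modified, so the same check works
            # when decoding.
            if b3 in (0x00, 0xFF):
                if encode:
                    rel = b0 | (b1 << 8) | (b2 << 16)           # little-endian, 24 bits
                    addr = (rel + operand_pos) & 0xFFFFFF
                    buf[i], buf[i + 1], buf[i + 2] = addr >> 16, (addr >> 8) & 0xFF, addr & 0xFF
                else:
                    addr = (b0 << 16) | (b1 << 8) | b2            # big-endian, 24 bits
                    rel = (addr - operand_pos) & 0xFFFFFF
                    buf[i], buf[i + 1], buf[i + 2] = rel & 0xFF, (rel >> 8) & 0xFF, rel >> 16
            i += 4                          # skip the operand either way
    return bytes(buf)


def reverse_call_transform(data: bytes) -> bytes:
    """Decode a just-decompressed Inno Setup executable back to its original bytes."""
    return transform_call_instructions(data, encode=False)


# Constructed sample: push ebp / mov ebp,esp / call +0x10 / nop / jmp -0x20 /
# a CALL whose operand is too large to be transformed / ret.
SAMPLE = bytes.fromhex("558bec" "e810000000" "90" "e9e0ffffff" "e811223344" "c3")


if __name__ == "__main__":
    encoded = transform_call_instructions(SAMPLE, encode=True)
    print("original:", SAMPLE.hex())
    print("encoded: ", encoded.hex())
    print("decoded: ", reverse_call_transform(encoded).hex())
```

When wiring this into an extractor, apply it to the decompressed output of every file-location entry whose flags mark it as call-instruction-optimized, and do so per file: the 64 KiB block counter restarts with each file, not with each LZMA block.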