I start with shellcode2.exe - Intermediate. I take this opportunity to use IDA Pro, because it is powerful for static analysis, as is IDAPython.
The Static Analysis:
The file is not packed or obfuscated, so IDA Pro will help us a lot in analyzing it. :) At the beginning of the code there is a run of consecutive MOV instructions, each with a memory displacement and an immediate constant. This is a strong clue: the code is saving those constant values into an array in memory, one byte at a time.
figure 1 - the consecutive MOV instructions
As you move forward you will see that it allocates virtual memory of size 0x248, copies the shellcode located at address 0x404040 into it with memcpy, then calls that buffer indirectly through the EBP register. The shellcode returns the FLAG string, which is pushed as a parameter to the digestString@MD5 function; that function computes the MD5 of the flag and prints it in a message box.
figure 2 - main control flow of the challenge
The Shellcode:
The start of the SubmainCode function initializes the string names of the module and APIs it will use to decrypt the flag.
Module Name:
- Kernel32.dll
API:
- GetModuleFileName
API:
- fopen
- fread
- fseek
- fclose
as well as the mode in which the file will be opened, "rb" (read binary mode).
Then it opens its own file (the path it obtains with GetModuleFileName), seeks to offset 0x4E and reads 0x26 bytes from there. Those bytes are the DOS stub string "This program cannot be run in DOS mode" (0x26 = 38 bytes, exactly the length of that string). It then XORs them with the series of bytes initialized earlier, so that array is the XOR key and the DOS stub is the ciphertext.
figure 3 - the decryption of the flag
Solving it with IDAPython:
First I parse all the bytes that are initialized into the array at the start of the code.
figure 4 - finding the decryption key
figure 5 - decrypting the FLAG
figure 6 - the FLAG string
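The two steps above (collecting the key bytes from the MOV immediates, then XORing them against the DOS stub read at offset 0x4E) can be reproduced outside IDA. The script below is an added example written for this write-up, not the author's IDAPython script and not the challenge's key: it constructs a minimal DOS header plus the standard linker stub as sample input, parses a constructed IDA-style listing of `mov byte ptr [ebp-XXh], YYh` lines into the key array ordered by displacement, and XORs the stub with it. The placeholder plaintext and the key derived from it are constructed for the demo; inside IDA the same immediates would come from `idc.get_operand_value(ea, 1)` while walking `idautils.Heads(start, end)` (assumed IDAPython API names).

```python
import re
import struct

# Facts from the PE format: the MS linker's DOS stub message starts at 0x4E
# and is 0x26 = 38 bytes long, which is what the shellcode reads with fseek/fread.
DOS_STUB_MSG = b"This program cannot be run in DOS mode"
STUB_OFFSET = 0x4E
STUB_LEN = 0x26

# Constructed placeholder (NOT the challenge flag), 38 bytes so it lines up with the stub.
PLACEHOLDER_PLAINTEXT = b"placeholder_plaintext_for_demo_only_38"


def build_sample_pe_header():
    """Construct a minimal DOS header + stub as sample input (not the real shellcode2.exe).

    Layout follows the standard MS linker stub: a 0x40-byte IMAGE_DOS_HEADER,
    14 bytes of 16-bit stub code at 0x40, then the message at 0x4E.
    """
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew, unused here but keeps the header realistic
    stub_code = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    return bytes(hdr) + stub_code + DOS_STUB_MSG + b".\r\r\n$" + b"\x00" * 7


def read_stub_bytes(pe_bytes, offset=STUB_OFFSET, length=STUB_LEN):
    """Mirror the shellcode's fseek(0x4E) / fread(0x26) on its own image."""
    chunk = pe_bytes[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("file too small for the DOS stub read")
    return chunk


# Matches IDA-style operands such as: mov     byte ptr [ebp-30h], 5Ch
MOV_RE = re.compile(
    r"mov\s+byte ptr \[ebp([+-])([0-9A-Fa-f]+)h\],\s*([0-9A-Fa-f]+)h", re.I
)


def parse_key_from_listing(listing):
    """Recover the byte array from the consecutive MOV immediates.

    Entries are keyed by stack displacement and emitted in ascending order, so the
    result is the array as laid out in memory even if the listing is not in order.
    """
    entries = {}
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if not m:
            continue
        sign, disp, imm = m.groups()
        disp_val = int(disp, 16) * (-1 if sign == "-" else 1)
        entries[disp_val] = int(imm, 16)
    return bytes(entries[d] for d in sorted(entries))


def xor_decrypt(stub, key):
    """XOR the DOS stub bytes with the key array (key repeats if shorter; assumption)."""
    if not key:
        raise ValueError("empty key")
    return bytes(s ^ key[i % len(key)] for i, s in enumerate(stub))


def build_sample_listing(key, first_disp=-0x30):
    """Construct an IDA-like listing of the MOV run for a given key (sample input only)."""
    lines = []
    for i, k in enumerate(key):
        disp = first_disp + i
        lines.append(f".text:{0x401000 + 4 * i:08X} mov     byte ptr [ebp{disp:+X}h], {k:02X}h")
    return "\n".join(lines)


def demo():
    """End-to-end: read stub, recover key from listing, decrypt. Returns the plaintext."""
    pe = build_sample_pe_header()
    stub = read_stub_bytes(pe)
    assert stub == DOS_STUB_MSG  # sanity check that the 0x4E/0x26 offsets are right
    key = bytes(p ^ s for p, s in zip(PLACEHOLDER_PLAINTEXT, stub))  # constructed key
    recovered_key = parse_key_from_listing(build_sample_listing(key))
    return xor_decrypt(stub, recovered_key)


if __name__ == "__main__":
    print(demo())
```

Against the real binary you would replace `build_sample_pe_header()` with the bytes of shellcode2.exe and `build_sample_listing()` with the immediates pulled from the MOV run in IDA; the offset check against the DOS stub string is worth keeping, since a non-standard stub would silently change the ciphertext.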