3DS CTF 2017 - W32.killah

by chq-matteo
January 2, 2018

We are given a malware sample. We take a snapshot on our VM and run it. It asks for administrative privileges that we proptly grant. After the execution our machine shuts down and cannot reboot.

Let’s open it with x64dbg and step through the code. We notice that:


┌ (fcn) fcn.004011b5 10                                                                              
│   fcn.004011b5 ();                                                                                 
│              ; UNKNOWN XREF from 0x0040107e (entry0)                                               
│              ; CALL XREF from 0x0040107e (entry0)                                                  
│           0x004011b5      51             push ecx                                                  
│           0x004011b6      52             push edx                                                  
│              ; JMP XREF from 0x004011ba (fcn.004011b5)                                             
│       ┌─> 0x004011b7      3002           xor byte [edx], al                                        
│       ⁝   0x004011b9      42             inc edx                                                   
│       └─< 0x004011ba      e2fb           loop 0x4011b7               ;[3]                          
│           0x004011bc      5a             pop edx                                                   
│           0x004011bd      59             pop ecx                                                   
└           0x004011be      c3             ret   

So we try jumping around at each function call prelude. The first half of the flag is easy to get (you can actually read it in the file), for the latter half I missed a call at first so I just got rubbish and it cost me a couple of resets.