oBfsC4t10n

@Xentropy said:

I’m at the same place as limbernie. Unfortunately the shellcode doesn’t really look “right” during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

The shellcode may look weird at first glance. Try to focus on the first few instructions and remember that allocated memory is rwx.

Got it. Trust in yourself but bear in mind the target environment the shellcode is attacking.

Got it! What a great little challenge! :smiley:

Cool :slight_smile:

It was a hella good challenge. Thanks @0xdf

I agree; I had tons of fun with it. For those who do not like reversing shellcode, there’s always the possibility of dumping something to disk and then searching for something interesting … just saying XD

@Kucharskov said:

I'm also stuck with negative values in the array. Stranger still, when running that in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

No need to use VBA to do this; it can be done just fine with Python. Just remember to use the correct mask. This topic from Stack Overflow is useful.

Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn’t make any sense. Could any kind soul review my approach?
Disclaimers:

  • I don’t have Microsoft Office
  • I don’t have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

Thanks for your time!

@davidlightman said:

Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn’t make any sense. Could any kind soul review my approach?
Disclaimers:

  • I don’t have Microsoft Office
  • I don’t have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

Thanks for your time!

You don’t need Office for this - check the hint by kekburger for the shellcode and the challenge’s author might have some clues on twitter as well :slight_smile:

I don't know if I'm arriving at the solution.
But I must download a Windows VirtualBox machine to test the VBA code for the injection (I don't want to use the Windows on my physical machine :slight_smile:

OK :slight_smile: my antivirus complains because it identifies the payload as a virus; I've managed to reach the point where I have isolated the bad payload.

Edit: I got it, but I actually modified the VBScript and ran it in Excel to get the correct payload. I wonder if there is some way to get the very same result without resorting to running VBScript (some tool maybe?)

Got it! Took me way too long to solve this! My tip: when you see it, dbg it! Also, make sure that you extract the payload with extra care.

Would be glad to help fellow hackers who are banging their heads against the wall. :slight_smile: Just pm.

@limbernie said:

I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

three’s a crowd.
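The mask hint given above and the negative-integer question quoted here are the same problem: VBA has no unsigned byte literal, so bytes 0x80..0xFF appear as -128..-1 in the array. Below is an added example (not from the thread or the challenge author) that parses a VBA `Array(...)` literal with line continuations and masks each value to a byte; the array contents are constructed sample data, not the challenge's.

```python
import re

# Constructed sample: a VBA-style array literal with a `_` line continuation and
# negative values, the way a payload is often stored in a macro or HTA. This is
# made-up stand-in data, not the challenge's array.
SAMPLE_VBA = """
buf = Array(72, -119, -27, _
            0, 1, -1, 127, -128, 255, 16, 32, 64)
"""

def parse_vba_array(text):
    """Extract the integer list from a VBA `Array(...)` literal.

    Joins `_` line continuations first, then takes everything up to the first
    closing parenthesis; raises if no literal is present or a token is not an int.
    """
    joined = re.sub(r"_[ \t]*\r?\n", " ", text)
    m = re.search(r"Array\s*\((.*?)\)", joined, re.S)
    if not m:
        raise ValueError("no Array(...) literal found")
    tokens = m.group(1).replace(" ", "").split(",")
    return [int(tok) for tok in tokens if tok]

def signed_to_bytes(values):
    """Convert VBA signed integers to raw bytes.

    Masking with 0xFF performs the two's-complement wrap (-1 -> 0xFF, -128 -> 0x80).
    Anything outside -128..255 means the array was copied wrong or is not byte data,
    so fail loudly instead of silently truncating.
    """
    out = bytearray()
    for i, v in enumerate(values):
        if not -128 <= v <= 255:
            raise ValueError(f"value {v} at index {i} is not a byte")
        out.append(v & 0xFF)
    return bytes(out)

def extract(text):
    """Parse the literal and return the payload bytes ready to write to disk."""
    return signed_to_bytes(parse_vba_array(text))

if __name__ == "__main__":
    data = extract(SAMPLE_VBA)
    print(len(data), "bytes:", data.hex())
    # Write `data` to a file to feed a disassembler or a sandbox for static analysis.
```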

amazing challenge, thanks 0xdf!

I really liked this one. Solid challenge. Good job @0xdf

First stage with finding, decoding and joining pieces was fun and easy, but now I'm also stuck at the array stage. I tried hundreds of recipes on it without luck. :frowning: It does not contain any usable string or pattern in it no matter what I do with it.
If that is shellcode, what tool shall I use to analyze it? Do I need to find a Windows VM, add a PE header to that and just run it :slight_smile: ?
Please PM me with any hint. It drives me crazy... another night and not moving forward.

I reversed the shellcode to assembly but it's quite difficult to understand; can anyone give some hint to understand this?

Step through several instructions and it will be clear what is going on. After that, look at the assembly again or just continue debugging and pay attention to the parameters passed into the various Windows API calls.

Many thanks to @Kucharskov

The most difficult part for me was the hunt for the tool for the last part.

I am interested in doing the analysis of the last part manually.
Doing it with Olly it somehow fails.
Does anybody have some pointers? Or even a writeup to read?

https://isc.sans.edu/forums/diary/Interesting+JavaScript+Obfuscation+Example/25020