oBfsC4t10n

I really liked this one. Solid challenge. Good job @0xdf

First stage with finding, decoding and joining pieces was fun and easy, but now I’m also stuck at the array stage. I tried hundreds of recipes on it without luck. :frowning: It does not contain any usable string or pattern in it no matter what I do with it.
If that is shellcode, what tool shall I use to analyze it? Do I need to find a Windows VM, add a PE header to it and just run it :slight_smile:?
Please PM me with any hint. It drives me crazy… another night and not moving forward.

I reversed the shellcode to assembly but it’s quite difficult to understand; can anyone give some hint to understand this?

Step through several instructions and it will be clear what is going on. After that, look at the assembly again or just continue debugging and pay attention to the parameters passed into various Windows API calls.

Many thanks to @Kucharskov

The most difficult part for me was the hunt for the tool for the last part.

I am interested in doing the analysis of the last part manually.
Doing it with Olly somehow fails.
Does anybody have some pointers, or even a writeup to read?

https://isc.sans.edu/forums/diary/Interesting+JavaScript+Obfuscation+Example/25020

Can anyone help me? I’ve dumped the shellcode from the HTA and tried to disassemble it, but it seems quite difficult to understand… Tried to debug/trace with no result… dunno if I’m using the right tools or not… and also have some doubts on what I’ve done… any suggestion welcome. PM me if you can.

got it! really a great challenge! +++

awesome challenge, lots of this stuff in the real world!

~~I’ve found all parts of the HTA, so I have problems with deobfuscation when vipermonkey or something like it doesn’t work on your Kali~~

I get clear macros from the HTA but I’m still stuck here, sorry.

I’m stuck with decompiling the memory injection byte array.
Can anybody give any tips?

Sorry, click button by mistake

I’ve done it
Thanks @luskin for tips and @0xdf for challenge :slight_smile:

I am this close to solving it. I have deobfuscated the H** and got the payload. I don’t know what to do with the payload though

I found an article that helped me a lot on this challenge. I hope this is not a spoiler:

I’ve been stuck here for a few months…
I extracted the .vba and .hta files but haven’t found anything useful…
Does this challenge require reversing?

Please help me.

Phew. Solved! Not an easy one, but a fun one :smile:. Thanks @0xdf for this.

If anyone is still working on this one, does anyone have a tip for the last step? I have the deobfuscated payload from the h** file and was able to get valid shellcode from it, but I can’t get it to execute correctly (unless that’s not what is needed).

I found the shellcode, but I don’t know good tools to work with it. Maybe someone can give me some advice?

Got it!
Feel free to ask for a nudge.