Nice, I think it was as "runtime" as is possible
==>
One last thing I have to ask: was the loader PIC C/C++ code with custom gcc/vc options, or handwritten asm? The push rcx (I think it was rcx) / pop rcx to get the encrypted data's address was nice.
==>
Overall yes, I think the challenge did its job ("mostly debugging"), because the shellcode on its own was quite complex, so I literally went step-by-step through it.
==>
So, I started by debugging it, BUT with the suspended cmd process thing you did, I had to attach the newly created process to the debugger every time I needed to reload the exe to set the BPs, so it was a no-go (because each time it was a new process, the BPs were gone). Then I decided to extract the whole shellcode and wrote a simple shellcode executor to debug it. The last step was to extract the final exe from memory to analyse it. The last step could for sure have been "only runtime", but I think extracting the exe and analysing it statically was easier. For the first part, analysing it only in memory would have taken ages. There are still suspended cmd processes xD
==>
Must have taken a great effort to write the PIC loader, nice.
==>
Painful challenge, too many steps to write a writeup, so just posting the password: Shadow42!. Good job mate.
==>
One hint though: your input does not matter, it's before the input actually, and it's not a "unique" one.
==>
HOLLY, haven't seen "useless code" being used so smartly. Really confused me. Good job m8. I don't post the password, everyone should try.
==>