Thanks for the info …
After extracting rev.exe (shell.exe), I run it and attach a debugger. I see the contents of the decrypted shellcode in 1400014B0
but I still don’t see any flag there. Any ideas?
The shellcode is encrypted, which may be why you can’t read the flag. Run the executable and check the memory image strings via Process Hacker. You’ll find it.
I’m running rev.exe, and open it with Process Hacker. Go to the memory tab. Analyze strings. I don’t see anything that resembles the second half of a flag. Is it encrypted too? I see references to an IP my machine doesn’t have, and a long string that has underscores and hyphens.
There’s an option before scanning the strings called image strings. Tick the image option and then run it.
Search for }
Yeah the image (0x140000000) is the only check I have enabled and I still don’t see any flag-looking string. I must be doing something wrong here. I’ll try again tomorrow and retrieve all artifacts from scratch again
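To make the "scan the memory image for strings, then search for }" advice concrete, here is an added example (not from the thread or the challenge itself) that reproduces what a strings scan does over a byte buffer: it pulls out runs of printable ASCII, separately pulls out UTF-16LE strings (which is why a scan that only looks at one encoding can miss text), and then filters for flag-shaped values. The `SAMPLE_IMAGE` buffer is constructed, not a real process dump, and `FLAG{...}` is a placeholder format, since the thread never states the real one. It goes slightly beyond the thread in that it handles both encodings rather than only ASCII.

```python
import re

# Constructed stand-in for a process memory image (not a real dump). It mixes a few
# readable strings among non-printable bytes, mimicking what the poster described:
# an IP the machine does not have, a long token with underscores/hyphens, and
# flag-shaped text stored once as ASCII and once as UTF-16LE.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
    + b"10.10.14.7\x00"                                         # constructed IP
    + b"\x01\x02\x03"
    + b"some_long-token_with_underscores-and-hyphens\x00"       # constructed distractor
    + b"\xde\xad\xbe\xef" * 4
    + "FLAG{utf16}".encode("utf-16le") + b"\x00\x00"             # constructed UTF-16LE flag-like text
    + b"\x7f\xff"
    + b"FLAG{placeholder_ascii}\x00"                             # constructed ASCII flag-like text
)

# Placeholder flag shape: NAME{...}. Adjust to the real format of the challenge.
FLAG_RE = re.compile(r"[A-Za-z0-9_]+\{[^{}]+\}")


def extract_ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes (0x20..0x7e), like `strings`."""
    out: list[str] = []
    run = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:            # flush a run that reaches the end of the buffer
        out.append(run.decode("ascii"))
    return out


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable ASCII chars encoded as UTF-16LE (char, 0x00)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pattern, data)]


def strings_containing(data: bytes, needle: str, min_len: int = 4) -> list[str]:
    """The 'search for }' step: every extracted string (both encodings) containing needle."""
    found = extract_ascii_strings(data, min_len) + extract_utf16le_strings(data, min_len)
    return [s for s in found if needle in s]


def find_flag_candidates(data: bytes, min_len: int = 4) -> list[str]:
    """Keep only strings shaped like NAME{...}; a narrower filter than searching for '}'."""
    found = extract_ascii_strings(data, min_len) + extract_utf16le_strings(data, min_len)
    return [s for s in found if FLAG_RE.search(s)]


if __name__ == "__main__":
    print("ASCII   :", extract_ascii_strings(SAMPLE_IMAGE))
    print("UTF-16LE:", extract_utf16le_strings(SAMPLE_IMAGE))
    print("with '}':", strings_containing(SAMPLE_IMAGE, "}"))
    print("flag-ish:", find_flag_candidates(SAMPLE_IMAGE))
```

The point the thread is circling around is timing rather than tooling: text that is decrypted at runtime only exists in memory after the decryption routine has run, so scanning the file on disk, or a process that has not yet reached that code, shows nothing. Scanning the live image region after the shellcode has been decrypted, and checking both encodings, is what makes the `}` search succeed.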