Payload

CHALLENGE DESCRIPTION

You’ve completed Training Day — congrats, rookie. Now the real game begins. An unmarked binary just landed on your desk. It’s acting shady, tripping a few alarms, but no one’s sure what it really is. Malware? Or just a misunderstood piece of code? Your mission: reverse-engineer the program, trace its behavior, and uncover the truth. Every line of code could be a clue—or a trap. Welcome to your first real case.

SOLUTION

What is the SHA256 hash of func_pointer.exe?

Upload the file to VirusTotal and read the SHA256 from the file details.

Answer EDD41B4A819F917F81203424730AAF0C24CC95E40ACFC0F1BD90B11DADF58015

What compiler is being used?

Answer mingW

What is the compilation date?

Answer 2023-04-06 15:21:17

Is ASLR enabled? (True or False)

Answer False

What is the image base address?

Upload the file to Binary Ninja Cloud and search the header information for the image base.

Answer 0x140000000

What is the entry point?

In the same header view, search for the entry point.

Answer 0x1125
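The header questions above (hash, compile timestamp, ASLR flag, image base and entry point) can all be answered offline by reading the PE headers directly instead of a web service. The following is an added Python example, not part of the original writeup; it parses a constructed minimal PE32+ header that mirrors the writeup's values rather than the real func_pointer.exe, and treats the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag as the ASLR indicator.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: set when the image may be relocated (ASLR)
DYNAMIC_BASE = 0x0040


def pe_triage(data: bytes) -> dict:
    """Extract hash, compile time, ASLR flag, image base and entry point from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]      # TimeDateStamp
    opt = coff + 20                                              # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]               # 0x10b = PE32, 0x20b = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    if magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # DllCharacteristics (same offset in both formats)
    return {
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "image_base": image_base,
        "entry_point": entry_rva,
    }


def build_sample_pe(aslr: bool = False) -> bytes:
    """Constructed minimal PE32+ header (no sections) using the values from this writeup."""
    ts = int(datetime(2023, 4, 6, 15, 21, 17, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 240, 0x22)  # x64, SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1125)                      # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE if aslr else 0)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To apply it to the real sample, call `pe_triage(open("func_pointer.exe", "rb").read())`; the entry point it returns is an RVA, so add the image base to get the virtual address a disassembler shows.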

What are the first 8 bytes of the encrypted payload that is being moved to allocated memory? (format: daffd563616c632e)

Answer unsolved

What is the key for decryption in hex?

Answer unsolved

What is the address of the decrypted payload?

Answer unsolved

What are the first 8 bytes of the decrypted payload that is being moved to allocated memory? (format: daffd563616c632e)

Answer unsolved

There are several functions that are not in the import table but are invoked. Which of these functions starts with V?

Answer VirtualAllocEx