Hello, can anyone who finished this exercise give me some help?
This has been the most frustrating exercise yet, I don’t even understand the concept or what I am doing.
I did all the steps.
After dumping the file from x64dbg.exe and running string64.exe on it, this is my output:
Running de4dot.exe:
Pretty sure I did every step correctly. If not, I suppose I would not find the map with a size of 0000000000003000 with a type of MAP and protection set to -RW--. I think! Like I said, I have no idea what I am doing in this exercise.
I’m running into an issue with this section. I go through the steps and it doesn’t ever create a .bat file as specified. Also, I agree with @JahBless, this section is very convoluted and doesn’t explain very well what we’re even doing. Following along to get the flag feels like a lot of information is missing in the explanation of why this works the way it does.
Hi, can any kind soul give some other hints? It is not the same as what the guide was showing, right? I got the MAP with RW memory but the strings output is nothing related.
I am working on the "Attacking Thick Client Applications" assignment.
I am logging in and there is supposed to be a user called Matt; at least according to the writeup.
There is no user Matt. I added the list of users on the machine.
Then I run the Oracle application and according to the description there is supposed to be a directory named App under user cybervaca as shown in the attached figure.
Finally got this, the box has a few issues with running powershell. Basically run powershell as admin and make the executions from there. The modification to the folder where the bat file gets written to needs to be changed for administrators as well. x64dbg takes a lot of time to open, but it finally does (just need to be patient).
I got to the point in the steps “Follow in Memory Map” but could never find the 3000 size. Finally found it today, just needed to scroll to the top of the window. Then start checking RWs for the same size. Clicking on them should reveal which one is the file, by the MZ magic byte.
Thank you everyone for your input. I followed the section for this exactly without skipping any steps and was able to find it very easily after a million failed attempts. My hint for anyone trying to take the easy way through this is that they give you the script for all the power you need in the world. Once executed, it's pretty straightforward from there.
This one took me a while to get right, hopefully this saves some folk some heart ache. Follow the module to get this to work, it does if you tweak a few things:
You won’t be using the user “Matt” like in the example, sub that for “cybervaca” in whatever you’re seeing with Matt.
When it comes to modifying the batch file, I ONLY got it to work if I copied the bottom part from the module and pasted it in to replace the stuff at the bottom that was already there. Remember to get rid of the bits at the top like in the example too.
When you change preferences on the Debugger, RESTART the program immediately after and re-open it or the changes won’t take effect!
When it comes to using PowerShell in this module, RUN AS ADMIN!
When you import the file to the Debugger, if you don’t see the red arrow at the top left as you import the file in the CPU section, you’re onto a loser, it NEEDS to be there for it to work.
You’ll have to sift for that MAP file with RW privs, but it is there.
The VM is slow as a year in jail, opening the debugger took minutes so you have to give it a while.
If you use strings and get TONNES of data, your dumped file isn’t the correct one, try another.
On dnSpy, don’t panic if you don’t see your file straight away, drag it in and go down the file chain like in the example.
Whoever is reading this, it’s doable, a tough one but you got it.
Guys, how did you manage to click on the correct line in x64dbg?? Everything keeps changing so fast I do not have time to double click and then choose the option before it changes??? Why are these exercises like this???
I really need help with this section. I am in the same boat here. Honestly, I can't find the MAP section which is Read/Write.
Here is what I have already done:
Restarted x64dbg with only the Entry breakpoint
Tried importing Ghidra and analyzing the exe (no strings found apparently)
I have tried searching in x64dbg for the ASCII (4D5A - MZ) and it's apparently only in two places as a file header (the restart service block with its .text, .data, .bss sections) and (the dll section which is irrelevant)
Dumping these gives me the error that the file isn't a .NET PE, which is frustrating.
Any help would be appreciated.
Discord - elus1nist#0
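Added example, not part of any post in this thread or of the course material: a header check that sorts dumped memory regions into "not a PE", "native PE" and ".NET PE", which is the distinction behind both the MZ hint and the "isn't a .NET PE" error mentioned above. The function names and the header-only sample images are constructed for this illustration.

```python
import struct
import sys

CLR_DIR_INDEX = 14  # data directory slot of the CLR (COM descriptor) header

def classify_dump(data: bytes) -> str:
    """Return 'not-pe', 'native-pe' or 'dotnet-pe' for a dumped region."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte "PE\0\0" signature + 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 2:
        return "not-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32 optional header
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+ optional header
        dirs = opt + 112
    else:
        return "not-pe"
    entry = dirs + CLR_DIR_INDEX * 8
    if len(data) < entry + 8:
        return "native-pe"  # header truncated before the CLR slot
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, entry)
    is_clr = count > CLR_DIR_INDEX and rva != 0 and size != 0
    return "dotnet-pe" if is_clr else "native-pe"

def make_sample(magic: int, clr_rva: int) -> bytes:
    """Constructed header-only image for the demo (not a real binary)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, magic)
    dirs = opt + (96 if magic == 0x10B else 112)
    struct.pack_into("<I", buf, dirs - 4, 16)
    clr_size = 0x48 if clr_rva else 0
    struct.pack_into("<II", buf, dirs + CLR_DIR_INDEX * 8, clr_rva, clr_size)
    return bytes(buf)

if __name__ == "__main__":
    # Usage: python classify_dump.py dump1.bin dump2.bin ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {classify_dump(fh.read(0x1000))}")
```

Only a dump reported as `dotnet-pe` is worth passing on to de4dot or dnSpy; a `native-pe` result corresponds to the "isn't a .NET PE" error.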
Life saver lol.
So if you sort the memory by address, it does not jump up and down, so you can handle it.
So I downloaded all MAP + RW and one of them worked.
BTW - Don't forget to use the new oracle restart service and not the original one.
Hello
Please can someone help. PowerShell is not working on my box. I restarted the box many times with the same result. That makes the restart-service.exe file not show in the directory.