Heartbreaker-Continuum Sherlocks

I’m not able to understand what tool or method the author wants in order to answer the second task:
“When was the binary file originally created, according to its metadata (UTC)?”

Would be great if someone could help. Thanks!

There is a website that can give you the “total” information.

I think it’s due to DiE using your machine’s timezone. Make sure to add/subtract your timezone to get UTC. Tested with PE-bear: the timestamp is already converted and is correct!

Finished everything, just stuck on this one:

It appears that the binary may have undergone a file conversion process. Could you determine its original filename?

Does anyone know the offset of the beginning of the obfuscated code? I put in all the offsets where the base64-encoded code begins and nothing happens; I put in the one for the ps1 file and neither… I got stuck there.

Here’s a hint for that question:
When analyzing a binary file, one of the first things you should always do is investigate the Strings.

Looking through the strings, it was occasionally hinted that this file included some [insert_language_here] code, and if you keep looking, that suspicion is confirmed by finding a filename in the Strings! That discovered filename (name.extension format) is the answer to that question.

(I solved my own question: TWO of my tools gave me the wrong value?! Hint below!)

Question regarding Task #3 (“specify the byte size of the code in this binary”):
Tried submitting the actual byte size of the binary, but I figured that wasn’t what it was asking for. I’m a bit stuck on locating the byte size of the actual code. Is this something we have to manually calculate somehow?

Things I’ve tried:

  • Checking Overviews/Stats in Cutter, PEBear, PEStudio
  • Tried the byte size of the full binary (didn’t expect that to be it).
  • Taking the embedded script and counting the byte size also was not correct.
  • Trying the length of the full string containing the script.

Not looking for a direct answer, more so hints to push me in the right direction. Any help on this?

UPDATE, found it! Here’s a hint for those still stuck:

  • What section of a PE File usually contains its executable code?
  • Some tools will give you the raw-size of this section (I even mentioned a tool that does it above!).

If you still need help with this, here’s a hint:
Certain tools will calculate the offset for you, or make it easy to find. PE-Bear and HxD, for example, will both work easily for this.

For PE-Bear:

  • Try searching for the code entry using this tool instead to let it calc the offset for you.

For HxD (This one will help you understand how it works better):

  • Locate the beginning of the code in the binary and select the first character. On the left, you’ll see the base offset for the line you are on, and up top, you’ll see the actual number. So, if you’ve selected a hex entry and the left says “00002E80” and the top says “05”, then you are at the following offset: “00002E85.” In hexadecimal, you can remove preceding zeroes, which leaves you with “2E85”.

If you still need help, you’re welcome to message me.
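Added example, not from the thread or from the Sherlock itself: a small Python parser that reads the three values this thread keeps circling around directly from the PE headers, so they do not depend on a GUI tool's timezone setting or on what a particular tool chooses to display. It prints TimeDateStamp in UTC (the timezone issue mentioned for DiE above), the SizeOfRawData of the `.text` section (the "raw size" hint), and converts an RVA such as the entry point into a file offset (the offset hint). The PE bytes are constructed inside the block; the field layout follows the PE/COFF header specification.

```python
import struct
from datetime import datetime, timezone

# Field layout used below (PE/COFF spec): the COFF header follows the "PE\0\0"
# signature at e_lfanew; TimeDateStamp is the 4-byte field at COFF offset 4 and
# counts seconds since 1970-01-01 UTC. Section headers (40 bytes each) follow
# the optional header; SizeOfRawData is the on-disk size of a section.
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def build_sample_pe(timestamp, text_raw_size, text_raw_ptr, text_va):
    """Constructed minimal PE32+ header with one .text section (not a runnable program)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    opt_size = 0xF0                                      # PE32+ optional header size
    coff = struct.pack(COFF_FMT, 0x8664, 1, timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # Magic = PE32+
    struct.pack_into("<I", opt, 16, text_va)             # AddressOfEntryPoint = start of .text
    sect = struct.pack(SECTION_FMT, b".text", text_raw_size, text_va,
                       text_raw_size, text_raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect)
    image += b"\0" * (text_raw_ptr + text_raw_size - len(image))  # pad to end of .text
    return bytes(image)


def parse_pe(data):
    """Return TimeDateStamp, entry-point RVA and the section table from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, tds, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"timestamp": tds, "entry_rva": entry_rva, "sections": sections}


def compile_time_utc(timestamp):
    """Format TimeDateStamp in UTC explicitly, independent of the machine's timezone."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def rva_to_offset(rva, sections):
    """Map a virtual address (RVA) to a file offset via the section that contains it."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def code_section_size(sections, name=".text"):
    """Raw (on-disk) size of the code section, the value PE tools label SizeOfRawData."""
    for s in sections:
        if s["name"] == name:
            return s["raw_size"]
    raise ValueError(f"no {name} section")


if __name__ == "__main__":
    # Constructed sample: timestamp 1700000000 and a 0x1200-byte .text at file offset 0x400
    sample = build_sample_pe(1700000000, 0x1200, 0x400, 0x1000)
    info = parse_pe(sample)
    print("compiled (UTC):", compile_time_utc(info["timestamp"]))
    print("code raw size :", hex(code_section_size(info["sections"])))
    print("entry offset  :", hex(rva_to_offset(info["entry_rva"], info["sections"])))
```

To use it on a real file, replace the constructed sample with `open(path, "rb").read()`. The point of `compile_time_utc` is that `datetime.fromtimestamp` with an explicit `timezone.utc` never applies the local offset, which is exactly the difference between the two tools compared above.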

Thanks. Funny thing is I actually found this and when I submitted it, it said the answer was wrong. I must have copied an extra character lol.

I figured you probably had it right considering you had everything else already haha

same here

Can you give me a hint please?

I’m still stuck on this, can someone give me some help? :frowning:

Try filtering the strings in the binary to focus on those that resemble file extension structure :slight_smile: .

Can anybody help me with task 8? I have completed all but am stuck on task 8.