Official emo Discussion

Man, this challenge blew me away. Learned so much (and also banged my head against the wall for about 3 days straight :rofl:).

@antmar904 : No, you were on the right track with the base64

@Thms84 : If you can read the PS, filter out the junk and see what the PS actually does. One thing that helped me: open the console and reproduce it.

PS: If someone is willing to discuss this, DM.

I have the decoded PS script but I'm having issues with it. Let me go through it again!

It's heavily obfuscated, which is the issue, but it's a learning curve.

Yes, exactly. Look at the PS closely; if it's too obfuscated, find something that can peel off some layers for you, or do it manually.

Yeup, I am getting close. The last for loop is crazy obfuscated.

I'm soooo confused. I still haven't figured out the VBA macro stuff - so far I've just been trying to convert it to VBS so I can run it (since I don't have Office to run the VBA - and I'd rather not buy Office).

I'm stuck at an error: it can't create a w*nmg*t object. I'm so lost now…

Hi everyone,
With dynamic analysis, I deobfuscated the PS code and got the flag, but I am confused.
[Small Spoiler] → The line that helped me get the flag was: ${A8I3KE1}.(ToCharArray).Invoke() | (ForEach-Object) -Process { ${FN5GGmSh} += ([byte][char]${_} -bxor SomeKey) }
where ${FN5GGmSh} is an array of numbers and ${A8I3KE1} has to do with the links found in the obfuscated code.
So I initially went and XORed the decimal value of each character of the links with the XOR key, but it didn't work. Then I tried doing it with the numbers that ${FN5GGmSh} holds, and it got me the flag.
Was the line ${FN5GGmSh} += ([byte][char]${_} -bxor SomeKey) a hint that we should XOR the values of ${FN5GGmSh} instead of the links…? (As you can tell, I'm new to obfuscation & PowerShell.)

Also, is there any static analysis writeup? Because dynamic analysis feels like "cheating".
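
The PowerShell line quoted above is a per-character XOR with a single-byte key: every character of the string becomes [byte][char]$_ -bxor Key, and the results are collected into an integer array. Because XOR is its own inverse, running the same operation over the array with the same key restores the original bytes, which is why the decoding step looks identical to the encoding step. The following Python is an added example, not code from the challenge or from anyone in this thread; it reproduces that operation statically (no need to run the sample), parses a PowerShell-style integer array literal, and, when the key is not known, brute-forces all 256 single-byte keys and keeps the candidates whose output is almost entirely printable ASCII. The URL, key and array are constructed for the demo and are not from the challenge.

```python
"""Static XOR deobfuscation of a PowerShell-style integer array (added example)."""
from typing import List, Tuple

# Bytes we accept as "looks like text": printable ASCII plus tab/CR/LF.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(values, key: int) -> bytes:
    """Same operation as the PowerShell line: each element XORed with one key byte.
    XOR is an involution, so this call both encodes and decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes((int(v) & 0xFF) ^ key for v in values)


def encode_like_powershell(text: str, key: int) -> List[int]:
    """Mirror of  $s.ToCharArray() | % { $arr += [byte][char]$_ -bxor $key }
    for ASCII input; returns the decimal list the script would build."""
    return [ord(c) ^ key for c in text]


def parse_ps_int_array(literal: str) -> List[int]:
    """Parse a PowerShell literal such as '(104,116,116,112)' or '@(104, 116)'."""
    cleaned = literal.strip().strip("@()")
    return [int(tok) for tok in cleaned.replace(";", ",").split(",") if tok.strip()]


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def brute_force_single_byte_key(values, min_ratio: float = 0.95) -> List[Tuple[int, str]]:
    """Try every single-byte key and return (key, plaintext) candidates whose
    output is at least min_ratio printable ASCII, best ratio first.
    Assumption: the hidden string (URL, command, flag) is printable text."""
    hits = []
    for key in range(256):
        out = xor_bytes(values, key)
        ratio = printable_ratio(out)
        if ratio >= min_ratio:
            hits.append((ratio, key, out))
    hits.sort(key=lambda t: (-t[0], t[1]))
    return [(key, out.decode("ascii", "replace")) for _, key, out in hits]


# Constructed sample (not from the challenge): a made-up URL encoded with key 0x2A,
# exactly as the quoted PowerShell loop would produce it.
SAMPLE_KEY = 0x2A
SAMPLE_PLAINTEXT = "http://example.test/payload.ps1"
SAMPLE_ARRAY = encode_like_powershell(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_LITERAL = "(" + ",".join(str(v) for v in SAMPLE_ARRAY) + ")"


if __name__ == "__main__":
    arr = parse_ps_int_array(SAMPLE_LITERAL)
    print("known key  :", xor_bytes(arr, SAMPLE_KEY).decode())
    print("brute force:")
    for key, text in brute_force_single_byte_key(arr)[:5]:
        print(f"  key=0x{key:02x}  {text!r}")
```

Because the decode step is literally the encode step, you can paste the integer array out of the script and XOR it directly; there is no need to first recover the string the script derived it from. The printable-ASCII filter is only a heuristic: with short inputs several keys may pass, so eyeball the candidates (a URL or command should jump out) rather than trusting the top hit blindly.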

Is it possible to do this challenge without dynamic analysis, i.e. without executing the file? I haven't got an Office licence on my FlareVM.
I extracted all the Macros, but I think it will be a brainf**k to de-obfuscate them.

Edit:
I found the flag. Really nice challenge @0xdf ! :slight_smile:
Some hints

  • If it is not possible for you to run the file on your malware analysis machine, use google
  • I did not de-obfuscate the VBA macros
  • Think smart. Use the given script/commands to reverse it a little bit instead of creating own solutions

Feel free to DM me for more hints

Finally, I managed to solve it.

What I used (if it is useful for someone):

> Virustotal for sandboxing

> Cyberchef

> Prints and execute

That was my nooby way to solve it, hope it helps

Feel free to PM me