Registry
Analysis :
First, when I Download this challenge I take first shot by reg shot tool after that I run the sample and after it finish I take a second shot but I didn’t found anything useful so I open the challenge by notebad++
You can see file contain 4 parts
1) Regkey[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
Which makes his value PART2
2) In the second part you found PowerShell script which is searched at C: for files with len 0x00026A83 and has an extension.REG, then I copy the content of the file to tmpreg.bat
3) another PowerShell script that takes tmpreg.bat and XOR its content after it skips 000643 bytes and put the encoding file a tmp + random +.exe
4) Random Values
Now we have abstract knowledge to know what is done here I ran the sample and go to Regedit
This key works when we restart the machine
After restarting I go to %temp% and found these files .
I will make an analysis for tmp1224721815.exe When I run it close quickly
so I open it at ida and when see strings I found EGCRT{ Which is the start of the flag so I know I’m at on the right way
When I open the function that uses this string I found It assembles the Flag at two-part first char by char and second block by block
First Part:
Second Part:
When I was debugging I didn’t find any problem but at second part I was hit with memory exception so I will split the second part to explain where is it happening
You found here {getenv} function which return value of environment variable But I found it pass var name doesn’t exist and then check if the return value is zero which every iteration is zero or value that not reference to memory address then It get value from reference [rbx+r13*8]and compare it with the return value which made memory exception
I patch the jnz to je and change the value of RAX every iteration to avoid memory exception And if the compare not equal it jumps to a bad decision else add it to the flag And then add {_}
After all iteration that the flag was assembled at Destination Flag: EGCERT{r3v3rseing_r3g_f1l3s_with_3mb3dd3d_ex3cutabl3_c0d3_9ccb6bd3}