rootkall's blog

 Introduction In this blog post, I'll be showcasing via example a useful trick to invoke .NET methods from Powershell and skipping all the anti-analysis routines. The same technique could be used for string decryption and other things. We'll be unpacking a sample which I suspect, based on the loading steps, to be Purelog Stealer (This is an advanced stage. I won't bother you with how I got to this stage tldr; boring stuff, AutoIt.) using Powershell and then presenting an analysis of how the sample works and what I think it does. Hash of this stage sha256: 46ddbdbe28dbdfb95cefa95b3597b989a50cd415fb978fe7fb14d2b8e3b5dee8 How is the payload stored? Skimming through the method, we find this memory stream Usually, something like this is very interesting and worth exploring. Tracing this method. We find the decrypted stream used in this method. Something is loaded, so that's a giveaway that we're dealing with an unpacking routine. Another method is called before the loadi...

 Introduction In this blogpost, I'll be going through PE Reverse Engineering challenges on  root-me.org  . I'll be writing the article and solving the challenges at the same time. So, the blogpost might not include the solutions to all the challenges for the moment PE x86 - 0 protection We're given a PE File called ch15.exe , let's load it in detect it easy. It's a 32bit binary written in C. Going through the strings, nothing is interesting. Let's fire up IDA. Our goal is to find the main. The start function calls some other functions Let's recall that the main function takes two parameters argc and argv . Going through both functions we find what we looking for in the second function (after return). Either IDA messed up or the author is trying to confuse us. As the function called main is not the real main but rather the function taking argc and argv as arguments One thing one should always do is fix the types and rename functions and variables to make thin...