tl;dr

  • Mixed mode assembly (a feature of .NET binaries), involving both C# as well as C++ code in the same executable
  • Code flow jumps between both C#/C++ frequently to make analysis harder
  • SEH mechanism triggered in C++ code, which uses SEH trampoline to make debugging harder
  • SEH triggered once again in C#, which is handled by C++
  • VM bytecode is decrypted loaded by C#
  • VM checks input in 4 ways: CRC32 hash (2 byte pairs), RC4 encryption, rolling XOR and byte by byte checks
Read More
bi0sCTF

tl;dr

  • Whisper model converts audio to text
  • text is passed through subprocess and not sanitized
  • difficult to generate a command injection through manual voice
  • Need to invert the Neural network that will generate the audio file we need
  • Implement Gradient descent based inversion to find input for target output.
  • Generate the audio file and send, get flag!
Read More
bi0sCTF

tl;dr

  • memcpy in CPY goes out-of-bounds of VM stack.
  • Abuse memcpy to copy the register struct to stack and modify the values using stack operations and register operations.
  • Copy values back to the register struct, modifying the VM stack bp and sp registers.
  • This migrates the VM stack to wherever you want, gaining arbitrary read and write.
  • Leak environ pointer to get stack leak.
  • Migrate VM stack to main function’s stack to overwrite return address with ROP chain or one-gadget.
Read More
bi0sCTF

tl;dr

  • Analysis of different types of malware in a linear storyline
  • Windows timelining
  • Analysis of Rootkit, Ransomware, C2 Framework, Process Hollowing, Persistence, and more
Read More
bi0sCTF Incident Response Malware Analysis Threat Hunting bi0sctf2024 Ransomware Ransomware Analysis Ransomware Investigation Ransomware Recovery Reverse Engineering Windows Forensics Rootkit Analysis C2 Analysis Windows timelining

1 / 19