In this challenge we are given a PE32+ executable for Windows. At first, running the file looks like it does nothing.
Opening the file in IDA, we get to a main function which does not look useful. Checking the strings, we find that the binary was written in Rust. We also find the congratulatory string among them.
Tracing it back, we arrive at a huge function which looks like a VM (the name tells us it's a VM ;) ).
Analysing this function, we find a switch case which is repeated many times with minor changes.
On further analysis we find a function that looks like Base64. Going through the XREFs, we find that it is called from the VM function above. Now let's check the arguments being passed.
Now we have one task: to extract the bytecode of the VM function. There are several ways of doing this. One is to write a script that extracts the value of each switch case; another is to extract the whole array from memory. The first method has one advantage: we know which case was the last one to be executed.
Now we know that the first bytecode to be executed is 0x11.
Let’s have a look at the switch case.
Looking closely at switch case 0x11, we find a function which takes the current directory and removes the first 3 characters from it. It then passes this string to the Base64 function as one of the arguments. Once this is done, it checks whether the Base64 string is 36 characters long.
Now we know what happens in this challenge. The executable gets the current working directory, removes the first 3 characters and passes the result to the Base64 function.
Looking at the next few switch cases, we find that once the length check is done, the VM moves on to check the Base64 string character by character.
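
The check described above, modelled in Python as an added example (not code from the challenge binary or the original write-up). It assumes standard padded Base64 over the UTF-8 bytes of the path and a "C:\" prefix; the sample directory and comparison string are constructed, and all function names are hypothetical.

```python
import base64
import binascii

EXPECTED_B64_LEN = 36  # length compared in switch case 0x11 (from the write-up)
PREFIX_LEN = 3         # characters removed from the current directory, e.g. "C:\"

def encode_cwd(cwd: str) -> str:
    """Model of case 0x11: strip the first 3 characters, then Base64-encode."""
    # Assumption: standard padded Base64 over the UTF-8 bytes of the path.
    return base64.b64encode(cwd[PREFIX_LEN:].encode("utf-8")).decode("ascii")

def passes_length_check(cwd: str) -> bool:
    return len(encode_cwd(cwd)) == EXPECTED_B64_LEN

def accepted_lengths(limit: int = 64) -> list[int]:
    """Stripped-path lengths in bytes whose padded Base64 is 36 characters."""
    return [n for n in range(limit) if 4 * ((n + 2) // 3) == EXPECTED_B64_LEN]

def first_mismatch(cwd: str, expected_b64: str) -> int:
    """Mirror the character-by-character check: first differing index, or -1."""
    actual = encode_cwd(cwd)
    for i, (a, e) in enumerate(zip(actual, expected_b64)):
        if a != e:
            return i
    if len(actual) == len(expected_b64):
        return -1
    return min(len(actual), len(expected_b64))

def recover_cwd(expected_b64: str, prefix: str = "C:\\") -> str:
    """Invert the check: decode the expected string and restore the prefix."""
    if len(expected_b64) != EXPECTED_B64_LEN:
        raise ValueError("expected string must be 36 characters")
    try:
        raw = base64.b64decode(expected_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64") from exc
    return prefix + raw.decode("utf-8")

# Constructed sample, not the challenge's real comparison string.
SAMPLE_DIR = "C:\\" + "constructed_sample_dir_01"  # 25 characters after the prefix
SAMPLE_EXPECTED = encode_cwd(SAMPLE_DIR)

if __name__ == "__main__":
    print("accepted stripped lengths:", accepted_lengths())
    print("sample passes length check:", passes_length_check(SAMPLE_DIR))
    print("recovered directory:", recover_cwd(SAMPLE_EXPECTED))
```

The length check alone already narrows the directory name: only a stripped path of 25 to 27 bytes encodes to 36 Base64 characters.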