Malware analysis challenge
Let’s patch!
Make our application work in the opposite way. When you are ready, check out some interesting solutions for the challenge here.
Preparation
- Download the patching05.7z file. The password to open it is: malware
- In the Release subdirectory you will find patching05.exe, the application to be patched.
- When you start the application it starts to listen on port 12345.
- You can connect to it with Netcat, for example, to make sure that the application is working. You will find Netcat (nc.exe) in the root directory of the 7z file.
- If you connect to the application and enter an even number it will print 0, while for an odd number it will print 1.
- If you are new to malware analysis watch our tutorial first to get some background knowledge.
Goal
Patch the patching05.exe application to make it work the opposite way. First do it manually, then write a debugger script that executes the patching in an automated way.
Hints
If you need help we have 5 hints to share with you, just scroll down.
1) The junction should be somewhere before sending the answer.
2) Put a breakpoint on the send command in ws2_32.
3) Right click/Search for/Names, and look for &WS2_32#19 (at comments: WS2_32.send).
4) It has been called several times, so watch out for what it is sending. It is not the help text that we want to catch.
5) Before the call to send there is a junction (a conditional branch) somewhere. Look for the return address when something other than the help text is being sent. Go back to the appropriate address and look around.
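Once the junction before the send call has been located, the same patch can be applied from a stand-alone script instead of by hand in the debugger. The following is an added example, not part of the challenge files or the published solutions: it inverts a JE/JNE conditional jump at a given file offset in a copy of the executable, and computes the reply the patched server should give so the result can be checked over Netcat. The file offset of the junction is not given on this page and is passed in as a placeholder argument; the byte sample used for testing is constructed here.

```python
# Added example (not the challenge's own code). Flips the conditional jump
# ("junction") that decides between the even and odd answer, so the patched
# patching05.exe replies the opposite way. The offset is a placeholder the
# analyst fills in after finding the branch in the debugger.

SHORT_JCC = {0x74: 0x75, 0x75: 0x74}   # JE <-> JNE, rel8 form
NEAR_JCC = {0x84: 0x85, 0x85: 0x84}    # 0F 84 <-> 0F 85, rel32 form


def flip_conditional_jump(data: bytes, offset: int) -> bytes:
    """Return a copy of data with the JE/JNE at offset inverted."""
    buf = bytearray(data)
    op = buf[offset]
    if op in SHORT_JCC:
        buf[offset] = SHORT_JCC[op]
    elif op == 0x0F and offset + 1 < len(buf) and buf[offset + 1] in NEAR_JCC:
        buf[offset + 1] = NEAR_JCC[buf[offset + 1]]
    else:
        raise ValueError(f"no JE/JNE at offset {offset:#x} (byte {op:#04x})")
    return bytes(buf)


def patch_file(src: str, dst: str, offset: int) -> None:
    """Write a patched copy of src to dst; the original is left untouched."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(flip_conditional_jump(data, offset))


def expected_reply(number: int, patched: bool) -> str:
    """Original build: even -> '0', odd -> '1'. Patched build: the opposite."""
    original = "1" if number % 2 else "0"
    if not patched:
        return original
    return "0" if original == "1" else "1"


# Constructed sample: 'test eax, 1' followed by 'je +5' (A9 01 00 00 00 74 05).
SAMPLE_JUNCTION = bytes([0xA9, 0x01, 0x00, 0x00, 0x00, 0x74, 0x05])
SAMPLE_JCC_OFFSET = 5

if __name__ == "__main__":
    import sys
    # usage: python patch.py Release/patching05.exe patched05.exe 0x<offset>
    patch_file(sys.argv[1], sys.argv[2], int(sys.argv[3], 0))
```

After patching, connect to port 12345 with Netcat and compare each reply with expected_reply(n, patched=True).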