Malware analysis challenge
Solutions
Below you will find some nice patching scripts that we've received for the challenge.
0) Manual patch of patching05.exe:
File offset 000007DB: 74 --> 75 (jnz instead of jz)
1) WinDbg version by Legol4s
Download WinDbg: https://msdn.microsoft.com/en-us/windows/hardware/...
.foreach /pS 2 /ps 1337 ( base { .shell -ci "!lmi patching05" FIND "Base Address:" } ) { r $t1 = ${base} }
r $t1 = $t1 + 13DB;
.printf "patching %N", @@(@$t1);
eb @$t1 75
2) OllyDbg v1.10 version by Niall Newman
Download OllyDbg v1.10: http://www.ollydbg.de/download.htm
gma "patching", MODULEBASE
mov addr, $RESULT
add addr, 13DB
mov [addr], #75#
3) OllyDbg v1.10 version by Matrix86
GMI eip, CODEBASE
mov p, $RESULT
add p, 3DB
mov [p], #75#
msg "Patched!"
ret
4) x64dbg version by Matteo Favaro
Download x64dbg: http://x64dbg.com/#start
cmp 0x4FFFFFFF,eip
jg atoep
continuetorun:
run
cmp 0x4FFFFFFF,eip
jb continuetorun
atoep:
mov $pointer, eip //getting OEP
and $pointer, 0xFFFF0000 //section memory base
add $pointer, 0x13DB //address of the "je" to patch
1:[$pointer]=75
msg "je patched in jnz, run it!"
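As an added example (not one of the submitted scripts), the following Python shows why the manual file patch at 0x7DB and the debugger scripts' imagebase + 0x13DB hit the same byte: it walks the PE section table to map the RVA to a file offset, checks that the byte really is the 0x74 jz before writing 0x75, and refuses to patch a file twice. The section layout of the constructed sample (.text at RVA 0x1000, raw offset 0x400) is an assumption chosen to match the offsets on this page, not taken from the real binary.

```python
import struct
PATCH_RVA = 0x13DB    # RVA used by the debugger scripts (imagebase + 0x13DB)
JZ, JNZ = 0x74, 0x75  # opcodes of short jz / jnz

def parse_sections(pe: bytes):
    """Return (VirtualAddress, PointerToRawData, SizeOfRawData) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                           # section table start
    sections = []
    for i in range(nsec):
        # header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, table + i * 40 + 12)
        sections.append((va, raw_ptr, raw_size))
    return sections

def rva_to_offset(sections, rva: int) -> int:
    """Translate an RVA to the file offset of the section data backing it."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def patch_jz_to_jnz(pe: bytes, rva: int = PATCH_RVA) -> bytes:
    """Apply the 74 -> 75 patch, refusing if the byte is not the expected jz."""
    off = rva_to_offset(parse_sections(pe), rva)
    if pe[off] != JZ:
        raise ValueError(f"expected jz (0x74) at {off:#x}, found {pe[off]:#04x}")
    out = bytearray(pe)
    out[off] = JNZ
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed stand-in for patching05.exe (assumption): .text at RVA 0x1000, raw offset 0x400."""
    img = bytearray(0x1000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 6, 1)                 # NumberOfSections
    struct.pack_into("<H", img, 0x80 + 20, 0xE0)             # SizeOfOptionalHeader (PE32)
    sec = 0x80 + 24 + 0xE0                                   # first section header
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x800, 0x1000, 0x800, 0x400)
    img[0x7DB] = JZ                                          # the challenge's jz byte
    return bytes(img)
```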
To hear about new challenges subscribe to our newsletter.