Uploaded by Đạt Hoàng

IAM302 - Lab 15

Hoàng Tiến Đạt
SE162085
15a. Data Encoding
Beacons
Using Wireshark, we can get random letters:
V0lOLUpXQlBQWlNY
Strings
The string:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
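The 64-character string found with Strings is the standard Base64 alphabet, so the beacon captured in Wireshark can be decoded with it. The following is an added example, not part of the original lab report; the function name `decode_with_alphabet` is hypothetical, and it assumes the beacon was encoded with the alphabet shown above (taking the alphabet as a parameter also covers samples that reorder it).

```python
# Added example: decode a captured beacon using the alphabet recovered from the binary.
# ALPHABET and BEACON are copied from this page; everything else is illustrative.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BEACON = "V0lOLUpXQlBQWlNY"


def decode_with_alphabet(text, alphabet=ALPHABET, pad="="):
    """Base64-style decode of `text` using an arbitrary 64-character alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    index = {ch: i for i, ch in enumerate(alphabet)}

    body = text.rstrip(pad)
    if len(body) % 4 == 1:
        # A single leftover character carries only 6 bits: not a whole byte.
        raise ValueError("truncated input")

    bits = 0       # bit accumulator
    nbits = 0      # number of valid bits currently in the accumulator
    out = bytearray()
    for ch in body:
        if ch not in index:
            raise ValueError(f"character {ch!r} is not in the alphabet")
        bits = (bits << 6) | index[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1   # keep only the bits not yet emitted
    return bytes(out)


def is_printable_ascii(data):
    """Quick triage: does the decoded beacon look like text (e.g. a host name)?"""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


if __name__ == "__main__":
    decoded = decode_with_alphabet(BEACON)
    print(decoded, is_printable_ascii(decoded))  # → b'WIN-JWBPPZSX' True
```
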
IDA Pro
Searching for all occurrences that contain XOR
XorEncode_DATHT xrefs to
Call these functions:
FindResourceA
SizeofResource
GlobalAlloc
LoadResource
LockResource
PEview
WinHex
Modify data
Modified data
15b.1. Patching an EXE
Run the EXE
Examining EXE file with x32dbg
Modified one
Run it
Exported the modified exe file
*Get the CRC32 hash of the file
a1dccbf4
Gather result
0000.exe
J
0000a.exe
Instead of changing everything into NOPs, we can make the JNE go straight to the
answer even if we input the wrong answer
A
000a1.exe
Same technique as above
[
The answer: JA[
Patching 19 EXEs
After finding this sequence in the 19 EXE files,
I just make execution go straight through to the result.
BEFORE
AFTER
After seeing this, I can search for "75 1E" in any hex editor to find its index in the file
The idea:
Hex 75 is at index 1083
Hex 1E is at index 1084
I need to change "75 1E" to "75 00"
CODING TIME
Output
On the Terminal
SUM UP
The end.