Desktop RE Writeup: PE Extraction & Patching
By Shay Mordechai | February 29, 2024
1. PE Carving: Analyzing a suspicious PDF in a Hex Editor revealed an embedded PE signature (`4D 5A`). I carved the block and extracted the standalone executable (`new-flag.exe`)[cite: 9].
2. Binary Patching in IDA: The validation logic required the ASCII sum `AND 0xFF` to equal `0Ah`. To bypass the lock entirely, I patched the `and eax, 0FFh` instruction to `mov eax, 0Ah`, guaranteeing a successful check for any input[cite: 9].
3. Decompilation: Reconstructed the internal XOR encryption algorithm into clean C++ code to verify the final control flow (even indices XORed with 0xA, odd with 0xB)[cite: 9].