We are provided with a 1.8 GB CSV file which has the ‘network logs of a medium sized company’. We can load it into a pandas DataFrame to analyse it in Python.

We are provided with C++ files which emulate a RISC processor. Main is as follows

The main program loads the user payload and the admin payload to be executed.

The payload consists of instructions defined in asm_instructions.c

Output operations:

  • PRINTC to print the lower byte of a register as a…


We find ourselves unable to run this binary. Loading it into radare, we are unable to find a symbol table. Running binwalk on it, we find an executable at offset 254. We can extract this executable and analyse it using Ghidra.


Trying to run the binary, we get

Running binwalk on this one also returns nothing. However, running readelf -h shows that the ELF magic bytes are missing from the header. Inserting the magic bytes using a hex editor gets the program running.
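The two header problems above (an ELF embedded at offset 254 inside a container, and an ELF whose magic bytes were stripped) can both be handled with a few lines of Python. This is an added example, not code from the writeup; the container and the stripped header are constructed inline, and the sanity check before patching is my own rule, not something the writeup describes:

```python
import struct

ELF_MAGIC = b"\x7fELF"

def find_elf_offsets(blob: bytes) -> list:
    """Offsets of every ELF magic in a container (binwalk reported one at 254 above)."""
    offsets, pos = [], blob.find(ELF_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(ELF_MAGIC, pos + 1)
    return offsets

def ident_is_sane(data: bytes) -> bool:
    """Check e_ident after the magic: EI_CLASS (1/2), EI_DATA (1/2), EI_VERSION (1)."""
    return len(data) >= 16 and data[4] in (1, 2) and data[5] in (1, 2) and data[6] == 1

def repair_magic(data: bytes) -> bytes:
    """Restore a missing/overwritten magic only if the rest of e_ident still looks valid."""
    if data[:4] == ELF_MAGIC:
        return data
    if not ident_is_sane(data):
        raise ValueError("e_ident does not look like ELF; not patching blindly")
    return ELF_MAGIC + data[4:]

def parse_ehdr64(data: bytes) -> dict:
    """Minimal little-endian ELF64 header parse (the fields readelf -h prints first)."""
    f = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    return {"type": f[1], "machine": f[2], "entry": f[4], "ehsize": f[8]}

# Constructed sample: 254 bytes of filler followed by a minimal ELF64 x86-64 header.
FILLER = b"JUNK" * 63 + b"!!"          # exactly 254 bytes, mirroring the binwalk offset above
EHDR = struct.pack("<16sHHIQQQIHHHHHH",
                   ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8,  # e_ident: ELF64, LSB, v1
                   2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
CONTAINER = FILLER + EHDR
STRIPPED = b"\x00" * 4 + EHDR[4:]       # the second binary's situation: magic zeroed out

if __name__ == "__main__":
    off = find_elf_offsets(CONTAINER)[0]
    print("carved at", off, parse_ehdr64(CONTAINER[off:]))
    print("repaired", parse_ehdr64(repair_magic(STRIPPED)))
```

Carving from the magic to the end of the container is what binwalk -e does; a precise size needs the section/program headers parsed.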


After extracting the executables successfully, we can reverse them with the help of angr.

Problem: My system was recently compromised. The hacker stole a lot of information, but he also deleted a very important file of mine. I have no idea how to recover it. The only evidence we have at this point in time is this memory dump. Please help me.

Solution: Running the Volatility filescan plugin and grepping for .txt files gives a suspicious-looking important.txt. However, dumping the file with the dumpfiles plugin does not work.

Running pslist shows a StikyNot.exe process. Running filescan and grepping for .snt gives a StickyNotes.snt file, which contains the text

Searching for recovery of deleted data with Volatility yields results about mftparser. Running that plugin and grepping for important.txt gives the flag.

Problem statement: A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me, please?

Solution: Using the Volatility pslist plugin, we see two notepad processes running. Both processes' memory is dumped using memdump.

The cmdline plugin is then used…

Anarta Poashan
