The challenge was to recover a password from an Excel document.
Looking inside the document's macro showed that it was running shellcode.
So I edited the macro to write the shellcode out to a file before it was run:
```vba
' VirtualAlloc, WriteProcessMemory, CreateThread and the MEM_COMMIT /
' PAGE_EXECUTE_READWRITE constants are declared elsewhere in the module (not shown).
Private Sub ExecuteShellCode()
    Dim lpMemory As Long
    Dim sShellCode As String
    Dim lResult As Long

    sShellCode = ShellCode()

    ' Added line: dump the shellcode string to disk before it is executed
    Open "C:\shellcode" For Output As #1
    Write #1, sShellCode
    Close #1

    ' Original behaviour: allocate RWX memory, copy the shellcode in, run it on a new thread
    lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
    lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub
```
Opening the dumped file showed a short stub of shellcode followed by a base64-encoded blob; the stub decodes the blob and runs the exe embedded in it.
So I just ran the shellcode from a small C program. Because the shellcode string was extremely long, Windows didn't like it, so I used GCC:
```c
#include <stdio.h>

/* Decoder stub followed by the base64-encoded payload; the payload is
   truncated here because it runs to thousands of lines. */
char shellcode[] =
    "\xeb\x3a\x31\xd2\x80\x3b\x2b\x75\x04\xb2\x3e\xeb\x26\x80\x3b\x2f\x75\x04\xb2\x3f\xeb\x1d\x80\x3b\x39\x77\x07\x8a\x13\x80\xea\xfc\xeb\x11\x80\x3b\x5a\x77\x07\x8a\x13\x80\xea\x41\xeb\x05\x8a\x13\x80\xea\x47\xc1\xe0\x06\x08\xd0\x43\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x80\xc1\x36\x01\xcb\x89\xd9\x31\xc0\x80\x3b\x3d\x74\x25\xe8\xab\xff\xff\xff\xe8\xa6\xff\xff\xff\xe8\xa1\xff\xff\xff\xe8\x9c\xff\xff\xff\x86\xc4\xc1\xc0\x10\x86\xc4\xc1\xc8\x08\x89\x01\x83\xc1\x03\xeb\xd4"
    "6FoIAADDVYnlUVZXi00Mi3UQi30U/ +9999 lines of base64 encoded lines. A=";

int main(int argc, char **argv)
{
    /* Treat the buffer as a function and jump into it. */
    int (*func)();
    func = (int (*)()) shellcode;
    (*func)();
    return 0;
}
```
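The stub at the front of the dumped blob compares each input character against '+', '/', '9' and 'Z' and subtracts 0xfc, 0x41 or 0x47, which is exactly the standard base64 alphabet, and it decodes four characters into three bytes in place until it reaches a '='. The script below is an added example (not the author's code) that reproduces that logic in Python so the payload can be recovered statically instead of being executed; the stub bytes are copied from the C source above, while the base64 tail is a constructed sample made of the 28 characters visible on the page plus a '=' terminator, since the full payload is elided.

```python
import base64

# Decoder stub copied from the hex-escaped prefix of the C source above (119 bytes).
STUB = bytes.fromhex(
    "eb3a31d2803b2b7504b23eeb26803b2f7504b23feb1d803b3977078a1380eafceb11"
    "803b5a77078a1380ea41eb058a1380ea47c1e00608d043c3eb05e8f9ffffff5b31c9"
    "80c13601cb89d931c0803b3d7425e8abffffffe8a6ffffffe8a1ffffffe89cffffff"
    "86c4c1c01086c4c1c808890183c103ebd4"
)
# call/pop trick: 'pop ebx' sits at 0x41 and the loop adds 0x36 -> input at 0x77 = 119 = len(STUB)
DATA_OFFSET = 0x41 + 0x36
# Constructed sample: stub + the 28 base64 chars visible on the page + '=' standing in
# for the elided remainder of the payload.
SAMPLE_BLOB = STUB + b"6FoIAADDVYnlUVZXi00Mi3UQi30U="

def sextet(c: int) -> int:
    """Mirror of the stub's compare chain; each branch is a 'sub dl, imm8'."""
    if c == ord("+"):
        return 0x3E
    if c == ord("/"):
        return 0x3F
    if c <= ord("9"):
        return (c - 0xFC) & 0xFF  # digits: c + 4 -> 52..61
    if c <= ord("Z"):
        return (c - 0x41) & 0xFF  # 'A'..'Z' -> 0..25
    return (c - 0x47) & 0xFF  # 'a'..'z' -> 26..51

def stub_decode(data: bytes) -> bytes:
    """Four characters in, three bytes out, until a group starts with '='."""
    out = bytearray()
    pos = 0
    while pos + 4 <= len(data) and data[pos] != ord("="):
        eax = 0
        for c in data[pos:pos + 4]:
            eax = ((eax << 6) & 0xFFFFFFFF) | sextet(c)  # shl eax,6 ; or al,dl
        # xchg/rol/ror reorder the 24-bit value so 'mov [ecx],eax' stores it big-endian
        out += bytes([(eax >> 16) & 0xFF, (eax >> 8) & 0xFF, eax & 0xFF])
        pos += 4
    return bytes(out)

def decode_blob(blob: bytes) -> bytes:
    """Statically produce what the stub would write over its own input buffer."""
    if not blob.startswith(STUB) or DATA_OFFSET != len(STUB):
        raise ValueError("blob does not start with the known decoder stub")
    return stub_decode(blob[DATA_OFFSET:])

def matches_standard_base64(blob: bytes) -> bool:
    """Cross-check that the stub's alphabet and grouping are plain RFC 4648 base64."""
    tail = blob[DATA_OFFSET:]
    return stub_decode(tail) == base64.b64decode(tail[: tail.index(b"=")])
```

On the sample the decoded bytes start with a call followed by a push ebp / mov ebp,esp prologue, i.e. the blob unpacks into a second stage of position-independent code rather than straight into an MZ header.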
I then loaded the binary into OllyDbg, stepped through the program and kept an eye on which characters ended up in the registers, until I saw "ExcelMagic" in ECX being compared against my input.