Over my time working in incident response, I've slowly developed a deep desire to learn more about the inner workings of applications to understand how modern malware is written. Part of this journey has led me to learning some basic reverse engineering, and to hold myself accountable I've document my progress. Today's post is going to be walkthroughs for the reversing challenges published in TryHackMe's "Reversing ELF" room. To iterate, these are **beginner** challenges, and while I've previously posted some Medium difficulty reversing from HTB the goal for this is to ensure we establish a good foundation for techniques. If you're looking for advanced reversing, this isn't the writeup for you. But if you're an eternal learner looking to try something new, I can't stress how satisfying it is to solve these little programming puzzles.

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string that is rebuilt on disk. This encoded string is then loaded into a JScript file that when executed, would rebuild the password-protected zip file on disk and execute it. This is done programmatically by using COM objects to access the GUI-based functions in Windows via the generated JScript loader, executing the loader inside the password-protected zip without having to unzip it first. By password protecting the zip file, it protects the binary from EDRs and disk-based or anti-malware scanning mechanisms.

Who needs AES when you have XOR?