
In a CTF there was a rev PE challenge where it appeared in the disassembly as if the program was calling functions from ADVAPI32 but instead called some different code because the import table was modified. I can't quite figure out what was getting called instead. A Binary Ninja line where the ADVAPI function appears to be called:

CreateServiceA(&var_20, 0, 0, 0x18, 0xf0000000)

The Import information I got from PEBear:

Call Via: 81D8, Name: CreateServiceA, Ordinal: -, Original Thunk: 4E908, Thunk: 8360, Hint: DAB9

As I understood it, the "Original Thunk" is the RVA where the "Hint" is located? But I don't really understand the rest.

My Question: What do the Thunks and the Hint mean, what exactly gets called and what was originally being called?

  • I'm not sure what information you need to answer my questions. I'll be happy to provide it if you point it out – Hellstormer Mar 21 '22 at 21:42
  • which challenge is that? – Igor Skochinsky Mar 23 '22 at 09:27
  • It is "service". But I think (after countless hours) I understand it now. They used a tool (https://github.com/d35ha/CallObfuscator) to obfuscate the IAT of the PE and load in the correct functions at runtime right before the main function. Should I delete my question or attempt to answer it? I don't think anyone cares about the answer. – Hellstormer Mar 23 '22 at 10:29
  • if you describe the implementation details in the answer, it can be useful. but maybe the title should be changed if it's not about the hint anymore. – Igor Skochinsky Mar 23 '22 at 10:35
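An added example, not code from the question or from the CallObfuscator project: a parser over a constructed 32-bit import directory (RVA treated as equal to file offset) that shows what PE-bear's "Call Via", "Original Thunk", "Thunk" and "Hint" columns refer to, and flags an entry whose on-disk IAT value differs from its INT value, which is the situation in the row quoted above (Thunk 8360 vs Original Thunk 4E908). The layout offsets and the tampered value 0x310 are constructed; the Hint 0xDAB9 and the names come from the question.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000          # bit 31 set: the INT entry is an ordinal, not a name

# Constructed 32-bit image in which RVA == file offset (one section mapped 1:1):
#   0x000 IMAGE_IMPORT_DESCRIPTOR for ADVAPI32.dll, followed by the all-zero terminator
#   0x100 Import Name Table (OriginalFirstThunk)   0x200 Import Address Table (FirstThunk)
#   0x300 IMAGE_IMPORT_BY_NAME: WORD Hint + "CreateServiceA\0"   0x320 the DLL name
def build_image(iat_entry_on_disk=0x300):
    img = bytearray(0x400)
    # OriginalFirstThunk, TimeDateStamp (0 = not bound), ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", img, 0x000, 0x100, 0, 0, 0x320, 0x200)
    struct.pack_into("<I", img, 0x100, 0x300)              # INT entry -> hint/name record
    struct.pack_into("<I", img, 0x200, iat_entry_on_disk)  # IAT slot as stored in the file
    struct.pack_into("<H", img, 0x300, 0xDAB9)             # the Hint shown in the question
    img[0x302:0x311] = b"CreateServiceA\0"
    img[0x320:0x32D] = b"ADVAPI32.dll\0"
    return bytes(img)

def u32(img, rva):
    return struct.unpack_from("<I", img, rva)[0]

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_imports(img, desc_rva=0):
    """Walk the import directory and return one dict per DLL with its thunk entries."""
    dlls = []
    while img[desc_rva:desc_rva + 20] != bytes(20):       # all-zero descriptor ends the list
        int_rva, stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<5I", img, desc_rva)
        entries = []
        for off in range(0, 0x1000, 4):                   # 4-byte thunks in a 32-bit PE
            int_val, iat_val = u32(img, int_rva + off), u32(img, iat_rva + off)
            if int_val == 0:
                break
            if int_val & IMAGE_ORDINAL_FLAG32:
                hint, name = None, f"#{int_val & 0xFFFF}"
            else:   # Hint = index into the DLL's export name table; the loader falls back to a name search
                hint, name = struct.unpack_from("<H", img, int_val)[0], cstr(img, int_val + 2)
            entries.append({
                "name": name, "hint": hint,
                "original_thunk": int_val,  # PE-bear "Original Thunk": INT value, RVA of the hint/name
                "call_via": iat_rva + off,  # PE-bear "Call Via": the IAT slot the call reads at run time
                "thunk": iat_val,           # PE-bear "Thunk": what the file stores in that slot
                # An unbound IAT mirrors the INT on disk; a differing value means the slot was rewritten
                "suspicious": stamp == 0 and iat_val != int_val,
            })
        dlls.append({"dll": cstr(img, name_rva), "entries": entries})
        desc_rva += 20
    return dlls
```

The same walk can be done on a real file with pefile, comparing each entry's INT and IAT values; the loader overwrites the IAT only at load time, so on disk the two should match unless the file is bound or has been patched.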

0 Answers