Challenge

The challenge presents as a corrupted file (as stated inside Message.txt). The file is an executable, but if we try to run it Windows does not recognize the format:

Solution

It seems that there is something we must do to recover the file. We start by collecting some information about it, and Detect It Easy tells us that the file has been packed with UPX. UPX is a common packer; besides shrinking the binary, packing hides the real code from static analysis and from signature-based tools. Luckily the UPX tool can also unpack its own output (upx -d), so we just need to execute a command and...

Why doesn't it work?!

We find that this executable carries an overlay, i.e. data appended to the file past the end of the last section (PE-bear lists it at the bottom):

The overlay probably corresponds to the manifest. Also, from CFF Explorer we notice that the size of the file does not match the size embedded in the PE headers (the screenshot compares it against SizeOfImage; strictly speaking that is the size of the mapped image in memory, which normally differs from the on-disk size, and the comparison that matters is against the raw section sizes declared in the section table, but either way the file is shorter than expected):

We need to make the file size match the PE size, and in some way this is also related to the manifest issue. With PE-bear we check the values marked in red, which usually mean that something is corrupted. Along with the UPX section, we find this:

What does it mean? The file is 732 bytes short of the size the headers declare:

Let's see where it is corrupted. Opening the original packed PE in any hex editor, we notice that some details were left intact, like the PE signature:

while others were not:

Got it! The manifest was not recovered correctly, which is why the file size is smaller than the PE size.

It turns out that the manifest does not need to be properly formatted for UPX to unpack the file, so we just append the calculated 732 bytes to the end of the file (their content does not matter for unpacking, since the missing bytes belong to the manifest and not to the compressed data). Now we match the original PE size. Re-run UPX with the -d option to unpack and...
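The size check PE-bear does by hand above can be scripted. The following is an added example (not code from the original writeup): it reads the section table straight from the PE headers with the standard library, computes the on-disk size the headers declare (the furthest PointerToRawData + SizeOfRawData), reports the delta against the real file size (positive means truncation, negative means an overlay is present), and pads a truncated file with null bytes. The sample PE it builds is a constructed toy with UPX-style section names, not the challenge binary; the 732-byte truncation is simulated to mirror the case on this page.

```python
import struct
import sys

SECTION_HEADER_SIZE = 40


def declared_raw_size(pe: bytes) -> int:
    """Size the PE headers say the file should have on disk: the end of the
    section whose raw data reaches furthest (PointerToRawData + SizeOfRawData).
    Bytes past that offset are overlay; a file shorter than it is truncated."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # first section header
    end = table + num_sections * SECTION_HEADER_SIZE        # headers count too
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def raw_size_delta(pe: bytes) -> int:
    """Positive: bytes missing (file truncated). Negative: overlay bytes present."""
    return declared_raw_size(pe) - len(pe)


def pad_to_declared_size(pe: bytes, filler: bytes = b"\0") -> bytes:
    """Append filler until the file reaches the declared raw size."""
    missing = raw_size_delta(pe)
    if missing <= 0:
        return pe
    return pe + (filler * missing)[:missing]


def build_sample_pe(truncate_by: int = 0) -> bytes:
    """Constructed toy PE32 (not the challenge binary): DOS header, PE signature,
    COFF header, a 224-byte optional header that is mostly zero (so the sample is
    not runnable), two UPX-style sections and 0x200-byte file alignment.
    truncate_by chops bytes off the end to simulate the corrupted challenge file."""
    opt_size = 224
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [(b"UPX0", 0x200, 0x1000, 0x200, 0x200),
                (b"UPX1", 0x400, 0x2000, 0x400, 0x400)]
    table = b"".join(name.ljust(8, b"\0") + struct.pack("<IIII", vs, va, rs, rp)
                     + b"\0" * 16 for name, vs, va, rs, rp in sections)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    body = b"\xCC" * 0x200 + b"\x90" * 0x400
    pe = headers + body
    return pe[:len(pe) - truncate_by] if truncate_by else pe


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python pefix.py corrupted.exe fixed.exe
        data = open(sys.argv[1], "rb").read()
        print(f"declared {declared_raw_size(data)} bytes, file has {len(data)}, "
              f"delta {raw_size_delta(data)}")
        open(sys.argv[2], "wb").write(pad_to_declared_size(data))
    else:
        broken = build_sample_pe(truncate_by=732)
        print("constructed sample is short by", raw_size_delta(broken), "bytes")
```

Run it with two paths to pad a real file, or with no arguments to see the constructed sample. A negative delta is the normal case for a binary with an overlay (installers, some packers, an appended manifest), so only a positive delta indicates the truncation seen in this challenge.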

So far so good! We got the unpacked file! We run it and …

What the actual f***? Side-by-side configuration? Windows, what are you trying to tell me?

Windows kindly suggests using sxstrace (the side-by-side tracing tool, sxstrace.exe) to investigate the problem. From window 1 we start the trace (sxstrace.exe Trace -logfile:SxsTrace.etl); from window 2 we execute the fixed garbage.exe; then from window 1 we stop the trace. What we obtain is an .etl trace file, which we can convert to text with the Parse command (sxstrace.exe Parse -logfile:SxsTrace.etl -outfile:SxsTrace.txt). We finally obtain a human-readable file that explicitly states the cause:

We need the manifest properly formatted to run the executable! After playing with HxD to insert the manifest into the file by hand, I found a better way using CFF Explorer: in the Resource Editor, delete the old manifest resource and add the new one using "Add Custom Resource":

OK, so we try to run it, but we get an additional error:

Look at the message: [...] because .DLL was not found. What is .DLL? The loader reports the name of the module it failed to load, but in this executable the name is empty, so all that is left in the message is the .DLL extension the loader appends by default. PE-bear flags another error on the Imports page: the module name is missing. From CFF Explorer we inspect those imports. Module n.1 has these functions:

Module n.2 has these imports: OK, so from the function names it seems that:

  • module 1 = kernel32
  • module 2 = shell32

From the same window we set the Module Name field for each one (kernel32.dll and shell32.dll), re-run the executable and...

We got the flag!