PE Studio


Load it up in x32dbg

Starting at entry point


We suspect shellcode is present in this executable, so we start by setting a breakpoint on VirtualAlloc in x32dbg with the command bp VirtualAlloc, run the executable, and once the breakpoint hits, run to user code (Alt + F9).

At this point, we can Step Over (F8) until we reach the CALL that allocates the shellcode, at 00408460.

Currently at user code after the breakpoint set on VirtualAlloc


Right-click EAX and Follow in Dump: the dump shows the opcodes FC E8 (cld; call), the prologue that commonly marks the start of shellcode.


From here, right-click on 00408460 and choose Follow in Memory Map.

Then right-click again and choose Dump Memory to File; the resulting file is a copy of the shellcode.

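Once the region has been dumped to a file, the FC E8 (cld; call rel32) prologue mentioned above can be located programmatically rather than by eye. The script below is an added example, not part of the original write-up or of x32dbg: it scans a dumped buffer for FC E8, decodes the 32-bit relative call displacement that follows, and keeps only hits whose call target lands inside the buffer, which filters out the same two bytes occurring by chance in ordinary data. The sample buffers are constructed filler (NOPs, zeros and int3 bytes around a prologue), not real shellcode; the function names and the dump file name are this example's own.

```python
import hashlib
import struct
import sys

# Constructed sample dump: a "cld; call rel32" prologue (FC E8 <rel32>)
# surrounded by filler so the call target lands inside the buffer, as it
# would in a genuine dump. None of this is executable payload.
SAMPLE_DUMP = (
    b"\x90" * 8                    # constructed junk before the prologue
    + b"\xfc\xe8\x10\x00\x00\x00"  # cld; call +0x10
    + b"\x00" * 0x10               # bytes skipped over by the call
    + b"\x5f"                      # pop edi: the usual "get PC" landing spot
    + b"\xcc" * 16                 # int3 filler
)

# Constructed false positive: FC E8 appears, but the displacement points
# far outside the buffer, so it is almost certainly data, not a prologue.
FALSE_POSITIVE_DUMP = b"\x00" * 4 + b"\xfc\xe8\xff\xff\xff\x7f" + b"\x00" * 4

PROLOGUE = b"\xfc\xe8"
CALL_LEN = 6  # FC (cld) + E8 rel32 (5 bytes)


def find_prologues(buf):
    """Return every FC E8 occurrence with its decoded call target."""
    results = []
    pos = buf.find(PROLOGUE)
    while pos != -1:
        rel_off = pos + 2
        # Need four bytes of displacement after E8; otherwise it cannot be a call.
        if rel_off + 4 <= len(buf):
            rel32 = struct.unpack_from("<i", buf, rel_off)[0]
            # rel32 is relative to the end of the call instruction.
            target = pos + CALL_LEN + rel32
            results.append({
                "offset": pos,
                "rel32": rel32,
                "target": target,
                "in_bounds": 0 <= target < len(buf),
            })
        pos = buf.find(PROLOGUE, pos + 1)
    return results


def likely_shellcode_offsets(buf):
    """Offsets of FC E8 prologues whose call stays inside the buffer."""
    return [hit["offset"] for hit in find_prologues(buf) if hit["in_bounds"]]


def sha256_hex(buf):
    """Hash of the dumped region, for the analysis notes."""
    return hashlib.sha256(buf).hexdigest()


def report(buf, name):
    print(f"{name}: {len(buf)} bytes, sha256 {sha256_hex(buf)}")
    for hit in find_prologues(buf):
        status = "candidate" if hit["in_bounds"] else "out of bounds (ignored)"
        print(f"  FC E8 at 0x{hit['offset']:x}: call rel32={hit['rel32']:#x} "
              f"-> 0x{hit['target']:x} {status}")


if __name__ == "__main__":
    # Pass a dump file (e.g. the one produced by Dump Memory to File) to scan
    # it; with no argument the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(), sys.argv[1])
    else:
        report(SAMPLE_DUMP, "SAMPLE_DUMP")
        report(FALSE_POSITIVE_DUMP, "FALSE_POSITIVE_DUMP")
```

The in-bounds check is the important design choice: FC E8 is only two bytes and will show up by coincidence in larger dumps, but a real prologue's call almost always jumps forward a short distance to a position-independent stub, so a target outside the region is a strong signal to discard the hit.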