This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here
Challenge 3 brings a PE executable file to take a look at.
such_evil: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
I loaded the file up in x64dbg and, after navigating to the main function, it appears to push a large amount of data onto the stack and then CALL into that stack-resident code.
I continued to step through the program, monitoring the memory region pointed to by ESI.
The shellcode (not pictured) is decoded and overwritten in multiple stages, leaving these messages at ESI:
Finally, the last stage reveals the flag.
There are more elaborate ways to reveal the flag; the official write-up uses IDAPython scripting to decode the staged messages statically rather than stepping through them in a debugger.