Basic Malware RE

Steps before Reverse Engineering

  • Download all the zips

  • Unzip the files using the password: MalwareTech

Strings:: Challenge 1

  • Download the file

  • Unzip it using the password

  • Analyse it with strings

    strings strings1.exe_
    # ...
    # prints many FLAG{...} strings

    It prints many candidate flags (decoys); we still have to find the real one.

  • Create a Ghidra project and import strings1.exe_ into it

  • Accept the analysis prompt when importing strings1.exe_

  • In the Symbol Tree view go to Functions -> entry, then double-click local_8 to open its view

  • The decompiled C shows part of the flag; copy a few characters of it and grep the strings output for them to get the full flag

    strings strings1.exe_ | grep "REDACTED"
    # Output
    # FLAG{REDACTED}

Strings:: Challenge 2

  • Close strings1.exe_

  • Press Ctrl+O and open strings2.exe_

  • In the Symbol Tree view go to Functions -> entry, then double-click local_8 to open its view

  • In the decompiled output several variables are declared at the top

  • They are assigned values lower down, one character per variable (a stack string, built at run time, which is why strings does not show it)

  • The first variable is assigned a char literal; hovering over the other variables shows the char value for each hex constant

  • Convert each hex value to its ASCII character, in stack order

  • That gives the flag
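Doing the hex-to-char conversion by hand is error-prone once the string gets long, and the decompiler often lists the assignments out of order or merges adjacent bytes into one integer. The script below is an added example, not part of the original write-up: it parses Ghidra-style decompiler lines of the form `local_XX = 0x46;` or `local_XX = 'L';` and rebuilds the stack string. The sample input is constructed and spells a placeholder flag, not the challenge's flag; the ordering rule assumed is Ghidra's, where `local_N` sits at frame offset -N, so the largest offset holds the first character.

```python
import re

# Constructed sample of what Ghidra's decompiler shows for a stack string.
# Assignments are deliberately out of order and one of them has been merged
# into a 4-byte little-endian integer. The placeholder flag is made up.
SAMPLE_DECOMPILE = """
  local_2c = 0x46;
  local_2b = 'L';
  local_29 = 0x47;
  local_2a = 0x41;
  local_28 = 0x6174737b;
  local_23 = 0x6b;
  local_24 = 0x63;
  local_22 = 0x7d;
  local_21 = 0;
"""

ASSIGN_RE = re.compile(
    r"local_([0-9a-fA-F]+)\s*=\s*(0x[0-9a-fA-F]+|\d+|'(?:\\.|[^'])')\s*;"
)


def parse_byte_assignments(text):
    """Map frame offset (int) -> assigned integer value for every local_XX = ...; line."""
    out = {}
    for m in ASSIGN_RE.finditer(text):
        off = int(m.group(1), 16)
        raw = m.group(2)
        if raw.startswith("'"):
            # char literal, e.g. 'L' or '\0'
            val = ord(raw[1:-1].encode().decode("unicode_escape"))
        elif raw.startswith("0x"):
            val = int(raw, 16)
        else:
            val = int(raw, 10)
        out[off] = val
    return out


def _expand(value):
    # The decompiler may show several adjacent bytes as one little-endian
    # integer; split it back into bytes in memory order.
    n = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(n, "little")


def reconstruct_stack_string(assignments):
    """local_N lives at [frame - N], so a larger N is a lower address and
    the string starts at the local with the largest offset. Stop at NUL."""
    chars = []
    for off in sorted(assignments, reverse=True):
        for b in _expand(assignments[off]):
            if b == 0:
                return "".join(chars)
            chars.append(chr(b))
    return "".join(chars)


def decode_sample():
    return reconstruct_stack_string(parse_byte_assignments(SAMPLE_DECOMPILE))


if __name__ == "__main__":
    print(decode_sample())
```

Paste the block of assignments from the decompiler window into `SAMPLE_DECOMPILE` (or read it from a file) and run the script; if the result looks shuffled, check whether Ghidra has given one of the locals a wider type than a byte, since the merged-integer expansion above assumes little-endian storage.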

Strings:: Challenge 3

  • Load strings3.exe_ in Ghidra

  • Repeat the previous steps to reach the entry point function

  • The MessageBoxA call pops up the value produced on the line above it, which looks like an MD5 hash

  • Hovering over LoadStringA shows that its second parameter is the uint resource ID; Ghidra displays it in hex, which is 272 in decimal

  • Scrolling down the listing shows many flag strings stored as resources, each with an ID; the entry with ID 272 is the last flag
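Knowing how LoadStringA turns an ID into a location in the .rsrc section makes it easy to pull the flag out of the file rather than scrolling the listing for it. The script below is an added example, not part of the original write-up: it reproduces the Win32 string-table lookup, where string ID n lives in RT_STRING block (n / 16) + 1 at entry n % 16, and each block holds 16 entries of a WORD character count followed by that many UTF-16LE code units. The resource blocks here are constructed in memory and the flag text is a placeholder; the real binary's blocks would be read from the RT_STRING (type 6) directory of the PE.

```python
import struct


def string_table_location(resource_id):
    """Return (block_id, index) that LoadStringA consults for resource_id."""
    return resource_id // 16 + 1, resource_id % 16


def build_string_table_block(strings):
    """Serialise up to 16 strings as an RT_STRING block: a WORD length
    (in UTF-16 code units) followed by the text; empty slots are a zero WORD."""
    if len(strings) > 16:
        raise ValueError("a string table block holds at most 16 entries")
    padded = list(strings) + [""] * (16 - len(strings))
    out = bytearray()
    for s in padded:
        enc = s.encode("utf-16-le")
        out += struct.pack("<H", len(enc) // 2) + enc
    return bytes(out)


def parse_string_table_block(data):
    """Parse one RT_STRING block back into its 16 strings."""
    strings = []
    pos = 0
    for _ in range(16):
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2
        strings.append(data[pos:pos + 2 * n].decode("utf-16-le"))
        pos += 2 * n
    return strings


def load_string(blocks, resource_id):
    """Mimic LoadStringA: blocks maps RT_STRING block id -> raw block bytes.
    Returns None when the block or the entry is absent (the API returns 0)."""
    block_id, index = string_table_location(resource_id)
    if block_id not in blocks:
        return None
    return parse_string_table_block(blocks[block_id])[index] or None


# Constructed sample resources: decoys at IDs 271 and 273, placeholder flag at 272.
# ID 271 -> block 17, entry 15; IDs 272 and 273 -> block 18, entries 0 and 1.
SAMPLE_BLOCKS = {
    17: build_string_table_block([""] * 15 + ["decoy-271"]),
    18: build_string_table_block(["FLAG{resource-string-demo}", "decoy-273"]),
}


if __name__ == "__main__":
    print(string_table_location(272))
    print(load_string(SAMPLE_BLOCKS, 272))
```

To apply this to the real file, read the raw data of the RT_STRING resource whose name ID equals the block number (18 for ID 272) with a PE parser such as pefile and pass it to `parse_string_table_block`; the round trip through `build_string_table_block` above is only there so the example runs without the binary.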
