Basic Malware RE

Steps before Reverse Engineering

Download File
Unzip File using password
analyze using strings
```
strings strings1.exe_
# ...
# Flags ...
```
It'll print many flags, but we need to find exact flag
Create Ghidra project and load file in the project
On Importing the strings1.exe_ file
From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)
From Decompiled C program we can see partial flag, copying it's few words and grepping with strings commands, we get our desired flag
```
strings strings1.exe_ | grep "REDACTED"
# Output
# FLAG{REDACTED}
```

Close strings1.exe_ file
Press Ctrl+O open strings2.exe_
From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)
From Decode File, we can see multiple variable declared above
variables are assigned values later
from first variable is assigned char value, on hovering over other variables, we get to see char value
Convert hex value to char value for all the variables
We get our flag

Load strings3.exe_ in Ghidra
Repeat previous steps and get to entry point function
From analyzing MessageBoxA would print/popup md5 hash (from above line)
On hovering over LoadStringA, it accepts uint ID in its second parameter, which is a hexadecimal value, in decimal turns out to be 272
after scrolling down in listing, we find various flags with ids, on scrolling down to 272 value, we get our last flag

Last updated 2 years ago

Was this helpful?

Download File
Unzip File using password
analyze using strings
```
strings strings1.exe_
# ...
# Flags ...
```
It'll print many flags, but we need to find exact flag
Create Ghidra project and load file in the project
On Importing the strings1.exe_ file
From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)
From Decompiled C program we can see partial flag, copying it's few words and grepping with strings commands, we get our desired flag
```
strings strings1.exe_ | grep "REDACTED"
# Output
# FLAG{REDACTED}
```

Close strings1.exe_ file
Press Ctrl+O open strings2.exe_
From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)
From Decode File, we can see multiple variable declared above
variables are assigned values later
from first variable is assigned char value, on hovering over other variables, we get to see char value
Convert hex value to char value for all the variables
We get our flag

Load strings3.exe_ in Ghidra
Repeat previous steps and get to entry point function
From analyzing MessageBoxA would print/popup md5 hash (from above line)
On hovering over LoadStringA, it accepts uint ID in its second parameter, which is a hexadecimal value, in decimal turns out to be 272
after scrolling down in listing, we find various flags with ids, on scrolling down to 272 value, we get our last flag

Last updated 2 years ago

Was this helpful?