Basic Malware RE

Steps before Reverse Engineering

• Download All zips

• Unzip files using Password: MalwareTech

Strings:: Challenge 1

• Download File

• Unzip File using password

• analyze using strings

  strings strings1.exe_
  # ...
  # Flags ...

  It'll print many flags, but we need to find exact flag

• Create Ghidra project and load file in the project

• On Importing the strings1.exe_ file

• From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)

• From Decompiled C program we can see partial flag, copying it's few words and grepping with strings commands, we get our desired flag

  strings strings1.exe_ | grep "REDACTED"
  # Output
  # FLAG{REDACTED}

Strings:: Challenge 2

• Close strings1.exe_ file

• Press Ctrl+O open strings2.exe_

• From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)

• From Decode File, we can see multiple variable declared above

• variables are assigned values later

• from first variable is assigned char value, on hovering over other variables, we get to see char value

• Convert hex value to char value for all the variables

• We get our flag

Strings:: Challenge 3

• Load strings3.exe_ in Ghidra

• Repeat previous steps and get to entry point function

• From analyzing MessageBoxA would print/popup md5 hash (from above line)

• On hovering over LoadStringA, it accepts uint ID in its second parameter, which is a hexadecimal value, in decimal turns out to be 272

• after scrolling down in listing, we find various flags with ids, on scrolling down to 272 value, we get our last flag