TryHackme : Basic Malware RE — Writeup

4 min readJan 15, 2024

The purpose of these tasks is to educate you on the “Static Analysis” method that was employed to examine the malware. The primary goal of this room is to avoid using any kind of debugger and to avoid running any executables or programs on any platform. It is necessary that you respond to every question without ever opening the debugger or running any applications or executables.

Ghidra is a smart and potent tool that I used in the challenge to carry out simple reverse engineering tasks. The National Security Agency created the open-source Ghidra software package, which is renowned for its ability to decipher complicated software’s inner workings and analyze harmful code. Ghidra’s powerful decompilation and disassembly features were utilized in my method to methodically disassemble the compiled binary. Through this technique, I was able to examine the underlying assembly code and comprehend the logic and structure of the program.

TryHackme Challenge

Strings :: Challenge 1

in this first challenge the answer is pretty easy to find out, just take a look on the entry function the flag is there.

Flag : FLAG{CAN-I-*****************-OBVIOUS}

Strings :: Challenge 2

In the realm of cybersecurity and digital forensics, uncovering hidden messages is often akin to solving a complex puzzle. A fascinating example of this is the decoding of hexadecimal values into readable text, a common technique in examining malicious code or investigating cybersecurity breaches. In a recent case, a series of hex values — ranging from 0x46 to 0x7d—were meticulously converted into their corresponding ASCII characters. Such discoveries are not just about the thrill of decoding; they often hold critical clues in cybersecurity investigations. This particular string, resembling a flag format often used in capture-the-flag (CTF) cybersecurity competitions, could indicate a breadcrumb in a simulated challenge or, in a real-world scenario, a marker used by attackers. This example underscores the importance of attention to detail and the diverse skill set required in the cybersecurity field, where even a seemingly innocuous string of hex values can unveil significant information.

decode this hex value using this script :

# Decoding the hexadecimal values to a string

hex_values = [
    'F', 0x4C, 0x41, 0x47, 0x7B, 0x53, 0x54, 0x41, 0x43, 0x4B, 0x2D,
    0x53, 0x54, 0x52, 0x49, 0x4E, 0x47, 0x53, 0x2D, 0x41, 0x52, 0x45,
    0x2D, 0x42, 0x45, 0x53, 0x54, 0x2D, 0x53, 0x54, 0x52, 0x49, 0x4E,
    0x47, 0x53, 0x7D
]

# Convert each hexadecimal value to its corresponding character
decoded_string = ''.join(chr(value) if isinstance(value, int) else value for value in hex_values)
decoded_string

Flag : FLAG{STACK-S*****************-STRINGS}

Strings :: Challenge 3

at this challenge is little bit tricky, on this challenge we should read the code carefully because the flag is on another place.

Variable Declarations:

local_4a4: A CHAR variable, likely used to store a single character.
local_4a3 [1027]: An array of undefined type, with a size of 1027 bytes. This is probably used as a buffer.
local_9c [144]: An array of MD5 objects, each of size 144 bytes. This suggests that it is used for an MD5 hashing operation.
Function Execution:
MD5::MD5(local_9c): This line calls the constructor of the MD5 class to initialize the local_9c array.
memset(local_4a3,0,0x3ff): This clears the local_4a3 buffer by setting 0x3ff (1023) bytes to 0.
FindResourceA(): Searches for a resource named "rc.rc" in the application's executable file. The found resource is assigned to local_c.
LoadStringA(): Loads a string resource with an identifier of 0x110 (272 in decimal) into the buffer pointed to by &local_4a4. It loads up to 0x3ff (1023) characters.
MD5::digestString(local_9c,&local_4a4): This computes the MD5 digest of the string pointed to by &local_4a4 and returns a pointer to the result, which is stored in local_a0.