TryHackme : Basic Malware RE — Writeup

KanakSasak
4 min read · Jan 15, 2024

The purpose of this room is to teach the static analysis approach to examining malware. The rule for the whole room is that no debugger is attached and no executable is run on any platform: every question has to be answered from the disassembly and decompilation alone.

Ghidra is the tool I used for the reverse engineering in this challenge. It is the open-source software reverse engineering suite released by the National Security Agency, and its disassembler and decompiler are well suited to taking apart a compiled binary without executing it. Working from the decompiled C-like output and the underlying assembly was enough to follow the logic and structure of each program.

TryHackme Challenge

Strings :: Challenge 1

In the first challenge the answer is easy to find: open the entry function in the decompiler and the flag is right there as a plain string literal.

Flag : FLAG{CAN-I-*****************-OBVIOUS}

Strings :: Challenge 2

In Strings 2 the flag is not stored as a string literal, so it does not appear in Ghidra's Defined Strings window or in the output of a plain strings run. Instead the compiler has emitted it as a stack string: each character is written into a local buffer one byte at a time, so the decompiler shows a run of single-byte assignments with hex values from 0x46 ('F') to 0x7d ('}') rather than a string. Collect those bytes in stack order and convert them to ASCII to recover the flag.


Decode the hex values with this script:

# Decode the byte-wise stack string copied from the Ghidra decompiler output.
# Every element is the raw byte value; 0x46 is the leading 'F'.
hex_values = [
    0x46, 0x4C, 0x41, 0x47, 0x7B, 0x53, 0x54, 0x41, 0x43, 0x4B, 0x2D,
    0x53, 0x54, 0x52, 0x49, 0x4E, 0x47, 0x53, 0x2D, 0x41, 0x52, 0x45,
    0x2D, 0x42, 0x45, 0x53, 0x54, 0x2D, 0x53, 0x54, 0x52, 0x49, 0x4E,
    0x47, 0x53, 0x7D
]

# bytes() takes the list of integers directly; the result decodes as ASCII
decoded_string = bytes(hex_values).decode("ascii")
print(decoded_string)

Flag : FLAG{STACK-S*****************-STRINGS}
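Copying bytes out of the decompiler by hand works for one string, but the same idea generalises. The following is an added example (not code from the original writeup or from the room) that recovers stack strings directly from raw 32-bit x86 machine code: it scans for `mov byte ptr [ebp+disp], imm8` writes (opcode C6, ModRM 45 for an 8-bit displacement or 85 for a 32-bit one, the form MSVC emits for an unoptimised stack string), sorts the writes by stack offset and joins runs of adjacent printable bytes. The sample machine code, the string it contains and the `_mov_byte_ebp_imm` helper that builds it are all constructed for the example and are not the challenge binary or its flag.

```python
import struct


def _mov_byte_ebp_imm(disp: int, value: int) -> bytes:
    """Encode `mov byte ptr [ebp+disp], imm8` for 32-bit x86.
    Used only to CONSTRUCT sample machine code for this example."""
    if -128 <= disp <= 127:
        return b"\xC6\x45" + struct.pack("<b", disp) + bytes([value])
    return b"\xC6\x85" + struct.pack("<i", disp) + bytes([value])


def extract_stack_strings(code: bytes, min_len: int = 4):
    """Recover stack strings from raw x86 code.

    Collects every `mov byte ptr [ebp+disp], imm8` write (opcode C6 with a
    ModRM byte of 45 for disp8 or 85 for disp32), sorts the writes by stack
    offset and joins runs of adjacent printable bytes. Returns a list of
    (start_disp, text) tuples, lowest stack offset first.
    """
    writes = {}
    i = 0
    while i < len(code):
        if code[i] == 0xC6 and i + 3 < len(code) and code[i + 1] == 0x45:
            disp = struct.unpack_from("<b", code, i + 2)[0]   # disp8
            writes[disp] = code[i + 3]
            i += 4
        elif code[i] == 0xC6 and i + 6 < len(code) and code[i + 1] == 0x85:
            disp = struct.unpack_from("<i", code, i + 2)[0]   # disp32
            writes[disp] = code[i + 6]
            i += 7
        else:
            i += 1

    results = []
    run, run_start, prev = [], None, None
    for disp in sorted(writes):
        ch = writes[disp]
        printable = 0x20 <= ch < 0x7F
        if printable and run and disp == prev + 1:
            run.append(chr(ch))            # extend the current run
        else:
            if len(run) >= min_len:        # flush a finished run
                results.append((run_start, "".join(run)))
            run, run_start = ([chr(ch)], disp) if printable else ([], None)
        prev = disp
    if len(run) >= min_len:
        results.append((run_start, "".join(run)))
    return results


# Constructed sample: a prologue, one disp32 stack string, some filler, one
# disp8 stack string and an epilogue. Not taken from the challenge binary.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                                   # push ebp; mov ebp, esp
    + b"".join(_mov_byte_ebp_imm(-0x4A0 + k, b)
               for k, b in enumerate(b"FLAG{EXAMPLE-STACK-STRING}\x00"))
    + b"\x33\xC0"                                     # xor eax, eax
    + b"".join(_mov_byte_ebp_imm(-0x20 + k, b)
               for k, b in enumerate(b"rc.rc\x00"))
    + b"\xC9\xC3"                                     # leave; ret
)

if __name__ == "__main__":
    for start, text in extract_stack_strings(SAMPLE_CODE):
        print(f"[ebp{start:#x}] {text}")
```

Run it against the raw bytes of a function (for example the bytes of the `entry` function copied out of Ghidra) rather than the whole file: outside code, the byte 0xC6 occurs by chance and produces junk entries, which is why short runs are dropped via `min_len`. The NUL terminator the compiler writes after the last character is what ends each run.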

Strings :: Challenge 3

This challenge is a little trickier. Read the code carefully: the flag is not in the function body at all but in a resource that the program loads at runtime.

Variable Declarations:

  • local_4a4: A single CHAR. Because LoadStringA writes into &local_4a4 with a 0x3ff limit, this byte is really the first byte of a larger buffer; Ghidra has split the buffer into local_4a4 plus the adjacent local_4a3 because only the first byte's address is taken.
  • local_4a3 [1027]: The remainder of that buffer, of undefined type, 1027 bytes long.
  • local_9c [144]: 144 bytes of stack reserved for an MD5 object. Ghidra renders it as an array because it does not know the layout of the class, but it is one object, not an array of them.

Function Execution:

  • MD5::MD5(local_9c): Calls the MD5 constructor to initialize the object in place.
  • memset(local_4a3,0,0x3ff): Zeroes 0x3ff (1023) bytes of the buffer.
  • FindResourceA(): Looks up a resource named "rc.rc" in the executable; the handle is stored in local_c. Nothing from this handle feeds the hash.
  • LoadStringA(): Loads the string-table entry with identifier 0x110 (272 in decimal) into the buffer starting at &local_4a4, copying at most 0x3ff (1023) characters. This is where the flag comes from.
  • MD5::digestString(local_9c,&local_4a4): Computes the MD5 digest of the string just loaded and returns a pointer to the result, which is stored in local_a0.

The flag is string-table resource ID 272: open the .rsrc section (Ghidra's PE loader parses it; Resource Hacker works too) and read string 272. String-table entries are stored as UTF-16LE, so a plain ASCII strings pass misses them; search for UTF-16 strings instead (for example `strings -el`, or Ghidra's string search with UTF-16 enabled).

Flag : FLAG{RESOURCES-******-MALWARE}
