Basic Malware RE
This room aims towards helping everyone learn about the basics of "Malware Reverse Engineering".
Room Answers
Task 1 Introduction
Read the above.
No Answer Needed
Task 2 Strings :: Challenge 1
First I started by unzipping the archive and then importing strings.exe_ into Ghidra.
File > Batch Import into Ghidra. I then analyzed it with the "Aggressive Instruction Finder" option enabled.
We need to look at the Symbol Tree section, as it lists all of the program's functions, imports and exports.
I double-clicked the entry function in order to view its decompiled source code. When observing the source code, I came across a string that is being hashed with MD5, and I could grab the first flag from the decompiled source code very easily, as follows.
What is the flag of which that MD5 gets generated?
FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}
Task 3 Strings :: Challenge 2
The same procedure was followed in order to solve this challenge too.
When analyzing the functions, I found the same structure as in the previous challenge.
So I started with the entry function, as it was the function where the flag was in the previous challenge. The decompiled source code of the entry function is as follows.
It begins with a char variable, followed by a series of undefined variables. The last one is a character pointer variable.
If we look at the disassembler section, we can get an idea of how these variables are placed on the stack. We can clearly see a reverse order.
The last char pointer, local_8, is the first one added to the stack, as follows.
Let's keep that in mind and observe the decompiler output further.
We can see that each variable is assigned a value, as follows. The first char variable, local_2c, is assigned 'F', and all the undefined variables are assigned hex values.
Tip: these hex values should be ASCII characters, because each value is exactly one byte.
If you remember, we found that the last variable defined, local_8, is a character pointer. Now it is assigned the hash of the string starting at the memory address of the variable char local_2c, as follows.
This means that it will hash the entire string from the bottom of the stack to the top. Thus, we need to convert each hex value assigned to the variables after local_2c into ASCII characters in order to obtain the string that is being hashed.
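The conversion described above can be automated instead of done by hand. The following is an added example, not code from the room or from this writeup's author: it parses Ghidra-style decompiler output, orders the locals by their stack offset (Ghidra names them by offset, so local_2c sits below local_2b in memory), widens multi-byte `undefinedN` locals little-endian, and returns the string that reaches the MD5 call. The decompiler listing embedded below is constructed for illustration and does not reproduce the challenge binary's actual values; the generalisation to 2-, 4- and 8-byte locals goes beyond the single-byte case the text shows.

```python
import hashlib
import re

# Constructed sample of Ghidra decompiler output (NOT the room's challenge
# binary). Ghidra names locals by their negative frame offset, so local_2c
# lives at frame-0x2c, local_2b at frame-0x2b, etc.: a larger offset means
# a lower address, which is why the string is read "bottom to top".
SAMPLE_DECOMPILE = """
undefined8 entry(void)
{
  char local_2c;
  undefined local_2b;
  undefined local_2a;
  undefined local_29;
  undefined4 local_28;
  undefined2 local_24;
  undefined local_22;
  char *local_8;

  local_2c = 'F';
  local_2b = 0x4c;
  local_2a = 0x41;
  local_29 = 0x47;
  local_28 = 0x504d587b;
  local_24 = 0x7d4c;
  local_22 = 0;
  local_8 = (char *)md5(&local_2c);
  return 0;
}
"""

# Byte widths for the local types Ghidra emits for raw stack slots.
WIDTHS = {"char": 1, "byte": 1, "undefined": 1,
          "undefined2": 2, "undefined4": 4, "undefined8": 8}

DECL_RE = re.compile(r"^\s*(\w+)\s+(local_[0-9a-f]+);")
ASSIGN_RE = re.compile(r"^\s*(local_[0-9a-f]+)\s*=\s*(0x[0-9a-fA-F]+|\d+|'(.)');")


def stack_offset(name: str) -> int:
    """local_2c -> 0x2c (distance below the frame base)."""
    return int(name.split("_", 1)[1], 16)


def parse_stack_string(decompiled: str) -> bytes:
    """Rebuild the bytes that sit contiguously on the stack from &local_2c up."""
    widths, values = {}, {}
    for line in decompiled.splitlines():
        decl = DECL_RE.match(line)
        if decl and decl.group(1) in WIDTHS:
            widths[decl.group(2)] = WIDTHS[decl.group(1)]
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            name, literal, char = assign.groups()
            values[name] = ord(char) if char is not None else int(literal, 0)
    # Largest offset first == lowest address first == start of the string.
    ordered = sorted(values, key=stack_offset, reverse=True)
    out = bytearray()
    for name in ordered:
        # Multi-byte slots are stored little-endian on x86, so the literal
        # 0x504d587b occupies memory as 7b 58 4d 50 == "{XMP".
        out += values[name].to_bytes(widths.get(name, 1), "little")
    return bytes(out)


def recover_flag(decompiled: str) -> str:
    """The C string md5() would read: stop at the first NUL byte."""
    raw = parse_stack_string(decompiled).split(b"\x00", 1)[0]
    # Sanity check matching the tip above: every byte should be printable ASCII.
    if not all(0x20 <= b < 0x7f for b in raw):
        raise ValueError("recovered bytes are not printable ASCII: %r" % raw)
    return raw.decode("ascii")


def md5_of_stack_string(decompiled: str) -> str:
    """Hex MD5 of the recovered string, to compare against what the binary emits."""
    return hashlib.md5(recover_flag(decompiled).encode("ascii")).hexdigest()


if __name__ == "__main__":
    flag = recover_flag(SAMPLE_DECOMPILE)
    print(flag, md5_of_stack_string(SAMPLE_DECOMPILE))
```

Paste the real decompiler listing into `SAMPLE_DECOMPILE` (or read it from a file) and the recovered string is the value that gets hashed; computing its MD5 locally and comparing it with the digest the program prints confirms the reconstruction is byte-exact, which catches a mis-ordered or mis-widened slot before the flag is submitted.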