BasicMalwareRE
I learnt from this book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Task 01: Introduction
These challenges are aimed at learning the "static analysis" technique used to analyze malware. The main aim of this room is not to use any kind of debugger, and the executables/programs should not be run on any platform. You are required to answer all the questions without using a debugger and without executing the executables/programs.
Meanwhile, all credit goes to @MalwareTechBlog for creating these awesome challenges.
Note: If you have already solved these challenges, give them a try again while giving enough time to the newbies who want to learn about "Malware Analysis". Also, don't try to copy-paste stuff from other blogs/walkthroughs, as it won't help you learn this amazing field. If you are having a hard time solving these challenges, study more about them and the techniques involved. Meanwhile, you can also join the TryHackMe Discord and raise your problems there.
Password for the ZIP is MalwareTech.
Task 02: Strings :: Challenge 1
Flag 1
Find the entry point
Jump to the EAX value (just double-click on it)
Flag:
Task 03: Strings :: Challenge 2
Find the entry point
Copy the values to a temp file (3)
Filter the output for parsing
cat temp | awk -F "0x" '{print $2}' > cleanHex
Open with vim to clean the trailing ';' on every line
vi cleanHex
:%s/;//g        " delete every ';' from the results
Now we only have hex values that we can parse either online or using a simple bash script. I used a bash script to automate it.
code:
#!/bin/bash
# hextoascii.sh: $1 is one line of hex digits (e.g. 464c4147); decode it to raw
# bytes and append them to flag2. xxd -r -p reverses a plain hex dump.
echo -n "$1" | xxd -r -p >> flag2
All set, let's convert the hex to ASCII and get the flag.
while IFS= read -r line; do ./hextoascii.sh "$line"; done < cleanHex
# cleanHex is the input file name; each line is passed to the script as $1
Output:
$ cat flag2
FLAG{STACK-STRINGS-[deleted-so-COPY-PASTE-wont-work]-BEST-STRINGS}
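The bash pipeline above works when each line holds one byte. The following is an added example, not part of the original writeup or the challenge, that does the same job in Python and also handles the case where the compiler packs several characters into one DWORD immediate, which must be read little-endian. It assumes Ghidra's naming of locals, where local_XX is the hex offset below the frame pointer, so a larger XX sits at a lower address and comes first in the string; the listing below is constructed, not taken from the binary.

```python
import re

# Constructed decompiler output (not from the challenge binary). Note the
# packed DWORD at local_40: 0x4b4f4f42 is "BOOK" when read little-endian.
SAMPLE_LISTING = """\
  local_48 = 0x46;
  local_47 = 0x4c;
  local_46 = 0x41;
  local_45 = 0x47;
  local_44 = 0x7b;
  local_40 = 0x4b4f4f42;
  local_3c = 0x7d;
"""

# Matches "local_<hex offset> = 0x<hex immediate>;"
ASSIGN_RE = re.compile(r"local_([0-9a-fA-F]+)\s*=\s*0x([0-9a-fA-F]+)\s*;")


def decode_stack_string(listing: str) -> str:
    """Rebuild a stack string from assignments of immediates to stack slots."""
    entries = []
    for m in ASSIGN_RE.finditer(listing):
        offset = int(m.group(1), 16)
        hexval = m.group(2)
        nbytes = (len(hexval) + 1) // 2          # 0x46 -> 1 byte, 0x4b4f4f42 -> 4
        raw = int(hexval, 16).to_bytes(nbytes, "little")
        entries.append((offset, raw))
    # Assumption: local_48 lives at a lower address than local_47, so the
    # string runs from the largest offset to the smallest.
    entries.sort(key=lambda e: e[0], reverse=True)
    data = b"".join(raw for _, raw in entries)
    return data.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(decode_stack_string(SAMPLE_LISTING))
```

Sorting by offset means the assignments can appear in any order in the listing, which is common when the compiler interleaves the stores with other code; the one-byte-per-line bash version relies on the listing already being in order.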
Task 04: Strings 3 :: Challenge 3
Entry Point
- Open this project, go to the functions, find entry and double-click it. Same as before.
- Okay, so first we have quite a few defined variables. None of these were super interesting. I was hopeful that maybe one of them would reference a defined string, but no dice.
- Next I look at the body of the function, and we see calls to two other functions, FindResourceA() and LoadStringA(). A quick look at the assembly shows that FindResourceA() is from the Kernel32 library and LoadStringA() is from the User32 library. I quickly found this reference to try to gain an understanding of LoadStringA(). The most relevant point seems to be that the string is loaded from its resource and stored at the variable local_4a.
- The assembly code shows the LoadStringA call, and right next to it shows what it actually loads (aka the flag). I have cut this out for obvious
- We know the identifier for the string is the hex value 0x110, as seen in the parameters of the function call. Now if we open up the defined strings and click on the first one, we can see the start of the flag table. Included on the far right is the string id. 0x110 translates to 272 in decimal. Scroll down to 272 and that is your final flag :)
Follow the "Call" function
Got the flag:
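As an added example (not part of the writeup, and the resource bytes below are constructed rather than extracted from the challenge binary), this is how the id 0x110 passed to LoadStringA maps onto the STRINGTABLE resource that Ghidra shows as a "flag table". Win32 string tables are stored in blocks of 16 UTF-16LE strings; the block holding id N is numbered N // 16 + 1, and within the block entry N % 16 is the string, each entry being a WORD character count followed by that many code units and no terminator. Knowing this lets you locate a string resource statically without running the sample.

```python
import struct

# Constructed STRINGTABLE block: id 0x110 lands in block 18, slot 0.
TARGET_ID = 0x110


def string_table_block_id(string_id: int) -> int:
    """Block (resource name) that holds a given string id."""
    return string_id // 16 + 1


def string_table_index(string_id: int) -> int:
    """Slot (0..15) of the string inside its block."""
    return string_id % 16


def build_block(strings: list) -> bytes:
    """Serialise exactly 16 strings as one STRINGTABLE block."""
    if len(strings) != 16:
        raise ValueError("a STRINGTABLE block holds exactly 16 entries")
    out = bytearray()
    for s in strings:
        encoded = s.encode("utf-16-le")
        out += struct.pack("<H", len(encoded) // 2) + encoded   # count in WCHARs
    return bytes(out)


def read_string(block: bytes, index: int) -> str:
    """Walk the length-prefixed entries and return the one at `index`."""
    if not 0 <= index < 16:
        raise IndexError("index must be in 0..15")
    pos = 0
    for i in range(16):
        (count,) = struct.unpack_from("<H", block, pos)
        pos += 2
        chars = block[pos:pos + 2 * count]
        pos += 2 * count
        if i == index:
            return chars.decode("utf-16-le")
    raise ValueError("truncated block")


def lookup(string_id: int, blocks: dict) -> str:
    """Resolve a LoadStringA-style id against a dict of {block_id: bytes}."""
    return read_string(blocks[string_table_block_id(string_id)],
                       string_table_index(string_id))


# Placeholder text, not the real flag; block 18 is the one id 0x110 lives in.
BLOCK_18 = build_block(["FLAG{constructed-placeholder}", "second entry"] + [""] * 14)
RESOURCES = {18: BLOCK_18}

if __name__ == "__main__":
    print(string_table_block_id(TARGET_ID), string_table_index(TARGET_ID))
    print(lookup(TARGET_ID, RESOURCES))
```

The same arithmetic explains the "272" the writeup scrolls to: 0x110 is 272 decimal, the first slot of block 18, which is why it appears at the start of the table in Ghidra's defined strings view.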