TryHackMe BasicMalwareRE Writeup
@ Animesh Roy | Monday, May 31, 2021 | 3 minutes read | Update at Monday, May 31, 2021

BasicMalwareRE


I learnt from this book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software


Task 01: Introduction

These challenges are aimed at learning the “Static Analysis” technique used to analyze malware. The main aim of this room is not to use any kind of debugger, and none of the executables/programs should be run on any platform. You are required to answer all the questions without using a debugger and without executing the executables/programs.

Meanwhile, all the credit goes to @MalwareTechBlog for creating these awesome challenges.

Note: If you have already solved these challenges, give them a try again while giving enough time to the newbies who want to learn about “Malware Analysis”. Also, don’t try to copy and paste stuff from other blogs/walkthroughs, as it won’t lead you to learn this amazing field. If you are having a hard time solving these challenges, study more about them and the techniques involved. Meanwhile, you can also join the TryHackMe Discord and raise your problems in there.

Password for the ZIP is MalwareTech.


Task 02: Strings :: Challenge 1

Flag 1

Find the entry point

Jump to EAX value (just double click on it)

Flag:


Task 03: Strings :: Challenge 2

Find the entry point

Copy the values to a temp file (3)

Filter the output for parsing

cat temp | awk -F "0x" '{print $2}' > cleanHex

Open the file with vim and delete the trailing ';' from every line:

vi cleanHex
:%s/;//g

Now we only have hex values, which we can parse either online or using a simple bash script. I used a bash script to automate it.

code (saved as hextoascii.sh, the name used below):

#!/bin/bash
# $1 is one line of hex digits from the input file; decode it to raw bytes
# and append them to flag2
echo -n "$1" | xxd -r -p >> flag2

All set, let’s convert the hex to ASCII and get the flag.

while IFS= read -r line; do ./hextoascii.sh "$line"; done < cleanHex
# cleanHex is the input file name

output:

$ cat flag2
FLAG{STACK-STRINGS-[deleted-so-COPY-PASTE-wont-work]-BEST-STRINGS}
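The decoding pipeline above assumes one byte per decompiler line. As an added example (not part of the room or this writeup), the script below does the same job in one place and also handles multi-byte stack-string literals (e.g. `local_14 = 0x47414c46;`), which x86 stores little-endian, so `xxd -r -p` alone would print them reversed. The sample lines and variable names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode Ghidra-style stack-string assignments such as
# "local_10 = 0x46;" into ASCII. Multi-byte literals are emitted
# least-significant byte first because x86 stores immediates little-endian.

# hex_le_to_ascii 47414c46  ->  FLAG
hex_le_to_ascii() {
    hex="$1"; out=""
    # pad odd-length literals such as 0x7 to a whole byte
    case $(( ${#hex} % 2 )) in 1) hex="0$hex" ;; esac
    while [ -n "$hex" ]; do
        rest="${hex%??}"          # everything except the last byte
        byte="${hex#$rest}"       # the last (least-significant) byte
        hex="$rest"
        [ "$byte" = "00" ] && continue   # NUL padding, nothing to print
        oct=$(printf '%03o' "$((0x$byte))")
        out="$out$(printf '%b' "\\0$oct")"
    done
    printf '%s' "$out"
}

# Read decompiler lines on stdin, keep only those containing a hex
# literal, strip everything up to "0x" and the trailing ";" and decode.
decode_stack_strings() {
    out=""
    while IFS= read -r line; do
        case "$line" in *0x*) ;; *) continue ;; esac
        hex="${line##*0x}"
        hex="${hex%%[!0-9a-fA-F]*}"
        out="$out$(hex_le_to_ascii "$hex")"
    done
    printf '%s' "$out"
}

# Constructed sample: one DWORD followed by single-byte assignments.
SAMPLE='local_14 = 0x47414c46;
local_10 = 0x7b;
local_c = 0x4f;
local_8 = 0x4b;
local_4 = 0x7d;'

# Prints FLAG{OK}
decode_sample() { printf '%s\n' "$SAMPLE" | decode_stack_strings; }
decode_sample; echo
```

To use it on real decompiler output, replace the sample with `decode_stack_strings < temp`.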

Task 04: Strings 3 :: Challenge 3

Entry Point

  1. Open the project, go to the Functions list, find entry and double-click it. Same as before.
  2. Okay, so first we have quite a few defined variables. None of these were super interesting. I was hopeful that maybe one of them would reference a defined string, but no dice.
  3. Next I look at the body of the function, and we see calls to two other functions, FindResourceA() and LoadStringA(). A quick look at the assembly shows that FindResourceA() is from the Kernel32 library and LoadStringA() is from the User32 library. I quickly found this reference to try to gain an understanding of LoadStringA(). The most relevant thing, it seems, is that the string is being loaded from its resource reference and stored in the variable local_4a.
    • The assembly code shows the LoadStringA call, and right next to it shows what it actually loads (aka the flag). I have cut this out for obvious
  4. We know the identifier for the string is the hex value 0x110, as seen in the parameters of the function call. Now if we open up the Defined Strings window and click on the first one, we can see the start of the flag table. Included on the far right is the string ID. 0x110 translates to 272 in decimal. Scroll down to 272 and that is your final flag :)

Follow the “Call” reference

Got the flag:



© 2010 - 2024 Classroom
