Home Basic Malware RE
Post
Cancel

Basic Malware RE

This room aims towards helping everyone learn about the basics of “Malware Reverse Engineering”.

THM Room https://tryhackme.com/room/basicmalwarere

TASK 1 : Introduction

Read the above.

No Answer.

TASK 2 : Strings :: Challenge 1

What is the flag of which that MD5 gets generated?

Using Ghidra tool and opening codebrowser then analysing the code, i found in the functions a call to md5_hash with a flag before :

Flag 1 Flag 1

Answer : FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}

TASK 3 : Strings :: Challenge 2

What is the required password to authenticate with?

Looking at the code this times the same manner as above, i see that the md5_hash function is called on a pointer to “local_2c” variable. The assembly code is concatenating all of these variables before calling the hash function :

local_2c local_2c

Putting all the strings values in cyberchef i got the flag with the missing F already harcode in “local_2c” :

Flag 2 Flag 2

Answer : FLAG{STACK-STRINGS-ARE-BEST-STRINGS}

TASK 4 : Strings :: Challenge 3

What is the “hidden” THM{} flag?

While analysing the code for the 3rd file, i found an entry number in the “LoadStringA” function which is called in the code before the hash part :

LoadStringA LoadStringA

LoadStringA LoadStringA

The left panel of Ghidra show me a part of the flag referenced by the call. I need further information to get the full flag. I got this looking the table of the flag strings at the entrey found above (004022ff) :

Flag 3 Flag 3

Answer : FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}

This post is licensed under CC BY 4.0 by the author.