3lioo Blog

Basic Malware RE Walkthrough (Tryhackme)

Basic Malware RE

The room link : Room link

Strings : Challenge 1

Let's start with the first task.

Let's download the file and open it in PEstudio. Because the task is called "Strings", I assumed it was about strings, so I went straight to the strings section of PEstudio, and we can see there are a lot of them.

Let's drag the file into our favorite tool, IDA.

It is obvious that what is stored at off_432294 is pushed as the parameter to the md5_hash function (which prints the generated MD5 in a message box), so just go to off_432294 and there is your flag.

Strings : Challenge 2

This time let's start by opening the task file in IDA.

We can see a lot of values being pushed onto the stack before the call to the md5 function. The solution is very easy and there is more than one way to solve it, but because I'm too lazy to open any other tool, I'll debug the file in IDA and put a breakpoint on the call instruction (it triggers after all the pushes have executed, so the complete set of values is on the stack). Then I'll extract the values from the stack.

Now we can see our dear flag on the stack.
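Reading the values off the stack by hand works, but the same pattern (a run of `push imm32` instructions building a string right before the hashing call) can be decoded without a debugger. The script below is an added example, not part of the original write-up or the challenge binary: it assumes the pushes are 32-bit immediates that form a little-endian ASCII stack string, parses them from a constructed IDA-style listing, and reassembles the string in memory order (last push lands at the lowest address). The same decoder also works on DWORDs copied from IDA's stack view, read from ESP upward.

```python
import re
import struct

# Constructed IDA-style listing (not from the challenge binary). The values
# are made up to spell a fake flag; the terminator is pushed first, then the
# string chunks from the end of the string to the start.
SAMPLE_LISTING = """\
.text:00401050 push    0                ; NUL terminator
.text:00401052 push    7D336D5Fh        ; "_m3}"
.text:00401057 push    6B636168h        ; "hack"
.text:0040105C push    7B474C46h        ; "FLG{"
.text:00401061 lea     eax, [esp]
.text:00401064 push    eax              ; pointer to the buffer, not part of it
.text:00401065 call    md5_hash
"""

# Matches "push <imm>" in IDA syntax (e.g. 7B474C46h, 0FFh, 0) or 0x-prefixed
# form; register and memory operands such as "push eax" do not match.
PUSH_IMM = re.compile(r"^\S+\s+push\s+(?:0x)?([0-9A-Fa-f]+)h?(?=\s|;|$)")


def parse_push_immediates(listing: str) -> list:
    """Return the imm32 operands of the push instructions, in execution order."""
    values = []
    for line in listing.splitlines():
        m = PUSH_IMM.match(line.strip())
        if m:
            values.append(int(m.group(1), 16))
    return values


def decode_stack_string(dwords: list, execution_order: bool = True) -> str:
    """
    Rebuild the buffer as it lies in memory and cut it at the first NUL.

    execution_order=True:  dwords are the push immediates in the order they
                           execute, so the last push is the lowest address.
    execution_order=False: dwords were read from the stack view starting at
                           ESP and going up, i.e. already in memory order.
    """
    ordered = list(reversed(dwords)) if execution_order else list(dwords)
    raw = b"".join(struct.pack("<I", v & 0xFFFFFFFF) for v in ordered)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


if __name__ == "__main__":
    imms = parse_push_immediates(SAMPLE_LISTING)
    print([hex(v) for v in imms])
    print(decode_stack_string(imms))
```

If the compiler emitted `mov dword ptr [ebp+var_N], imm32` instead of pushes, the same decoding applies once the immediates are ordered by ascending stack offset; only the regex changes.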

Strings : Challenge 3

It is the last task in the room, so for the same laziness reasons I'll open it in IDA as well.

There are calls to two important APIs here. The first is FindResourceA, which in simple words locates a resource in the file (the resources contain a lot of fake flags). The second is LoadStringA, which loads the targeted string from the string table using an identifier, and that identifier tells us which entry in the resources is the right flag.

To find the identifier, look at the second parameter pushed for LoadStringA: it is [ebp+var_4], which was computed earlier by moving 1 into eax and shifting it left by 8 (which equals 256), then shifting 1 left by 4 (which equals 16), and ORing 256 with 16, which gives 272. Note that Windows stores string table entries in blocks of 16, so string 272 lives in string-table block (272 / 16) + 1 = 18 at index 0; Resource Hacker shows the individual string IDs, though, so just open the file in Resource Hacker, search for identifier 272, and voila.
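To make the LoadStringA lookup concrete, here is an added example that is not part of the original write-up: it recomputes the identifier from the shifts in the disassembly, maps it to the RT_STRING block and slot that LoadString would use, and parses a constructed string-table block in the on-disk format (sixteen entries per block, each a WORD character count followed by that many UTF-16LE characters, no terminator). The resource blocks and flag text are made up for the demo; walking the real .rsrc directory of a PE is left to Resource Hacker or pefile and is assumed to have already produced the block bytes.

```python
import struct
from typing import Dict, List, Optional


def string_resource_location(uid: int):
    """LoadString semantics: string uID lives in RT_STRING block (uID // 16) + 1, slot uID % 16."""
    return (uid >> 4) + 1, uid & 0xF


def build_string_block(strings: List[str]) -> bytes:
    """Encode up to 16 strings as one RT_STRING block (used here only to construct sample data)."""
    if len(strings) > 16:
        raise ValueError("a string table block holds at most 16 entries")
    padded = strings + [""] * (16 - len(strings))
    out = bytearray()
    for s in padded:
        enc = s.encode("utf-16-le")
        out += struct.pack("<H", len(enc) // 2) + enc
    return bytes(out)


def parse_string_block(data: bytes) -> List[str]:
    """Decode the 16 length-prefixed UTF-16LE entries of one RT_STRING block."""
    strings, off = [], 0
    for _ in range(16):
        if off + 2 > len(data):
            raise ValueError("truncated string table block")
        (n,) = struct.unpack_from("<H", data, off)
        off += 2
        strings.append(data[off:off + 2 * n].decode("utf-16-le"))
        off += 2 * n
    return strings


def load_string(resources: Dict[int, bytes], uid: int) -> Optional[str]:
    """
    Mimic FindResource + LoadString: pick the block, then the slot.
    Returns None where the real API would fail (no such block) or return 0
    (empty slot).
    """
    block, slot = string_resource_location(uid)
    if block not in resources:
        return None
    s = parse_string_block(resources[block])[slot]
    return s or None


# The identifier as computed in the disassembly: (1 << 8) | (1 << 4).
TARGET_UID = (1 << 8) | (1 << 4)

# Constructed resources (not the challenge's real string table): block 18
# holds the "real" flag in slot 0 and decoys elsewhere; block 17 is all decoys.
SAMPLE_RESOURCES = {
    17: build_string_block(["FLAG{decoy_%d}" % i for i in range(16)]),
    18: build_string_block(["FLAG{constructed_real_flag}"]
                           + ["FLAG{decoy_%d}" % i for i in range(16, 30)]),
}


if __name__ == "__main__":
    print("uID =", TARGET_UID, "-> block/slot", string_resource_location(TARGET_UID))
    print("LoadStringA would return:", load_string(SAMPLE_RESOURCES, TARGET_UID))
```

The block/slot mapping is the check worth remembering when the resource viewer only shows block numbers: an ID that looks unrelated to anything on screen usually just needs dividing by 16.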