Steps before Reverse Engineering

  • Download All zips
  • Unzip files using Password: MalwareTech

Strings:: Challenge 1

  • Download File
  • Unzip File using password
  • analyze using strings

    strings strings1.exe_
    # ...
    # Flags ...
    

    It prints many candidate flags, so we still need to identify the real one

  • Create Ghidra project and load file in the project
  • Import the strings1.exe_ file and let Ghidra analyze it
  • From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)
  • From the decompiled C program we can see a partial flag; copying a few of its characters and grepping the strings output for them gives us the full flag

    strings strings1.exe_ | grep "REDACTED"
    # Output
    # FLAG{REDACTED}
    

Strings:: Challenge 2

  • Close strings1.exe_ file
  • Press Ctrl+O open strings2.exe_
  • From Symbol Tree view -> Functions -> entry -> local_8 (Double Click to get View)
  • From the decompiled view, we can see multiple variables declared at the top
  • The variables are assigned values later
  • The first variable is assigned a char value; hovering over the other variables shows their char values as well
  • Convert the hex value of every variable to its char value
  • We get our flag
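    The hex-to-char step above is a stack string: the program stores the flag as integer constants into adjacent locals, so the bytes only spell the string when written back in little-endian order. The following is an added example (not part of this writeup and not the challenge's code); the DWORD constants and the local names are constructed to spell a sample string, not the challenge's real values. It also handles mixed widths and wide (UTF-16) stack strings, which the challenge does not need.

```python
import struct

# Constructed sample, not the challenge's real values: three DWORD constants
# exactly as a decompiler would show them being stored into adjacent locals.
# Little-endian bytes of these spell "FLAG{stack}" followed by a NUL.
SAMPLE_DWORDS = [(0x47414c46, 4), (0x6174737b, 4), (0x7d6b63, 4)]


def decode_stack_string(fragments, wide=False):
    """Decode a stack string from (value, byte_width) fragments in memory order.

    Each constant is written back as little-endian bytes of its declared width
    (1 for char, 2 for ushort/wchar, 4 for uint, 8 for ulonglong), the buffer is
    cut at the first terminator, and the result is decoded as 8-bit text or as
    UTF-16LE (wide=True) for wchar_t stack strings.
    """
    fmt = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}
    raw = b"".join(struct.pack(fmt[width], value) for value, width in fragments)
    if wide:
        return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def decode_ghidra_locals(locals_by_name, wide=False):
    """Order Ghidra locals by stack offset and decode them as one string.

    Ghidra names stack variables local_<hex offset>; a larger offset is a lower
    address, so local_10 precedes local_c precedes local_8 in memory. This only
    holds when the variables are contiguous with no padding between them.
    """
    def offset(name):
        return int(name.split("_", 1)[1], 16)

    ordered = sorted(locals_by_name.items(), key=lambda kv: offset(kv[0]), reverse=True)
    return decode_stack_string([frag for _, frag in ordered], wide=wide)


if __name__ == "__main__":
    print(decode_stack_string(SAMPLE_DWORDS))  # FLAG{stack}
    # Constructed Ghidra-style locals holding the same constants out of order.
    print(decode_ghidra_locals({
        "local_8": (0x7d6b63, 4),
        "local_c": (0x6174737b, 4),
        "local_10": (0x47414c46, 4),
    }))  # FLAG{stack}
```

Feed in the constants in ascending address order (or by their Ghidra names) and the function rebuilds the string; a wrong order or a variable width the decompiler reported differently shows up as scrambled characters rather than a flag.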

Strings:: Challenge 3

  • Load strings3.exe_ in Ghidra
  • Repeat previous steps and get to entry point function
  • Analyzing the call shows that MessageBoxA pops up an MD5 hash, which comes from the line above it
  • Hovering over LoadStringA shows it takes a uint ID as its second parameter; the hexadecimal value here is 272 in decimal
  • Scrolling down in the Listing view, we find various flags with IDs; scrolling down to the one with ID 272 gives us our last flag
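    The ID-to-flag lookup in the last step is how Windows string resources are laid out: strings live in RT_STRING blocks of 16, block N holds IDs (N-1)*16 to (N-1)*16+15, and each block is 16 entries of a WORD character count followed by that many UTF-16LE characters. The following is an added example (not part of this writeup and not the challenge's code) that resolves an ID the way LoadStringA does; the block bytes and the strings in them are constructed, not the challenge's real resources, and 0x110 is used only as the hex form of 272.

```python
import struct

STRINGS_PER_BLOCK = 16


def locate_string(string_id):
    """Map a LoadStringA ID to (RT_STRING block resource ID, index within block).

    Block N holds IDs (N-1)*16 .. (N-1)*16+15, so block = id // 16 + 1.
    """
    return string_id // STRINGS_PER_BLOCK + 1, string_id % STRINGS_PER_BLOCK


def build_block(strings):
    """Serialize 16 strings as an RT_STRING block (WORD length + UTF-16LE chars).

    Constructed helper for the sample below; a real block is read from .rsrc.
    """
    if len(strings) != STRINGS_PER_BLOCK:
        raise ValueError("a string table block holds exactly 16 entries")
    out = bytearray()
    for s in strings:
        encoded = s.encode("utf-16-le")
        out += struct.pack("<H", len(encoded) // 2) + encoded
    return bytes(out)


def parse_block(data):
    """Parse an RT_STRING block into its 16 strings (unused slots give '')."""
    strings = []
    pos = 0
    for _ in range(STRINGS_PER_BLOCK):
        if pos + 2 > len(data):
            raise ValueError("truncated string table block")
        (nchars,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + nchars * 2
        if end > len(data):
            raise ValueError("string length runs past the end of the block")
        strings.append(data[pos:end].decode("utf-16-le"))
        pos = end
    return strings


def lookup(string_id, blocks):
    """Resolve a string ID against {block_id: block_bytes}; None if no block."""
    block_id, index = locate_string(string_id)
    if block_id not in blocks:
        return None
    return parse_block(blocks[block_id])[index]


# Constructed sample: a single block (ID 18) whose first slot is string 272
# and whose second slot is a decoy at 273; the remaining 14 slots are empty.
SAMPLE_BLOCKS = {
    18: build_block(["FLAG{constructed-sample}", "decoy-273"] + [""] * 14),
}

if __name__ == "__main__":
    print(locate_string(0x110))        # (18, 0)
    print(lookup(272, SAMPLE_BLOCKS))  # FLAG{constructed-sample}
```

Running locate_string on the ID seen in the decompiler tells you which RT_STRING block to open in Ghidra's resource tree and which slot inside it to read, which is the same thing the scroll through the listing does by hand.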