MalwareTech — Hide and Seek Challenges — Writeup!
I have been trying to learn “Reverse Engineering” and “Malware Analysis” and came across the MalwareTech Twitter account while looking for places to learn more about these two.

Strings 1
The executables are available on the MalwareTech blog, and the first one we are going to solve is “Strings 1”.
The description of this executable reads:
strings1.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?
The thing to note here is that the program outputs an MD5 hash of the flag, but not the original flag. All we need to do is find the correct flag!
On running “strings” I found that there are too many flags present!

On running the executable, we find the MD5 of the correct flag!

We will be analyzing this executable with IDA Pro — Community/Freeware!
IDA Pro (Community)
Once the executable is loaded into IDA Pro, we can see its disassembly.

The first few lines are about creating a stack frame.
Then we find a “MOV” instruction that moves an offset into the eax register.
Hovering over this instruction reveals the hidden flag whose MD5 is calculated and shown on the screen.

That’s all, we have found the correct flag!
FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}
Method 2
Since we are able to extract all the candidate flags, we can use Python to calculate the MD5 of each one, compare each hash with the hash printed by the executable, and finally print the flag from which the matching MD5 was calculated.
So I wrote a small Python script. Before that I stored all of the candidate strings using:
strings strings1.exe | grep 'FLAG' > flags.txt
Python Script
# Written by: Kamran Saifullah aka w4tchd0g
# Python program to read all lines and fetch their MD5
# Dated: 28th August, 2019
import hashlib

# Each line of flags.txt is one candidate flag extracted with strings
with open('flags.txt', 'rb') as file:
    for i in file.readlines():
        i = i.strip()
        result = hashlib.md5(i).hexdigest()
        # Compare against the hash printed by strings1.exe
        if '4c827c4ca62781d707cd049da13539ee' == result:
            print("The Flag Is")
            print("**************************")
            print(i)
            print("**************************")
            print("The MD5 Is")
            print("**************************")
            print(result)
            print("**************************")

Strings 2
This executable prints an MD5 hash just as the previous one did. All we need to do is find the correct flag!
Loading this executable into IDA.


We can clearly see that stack variables are first allocated and then hex values are moved into them one by one. The creator has deliberately assembled the flag on the stack at runtime (a “stack string”), so it never appears as a contiguous string in the binary and is not caught at first glance.
In IDA we can press “R” to convert the hex values into their corresponding ASCII characters.

We can concatenate the characters now in order to retrieve the exact flag!
FLAG{STACK-STRINGS-ARE-BEST-STRINGS}
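Instead of concatenating the characters by hand, the same reassembly can be scripted over IDA's text listing. This is an added example, not code from the original post or from MalwareTech; the disassembly it parses is constructed here (the Strings 2 flag stored as dwords rather than single bytes, and not in address order), and it assumes IDA's default ebp+var_XX naming.

```python
import re

# IDA-style store of an immediate into an ebp-relative slot, e.g.
# "mov     dword ptr [ebp+var_28], 47414C46h" or "mov     byte ptr [ebp+var_4], 0".
STORE_RE = re.compile(
    r"mov\s+(?:(byte|word|dword)\s+ptr\s+)?\[ebp\+var_([0-9A-Fa-f]+)\],\s*"
    r"([0-9A-Fa-f]+h|\d+)", re.IGNORECASE)
SIZES = {"byte": 1, "word": 2, "dword": 4}

def rebuild_stack_strings(disasm):
    """Lay every stored immediate out by stack address (var_28 lives 0x28 bytes below
    ebp, so a larger suffix is a lower address), then split at NULs and slot gaps."""
    memory = {}  # ebp-relative address -> byte value
    for size_kw, var_hex, imm in STORE_RE.findall(disasm):
        # IDA writes hex immediates with a trailing 'h'; plain decimals have none.
        value = int(imm[:-1], 16) if imm.lower().endswith("h") else int(imm)
        # If IDA omitted the size keyword, infer it from the immediate's width.
        size = SIZES[size_kw.lower()] if size_kw else (4 if value > 0xFFFF else 2 if value > 0xFF else 1)
        base = -int(var_hex, 16)
        for i, b in enumerate(value.to_bytes(size, "little")):  # x86 is little-endian
            memory[base + i] = b
    strings, current, prev = [], bytearray(), None
    for addr in sorted(memory):
        b = memory[addr]
        if b == 0 or (prev is not None and addr != prev + 1):
            if current:
                strings.append(current.decode("latin-1"))
            current = bytearray()
        if b != 0:
            current.append(b)
        prev = addr
    if current:
        strings.append(current.decode("latin-1"))
    return strings

# Constructed listing (not taken from the challenge binary): the Strings 2 flag
# stored as dwords plus a terminating byte, deliberately not in address order.
SAMPLE_DISASM = """
mov     dword ptr [ebp+var_24], 4154537Bh
mov     dword ptr [ebp+var_28], 47414C46h
mov     dword ptr [ebp+var_20], 532D4B43h
mov     dword ptr [ebp+var_1C], 4E495254h
mov     dword ptr [ebp+var_18], 412D5347h
mov     dword ptr [ebp+var_14], 422D4552h
mov     dword ptr [ebp+var_10], 2D545345h
mov     dword ptr [ebp+var_C], 49525453h
mov     dword ptr [ebp+var_8], 7D53474Eh
mov     byte ptr [ebp+var_4], 0
"""
```

Calling rebuild_stack_strings(SAMPLE_DISASM) returns the Strings 2 flag as a one-element list; paste a real function's listing in place of the constructed sample to recover stack strings built with byte, word or dword moves.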
Strings 3
This challenge is harder than the previous ones. On loading the executable into IDA we do not find any direct clues to the flag in variables or on the stack, so we need to analyze it in more detail.

We can see a function call to “LoadStringA”, made just before the MD5 digest function. LoadStringA loads a string from the executable’s string-table resource, selected by an integer resource ID (uID).

Now that we have a good idea of what the function does, we need to work out the uID of the flag in order to fetch it correctly.
We can use “Resource Hacker” in order to analyze the sections of the executable.

Moving back to IDA, this time we calculate the uID for the flag.

I solved this on paper and the screenshot is shown above!


So now all we need to do is find the flag at position 272 in the string table. This value was stored in the uID stack variable by the instruction:
mov [ebp+uID], eax

That’s it. We are done with the “Hide and Seek” Challenges made by MalwareTech. Thanks for reading!