r4yan.com


THM Basic malware reverse engineering

Basic malware reverse engineering TryHackMe room writeup

Task 2 Strings :: Challenge 1

The first thing I did was open the .exe file in Ghidra.

After Ghidra finished loading, I went to the function list and decompiled the entry function, which looked interesting. This is what I got:

void entry(void)

{
  char *lpText;
  
  lpText = md5_hash(PTR_s_FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIO_00432294);
  MessageBoxA((HWND)0x0,lpText,"We\'ve been compromised!",0x30);
                    /* WARNING: Subroutine does not return */
  ExitProcess(0);
}

Looking at the C code, we can see that the lpText variable stores the output of the md5_hash() function, which is called with a string as its parameter, and that the result is shown in a message box.

So this is pretty easy: the program just converts the string into an MD5 hash.

To get the flag you just have to double-click the string parameter passed to md5_hash(); Ghidra jumps to the full string in the data section.

Task 3 Strings :: Challenge 2

Now I'll do the same as in the first challenge: open the file in Ghidra and decompile the entry function, which gave me this C code:

void entry(void)

{
  char local_2c;
  undefined local_2b;
  undefined local_2a;
  undefined local_29;
  undefined local_28;
  undefined local_27;
  undefined local_26;
  undefined local_25;
  undefined local_24;
  undefined local_23;
  undefined local_22;
  undefined local_21;
  undefined local_20;
  undefined local_1f;
  undefined local_1e;
  undefined local_1d;
  undefined local_1c;
  undefined local_1b;
  undefined local_1a;
  undefined local_19;
  undefined local_18;
  undefined local_17;
  undefined local_16;
  undefined local_15;
  undefined local_14;
  undefined local_13;
  undefined local_12;
  undefined local_11;
  undefined local_10;
  undefined local_f;
  undefined local_e;
  undefined local_d;
  undefined local_c;
  undefined local_b;
  undefined local_a;
  undefined local_9;
  char *local_8;
  
  local_2c = 'F';
  local_2b = 0x4c;
  local_2a = 0x41;
  local_29 = 0x47;
  local_28 = 0x7b;
  local_27 = 0x53;
  local_26 = 0x54;
  local_25 = 0x41;
  local_24 = 0x43;
  local_23 = 0x4b;
  local_22 = 0x2d;
  local_21 = 0x53;
  local_20 = 0x54;
  local_1f = 0x52;
  local_1e = 0x49;
  local_1d = 0x4e;
  local_1c = 0x47;
  local_1b = 0x53;
  local_1a = 0x2d;
  local_19 = 0x41;
  local_18 = 0x52;
  local_17 = 0x45;
  local_16 = 0x2d;
  local_15 = 0x42;
  local_14 = 0x45;
  local_13 = 0x53;
  local_12 = 0x54;
  local_11 = 0x2d;
  local_10 = 0x53;
  local_f = 0x54;
  local_e = 0x52;
  local_d = 0x49;
  local_c = 0x4e;
  local_b = 0x47;
  local_a = 0x53;
  local_9 = 0x7d;
  local_8 = md5_hash(&local_2c);
  MessageBoxA((HWND)0x0,local_8,"We\'ve been compromised!",0x30);
                    /* WARNING: Subroutine does not return */
  ExitProcess(0);
}

Here we can see a bunch of local variables on the stack, each assigned a hex value that is most likely an ASCII character. The last variable, local_8, receives the result of md5_hash() called with the address of local_2c, the first variable of the block. Since these locals sit next to each other on the stack, md5_hash() reads the whole block as one string, starting at local_2c and moving up through local_9. This means that if we convert every value in that order, we get the flag (a classic stack-strings trick).

To find the flag without converting each variable one by one, I wrote this Python script that prints it quickly:

# Stack bytes in memory order: local_2c holds 'F' (0x46), then local_2b
# through local_9 follow with the values from the decompiled code
chars = [
  "46",
  "4c",
  "41",
  "47",
  "7b",
  "53",
  "54",
  "41",
  "43",
  "4b",
  "2d",
  "53",
  "54",
  "52",
  "49",
  "4e",
  "47",
  "53",
  "2d",
  "41",
  "52",
  "45",
  "2d",
  "42",
  "45",
  "53",
  "54",
  "2d",
  "53",
  "54",
  "52",
  "49",
  "4e",
  "47",
  "53",
  "7d",
]

# Decode each byte to its ASCII character and print them all on one line
for c in chars:
  print(bytes.fromhex(c).decode("ASCII"), end='')
print()

And after I ran this I got the flag.
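As an added example (not part of the original writeup), here is a Python script that automates the stack-string recovery above instead of copying each byte by hand: it parses the per-byte assignments straight out of Ghidra's decompiler output, orders them by stack offset, and rebuilds the string starting at whichever local has its address taken. The sample input is constructed from the decompiled lines shown above, and the function names are my own.

```python
import ast
import re
from typing import Dict, Optional

# Constructed sample input: the assignment lines from the Ghidra
# decompilation of Challenge 2's entry() shown in this writeup, with the
# variable declarations above them trimmed off.
SAMPLE_DECOMPILE = """
  local_2c = 'F';
  local_2b = 0x4c;
  local_2a = 0x41;
  local_29 = 0x47;
  local_28 = 0x7b;
  local_27 = 0x53;
  local_26 = 0x54;
  local_25 = 0x41;
  local_24 = 0x43;
  local_23 = 0x4b;
  local_22 = 0x2d;
  local_21 = 0x53;
  local_20 = 0x54;
  local_1f = 0x52;
  local_1e = 0x49;
  local_1d = 0x4e;
  local_1c = 0x47;
  local_1b = 0x53;
  local_1a = 0x2d;
  local_19 = 0x41;
  local_18 = 0x52;
  local_17 = 0x45;
  local_16 = 0x2d;
  local_15 = 0x42;
  local_14 = 0x45;
  local_13 = 0x53;
  local_12 = 0x54;
  local_11 = 0x2d;
  local_10 = 0x53;
  local_f = 0x54;
  local_e = 0x52;
  local_d = 0x49;
  local_c = 0x4e;
  local_b = 0x47;
  local_a = 0x53;
  local_9 = 0x7d;
  local_8 = md5_hash(&local_2c);
"""

# One single-byte constant assignment: local_<hex offset> = 'c'; / = 0x4c; / = 0;
ASSIGN_RE = re.compile(
    r"local_([0-9a-f]+)\s*=\s*(?:('(?:\\.|[^'\\])')|(0x[0-9a-f]+|\d+))\s*;",
    re.IGNORECASE,
)
# The buffer start is the local whose address is taken (&local_2c here).
ADDR_OF_RE = re.compile(r"&local_([0-9a-f]+)", re.IGNORECASE)


def collect_byte_assignments(decompiled: str) -> Dict[int, int]:
    """Map stack offset -> byte value for every single-byte constant assignment."""
    byte_at: Dict[int, int] = {}
    for m in ASSIGN_RE.finditer(decompiled):
        offset = int(m.group(1), 16)
        if m.group(2) is not None:
            value = ord(ast.literal_eval(m.group(2)))  # 'F' -> 0x46, also '\n' etc.
        else:
            value = int(m.group(3), 0)                 # 0x4c or a plain decimal 0
        if 0 <= value <= 0xFF:                         # ignore wider constants
            byte_at[offset] = value
    return byte_at


def recover_stack_string(decompiled: str, start_var: Optional[str] = None) -> str:
    """Rebuild the string that starts at start_var (default: the &local_XX operand).

    Ghidra names stack locals by their offset below the frame base, so a
    buffer that begins at local_2c continues at local_2b, local_2a, ...:
    we walk downward in offset (upward in memory) until we hit a gap or a
    NUL terminator.
    """
    byte_at = collect_byte_assignments(decompiled)
    if start_var is None:
        m = ADDR_OF_RE.search(decompiled)
        if m is None:
            raise ValueError("no &local_XX found; pass start_var explicitly")
        start_var = "local_" + m.group(1)
    offset = int(start_var.split("_", 1)[1], 16)
    out = bytearray()
    while offset in byte_at and byte_at[offset] != 0:
        out.append(byte_at[offset])
        offset -= 1
    return out.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(recover_stack_string(SAMPLE_DECOMPILE))
```

Paste the body of any decompiled function into SAMPLE_DECOMPILE (or read it from a file) and the script prints the recovered string; because it keys on the `&local_XX` argument, it also works when the buffer does not start at the first declared local.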