TryHackMe — BasicMalware RE Write-up

Cursemagic
3 min read · Aug 23, 2021

This is a write-up of the room Basic Malware RE on the TryHackMe platform, created by w4tchd0g. The room teaches the basics of “Malware Reverse Engineering”. Although this room is pretty old, it is still a pretty good room for users to learn from. Without further ado, let's get started!

Link to TryHackMe Basic Malware RE Room: https://tryhackme.com/room/basicmalwarere

Challenge 1

Download the file and unzip it with the password provided.

I used the “strings” command on the executable, but the output seems to contain many fake flags.

Fake flags after running strings command on the executable.

So, I ran Ghidra. Under “Functions → entry”, we can see a hint of which flag we should use.

Result of Ghidra for the executable.

We can save the output of strings into a text file and use the find function to search it for the hint seen in Ghidra.

Challenge 2

Method 1

Download the file and unzip it with the password provided.

Then, I ran Ghidra as in the previous challenge and got this:

Screenshot from Ghidra application.

In Functions -> entry, we can see a bunch of hexadecimal values, which we can convert to ASCII using other applications. The result looks like this:

Example of converting hexadecimal.
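Converting each constant by hand is tedious, so here is a small added example (not code from the original write-up) that decodes stack-string assignments in the form Ghidra's decompiler prints them. The `local_XX` names, the regex and the sample decompiler text are my assumptions and constructed values, not taken from the room's binary.

```python
import re

# Constructed sample of decompiler output for a stack string (not from the room's executable).
# Ghidra names stack locals local_<hex offset>; a larger offset means a lower address,
# so local_28 holds the first four characters and local_20 the last ones.
DECOMPILED = """
  local_28 = 0x67616c66;
  local_24 = 0x6d65647b;
  local_20 = 0x7d6f;
  local_1c = 0;
"""

# Matches lines such as "local_28 = 0x67616c66;" and captures the offset and the constant.
ASSIGN_RE = re.compile(r"local_([0-9a-f]+)\s*=\s*0x([0-9a-fA-F]+);")


def decode_stack_string(text: str) -> str:
    """Decode local_* = 0x... assignments into the ASCII string they build on the stack.

    Assumptions: x86 little-endian storage (the first character is the low byte of
    each constant) and Ghidra's convention that a larger local_ offset is a lower address.
    """
    assignments = []
    for offset_hex, value_hex in ASSIGN_RE.findall(text):
        offset = int(offset_hex, 16)
        value = int(value_hex, 16)
        # Ghidra drops leading zeros, so derive the byte width from the digits printed.
        nbytes = max(1, (len(value_hex) + 1) // 2)
        assignments.append((offset, value.to_bytes(nbytes, "little")))

    # Sort from lowest address (largest offset) to highest so the bytes come out in order.
    assignments.sort(key=lambda item: item[0], reverse=True)
    raw = b"".join(chunk for _, chunk in assignments)
    # The trailing zero assignment is the C string terminator; strip it before decoding.
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


if __name__ == "__main__":
    print(decode_stack_string(DECOMPILED))  # prints flag{demo} for the constructed sample
```

Paste the assignment lines from the decompiler window into `DECOMPILED` and the function rebuilds the string in one step instead of converting each constant separately.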

This takes time, so I found a better and faster method.

METHOD 2

We can use radare2 to analyze the executable. Run the command “aaa” to analyze it.

Result of radare2 for command aaa.

Then run the command “pdf”.

Result of command pdf.

Scroll down and we can see this:

Radare2 shows the ASCII decoding of each hexadecimal value beside it, which saves the manual conversion.

Now, let’s move to the last section.

Challenge 3

Download the zip file and extract it using the same password.

Run Ghidra and analyze the executable. Go to “Functions -> entry”.

Then scroll down until you reach the LoadStringA part. Drag the scroll bar to the right, and you will see that Ghidra has actually solved it for us.

We get all the flags!

Thank you for reading this write-up. It is based on my own steps; there are other ways to solve these challenges and more to be discovered.

Buy me a coffee to help me more: http://buymeacoffee.com/Cursemagic
