We covered the basics and fundamentals of reverse engineering using an example room from TryHackMe. The post also provides an instructional guide on basic malware reverse engineering (RE), with step-by-step instructions for analyzing three executable files and extracting the flag hidden in each.
Overview:
Tools Used: The presenter uses tools like Ghidra to inspect the files and navigate through assembly and C code.
Purpose: The video focuses on understanding how to reverse engineer malware executables to extract specific flags.
Before We Begin
- Requirements:
- Basic knowledge of assembly and C programming.
- Familiarity with debugging tools.
- Objective:
- Reverse engineer three executables.
- Extract flags encoded within them.
Malware Analysis Process:
1. Executable 1:
- Opened in Ghidra.
- Starting at the entry function:
- A variable iv_text is assigned the MD5 hash of a string.
- The process involves finding the memory location of that string and identifying the flag.
- Steps:
- Double-click the string to locate it in memory.
- Use defined strings to filter for the flag, which is directly retrievable as “can I make it any more obvious.”
2. Executable 2:
- Analysis begins at the entry function.
- Observations:
- Variables store hexadecimal values.
- These values, when converted to ASCII, form the flag.
- Approach:
- Traverse the memory variables from local_2C upward (following the stack layout).
- Extract the flag by converting the hexadecimal values to ASCII.
3. Executable 3:
- Involves modules like FindResourceA and LoadStringA.
- Process:
- Locate the address (110 in hexadecimal) where the flag is stored.
- Trace the variable containing the flag value.
- Use tools to find the relevant string resources containing “resources are popular.” This helps identify the flag.
Techniques Highlighted
- Memory Navigation:
- Identifying memory locations of variables and strings.
- Using tools like string search and defined strings windows.
- Hexadecimal to ASCII Conversion:
- Translating hex values into readable ASCII characters.
- Debugging Fundamentals:
- Navigating through the assembly and understanding stack operations.
Flags
- Each flag is extracted using a unique method tailored to the executable’s logic.
- Techniques include directly reading strings, converting hexadecimal values, and interpreting module resources.
TryHackMe Windows Powershell Room Answers
What is the flag of which that MD5 gets generated?
FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}
What is the flag of which that MD5 gets generated?
FLAG{STACK-STRINGS-ARE-BEST-STRINGS}
What is the flag of which that MD5 gets generated?
FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}
Conclusion
The post effectively demonstrates foundational reverse engineering techniques, making malware analysis approachable for beginners. The presenter concludes with an invitation for further exploration and a preview of more advanced topics.