MalwareTech Malware Reversing Challenges — Hide and Seek (Strings)

Ellis S
4 min read · Nov 11, 2020

Hello folks, we’re here for some more CTF challenges, this time malware reverse engineering. MalwareTech (aka Marcus Hutchins) is a computer researcher and malware analyst, if his alias hadn’t already given that away, who is famous for stopping the infamous WannaCry ransomware, which affected (and infected) over 200,000 devices in over 150 countries, including critical national infrastructure (CNI). It may surprise you, but many organisations still have no patch management in place and remain vulnerable to these obsolete campaigns even years on. If you’re interested in reading more about Marcus Hutchins, I highly recommend his interview with Wired.

Let’s get stuck in; the challenges can be found here. They are all static malware analysis challenges and therefore require a disassembler. I have chosen Ghidra, as it is a relatively new tool (developed by the NSA), although IDA Pro is an equally excellent disassembler.

Strings 1:

strings1.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

Opening the binary in Ghidra, we can search all strings using the ‘Search For Strings’ function. From here we see there are multiple strings containing ‘flag’, indicating this is a dead end:

Using Ghidra, we can look at the binary’s entry function:

We see a flag reference, and if we double-click on the EAX instruction line:

Answer: FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}

Easy — moving on.

Strings 2:

strings2.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

Opening the strings2 executable in Ghidra, we notice the entry function builds a long string on the stack out of immediate values. If these hex values are converted to characters, we get the following:

Combining the pieces gives us the flag.
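The stack-string reconstruction described above, as an added Python example that is not code from the original post or from MalwareTech: it parses Ghidra-style listing lines, orders the immediate stores by their stack offset and decodes them as little-endian bytes, so out-of-order MOVs still come out in the right sequence. The listing, the local_N offsets and the placeholder string they spell are all constructed assumptions, not the challenge’s real bytes.

```python
import re
import struct

# Constructed Ghidra-style listing of a function building a string on the stack.
# The immediates spell a placeholder, not the challenge's real flag bytes, and
# one store is deliberately out of order, as compilers often emit them.
SAMPLE_LISTING = """\
PUSH       EBP
MOV        EBP,ESP
MOV        dword ptr [EBP + local_20],0x4158457b
MOV        dword ptr [EBP + local_24],0x47414c46
MOV        word ptr [EBP + local_18],0x7d
MOV        dword ptr [EBP + local_1c],0x454c504d
LEA        EAX,[EBP + local_24]
"""

# Operand-size keyword -> struct format for a little-endian unsigned value.
_SIZES = {"byte": "<B", "word": "<H", "dword": "<I", "qword": "<Q"}

# Matches an immediate stored into a Ghidra stack variable, e.g. "MOV dword ptr [EBP + local_24],0x47414c46".
_STORE_RE = re.compile(
    r"MOV\s+(byte|word|dword|qword)\s+ptr\s+\[\w+\s*\+\s*local_([0-9a-f]+)\]"
    r"\s*,\s*0x([0-9a-f]+)",
    re.IGNORECASE,
)

def collect_stack_stores(listing: str) -> dict:
    """Map each stack offset (the N in local_N) to the bytes written there."""
    stores = {}
    for line in listing.splitlines():
        m = _STORE_RE.search(line)
        if m:
            size, offset, imm = m.group(1).lower(), int(m.group(2), 16), int(m.group(3), 16)
            stores[offset] = struct.pack(_SIZES[size], imm)  # x86 is little-endian
    return stores

def rebuild_stack_string(listing: str) -> str:
    """Lay the stores out by address and decode up to the first NUL byte.
    In Ghidra local_24 sits below local_20, so a larger offset number is an
    earlier position in the buffer, whatever order the MOVs appear in."""
    stores = collect_stack_stores(listing)
    if not stores:
        return ""
    base = max(stores)            # lowest address = start of the string
    buf = bytearray()
    for offset in sorted(stores, reverse=True):
        pos = base - offset       # byte position relative to the buffer start
        buf.extend(b"\x00" * (pos - len(buf)))  # pad any gap between stores
        buf[pos:pos + len(stores[offset])] = stores[offset]
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")
```

Paste the MOV lines from the listing view into SAMPLE_LISTING and call rebuild_stack_string on them; if the binary uses the stack pointer rather than EBP the `\w+` register match still applies.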

Answer: FLAG{STACK-STRINGS-ARE-BEST-STRINGS}

Strings 3:

strings3.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

The final strings challenge is slightly different. The function turns the flag into an MD5 hash.

Looking at the entry function again, this time via the decompiler in Ghidra:

FindResource determines the location of a resource (defined in the program’s .rc file) within the executable. Following this, a string is loaded with ID 0x110, which is 272 in decimal. It is then hashed, as seen below:

The LoadStringA function loads a string resource from the executable file associated with a specified module, copying the string into a buffer and appending a terminating null character. In the decompiler’s low-level output we see that the ID 0x110 is assembled by several register instructions before the call.

From this we know that string 272 in the resource file is in fact the flag. If we look at the defined strings and go to string ID 272, we have a match:

Answer: FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}

That completes the reverse engineering string challenges. As always, stay safe!
