
MalwareTech’s Strings 3 : Static Analysis walkthrough

This is a walkthrough for MalwareTech's Static Analysis Challenge for beginners. The first two challenges, strings 1 and strings 2, are pretty simple and don't require a walkthrough. Strings 3 is also quite easy, but it is not so easy for complete beginners without the proper tools and understanding.

Challenge Statement:

strings3.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag? 

-MalwareTech

You can download the sample from MalwareTech’s site here. The password to the zip file is MalwareTech.

Okay, let's load the downloaded sample strings3.exe in IDA.

[Screenshot (115): strings3.exe opened in IDA]

At the start of the function we find nothing interesting, just a bunch of declarations and assignments such as the buffer size. But near the end we see a call to FindResource. We take note of this as a hint that our FLAG might be stored somewhere in the resources. Let's scroll down.

[Screenshot (116): IDA disassembly around the LoadStringA call]

What we see here are some more assignments and a call to LoadStringA. Let's take a look at what the LoadStringA API does.

[Screenshot: LoadStringA documentation]

Now we know it loads a string resource from the executable file, and uID is the identifier of the string to be loaded.

Let us find the value assigned to uID before the call; it will lead us to the hidden FLAG.

[Screenshot (116): the instructions that compute uID]

mov eax, 1: first, 1 is moved into EAX.

shl eax, 8 (shift EAX left by 8 bits) leaves 100h in EAX.

xor edx, edx clears EDX in the next step by XORing the register with itself (one of the best ways to zero a register).

inc edx increments EDX by 1 (0 + 1 = 1, so EDX = 1).

shl edx, 4 (shift EDX left by 4 bits) leaves 10h in EDX.

or eax, edx leaves 110h in EAX (100h OR 10h = 110h).

mov [ebp+uID], eax stores the value of EAX, 110h (hexadecimal), into uID.

Converting 110h to decimal gives us 272d. So the identifier of the string resource we are looking for is 272.
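As an added example (not part of the original post), the following Python replays the register arithmetic above and shows how a LoadStringA-style lookup resolves ID 272: RT_STRING resources are stored in blocks of 16 length-prefixed UTF-16LE strings, so ID 272 lives in block (272 / 16) + 1 = 18 at entry 0. The string-table blocks and the FLAG{DECOY-n} strings are constructed for illustration and are not the real contents of strings3.exe.

```python
import struct

FLAG = "FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}"

def uid_from_asm() -> int:
    """Replay the register arithmetic from the disassembly step by step."""
    eax = 1            # mov eax, 1
    eax <<= 8          # shl eax, 8   -> 100h
    edx = 0            # xor edx, edx
    edx += 1           # inc edx      -> 1
    edx <<= 4          # shl edx, 4   -> 10h
    eax |= edx         # or eax, edx  -> 110h
    return eax         # 272 decimal

def string_table_location(uid: int) -> tuple:
    """RT_STRING blocks hold 16 strings each: block (uid // 16) + 1, entry uid % 16."""
    return uid // 16 + 1, uid % 16

def build_string_block(strings: list) -> bytes:
    """Encode one RT_STRING block: 16 entries, each a WORD code-unit count
    followed by that many UTF-16LE code units (an empty slot is a zero WORD)."""
    assert len(strings) == 16
    out = bytearray()
    for s in strings:
        units = s.encode("utf-16-le")
        out += struct.pack("<H", len(units) // 2) + units
    return bytes(out)

def load_string(blocks: dict, uid: int) -> str:
    """Resolve uid the way LoadStringA does: pick the block, walk the
    length-prefixed entries and return the one at the computed index."""
    block_id, index = string_table_location(uid)
    data, off = blocks[block_id], 0
    for i in range(16):
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if i == index:
            return data[off:off + 2 * count].decode("utf-16-le")
        off += 2 * count
    raise ValueError("malformed RT_STRING block")

# Constructed sample string table (hypothetical, not the real strings3.exe
# resources): block 18 covers IDs 272..287; block 17 covers 256..271 and holds
# only decoy flags, like the many FLAG{...} strings seen in the hex view.
SAMPLE_BLOCKS = {
    17: build_string_block(["FLAG{DECOY-%d}" % i for i in range(16)]),
    18: build_string_block([FLAG] + ["FLAG{DECOY-%d}" % i for i in range(16, 31)]),
}
```

Searching the raw bytes for "FLAG{" would surface every decoy too; resolving the ID through the block structure is what singles out the one string the program actually hashes.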

It is pretty difficult to pick out the right resource in IDA: as you can see in the Hex-View, the binary contains a lot of FLAG strings meant to confuse us.

[Screenshot (117): IDA Hex-View showing many FLAG strings]

So we will use Resource Hacker to find the correct flag, because Resource Hacker shows each resource along with its identifier. Let's load the executable in Resource Hacker and look for the string resource identified by 272.

[Screenshot (118): Resource Hacker showing string resource 272]

There we go. The resource identified by 272 is our required flag: FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}.

Now we submit the flag to check that it is correct. 😉 And we get:

[Screenshot (119): flag accepted]
