THM-Basic Malware RE-WriteUp
This room aims towards helping everyone learn about the basics of “Malware Reverse Engineering”.
Find The Room: Basic Malware RE
Strings :: Challenge 1
Let’s focus on the decompile window. We see a character pointer, which is typically used to point to a memory location that stores a string: char *lpText;
It looks like this points to a string transformed by an MD5 hashing function. Messy explanation, I know, but stick with me and let’s double-click on the string that ends in “_00432294”.
Strings :: Challenge 2
Same approach as the first one! I tried running strings to see if I could find anything, but nothing of interest turned up, so I loaded the executable into Ghidra again. Reading the pseudocode I noticed something really interesting: the variables assigned hex values turn into letters when you convert them to ASCII. For example, local_2b = 0x4c converts to ‘L’, and local_2c = ‘F’, which means the variables hold the letters that, when put together, make up the flag!
So you could take all those hex values and convert them manually, or you can just open up Cutter if you have it installed and it will show the flag right off the bat!
Strings 3 :: Challenge 3
It has only one function shown in Ghidra, and that is entry, but taking a look at the pseudocode I see something interesting:
void entry(void)
{
    CHAR local_4a4;
    undefined local_4a3 [1027];
    char *local_a0;
    MD5 local_9c [144];
    HRSRC local_c;
    undefined4 local_8;

    MD5::MD5(local_9c);
    local_4a4 = '\0';
    memset(local_4a3,0,0x3ff);
    local_8 = 0;
    local_c = FindResourceA((HMODULE)0x0,"rc.rc",(LPCSTR)0x6);
    local_8 = 0x110;
    LoadStringA((HINSTANCE)0x0,0x110,&local_4a4,0x3ff);
    local_a0 = MD5::digestString(local_9c,&local_4a4);
    MessageBoxA((HWND)0x0,local_a0,"We\'ve been compromised!",0x30);
    /* WARNING: Subroutine does not return */
    ExitProcess(0);
}
The imported functions LoadStringA() and FindResourceA() are quite interesting. Taking a look at the disassembly to see how LoadStringA() is used, the listing below shows that the call is annotated with the flag, and not only the flag: it loads the flag from a known location!
004022ff ff 15 0c 30 40 00    CALL dword ptr [->USER32.DLL::LoadStringA]    = u"FLAG{RESOURCES-ARE-POPULAR-F
So we have to locate the string where it is loaded from; since we have the ID of the string, that won’t be hard:
LoadStringA((HINSTANCE)0x0,0x110,&local_4a4,0x3ff);
The value shown here is 0x110; converting that to an integer:
whoami@mint:~/Desktop/THM-Lab/BasicMalwareRE$python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> hex = 0x110
>>> print(int(0x110))
272
It gives us 272, so that’s the string ID. Now I just search it up:
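To show where string ID 272 actually lives inside the PE, here is an added example (not part of the room or this write-up) that applies the Windows string-table layout rule: strings are packed into RT_STRING blocks of 16, the block resource ID is id // 16 + 1 and the slot within the block is id % 16, each slot being a WORD character count followed by that many UTF-16LE characters. The block contents used below are constructed sample data with a placeholder flag, not bytes from the challenge binary.

```python
import struct


def string_table_location(string_id: int) -> tuple[int, int]:
    """Map a LoadString ID to (RT_STRING block ID, slot index in that block).

    Windows stores string-table strings in blocks of 16. The block's resource
    ID is (id // 16) + 1, and the string sits at slot id % 16 inside it.
    """
    return string_id // 16 + 1, string_id % 16


def build_string_block(strings: dict[int, str]) -> bytes:
    """Construct one RT_STRING block for sample data: 16 slots, each a
    little-endian WORD character count followed by UTF-16LE text; unused
    slots are a zero-length WORD."""
    out = bytearray()
    for slot in range(16):
        encoded = strings.get(slot, "").encode("utf-16-le")
        out += struct.pack("<H", len(encoded) // 2) + encoded
    return bytes(out)


def parse_string_block(block: bytes) -> list[str]:
    """Decode the 16 slots of one RT_STRING block into Python strings."""
    result, pos = [], 0
    for _ in range(16):
        (count,) = struct.unpack_from("<H", block, pos)
        pos += 2
        result.append(block[pos:pos + 2 * count].decode("utf-16-le"))
        pos += 2 * count
    return result


def lookup_string(blocks: dict[int, bytes], string_id: int) -> str:
    """Resolve a LoadString ID against a dict of {block_id: raw block bytes},
    which is what you get after dumping the RT_STRING resources of a PE."""
    block_id, index = string_table_location(string_id)
    return parse_string_block(blocks[block_id])[index]


# Constructed sample: block 18 carries ID 0x110 (272) in slot 0. The flag text
# is a placeholder, not the real challenge value.
SAMPLE_BLOCKS = {18: build_string_block({0: "FLAG{CONSTRUCTED-SAMPLE}", 5: "other"})}

if __name__ == "__main__":
    print(string_table_location(0x110))          # (18, 0)
    print(lookup_string(SAMPLE_BLOCKS, 0x110))    # FLAG{CONSTRUCTED-SAMPLE}
```

The u"" prefix Ghidra put on the annotated string in the listing above is consistent with this: string-table resources are always stored as UTF-16, which is also why a plain ASCII strings run over the file missed it.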