# Within Code >>> CyberTalents

# Within Code Writeup

## Introduction

Ladies and gentlemen, welcome to the YARA-mazing world of malware analysis! It's like playing hide-and-seek with digital miscreants, only instead of counting to ten, we're counting to 01001000 01100101 01111000! So, put on your virtual detective hats, because we're about to unmask some binary bandits, and trust me, these ones don't look good in stripes!

## Challenge Description

Flag rises within the code. Our developer thinks encoding is safe, try to find the location

flag format: Flag{location}

- https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/Within+Code.zip

## Solution

We will begin by downloading and extracting the folder that's hosted in the link above. After extracting it, we find that the directory contains binary files.

To solve this we need to understand what the instructions really want us to do. Here is an extract from the challenge description: ***Flag rises within the code***. From my understanding this would mean that in these binary files we might have the word FLAG buried somewhere. The description also talks of ***ENCODING***, meaning that the word ***FLAG*** will probably be encoded.

Since we are beginners at this cybersec thing, I'd like to assume that they wouldn't throw us into the deep end of encryptions and that they might start us off with a simple encryption algorithm such as ***base64.*** Meaning we will first need to encode the word flag into base64 and then start writing the yara rule.

After encoding "***Flag***" into *base64*, we need to write a yara rule that searches for the file that contains the base64 form of our search word, and maybe we will hit a jackpot. So let's begin.

### Step 1 - Encoding to base64

We will begin by encoding the word "Flag" into base64 using https://www.base64encode.org/

There are several online tools for this, so you can use the one you like most.
Encoding Flag into base64 gives us **RmxhZw==**

Now we can write the yara rule.

![](https://hackmd.io/_uploads/Hy0PIXDA3.png)

### Step 2 - Yara Rule

We are now going to create a Yara rule that we will use to find our flag. Below is the rule that I'll be using.

![](https://hackmd.io/_uploads/rJVjLSP0n.png)

We then run this Yara rule from the terminal.

![](https://hackmd.io/_uploads/B1lGuBwC2.png)

From the results above we get 2 things:

1. WithinCode/6645 - The filename that contains the base64
2. 0x2460 - The hex location of the base64 string

### Step 3 - Converting the hexcode into decimal characters.

Now that we have the hexcode, we need to convert it back into decimal characters. For this I'll be using the following website: https://www.rapidtables.com/convert/number/hex-to-ascii.html

![](https://hackmd.io/_uploads/H1_cKSvA3.png)

And we now get our flag.

***flag{9312}***

---

**Author:** Gr3yW0lff

**Date:** September 2023
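
The search from Steps 1 to 3 as one script, added here as an example; it is not part of the original writeup and is not the author's YARA rule. It goes beyond the literal `RmxhZw==` by also matching the forms `Flag` takes when it sits inside a longer base64 string. The names `b64_fragments`, `find_offsets`, `scan_tree` and `SAMPLE` are chosen for this example, and `SAMPLE` is constructed data, not the challenge file.

```python
import base64
import sys
from pathlib import Path


def b64_fragments(needle: bytes) -> set[bytes]:
    """Base64 substrings fully determined by `needle`, one per byte alignment.

    Base64 maps 3 input bytes to 4 characters, so the same bytes encode
    differently depending on their position modulo 3 in the surrounding data.
    """
    frags = set()
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + needle)
        start = (pad * 8 + 5) // 6           # skip chars mixed with preceding bytes
        end = (pad + len(needle)) * 8 // 6   # drop chars mixed with following bytes
        frags.add(enc[start:end])
    return frags


def find_offsets(data: bytes, needle: bytes) -> list[int]:
    """Sorted offsets in `data` where any encoded form of `needle` starts."""
    patterns = b64_fragments(needle) | {base64.b64encode(needle)}
    hits = set()
    for pat in patterns:
        pos = data.find(pat)
        while pos != -1:
            hits.add(pos)
            pos = data.find(pat, pos + 1)
    return sorted(hits)


def scan_tree(root: str, needle: bytes = b"Flag"):
    """Yield (path, hex offset, decimal offset) for every hit under `root`."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            for off in find_offsets(path.read_bytes(), needle):
                yield str(path), hex(off), off


# Constructed sample, not the challenge file: the literal from Step 1 placed
# at the offset the writeup reports, so the arithmetic can be checked offline.
SAMPLE = b"\x00" * 0x2460 + b"RmxhZw==" + b"\x00" * 16

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit)
```

Run it with the extracted folder as the argument; the third column is the decimal form of the offset, which is the value the flag format asks for.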