This room is made up of challenges aimed at learning more about static analysis. The challenges are Windows executables, yeah scary, but luckily you don't need a Windows machine to solve this room; it has 3 challenges, namely strings1, strings2 and strings3!
I'll be using Ghidra and Cutter for all of these challenges!
Description:
We are given an executable that prints an MD5 hash when executed. Can we grab the exact flag? :) Well yes we can!
I first downloaded the executable file and then tried checking strings, since the challenge name is strings :) and I found a lot of flags, didn't expect that one lol!
strings strings1.exe_
but not useful, so I uploaded the executable to Ghidra so I could read the disassembled code and the pseudocode! And I was able to find some interesting lines of code in the entry function!
We can now understand what's being hashed to MD5, so looking again at the disassembled code, I find this:
and this line: EAX,[PTR_s_FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIO_00 = 00424828
shows the location of the flag, which is 00424828, so what I do next is to find that location and see what the full flag is:
And there we have our flag:
Description:
So same thing as the first one! I tried running strings to see if I could find something, but nothing important at all, so I uploaded the executable to Ghidra again, and reading the pseudocode I noticed something really interesting: the variables that were assigned hex values, when you convert them to ASCII, give you a letter. For example local_2b = 0x4c
convert the 0x4c to ASCII and you get L
and local_2c = 'F'
which means the variables contain the letters which, when all put together, make the flag!
So you could take all those hex values and convert them manually, or you can just open up Cutter if you have it installed and it'll show the flag right off the bat!
And we have the flag :
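If you'd rather not convert every byte by hand, the same trick Cutter does can be scripted. Below is an added example (my own helper, not part of the room or Ghidra) that parses decompiler lines of the local_XX = 0x.. form, orders them by stack offset and decodes the bytes; the pseudocode sample and the flag text in it are constructed for illustration.

```python
import re

# Constructed sample of Ghidra decompiler output, modelled on the pattern seen
# in strings2 (local_2c = 'F', local_2b = 0x4c). The flag text is made up.
SAMPLE_PSEUDOCODE = """
  local_2c = 'F';
  local_2b = 0x4c;
  local_2a = 0x41;
  local_29 = 0x47;
  local_28 = 0x7b;
  local_27 = 0x53;
  local_26 = 0x54;
  local_25 = 0x41;
  local_24 = 0x43;
  local_23 = 0x4b;
  local_22 = 0x7d;
  local_21 = 0;
  uVar1 = 0;
"""

# Matches "local_<hex offset> = <0x.. | 'c' | decimal>;" assignments.
ASSIGN_RE = re.compile(r"local_([0-9a-f]+)\s*=\s*(0x[0-9a-f]+|'(.)'|\d+)\s*;", re.I)


def parse_byte_assignments(pseudocode):
    """Return {stack_offset: byte_value} for every single-byte local_XX assignment."""
    out = {}
    for m in ASSIGN_RE.finditer(pseudocode):
        offset = int(m.group(1), 16)
        value = m.group(2)
        byte = ord(m.group(3)) if value.startswith("'") else int(value, 0)
        if 0 <= byte <= 0xFF:  # skip anything that is not a single byte
            out[offset] = byte
    return out


def recover_stack_string(pseudocode):
    """Ghidra names locals by their (negative) frame offset, so local_2c sits one
    byte *below* local_2b in memory. Reading the buffer in address order therefore
    means sorting by offset descending; stop at the first NUL terminator."""
    assignments = parse_byte_assignments(pseudocode)
    chars = []
    for offset in sorted(assignments, reverse=True):
        if assignments[offset] == 0:
            break
        chars.append(chr(assignments[offset]))
    return "".join(chars)


if __name__ == "__main__":
    print(recover_stack_string(SAMPLE_PSEUDOCODE))  # FLAG{STACK}
```

Paste the real decompiler output into SAMPLE_PSEUDOCODE and the script prints whatever the byte assignments spell out.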
Description:
And the same description again, wow, so this time I didn't wanna waste my time checking strings lol, so I just shot it straight into Ghidra!
It has only one function shown in Ghidra and that is entry,
but taking a look at the pseudocode I see something interesting:
the defined functions LoadStringA() and FindResourceA() are quite interesting, but taking a look at the disassembled code to see how the LoadStringA() worked, as shown below, it called the flag, and not only that, it called the flag from a known location!
So we have to locate the string from where it's called; since we have the ID of the string, it won't be hard:
the address as shown here is 0x110
converting that to an integer:
it gives us 272, so that's the string ID, now I just search it up:
And the flag is :
Twitter : tahaafarooq
Github : tahaafarooq
Email : tahacodez@gmail.com