This room is made up of challenges aimed at learning more about static analysis. The challenges are Windows executables (yeah, scary), but luckily you don't need a Windows machine to solve this room. It has 3 challenges, namely strings1, strings2 and strings3!
I'll be using Ghidra and Cutter for all of these challenges!
Description:
This executable prints an MD5 Hash on the screen when executed. Can you grab the exact flag?
Note: You don't need to run the executable!
We are given an executable and it prints an MD5 hash when executed. Can we grab the exact flag? :) Well yes, we can!
I first downloaded the executable file and then tried checking strings, since the challenge name is strings :), and I found a lot of flags, didn't expect that one lol!
strings strings1.exe_
but not useful, so I uploaded the executable to Ghidra so that I can read the disassembled code and the pseudocode! And I was able to find some interesting lines of code in the entry function!
void entry(void)
{
char *lpText;
lpText = md5_hash(PTR_s_FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIO_00432294);
MessageBoxA((HWND)0x0,lpText,"We\'ve been compromised!",0x30);
/* WARNING: Subroutine does not return */
ExitProcess(0);
}
We can now understand what's being hashed to MD5, so looking again at the disassembled code, I find this:
004022b4 a1 94 22 43 00    MOV EAX,[PTR_s_FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIO_00 = 00424828
004022b9 50                PUSH EAX=>s_FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIO_00424828 = "FLAG{CAN-I-MAKE-IT-ANYMORE-OB
004022ba e8 d1 ff ff ff    CALL md5_hash    char * md5_hash(char * param_1)
and this line: EAX,[PTR_s_FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIO_00 = 00424828
shows the location of the flag, which is 00424828, so what I do next is go to that location and see what the full flag is:
And there we have our flag:
FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}
Description:
This executable prints an MD5 Hash on the screen when executed. Can you grab the exact flag?
Note: You don't need to run the executable!
So, same thing as the first one! I tried running strings to see if I could find something, but nothing important at all, so I uploaded the executable to Ghidra again. Reading the pseudocode I noticed something really interesting: the variables are assigned hex values which, when converted to ASCII, each give a letter. For example local_2b = 0x4c
converting 0x4c to ASCII gives you L,
and local_2c = 'F'
which means the variables hold the letters which, all put together, make the flag!
So you could take all those hex values and convert them manually, or you can just open up Cutter if you have it installed and it'll show the flag right off the bat!
And we have the flag :
FLAG{STACK-STRINGS-ARE-BEST-STRINGS}
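Reconstructing a stack string like this one straight from the decompiler output, as an added Python example that is not part of this write-up: it parses Ghidra-style slot assignments, orders them by stack offset and stops at the NUL terminator. The decompiled lines are constructed here (only local_2c and local_2b come from the page), and the little-endian handling of dword-wide slots is an assumption that goes beyond the byte-at-a-time case shown above.

```python
import re

# Constructed sample of Ghidra decompiler output for the strings2 entry function: only
# local_2c = 'F' and local_2b = 0x4c appear in the write-up; the other assignments are
# invented so the flag quoted above is spelled out, mixing in dword-wide slots.
SAMPLE_DECOMPILE = """
  local_2c = 'F';
  local_2b = 0x4c;
  local_2a = 0x41;
  local_29 = 0x47;
  local_28 = 0x4154537b;
  local_24 = 0x532d4b43;
  local_20 = 0x4e495254;
  local_1c = 0x412d5347;
  local_18 = 0x422d4552;
  local_14 = 0x2d545345;
  local_10 = 0x49525453;
  local_c = 0x7d53474e;
  local_8 = 0;
"""

# One "slot = literal;" line; Ghidra names stack slots by their offset below the frame base.
ASSIGN_RE = re.compile(
    r"^\s*(?:local|[a-zA-Z]*Stack)_([0-9a-fA-F]+)\s*=\s*"
    r"(0x[0-9a-fA-F]+|\d+|'(?:\\.|[^'])')\s*;", re.M)

def recover_stack_string(decompiled: str) -> str:
    """Rebuild the NUL-terminated ASCII string the slot assignments spell out."""
    cells = {}  # offset below frame base -> byte value
    for m in ASSIGN_RE.finditer(decompiled):
        offset, literal = int(m.group(1), 16), m.group(2)
        if literal.startswith("'"):
            data = literal[1:-1].encode("latin-1").decode("unicode_escape").encode("latin-1")
        else:
            value = int(literal, 16) if literal.lower().startswith("0x") else int(literal)
            # Assumption: wider literals are stored little-endian, so byte i of the value
            # sits one address higher per byte, i.e. at offset - i.
            data = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "little")
        for i, byte in enumerate(data):
            cells[offset - i] = byte
    out, expected = bytearray(), None
    # Largest offset = lowest address = first character; stop at a hole or a NUL.
    for offset in sorted(cells, reverse=True):
        if expected is not None and offset != expected:
            break
        expected = offset - 1
        if cells[offset] == 0:
            break
        out.append(cells[offset])
    return out.decode("ascii", errors="replace")
```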
Description:
This executable prints an MD5 Hash on the screen when executed. Can you grab the exact flag?
Note: You don't need to run the executable!
And the same description again, wow, so this time I didn't wanna waste my time checking strings lol, so I just shot it straight into Ghidra!
It has only one function shown in Ghidra, and that is entry,
but taking a look at the pseudocode I see something interesting:
void entry(void)
{
CHAR local_4a4;
undefined local_4a3 [1027];
char *local_a0;
MD5 local_9c [144];
HRSRC local_c;
undefined4 local_8;
MD5::MD5(local_9c);
local_4a4 = '\0';
memset(local_4a3,0,0x3ff);
local_8 = 0;
local_c = FindResourceA((HMODULE)0x0,"rc.rc",(LPCSTR)0x6);
local_8 = 0x110;
LoadStringA((HINSTANCE)0x0,0x110,&local_4a4,0x3ff);
local_a0 = MD5::digestString(local_9c,&local_4a4);
MessageBoxA((HWND)0x0,local_a0,"We\'ve been compromised!",0x30);
/* WARNING: Subroutine does not return */
ExitProcess(0);
}
The functions LoadStringA() and FindResourceA() are quite interesting, but taking a look at the disassembled code to see how LoadStringA() worked, as shown below it pulls in the flag, and not only the flag, it pulls the flag from a known location!
004022ff ff 15 0c 30 40 00    CALL dword ptr [->USER32.DLL::LoadStringA] = u"FLAG{RESOURCES-ARE-POPULAR-F
So we have to locate the string where it's loaded from; since we have the ID of the string, it won't be hard:
LoadStringA((HINSTANCE)0x0,0x110,&local_4a4,0x3ff);
The string ID passed here is 0x110;
converting that to an integer:
┌─[tahaafarooq@cyberwarriors]─[~/Desktop/tryhackme/basicmalware_re]
└──╼ $python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> hex = 0x110
>>> print(int(0x110))
272
it gives us 272, so that's the string ID. Now I just search it up (Windows keeps string-table resources in blocks of 16 strings, so ID 272 lives in string-table block 272/16 + 1 = 18 as its first entry):
And the flag is :
FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}
Twitter : tahaafarooq
Github : tahaafarooq
Email : tahacodez@gmail.com