TryHackMe — Basic Malware RE Room Writeup
This is a TryHackMe room for Malware Reverse Engineering challenges. The room has been split up into three challenge tasks where you will be asked to perform “Static Analysis” on three Windows executable files to obtain the flag for each challenge. If you are new to Malware RE, this room may take about approximately 1.5 hours to complete.
Tools Required
You will require the following tools to complete the various tasks in the room.
- IDA Freeware (https://hex-rays.com/ida-free/)
- Resource Hacker (http://www.angusj.com/resourcehacker/)
Task #1 — Introduction
This task introduces you to the challenge. Please note the password for the ZIP files.
Task #2 — Strings :: Challenge 1
Open IDA Freeware disassembler and at the start screen (see below), select “New”, navigate to your extracted “strings1.exe_” file and open it.
You’ll be presented with a Load new file window. Select OK.
After disassembly, to your left, there should be a Functions menu outlining the various functions found during the process. Select the “start” function.
This should take you to the entry point of the program. If you scroll down a bit, you should find the first flag as a string (see below).
Task #3 — Strings :: Challenge 2
In IDA Freeware disassembler, open your extracted “strings2.exe_” file. You’ll be presented with a Load new file window. Select OK.
In the Functions menu, select the “start” function to go to the beginning of the program.
This executable is a bit different to the previous one, where the flag is not assigned to one variable. If you scroll down a bit, you should find the second flag as a characters assigned to multiple variables (see below).
Task#4 — Strings :: Challenge 3
In IDA Freeware disassembler, open your extracted “strings3.exe_” file. You’ll be presented with a Load new file window. However, ensure you check “Load Resources” before selecting OK (see highlighted below).
In the Functions menu, select the “start” function to go to the beginning of the program.
Similar to our previous challenge, this application is different, where the flag is not easily found at the start of the executable. At the start of the executable we find two (2) functions, FindResourceA and LoadStringA (see below).
A bit of Google searching for these Win32 functions, yields the following:
- FindResourceA (Link) determines the location of a resource with the specified type and name in the specified module.
- LoadStringA (Link) loads a string resource from the executable file associated with a specified module and either copies the string into a buffer with a terminating null character or returns a read-only pointer to the string resource itself.
Therefore, we should concentrate on the LoadStringA function since it will determine which string (i.e. flag) is being loaded. Hovering our mouse over the function will provide a tool tip with an overview of its parameters (see below).
Reviewing these parameters and the documentation, we can determine that a string is loaded based on a location provide by the uID parameter. From the review of the stack, we can determine that the uID parameter is calculated after the FindResourceA function but, prior to the LoadStringA function.
It took me a while to discover the uID value because you’ll need a bit of assembly knowledge to calculate it (see below).
mov eax, 1 ; eax = 1
shl eax, 8 ; shift bit 8 times to the left, eax = 256
xor edx, edx ; edx = 0
inc edx ; increment edx by 1, edx = 1
shl edx, 4 ; shift bit 4 times to the left, edx = 16
or eax, edx ; eax or edx = 256 or 16 = 256 + 16 = 272
mov [ebp+uID],
eax ; set uID value, uID = 272
Now that we know the uID value that is used to load the string, lets take a look at the executable local resources to determine what string was loaded. On you keyboard, use the command “Ctrl+s” to jump to a segment in the code. Select “.rsrc” and OK, as seen below.
This should load the resources that are locally stored by the executable. However, we start to notice that there are several flags and there is no easily decipherable way to obtain the flag based on our calculated uID value.
This makes it difficult to determine which flag is the correct one. This is where Resource Hacker comes into the analysis. Open the “strings3.exe_” file in Resource Hacker. In the left window, scroll down and select the various resources until you find the string resource for the uID value of 272. This is your flag for the final challenge.
Conclusion
This challenge was a solid one and the third challenge took me a while to solve. If it wasn’t for Resource Hacker, I would not have found the flag. I would suggest you get some basic understanding of assembly language before attempting this room.