Malware Reverse Engineering CTFs

Nourhanelyamany, published in CyberScribers, Nov 3, 2023

I wrote up the Malware and Reverse Engineering challenges published on CyberTalents to improve my malware analysis and reverse engineering skills. For every challenge I mention the tools I used to solve it, along with the steps.

Eye of Sauron

The challenge writer provides us with an executable file and asks for its password.

Using the file command in Linux, we can see that it's a .NET application.

So I will decompile this application to see the code using dnSpy, which is a .NET decompiler and assembly editor. You can download it from here.

Now I want to check the function that takes the password.

I found a function called ShallHePass(); the function returns label texts.

Let’s see these labels in the initialization.

We can see that label2, label3, label4, and label5 each carry text.

But when the button is clicked, label3 changes, so we have to update it with the new value. Also, when the form is loaded, the value of label4 is changed.

So by adding them together:

d0248b4e + 47996655 + 83f05689 + c154b6ea

d0248b4e4799665583f05689c154b6ea

The function ShallHePass() applies a reverse function to the concatenated labels, so we will reverse them using the rev tool in Linux.

Let's try the reversed password on the executable.

Congratulations!

Getting Started

The challenge is giving us a file and asking for the flag.

First let's see the file type using the file command in Linux.

So this file can run on Linux.

Next, let's check the strings of the file using the strings command. I saw a strange value; let's take a look at it.

j}j1j_jljejvjejl_jojtj_jejmjojcjljejwj{jgjajljf

We can notice that the letter "j" is repeated between every letter, and that the end of the string, read backwards, starts with "f", then "j", then "l". It may be the flag!

I wrote a simple Python script to remove the letter "j" from it:

def remove_letter_j(string):
    # Guard against a missing input before touching it
    if string is None:
        return None
    # Drop every occurrence of the filler letter "j"
    return string.replace('j', '')

input_string = input("Enter a string: ")
result = remove_letter_j(input_string)
print("Result:", result)

Let's reverse the output using the rev tool.

Here it is!
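As an added example (not the script from the write-up), the same decoding done in one place: the filler letter is stripped, the result is reversed as rev would do, and the output is only accepted if it matches the flag{...} shape. The filler is guessed as the most frequent character, which is an assumption that holds for this sample but not for every string.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample: the string recovered with `strings` in the write-up.
SAMPLE = "j}j1j_jljejvjejl_jojtj_jejmjojcjljejwj{jgjajljf"

# Accept only a complete flag{...} token, nothing before or after it.
FLAG_RE = re.compile(r"^flag\{[^{}]+\}$")


def guess_filler(s: str) -> str:
    """Assumption: an interleaved filler letter dominates the character counts."""
    return Counter(s).most_common(1)[0][0]


def decode_flag(s: str, filler: Optional[str] = None) -> str:
    """Strip the filler letter, then reverse (equivalent to the script followed by rev)."""
    filler = filler if filler is not None else guess_filler(s)
    return s.replace(filler, "")[::-1]


def recover(s: str) -> Optional[str]:
    """Try each character as the filler, most frequent first, until a flag appears.

    Returns None when no candidate yields a flag{...} string, so a wrong guess
    never gets reported as a flag.
    """
    for candidate, _count in Counter(s).most_common():
        decoded = decode_flag(s, candidate)
        if FLAG_RE.match(decoded):
            return decoded
    return None


if __name__ == "__main__":
    print("filler:", guess_filler(SAMPLE))
    print("flag:  ", recover(SAMPLE))
```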

Get Rid of Them All

The challenge is giving us a jar file.

I searched for a Java decompiler and found an online one. Let's use it. I found these interesting folders.

Let's see the ctf.java code first.

Okay, we can see that this part of the code contains a flag string, but it looks like it is made of base64 characters.

Let’s use CyberChef to decode it.

Congratulations we got it!

Pure Luck

First I used the strings tool on the file and found that the file is packed with UPX.

To unpack it we can use upx -d in Linux.

Using the strings and grep tools, I can see that the flag is printed in the form 0x%x and that it can also be found on the stack.

Let's disassemble it with objdump.

It looks like this is the form we are searching for!

They look like ASCII; let's use echo to get their values by inserting \ between the values.

Here is the flag!
