Solving MalwareTech String Challenges With Some Radare2 Magic!
MalwareTech has published some challenges on his blog that are really fun to play with. The goal is to crack these binaries and find the correct flag using static analysis only! Let’s jump right in!
Strings1
Extracting the strings with rabin2 throws a HUGE amount of possible flags. 4196 to be precise.
Let’s see how many entry points there are:
Good news: there’s only one. Let’s start our analysis there then. If we open the file in radare2 we can clearly see something interesting at 0x4022b4. It seems like there’s only one flag being loaded:
At address 0x4022b4 the correct flag is being loaded as an argument for the MD5 hash function. We can read the flag by issuing a simple grep to find the correct address using f ~ {grep filter} and printing the content using ps:
Strings2
Running rabin2 looking for strings doesn’t give us much this time so let’s jump into the disassembler view!
This time the entry point has a bunch of mov instructions that load some hardcoded values into the stack. The default view in radare2 allows us to quickly understand what’s going on since it shows the hex values as strings on the right:
Our winning flag is:
FLAG{STACK-STRINGS-ARE-BEST-STRINGS}Strings3
The main function is a little more complex than the previous challenges. We can make use of radare2 decompiler plugin r2dec to get pseudo-code (that’s pretty similar to C) using the pdd option:
We can check the official Microsoft documentation for the LoadStringA and FindResourceA functions to understand how it works.
This one is also useful if you are trying to understand what a “resource” is in this context and which type of resource is being fetched by this binary:
After reading the docs we can translate the parameters to their actual meaning.
HRSRC FindResourceA(
HMODULE 0x00, // from this binary
LPCSTR "rc.rc", // from .rsrc section
LPCSTR 272 // string-table entry
);int LoadStringA(
HINSTANCE 0x00, // load from this binary
UINT 0x06, // string identifier
LPSTR &buffer,
int 0x3ff // size of the buffer
);
The interesting part is this, where eax gets set up with the string identifier 0x110 (272):
0x004022da b801000000 mov eax, 1
0x004022df c1e008 shl eax, 8
0x004022e2 33d2 xor edx, edx
0x004022e4 42 inc edx
0x004022e5 c1e204 shl edx, 4
0x004022e8 0bc2 or eax, edxLooking into the resources entries using the resource hacker tool we can easily find the corresponding resource for the identifier 272
That’s all for now! I’ll publish a writeup on the shellcode challenges soon, stay tuned!
Here are some resources that you might find useful to understand the writeup:
