Solving MalwareTech String Challenges With Some Radare2 Magic!

Syscall59
Syscall59
Jun 1 · 4 min read

MalwareTech has published some challenges on his blog that are really fun to play with. The goal is to crack these binaries and find the correct flag using static analysis only! Let’s jump right in!


Strings1

Extracting the strings with rabin2 throws a HUGE amount of possible flags. 4196 to be precise.

can’t hold all these flags

Let’s see how many entry points there are:

Good news: there’s only one. Let’s start our analysis there then. If we open the file in radare2 we can clearly see something interesting at 0x4022b4. It seems like there’s only one flag being loaded:

At address 0x4022b4 the correct flag is being loaded as an argument for the MD5 hash function. We can read the flag by issuing a simple grep to find the correct address using f ~ {grep filter} and printing the content using ps:


Strings2

Running rabin2 looking for strings doesn’t give us much this time so let’s jump into the disassembler view!

This time the entry point has a bunch of mov instructions that load some hardcoded values into the stack. The default view in radare2 allows us to quickly understand what’s going on since it shows the hex values as strings on the right:

Our winning flag is:

FLAG{STACK-STRINGS-ARE-BEST-STRINGS}

Strings3

The main function is a little more complex than the previous challenges. We can make use of radare2 decompiler plugin r2dec to get pseudo-code (that’s pretty similar to C) using the pdd option:

We can check the official Microsoft documentation for the LoadStringA and FindResourceA functions to understand how it works.

This one is also useful if you are trying to understand what a “resource” is in this context and which type of resource is being fetched by this binary:

After reading the docs we can translate the parameters to their actual meaning.

HRSRC FindResourceA(
HMODULE 0x00, // from this binary
LPCSTR "rc.rc", // from .rsrc section
LPCSTR 272 // string-table entry
);
int LoadStringA(
HINSTANCE 0x00, // load from this binary
UINT 0x06, // string identifier
LPSTR &buffer,
int 0x3ff // size of the buffer
);

The interesting part is this, where eax gets set up with the string identifier 0x110 (272):

0x004022da      b801000000     mov eax, 1
0x004022df c1e008 shl eax, 8
0x004022e2 33d2 xor edx, edx
0x004022e4 42 inc edx
0x004022e5 c1e204 shl edx, 4
0x004022e8 0bc2 or eax, edx

Looking into the resources entries using the resource hacker tool we can easily find the corresponding resource for the identifier 272



syscall59

Shellcode for the masses

Syscall59

Written by

Syscall59

Twitter: @syscall59 | medium.syscall59.com | syscall59@protonmail.com

syscall59

syscall59

Shellcode for the masses

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade