> For the complete documentation index, see [llms.txt](https://kunalwalavalkar.gitbook.io/write-ups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kunalwalavalkar.gitbook.io/write-ups/cyberdefenders/re101.md).
# RE101
{% hint style="warning" %}
Always open malware in a secure environment like a VM.
{% endhint %}
{% hint style="info" %}
We will be using the [REMnux](https://remnux.org/) distribution which is specifically made for reverse engineering.
{% endhint %}
##
> Q1. File: MALWARE000 - I've used this new encryption I heard about online for my warez; I bet you can't extract the flag!
* Let's use `strings` on the `malware000` file in order to find all the strings present.
```
$ strings malware000
--snip--;
ZmxhZzwwb3BzX2lfdXNlZF8xMzM3X2I2NF9lbmNyeXB0aW9uPgo=
--snip--;
```
* We can also use `Detect It Easy` to open the program.
* Let's look at all the `strings` present in the program.
* This string seems to be encoded with base64.
* We can decode this string using `CyberChef`.
##
> Q4. File: Unzip Me - I zipped flag.txt and encrypted it with the password "password", but I think the header got messed up... You can have the flag if you fix the file
* In [this](https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html) document, we can see the file header for a PKZip file.
* We can see that the 10th and 11th byte in the second row denote the length of the file name. In our case the file name is `flag.txt`, sos the length should be 8.
* Let's open `file.zip_broken` in `wxHexEditor` and check if this is the case.
* The file name length is written as `58 58` which is wrong. The correct value is `08 00`. W can replace the current value by clicking on the `Edit` checkbox.
* Save the file as `file.zip` and then extract it. The password is `password`.
```
$ unzip file.zip
Archive: file.zip
[file.zip] flag.txt password:
extracting: flag.txt
```
* Let's see what the `flag.txt` file holds.
```
$ cat flag.txt
flag
```
##
> Q6. File: MALWARE201 - Ugh... I guess I'll just roll my own encryption. I'm not too good at math, but it looks good to me!
* Let's look at the `entry` point of the program.
* We can see that it calls the `main` function.
* Let's take a look at the `main` function.
* There is reference to the bytes at `0040082b`.
* If we go to `Window > Bytes`, we can access the hexadecimal representation.
* Then there's the encryption function.
* It starts counting from `0x00` and makes an increment until it reaches the end of our string. Then this key is `xor`ed with the string.
* Afterwards the result is shifted left by 1 byte.
```
String:
0x6d 0x78 0x61 0x6c 0xdd 0x7e 0x65 0x7e 0x47 0x6a 0x4f 0xcc 0xf7 0xca 0x73 0x68 0x55 0x42 0x53 0xdc 0xd7 0xd4 0x6b 0xec 0xdb 0xd2 0xe1 0x1c 0x6d 0xde 0xd1 0xc2
Key:
0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8 0xb9 0xba 0xbb 0xbc 0xbd 0xbe 0xbf
```
* We will use [Cyberchef](https://gchq.github.io/CyberChef/) to decode the data.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://kunalwalavalkar.gitbook.io/write-ups/cyberdefenders/re101.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.