RE101
Always open malware in a secure environment like a VM.
Q1. File: MALWARE000 - I've used this new encryption I heard about online for my warez; I bet you can't extract the flag!
Let's use strings on the malware000 file in order to find all the strings present.
$ strings malware000
--snip--
ZmxhZzwwb3BzX2lfdXNlZF8xMzM3X2I2NF9lbmNyeXB0aW9uPgo=
--snip--
We can also use Detect It Easy to open the program.

Let's look at all the strings present in the program.

This string seems to be encoded with base64. We can decode this string using CyberChef.

Q4. File: Unzip Me - I zipped flag.txt and encrypted it with the password "password", but I think the header got messed up... You can have the flag if you fix the file
In this document, we can see the file header for a PKZip file.

We can see that the 10th and 11th byte in the second row denote the length of the file name. In our case the file name is flag.txt, so the length should be 8. Let's open file.zip_broken in wxHexEditor and check if this is the case.

The file name length is written as 58 58, which is wrong. The correct value is 08 00. We can replace the current value by clicking on the Edit checkbox.

Save the file as file.zip and then extract it. The password is password.

Let's see what the flag.txt file holds.
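The same repair, done programmatically, as an added example that is not part of the original writeup: the two-byte file name length sits at offset 26 of the PKZip local file header, so the script reads the real name from the intact central directory and writes the correct length back. The sample archive is constructed in the code (unencrypted, since the standard library cannot write password-protected zips) with its length field overwritten to 58 58, mirroring file.zip_broken.

```python
import io
import struct
import zipfile
from typing import Optional

LOCAL_HEADER_SIG = b"PK\x03\x04"
NAME_LEN_OFFSET = 26  # 2-byte little-endian "file name length" field in the local file header


def make_broken_zip() -> bytes:
    """Constructed sample: a one-file archive whose local header name length is
    overwritten with 58 58, like the challenge file (no password in this sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}\n")
    broken = bytearray(buf.getvalue())
    broken[NAME_LEN_OFFSET:NAME_LEN_OFFSET + 2] = b"\x58\x58"
    return bytes(broken)


def name_length(data: bytes) -> int:
    """Read the file name length field of the first local file header."""
    return struct.unpack_from("<H", data, NAME_LEN_OFFSET)[0]


def repair_local_header(data: bytes) -> bytes:
    """Return a copy of `data` with the first local header's name length corrected.
    The central directory at the end of the archive is intact, so the true name
    is taken from there. Assumes a single-entry archive starting with PK\\x03\\x04."""
    if data[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a PKZip local file header")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # only reads the central directory
        name = zf.infolist()[0].filename.encode()
    fixed = bytearray(data)
    struct.pack_into("<H", fixed, NAME_LEN_OFFSET, len(name))  # 8 -> bytes 08 00
    return bytes(fixed)


def extract_flag(data: bytes) -> Optional[str]:
    """Read flag.txt; zipfile compares the local header name with the central
    directory, so the corrupted length makes it raise BadZipFile."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read("flag.txt").decode()
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    broken = make_broken_zip()
    print(hex(name_length(broken)), extract_flag(broken))       # 0x5858 None
    fixed = repair_local_header(broken)
    print(hex(name_length(fixed)), extract_flag(fixed))         # 0x8 flag{constructed_sample}
```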
Q6. File: MALWARE201 - Ugh... I guess I'll just roll my own encryption. I'm not too good at math, but it looks good to me!
Let's look at the entry point of the program.

We can see that it calls the main function. Let's take a look at the main function.

There is a reference to the bytes at 0040082b.

If we go to Window > Bytes, we can access the hexadecimal representation.

Then there's the encryption function.

It starts counting from 0x00 and increments until it reaches the end of our string. Then this key is XORed with the string. Afterwards the result is shifted left by 1 byte.

We will use CyberChef to decode the data.
