RE101
Last updated
Always open malware in a secure environment like a VM.
We will be using the REMnux distribution which is specifically made for reverse engineering.
Q1. File: MALWARE000 - I've used this new encryption I heard about online for my warez; I bet you can't extract the flag!
Let's use strings on the malware000 file in order to find all the strings present.
We can also use Detect It Easy to open the program.
Let's look at all the strings present in the program.
This string seems to be encoded with base64.
We can decode this string using CyberChef.
Q4. File: Unzip Me - I zipped flag.txt and encrypted it with the password "password", but I think the header got messed up... You can have the flag if you fix the file
In this document, we can see the file header for a PKZip file.
We can see that the 10th and 11th bytes in the second row denote the length of the file name. In our case the file name is flag.txt, so the length should be 8.
Let's open file.zip_broken in wxHexEditor and check if this is the case.
The file name length is written as 58 58, which is wrong. The correct value is 08 00 (the field is stored little-endian, so the low byte comes first). We can replace the current value by clicking on the Edit checkbox.
Save the file as file.zip and then extract it. The password is password.
Let's see what the flag.txt file holds.
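As an added example (not part of the original write-up), the same header repair done in Python: it builds a constructed, unencrypted zip containing flag.txt, overwrites the file-name-length field of the local file header with 58 58 the way the challenge file is broken, then patches it back to 08 00 and checks that the archive extracts again. The field offset (26) comes from the PKZip local file header layout; the sample content is made up.

```python
import io
import struct
import zipfile

# PKZip local file header: 4-byte signature "PK\x03\x04", then fixed fields;
# the 2-byte little-endian file name length sits at offset 26, the name itself
# starts at offset 30.
LFH_SIGNATURE = b"PK\x03\x04"
NAME_LEN_OFFSET = 26


def build_sample_zip(name="flag.txt", data=b"flag{constructed_sample}\n"):
    """Constructed sample: an unencrypted, STORED zip holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def read_name_length(blob):
    """Return the file-name-length field of the first local file header."""
    if blob[:4] != LFH_SIGNATURE:
        raise ValueError("not a PKZip local file header")
    return struct.unpack_from("<H", blob, NAME_LEN_OFFSET)[0]


def corrupt_name_length(blob, garbage=b"XX"):
    """Overwrite the field with 'XX' (58 58), mimicking the broken challenge file."""
    read_name_length(blob)  # validates the signature
    return blob[:NAME_LEN_OFFSET] + garbage + blob[NAME_LEN_OFFSET + 2:]


def repair_name_length(blob, expected_name):
    """Patch the field so it matches the known file name (8 -> 08 00 for flag.txt)."""
    read_name_length(blob)  # validates the signature
    fixed = struct.pack("<H", len(expected_name.encode()))
    return blob[:NAME_LEN_OFFSET] + fixed + blob[NAME_LEN_OFFSET + 2:]


def extract_first(blob):
    """Extract the first member; zipfile compares the local header name against
    the central directory, so a wrong length field makes this fail."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            name = zf.namelist()[0]
            return name, zf.read(name)
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    broken = corrupt_name_length(build_sample_zip())
    print(hex(read_name_length(broken)), extract_first(broken))
    print(extract_first(repair_name_length(broken, "flag.txt")))
```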
Q6. File: MALWARE201 - Ugh... I guess I'll just roll my own encryption. I'm not too good at math, but it looks good to me!
Let's look at the entry point of the program.
We can see that it calls the main function.
Let's take a look at the main function.
There is a reference to the bytes at 0040082b.
If we go to Window > Bytes, we can access the hexadecimal representation.
Then there's the encryption function.
It starts counting from 0x00 and increments until it reaches the end of our string. This counter is used as the key and XORed with the string. Afterwards the result is shifted left by 1 byte.
We will use CyberChef to decode the data.