Basic of Reverse Engineering | TryHackMe Basic Malware RE

Motasem Hamdan
2 min read · Dec 5, 2024


We covered the basics and fundamentals of reverse engineering using an example room from TryHackMe. The post also provides an instructional guide on basic malware reverse engineering (RE), with step-by-step instructions for analyzing three executable files and extracting the flags hidden in them.

Overview:

Tools Used: The presenter uses Ghidra to inspect the files and navigate between the disassembly and the decompiled C code.

Purpose: The video focuses on understanding how to reverse engineer malware executables to extract specific flags.

Before We Begin

Requirements:

  • Basic knowledge of assembly and C programming.
  • Familiarity with debugging tools.

Objective:

  • Reverse engineer three executables.
  • Extract flags encoded within them.

Malware Analysis Process:

1. Executable 1:

  • Opened in Ghidra.
  • Starting at the entry function, a variable iv_text is assigned the MD5 hash of a string.
  • The process involves finding the memory location of that string and identifying the flag.

Steps:

  • Double-click the string to locate it in memory.
  • Use the Defined Strings window to filter for the flag, which is directly readable as “can I make it any more obvious.”

2. Executable 2:

  • Analysis begins at the entry function.

Observations:

  • Variables store hexadecimal values.
  • These values, when converted to ASCII, form the flag.

Approach:

  • Walk the stack variables in address order, starting at local_2C and moving upward.
  • Extract the flag by converting each hexadecimal value to its ASCII characters.

3. Executable 3:

  • Calls Windows API functions such as FindResourceA and LoadStringA.

Process:

  • Locate the address 0x110 where the flag is stored.
  • Trace the variable that receives the flag value.
  • Use the string search tools to find the relevant string resources containing “resources are popular”; this helps identify the flag.

Techniques Highlighted

Memory Navigation:

  • Identifying memory locations of variables and strings.
  • Using tools like string search and defined strings windows.
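The two steps above (locate a string in memory, then filter the defined strings for the flag) and the MD5 comparison from Executable 1 can be reproduced outside Ghidra. The following Python script is an added example, not code from the post or from the TryHackMe room: it scans a constructed byte buffer (a stand-in for a data section, with a planted md5("hello") digest) the way Ghidra's Defined Strings window does, in both ASCII and UTF-16LE, filters the results, and checks candidate strings against any digest it finds. Function names, the sample bytes and the candidate list are all assumptions made for this example.

```python
import hashlib
import re

# Constructed stand-in for a slice of an executable's data section. These are
# not bytes from the room's binaries; the 32-hex-digit string is md5("hello"),
# planted so that the digest check below has something to find.
SAMPLE_BINARY = (
    b"\x55\x8b\xec\x83\xec\x10"                     # a few opcode bytes
    + b"can I make it any more obvious\x00"         # NUL-terminated C string
    + b"\x00\x00\x90\x90"                           # padding / nops
    + b"%s\x00"                                     # shorter than min_len, skipped
    + b"5d41402abc4b2a76b9719d911017c592\x00\x00"   # MD5 digest stored as text, NUL + pad byte
    + "wide str".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE string, common in Windows binaries
)


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and UTF-16LE, sorted by offset. This is the
    same information Ghidra's Defined Strings window lists."""
    found = []
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def filter_strings(strings, needle: str):
    """Case-insensitive substring filter, like typing into the Defined Strings filter box."""
    needle = needle.lower()
    return [s for s in strings if needle in s[2].lower()]


def looks_like_md5_hex(text: str) -> bool:
    """An MD5 digest rendered as text is exactly 32 hex digits."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", text) is not None


def md5_hex(plaintext: str) -> str:
    """Hash a candidate the way a binary would before comparing it to a stored digest."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def find_md5_preimage(strings, candidates):
    """For each stored digest, report which candidate hashes to it (None if none does)."""
    digests = [s[2].lower() for s in strings if looks_like_md5_hex(s[2])]
    return {d: next((c for c in candidates if md5_hex(c) == d), None) for d in digests}


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    for off, enc, text in strs:
        print(f"{off:#06x}  {enc:8}  {text}")
    print("filter 'obvious':", filter_strings(strs, "obvious"))
    print("digests:", find_md5_preimage(strs, ["hello", "world"]))
```

The UTF-16LE pass matters on Windows targets: a wide string shows up to a plain ASCII scan as single characters separated by NUL bytes and is missed entirely, which is one reason Ghidra's window is often richer than a naive `strings` run.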

Hexadecimal to ASCII Conversion:

  • Translating hex values into readable ASCII characters.
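This conversion, and the Executable 2 approach of walking the stack locals from local_2C upward, is where beginners most often get the order wrong. The Python below is an added example (not code from the post or the room) using made-up Ghidra-style locals whose values spell a constructed flag: it orders the locals by their stack offset, packs each constant in the target's byte order, and reads the result as a C string, and it also shows what the wrong byte order produces. The variable names, values and function names are assumptions for this example.

```python
import re
import struct

# Constructed Ghidra-style stack locals, written as the decompiler shows them
# (undefined4 local_XX = 0x...). The values spell a made-up flag; they are not
# the room's values. Note they are deliberately listed out of order.
SAMPLE_LOCALS = {
    "local_20": 0x007D6969,
    "local_28": 0x7865687B,
    "local_2c": 0x6F6D6564,
    "local_24": 0x63736132,
}

WIDTH_FMT = {1: "B", 2: "H", 4: "I", 8: "Q"}


def stack_offset(name: str) -> int:
    """Ghidra names a stack local by its distance below the frame base:
    local_2c sits at frame-0x2c. A larger hex suffix therefore means a
    lower address, which is why the walk starts at local_2c and goes up."""
    m = re.fullmatch(r"local_([0-9a-fA-F]+)", name)
    if m is None:
        raise ValueError(f"not a Ghidra stack local: {name}")
    return -int(m.group(1), 16)


def decode_hex_literal(value: int, width: int = 4) -> str:
    """Turn one constant into the characters it holds in a little-endian
    process: 0x6f6d6564 -> 'demo' (the bytes read back to front)."""
    return struct.pack("<" + WIDTH_FMT[width], value).decode("ascii", errors="replace")


def decode_stack_string(stack_locals: dict, width: int = 4, little_endian: bool = True) -> str:
    """Order the locals by address, emit each value in the chosen byte order,
    and read the result as a C string (up to the first NUL)."""
    fmt = ("<" if little_endian else ">") + WIDTH_FMT[width]
    ordered = sorted(stack_locals.items(), key=lambda kv: stack_offset(kv[0]))
    raw = b"".join(struct.pack(fmt, value) for _, value in ordered)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


if __name__ == "__main__":
    for name, value in sorted(SAMPLE_LOCALS.items(), key=lambda kv: stack_offset(kv[0])):
        print(f"{name:10} = {value:#010x} -> {decode_hex_literal(value)!r}")
    print("little-endian:", decode_stack_string(SAMPLE_LOCALS))
    print("big-endian   :", decode_stack_string(SAMPLE_LOCALS, little_endian=False))
```

Two details carry the whole technique: x86 stores the lowest byte of a constant at the lowest address, so each 4-byte value is read back to front, and the decompiler's numeric suffix is a stack offset, so sorting by it reproduces the byte order of the flag in memory.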

Debugging Fundamentals:

  • Navigating through the assembly and understanding stack operations.

Flags

  • Each flag is extracted using a unique method tailored to the executable’s logic.
  • Techniques include directly reading strings, converting hexadecimal values, and interpreting string resources loaded through Windows API calls.

TryHackMe Windows Powershell Room Answers

Room answers can be found here

The post effectively demonstrates foundational reverse engineering techniques, making malware analysis approachable for beginners. The presenter concludes with an invitation for further exploration and a preview of more advanced topics.

Video Walkthrough


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
