Malware Analysis & Reverse Engineering CTF



Hi, I'm studying Penetration Testing and part of the training obviously focuses on solving CTF challenges.
You must be asking yourself how the title is related to PT. Well, it's probably not that related, but there is a challenge that really caught my attention and I've been trying to solve it for a long time without success.
The challenge contains a malicious file and the task is to investigate the file and find the FLAG hidden inside the file.


So I will detail a bit about the malware and what I was able to understand from the code:


Code details:
Assembly - https://pastebin.com/asWi6a2M (IDA PRO)
Decompiler - https://pastebin.com/4XmaQmZx (IDA PRO)


Reports about the software from the Internet:
https://www.hybrid-analysis.com/samp...8838953275522e
https://www.joesandbox.com/analysis/332270/0/html


What I understood:


First of all, this is an executable file for Windows (EXE) and when I run the software in CMD I get an error "An error occurred" and the operation ends.
Reading the code in IDA PRO, you can see an environment variable called GREENIE; in my opinion everything starts here, and if I manage to discover the value of GREENIE I can move forward.
It is also possible to notice other generic errors that exist in the software.
I know that to solve the challenge, I would have to set up the environment properly and then follow the code, but I would need some direction because I am missing something.
I got some guidance from someone who told me to learn about ENDIANNESS, with emphasis on LITTLE ENDIAN.
I read about it and the differences between BIG ENDIAN and LITTLE ENDIAN, but I couldn't really understand how it is reflected in the software.
I would appreciate and thank anyone who takes the time to help.


Download link for the software:
https://easyupload.io/ikpzq3

It is important to know that this is software that is detected as MALWARE by Windows Defender, so it is recommended to open it in a virtual system.
Thank you!
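As an added illustration (not part of the original post, and not taken from the challenge binary), here is how a little-endian 32-bit comparison shows up in a decompiler versus the string it actually expects. The constant 0x44434241, the `env_value_matches` check shape and the sample immediates are constructed assumptions for the demonstration only:

```python
import struct

def dword_from_ascii(s: bytes) -> int:
    """Integer a little-endian CPU (x86) loads from the first 4 bytes of s.
    b"ABCD" in memory is 41 42 43 44, but as a DWORD it reads 0x44434241."""
    return struct.unpack("<I", s[:4])[0]

def big_endian_dword(s: bytes) -> int:
    """Same 4 bytes interpreted big-endian, for comparison: b"ABCD" -> 0x41424344."""
    return struct.unpack(">I", s[:4])[0]

def ascii_from_dword(value: int) -> bytes:
    """Bytes that must sit in memory for a little-endian 32-bit load to yield value."""
    return struct.pack("<I", value)

def env_value_matches(env_value: bytes, expected_dword: int) -> bool:
    """Mimic a decompiled check like  *(DWORD *)getenv("GREENIE") == 0x44434241.
    A string shorter than 4 bytes cannot fill the register, so it never matches."""
    if len(env_value) < 4:
        return False
    return dword_from_ascii(env_value) == expected_dword

def printable_ascii_immediates(immediates) -> dict:
    """Given 32-bit immediates copied from a disassembly listing, return the ones
    whose little-endian byte order decodes to printable ASCII. Such constants
    are often string fragments that the decompiler shows as plain numbers."""
    found = {}
    for imm in immediates:
        raw = ascii_from_dword(imm & 0xFFFFFFFF)
        if all(0x20 <= b < 0x7F for b in raw):
            found[imm] = raw
    return found

# Constructed value for the demo, NOT the real GREENIE check from the sample.
EXPECTED = 0x44434241

if __name__ == "__main__":
    print(hex(dword_from_ascii(b"ABCD")), ascii_from_dword(EXPECTED))
    print(env_value_matches(b"ABCDxyz", EXPECTED), env_value_matches(b"AB", EXPECTED))
    print(printable_ascii_immediates([0x44434241, 0xDEADBEEF, 0x21594548]))
```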
