Post

TrainingDay

Posted
Preview Image
By Heland
views 2 min read
TrainingDay

CHALLENGE DESCRIPTION

A fresh new day, a well-rested cybersecurity professional—ready to learn something new after a chaotic week. Scrolling through challenges, they stumble upon TrainingDay, download the artifacts, and boom—three different binaries, each doing its own thing. Do they panic? Nope. This is exactly what they signed up for—some good old-fashioned reversing fun. If this sounds like you, what are you waiting for? Grab your debugger and dive in!

SOLUTION

We will use VirusTotal to analyze these malwares.

What is sha256sum hash of argument_baby_1.exe ?

Answer dc6267608ddfcc5c80571ccd46475a03fb667baf8620d0e91c93ccacacf97ef6

Can you find development enviroment of malware author (e.g:ide) ? Click on Details tab, scroll down and we will see VS2022, which means …

Answer Visual Studio

What CPU architecture was argument_baby_1.exe compiled for ?

Search CPU [filename] and click on first link, scroll down and we can notice something. Hybrid-analysis.

Answer 32 bit

Is argument_baby_1.exe a symbol-stripped binary?

1

file [filename]

If it shows stripped, it’s true.

Answer false

Retrieve the full PDB file path from the debug information of argument_baby_1.exe Ctrl F to find PDB

Answer C:\Users\HTB\Desktop\argument\Release\argument.pdb

The malware author was using a Windows OS. What was the associated username? Scroll down to File Details section.

Answer HTB

What calling convention is used in argument_baby_1.exe ?

1

objdump -d [filename]
Answer cdecl

How is the 1st argument passed to the function in argument_baby_1.exe?

Answer esp

How is the 2nd argument passed to the function in argument_baby_1.exe?

Answer esp+4

How is the 3rd argument passed to the function in argument_baby_1.exe?

Answer esp+8

How is the 4th argument passed to the function in argument_baby_1.exe?

Answer esp+c

How is the 5th argument passed to the function in argument_baby_1.exe?

Answer esp+10

Which CPU register holds the function’s return value in argument_baby_1.exe?

Answer eax

What calling convention is used in argument_baby_2.exe ?

Answer fastcall

How is the 1st argument passed to the function in argument_baby_2.exe?

Answer ecx

How is the 2nd argument passed to the function in argument_baby_2.exe?

Answer edx

How is the 3rd argument passed to the function in argument_baby_2.exe?

Answer esp

How is the 4th argument passed to the function in argument_baby_2.exe?

Answer esp+4

How is the 5th argument passed to the function in argument_baby_2.exe?

Answer esp+8

What CPU architecture was argument_baby_3.exe compiled for ?

Answer 64 bit

How is the 1st argument passed to the function in argument_baby_3.exe?

Answer rcx

How is the 2nd argument passed to the function in argument_baby_3.exe?

Answer rdx

How is the 3rd argument passed to the function in argument_baby_3.exe?

Answer r8

How is the 4th argument passed to the function in argument_baby_3.exe?

Answer r9

How is the 5th argument passed to the function in argument_baby_3.exe?

Answer rsp+20

In the case of argument_baby_3.exe, which CPU register stores the function’s return value?

Answer rax
HTB-sherlock, Malware-Analysis, easy
CTF writeup malware