# Reverse Engineering Lab – RE101

**Title:** Static Malware Analysis & Obfuscation Techniques\
**Author:** Omar\
**Lab Source:** CyberDefenders RE101\
**Focus:** Real-world static RE challenges featuring base64 obfuscation, JSFuck, Brainfuck, file format exploitation, and XOR-based encryption.

### 📘 Overview

This lab simulates a real-world malware triage workflow, analyzing multiple obfuscated binaries using **only static analysis techniques**. The objective is to reverse-engineer obfuscation layers, decrypt embedded payloads, and uncover hidden logic — all without executing the samples.

The challenges were designed to feature:

* Anti-debugging and anti-analysis methods (e.g., stack strings)
* Malformed file structures (e.g., ZIP header corruption)
* Uncommon encoding and scripting formats (JSFuck, Brainfuck)
* XOR-based encryption with custom logic

***

### 🧪 Challenge 1: `malware000` — PE File with Base64 Payload

**Tools:** PEStudio, CyberChef

* Opened the sample in **PEStudio**
* Discovered a long Base64-encoded string in the resource section
* Decoded using **CyberChef**’s Base64 decode module

🔎 **Insight:** Malware often hides payloads in string sections. Decoding obvious obfuscation like Base64 is a quick win.

***

### 🧪 Challenge 2: `Just some JS` — JSFuck Obfuscation

**Tools:** Text editor, JSFuck decoder

* Opened the file and noticed only `[]()+!` characters — a clear sign of **JSFuck**
* Copied and pasted into a JSFuck decoder
* Revealed clear-text JavaScript logic and embedded string

🔎 **Insight:** JSFuck is still used in phishing campaigns to hide malicious JS payloads. Recognizing it by syntax saves time.

***

### 🧪 Challenge 3: `this_is_not_js` — Brainfuck Script

**Tools:** Text editor, Brainfuck interpreter

* Initially looked like minified JS but turned out to be **Brainfuck**
* Used an interpreter to decode the logic and output a readable string

🔎 **Insight:** Always inspect the character set. Unfamiliar syntax may indicate esoteric languages used for obfuscation.

***

### 🧪 Challenge 4: `file.zip_broken` — Corrupted ZIP Header

**Tools:** Hex editor (HxD), ZIP spec reference

* Couldn’t unzip due to header issues
* Compared with a valid ZIP header (should start with `50 4B 03 04`)
* Found the file name length field corrupted to `58 58` and corrected it to `08 00`
* Repackaged and extracted the archive with a password

🔎 **Insight:** Knowing internal file structure is essential. Even small header corruption can hide malicious files.
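To make the header check concrete, here is an added Python example (not part of the original writeup) that parses a ZIP local file header, flags a file name length field that has been overwritten with `58 58` as in this challenge, and patches it back to `08 00`. The archive bytes are constructed inline and only the local header is modelled.

```python
import struct
import zlib

# ZIP local file header (PKWARE APPNOTE 4.3.7): 30 fixed bytes, then the file
# name and extra field. Offsets that matter for this repair:
#   0   signature          50 4B 03 04 ("PK\x03\x04")
#   26  file name length   uint16, little-endian
#   28  extra field length uint16, little-endian
LFH_FMT = "<4sHHHHHIIIHH"
LFH_SIZE = struct.calcsize(LFH_FMT)  # 30
LFH_SIG = b"PK\x03\x04"


def check_local_header(buf: bytes) -> dict:
    """Parse the first local file header and list inconsistencies.

    Empty "issues" means the fixed fields agree with the bytes that follow;
    the name check is a heuristic, not a full ZIP validation."""
    issues = []
    if len(buf) < LFH_SIZE:
        return {"name": None, "issues": ["shorter than a local file header"]}
    fields = struct.unpack_from(LFH_FMT, buf, 0)
    sig, name_len, extra_len = fields[0], fields[9], fields[10]
    if sig != LFH_SIG:
        issues.append(f"bad signature {sig.hex(' ')}, expected 50 4b 03 04")
    name = buf[LFH_SIZE:LFH_SIZE + name_len]
    if LFH_SIZE + name_len + extra_len > len(buf):
        issues.append(f"file name length 0x{name_len:04x} runs past end of data")
    elif not name.isascii() or b"\x00" in name:
        issues.append("file name is not plain ASCII; length field is suspect")
    return {"name": name.decode("ascii", "replace"), "issues": issues}


def patch_name_length(buf: bytes, new_len: int) -> bytes:
    """Rewrite the two-byte file name length at offset 26 (e.g. 58 58 -> 08 00)."""
    return buf[:26] + struct.pack("<H", new_len) + buf[28:]


def build_sample_zip() -> bytes:
    """Constructed sample: one stored (method 0) entry named flag.txt, local header
    only; no central directory is needed to exercise the check above."""
    name, data = b"flag.txt", b"constructed sample payload\n"
    header = struct.pack(LFH_FMT, LFH_SIG, 20, 0, 0, 0, 0,
                         zlib.crc32(data), len(data), len(data), len(name), 0)
    return header + name + data


if __name__ == "__main__":
    good = build_sample_zip()
    bad = patch_name_length(good, 0x5858)  # reproduce the "58 58" corruption
    print(check_local_header(bad)["issues"])
    print(check_local_header(patch_name_length(bad, 8)))
```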

***

### 🧪 Challenge 5: `malware101` — Stack Strings Anti-Analysis

**Tools:** IDA Pro

* Loaded binary and analyzed `main()` function
* Observed multiple `mov` instructions pushing characters to the stack
* Rebuilt the hidden string manually from stack assignments

🔎 **Insight:** Stack strings are used to hide suspicious strings from static scanners. You don’t need a debugger if you recognize the pattern.

***

### 🧪 Challenge 6: `malware201` — XOR + Shift Encrypted Buffer

**Tools:** IDA Pro, CyberChef

* Identified `unk_40082B` as the encrypted buffer
* Reverse engineered the `sub_400620` function
* Logic:
  * XOR each byte at index `i` with the key byte `(i % 0xFF) | 0xA0`
  * Shift the result right by 1 bit
* Recreated the decryption logic in **CyberChef** using custom modules

🔎 **Insight:** XOR encryption combined with bitwise operations is common in malware loaders. CyberChef makes this type of decryption fast and repeatable.

The encrypted buffer extracted from `unk_40082B`:

```
encry_flag = [0x6d, 0x78, 0x61, 0x6c, 0xdd, 0x7e, 0x65, 0x7e, 0x47, 0x6a, 0x4f, 0xcc, 0xf7, 0xca, 0x73, 0x68, 0x55, 0x42, 0x53, 0xdc, 0xd7, 0xd4, 0x6b, 0xec, 0xdb, 0xd2, 0xe1, 0x1c, 0x6d, 0xde, 0xd1, 0xc2]
```

Entering `sub_400620` and viewing its pseudocode shows the final step of the challenge: each byte of `encry_flag` is XORed with the corresponding `xor_key` byte and the result is shifted right by 1. The `xor_key` byte for index `i` is `(i % 0xFF) | 0xA0`.

The resulting `xor_key` for the 32-byte buffer:

```
xor_key = [0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf]
```
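The CyberChef recipe can be reproduced in a few lines of Python. This is an added example, not the author's or the challenge's code: it derives the key schedule from `(i % 0xFF) | 0xA0`, applies the XOR-then-shift-right decryption to the `encry_flag` bytes above, and adds the inferred forward direction to show why the shift makes the scheme lossy.

```python
# Encrypted buffer from the page (malware201, unk_40082B): 32 bytes.
ENCRY_FLAG = bytes([
    0x6d, 0x78, 0x61, 0x6c, 0xdd, 0x7e, 0x65, 0x7e, 0x47, 0x6a, 0x4f, 0xcc,
    0xf7, 0xca, 0x73, 0x68, 0x55, 0x42, 0x53, 0xdc, 0xd7, 0xd4, 0x6b, 0xec,
    0xdb, 0xd2, 0xe1, 0x1c, 0x6d, 0xde, 0xd1, 0xc2,
])


def xor_key(length: int) -> bytes:
    """Key schedule from sub_400620: byte i is (i % 0xFF) | 0xA0.

    For a 32-byte buffer that is just 0xA0, 0xA1, ..., 0xBF: i < 32 only sets
    the low five bits, and 0xA0 has those bits clear."""
    return bytes(((i % 0xFF) | 0xA0) for i in range(length))


def decrypt(buf: bytes) -> str:
    """XOR each byte with its key byte, then shift right by 1 (logical shift on
    unsigned bytes, which is what CyberChef does).

    The shift discards the low bit of (c ^ k), so the plaintext is always 7-bit
    and the original buffer cannot be rebuilt byte-for-byte from the output."""
    key = xor_key(len(buf))
    return bytes((c ^ k) >> 1 for c, k in zip(buf, key)).decode("ascii")


def encrypt(text: str) -> bytes:
    """Forward direction inferred from the decryptor: shift left by 1, then XOR.

    encode("ascii") rejects anything that does not fit in 7 bits, which is the
    precondition for (p << 1) to stay inside a byte."""
    plain = text.encode("ascii")
    key = xor_key(len(plain))
    return bytes((p << 1) ^ k for p, k in zip(plain, key))


if __name__ == "__main__":
    print(xor_key(32).hex(" "))
    print(decrypt(ENCRY_FLAG))
```

Re-encrypting the recovered text reproduces the buffer except for bit 0 of each byte, which is exactly the information the right shift threw away.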

***

### 🧠 Key Takeaways

| Area                     | Key Learning                                     |
| ------------------------ | ------------------------------------------------ |
| Static Analysis          | Powerful even without running the malware        |
| File Format Forensics    | Essential to repair broken headers and ZIPs      |
| Anti-Analysis Techniques | Stack strings, XOR logic, custom obfuscation     |
| Rare Encodings           | JSFuck & Brainfuck are still relevant in malware |
| Tool Familiarity         | CyberChef, IDA, hex editors, string extractors   |

***

### 🛠️ Tools & References

* [PEStudio](https://www.winitor.com/)
* IDA Pro
* CyberChef
* JSFuck Decoder
* Brainfuck Interpreter
* ZIP File Format Spec

📌 Original challenge:\
🔗 [RE101 on CyberDefenders](https://cyberdefenders.org/blueteam-ctf-challenges/re101/)
