Description
Analyze a suspicious Windows executable, identify unique strings, and craft a YARA rule that catches the sample when submitted to the remote harness.
Unzip the sample (password: picoctf) and note it’s a UPX-packed PE (`MZ` header, strings mention UPX).
Install `strings`, `socat`, and `upx` locally so you can inspect and submit your rule.
```bash
sudo apt install socat upx -y
unzip suspicious.zip
strings suspicious.exe > file.txt
upx -d suspicious.exe
```
Solution
- Step 1: Collect indicators. Running `strings` before and after unpacking reveals unique byte sequences: the `MZ` magic, “YaraRules0x100”, “UPX”, “NtQuery”, and the phrase “debugger process”. These make excellent rule strings.
- Step 2: Write the YARA rule. Combine the indicators into a rule that looks for the `MZ` header plus YaraRules0x100 and either UPX or NtQuery, or alternatively the entire “debugger process” string.

  ```yara
  rule Rule {
      strings:
          $mz = {4D 5A}
          $name = "YaraRules0x100"
          $packer = "UPX"
          $ntquery = "NtQuery"
          $phrase = "debugger process" wide ascii
      condition:
          ($mz and $name and ($packer or $ntquery)) or $phrase
  }
  ```

- Step 3: Submit via socat. Save the rule to `sample.txt` (or any filename) and pipe it to the grading service with socat. If it matches all test cases, the server returns the flag.

  ```bash
  socat -t60 - TCP:standard-pizzas.picoctf.net:59919 < sample.txt
  ```
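To see why the rule above matches both the packed and the unpacked build, here is an added Python emulation of its strings and condition (not part of the original writeup, and not the real `suspicious.exe`); the byte buffers are constructed stand-ins, and the `wide` modifier is reproduced as a UTF-16LE search.

```python
"""Emulate the writeup's YARA rule over constructed byte buffers.

Each YARA string is mirrored as a bytes pattern and the condition is
evaluated by hand, so the rule logic can be checked without yara installed.
"""

MZ = b"MZ"                                  # $mz = {4D 5A}
NAME = b"YaraRules0x100"                    # $name
PACKER = b"UPX"                             # $packer
NTQUERY = b"NtQuery"                        # $ntquery
PHRASE_ASCII = b"debugger process"          # $phrase, ascii form
PHRASE_WIDE = "debugger process".encode("utf-16-le")  # $phrase, wide form


def explain(data: bytes) -> dict:
    """Report which individual rule strings hit; handy when tuning a rule."""
    return {
        "$mz": MZ in data,
        "$name": NAME in data,
        "$packer": PACKER in data,
        "$ntquery": NTQUERY in data,
        "$phrase": PHRASE_ASCII in data or PHRASE_WIDE in data,
    }


def matches_rule(data: bytes) -> bool:
    """($mz and $name and ($packer or $ntquery)) or $phrase

    Like the original rule, $mz is allowed anywhere in the buffer, not
    pinned to offset 0 (that would need `$mz at 0` in YARA).
    """
    s = explain(data)
    return (s["$mz"] and s["$name"] and (s["$packer"] or s["$ntquery"])) or s["$phrase"]


# Constructed samples (assumptions, not the challenge binary):
PACKED_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"UPX0\x00UPX1\x00" + b"YaraRules0x100\x00"
UNPACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
                   + b"NtQueryInformationProcess\x00" + b"YaraRules0x100\x00")
WIDE_ONLY_SAMPLE = b"\x00" * 16 + PHRASE_WIDE + b"\x00" * 16   # no MZ, UTF-16 phrase
BENIGN_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode\x00" + b"UPX\x00"

if __name__ == "__main__":
    for label, buf in [("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE),
                       ("wide-only", WIDE_ONLY_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:10} -> {matches_rule(buf)}  {explain(buf)}")
```

The benign buffer shows the value of requiring `$name`: a UPX string plus an `MZ` header alone is not enough to fire the rule.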
Flag
picoCTF{yara_rul35_r0ckzzz_216...}
Any rule that nails at least one unique string plus the PE header works; the combination above passed all server tests.