Basic Malware RE

Passwords for archives: MalwareTech
Using Ghidra:
strings1.exe_
Just check the entry function
strings2.exe_
This one is a bit more challenging
Check the entry function again; it contains multiple variable declarations.
First, the char variable is assigned ‘F’ (as in FLAG),
then the undefined variables are assigned one by one, after the pointer declaration;
these are probably the other characters of the flag. I used CyberChef to decode the hex.
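Added example (not part of the original write-up): a Python sketch that automates the manual hex decoding for a string built on the stack like this one. It assumes Ghidra's default local_<hex offset> variable names; the decompiler snippet and the FLAG{DEMO} value are constructed for illustration and are not taken from strings2.exe_.

```python
import re

# Byte widths of the Ghidra types seen when a string is built on the stack.
WIDTHS = {"char": 1, "undefined": 1, "undefined1": 1, "undefined2": 2, "undefined4": 4}
DECL = re.compile(r"^\s*(char|undefined[124]?)\s+(local_[0-9a-f]+)\s*;", re.M)
ASSIGN = re.compile(
    r"^\s*(local_[0-9a-f]+)\s*=\s*(0x[0-9a-fA-F]+|\d+|'(?:\\.|[^'\\])')\s*;", re.M)

# Constructed decompiler output (not the challenge's code or flag).
SAMPLE = r"""
  char local_2c;
  undefined local_2b;
  undefined local_2a;
  undefined local_29;
  undefined4 local_28;
  undefined local_24;
  undefined local_23;
  undefined local_22;
  char *local_8;
  local_2c = 'F';
  local_8 = &local_2c;
  local_2b = 0x4c;
  local_29 = 0x47;
  local_2a = 0x41;
  local_28 = 0x4d45447b;
  local_24 = 0x4f;
  local_23 = 0x7d;
  local_22 = 0;
"""

def recover_stack_string(decompiled: str) -> str:
    """Rebuild a string stored byte by byte in local_<hex offset> variables."""
    width = {name: WIDTHS[typ] for typ, name in DECL.findall(decompiled)}
    memory = {}  # frame offset -> byte value
    for name, value in ASSIGN.findall(decompiled):
        if value.startswith("'"):  # char literal such as 'F' or '\0'
            number = ord(value[1:-1].encode().decode("unicode_escape"))
        else:
            number = int(value, 0)
        base = -int(name.split("_")[1], 16)  # local_2c sits at offset -0x2c
        size = max(width.get(name, 1), (number.bit_length() + 7) // 8)
        for i, byte in enumerate(number.to_bytes(size, "little")):
            memory[base + i] = byte
    out, addr = bytearray(), min(memory, default=0)
    while memory.get(addr, 0) != 0:  # stop at the NUL terminator or a gap
        out.append(memory[addr])
        addr += 1
    return out.decode("latin-1")
```

Bytes are placed by stack offset rather than by assignment order, so reordered stores and the merged undefined4 store (little-endian) still decode correctly.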
strings3.exe_
The hardest to understand… but ironically, grabbing the flag is easy.
After analysis, even if you only get a vague idea of what is going on,
checking the variable in the message box reveals the value from the 'LoadStringA' function
from the User32 library, which is the flag.