The hint is referring to the singular string required for the challenge YARA rule.

We are given the following instructions in the directions.txt file:

Given the included archive of malware samples:

Find the longest, contiguous, most efficient rule to catch all of them.

The rule must use the hexadecimal format.

The rule CANNOT fire on any other samples. ONLY the 48 provided.

The wildcard ("?" or "??") is allowed but not jumps "[1-6]". See
http://yara.readthedocs.io/en/latest/writingrules.html#hexadecimal-strings

The samples are included in yara_samples.7z password is "infected"

The rule must follow this example format:

rule yara_challenge

{

strings:

$yara_challenge = { de ad b? ef ?? ??}

condition:

all of them

}

You will change the contents of $yara_challenge from "de ad b? ef ??
??" to a hex formatted rule that will catch all 48 samples.

Use this template when submitting your rule:

rule yara_challenge

{

strings:

$yara_challenge = { ** ** ** ** ** ** }

condition:

all of them

}

Hint:

There are 52 wildcard "?"'s within the answer

Malware samples have the following sha256 hashes:

0050e14f8e6bca0b2b99708f0659e38f407debec5ab7afc71de48fb104508a60

04a23b3cb2d6361df66ca94a470ffa1017a8e5cd3255ce342219765d7d4619bc

104a657a127f86f7b3c0266374d3c8190089600649bfec9d022a1db5a593ff05

10611281e1ccbdbb578b5d5e2b5d3bb101b137313f30488859d33efc0b0a2d49

16efd909ed255628ad4da000cb7a2d1efda45ba3c549cb6c89017f92ffe3661f

190759abb680efcc7e3ae3321089b43dbf3fa96a5d23a1cfb67b0eac4479bd7e

1bbeca916a642737c0a0366afdf5054b4c34763f3ef182ce02fbd47330df08a5

1d0d00c76353c8a1d2e33af602238244f0e0417193d7f65cfca4f4b576107071

2037ffebd0249c148a7aace14bddb1e722676449a1fb2e242c54de9507aa9891

383f0d2cbf8914c3ecb23ea82bff38e1c048980806e37d75e3539362d105675c

3c14b486b84574dddb44e6090bea99f1635271aa9d2b34e121b9a6a7c63e20eb

495a0660bbeebdf5c97066962a188b2df761f73ccd0056491a1a66a02f7d8b22

4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6

584da5ab12cecc1346990260edbddff27c6a8beb64fddb43e4a5e4c3c7aeafed

5db8bb1cff115c3d984a560508dea374163d1579d61c64c5f8339bed21247858

5dcdf2e8f1b9348bfd3330a31a70a4b5fc03dd86e45553dca9d85f74f9d8ec6c

637aef27fca11245278a48f70535902570ef526ba19bcb8a675f07cdc7788993

64a373487c4cc2b8b60687ecc01150b546b18be7069981c5fe5d48075190f1ff

693f08996d40c0c2bdb25ae5457d44f9df694a8972a70fe989312753c7fe9ab4

7c7700a4b8e19a168f7befb37155cdb133fec1fd5944e4ad57d483be40f9f5d5

7d40062e8399a547f5578d462d3d864abf44a52a251f3d6dc0e3d0f2919b9b06

7d5f4c2030022ca5db32716635f8b2f850fe74531d0dc1dc859e86dc9afdd411

7e732e41d93b613cac1ba979d7f7c98c8603f65a50bbf6b6198f1ee396dc7174

837485ae1a0d843692bac9f91ad3f3c77f576414c2f1abc477b053dbc3302939

873276d9f8cbf3206408319f5579048663b30cb8f36b1a1a0a08e74a2685c688

8cea8428c05a2845315cbdd64daa9bfcfc6ee49f935923786452db8b7e395662

98fe63c98c8865781a7ef52b8b105dd3eeb444dfe3242468af0211eadd4076a5

a0d777ff492a90ec6d9eff93e38e7b35cf0ff70111b7723dc48a88ccd468d1fa

a4ef1ce4dd797047944605ab1d94b6e7e091949635b04ffb4cb929e1c13a93b5

a52762177877479859e4f88a13f605ad1e69d759019cf49dcf026781375b74a7

bb4f09d5fb61d65e48bfc235657a895280ebe9c0bb20ddff112edb6ab5a6114a

c8acb5eab3b6019fda9609b2badd902d7be9ebdd042e2c244018589ff1398355

cc170c55c076d3c280752bfb55b25b28cc4fa56c730a2df64e636f92b737ce01

d8a6e6bace789a863e537f814cca587ae697e9a5533ae43288d76f3fcad4491f

dbbd5d7944b1791027762a40a70b3c74772a9d31b5c67b6519394a1705edabcc

df391f2ffc4e001b1572bb0386504a2e6bc56b0446575be4035cb617f8f0c579

e03bd4b39cf7bc80a5177abe797dd896df1c97c59ede45728a245f7b912def33

e6a2b6355fd513a8ce24deef488ee3cc39f5d736915965875c54f81c19e52971

e96de8414e0e438184d2352be17d1f31f2f309fe5f4c7c167dd4375fa28f96b0

e9af4018616e4275c6b6af5531bb988431c1454d8567cc4f6c7d2b4dc63440aa

e9d191e5a9565068627795d74eb6605f3878b6c5655955f72f69dffa5076e495

ea96636e1c8741efac1eefb673726087261fa23c680a8556abf36ec13409253f

ef3b6b3060ef897724cea9ac2080b1201d08c9e6a0dad0ecf492c08441a4f604

f3b82f2c80c2ea5496407200bab1cc04f3679b80c74608aa03bfae37e62f992e

f48db6b5d9d34ead2dc736cd7f8af15b7b6fb3e39fe0baf5eac52e1e3967795c

f6a180cc3b31693739089a9966dd1feb107bb49216f1e3ed11baab8e4f6b5226

f737829e9ad9a025945ad9ce803641677ae0fe3abf43b1984a7c8ab994923178

fc2751ff381d75154c76da7a42211509f7cc3fd4b50956e36e53b4f7653534d5

So lets unzip the included archive and take a look at the included files.

Based off of the above conditions, it appears that the rule must be exclusive to this set of 48 files. That rules out common repeating elements of a PE file, like header, padding etc. So I’m going to look at data and functionality within the binaries.

My approach to this problem would be to diff the two smallest files in the archive and see what code lines up. (If you have a paid version of IDA-Pro, you can use a free plugin, BinDiff.) We’ll diff the two smallest files:

  • fc2751ff381d75154c76da7a42211509f7cc3fd4b50956e36e53b4f7653534d5

  • e96de8414e0e438184d2352be17d1f31f2f309fe5f4c7c167dd4375fa28f96b0

Let’s sort the diffed files by basic block count, this will give us the longest functions in the binaries.

It looks like they’re 100% the same according to bindiff. Looks promising.

Opening up both files at sub_10001000 in Hex View in IDA we can see that they’re practically identical.

Since we’re going to convert this hex to a yara rule lets open up these files in bash and convert them to text. Then do a silly grep for the beginning of the hex that matches and almost everything after that.

This gives us a nice text file with all of the similar hex bytes:

There are 48 unique lines, so it looks like we’re on the right track. Next step is to write a python script to figure out the placement of those 52 wildcards.

This script checks line by line, then character by character to see if the hex text matches, if not it’s replaced with a “?”. It then cuts off the rule after the 52^nd^ occurrence of the “?” and prints out the rule:

We end up with a yara rule that catches all 48 samples:

rule yara_challenge
{
	strings:
		$yara_challenge = { 
5153568B742414B9030000008BC633DB99F7F93BD375048BC6EB1683FA0175058D4602EB0C8
3FA028D460174048B4424088D0C8500000000B856555555F7E98B4C241C8BC2C1E81F03D049
3BCA7D065E33C05B59C3558D5601575289742414895C2428E8?E??00008BCE8B74241C8BE88B
C18BFD83C404C1E902F3A58BC883E103F3A48B4C241C8B74242083F903C60429000F8C870000
00B8ABAAAAAAF7E1D1EA8D04522BC8894C24108B7C242483C3048A0C2F83C703C1F90283E1
3F897C24248A81?0???0?088441EFC8A4C2FFD8A442FFE83E103C1F804C1E10483E00F0BC88A8
9?0???0?0884C1EFD8A442FFF8A4C2FFEC1F80683E10F83E003C1E1020BC18A80?0???0?08844
1EFE8A4C2FFF83E13F4A8A81?0???0?088441EFF758B8B44241083F802754E8B4424248A0C288
D7C2801C1F90283E13F8A91?0???0?08814338A04288A0F83E003C1F904C1E00483E10F0BC18
A90?0???0?0885433018A0783E00F8A0C85?0???0?0884C3302C64433033DEB3883F80175368B
4424248A1428C1FA0283E23F8A8A?0???0?0880C338A142883E203C1E2048A82?0???0?088443
301B03D884433028844330383C30455C6043300E8?5??000083C4048BC35F5D5E5B59C390909
09090909090909053568B74240C578BFE83C9FF33C0F2AEF7D1498BF98BC7250300008079054
883C8FC4074065F5E33C05BC368?4 }
	condition:
		 all of them 
}

Submitting the rule above will result in the key: PAN{8oogI3_WonD3rL4nd}

BONUS:

If you combine the keys from all three yara challenges, they write out a Haiku about the Labyrinth Movie.