30 Sep 2012

CSAW 2012 – Reversing 500

For this challenge, we’re given two files:


8086100f.mrom: BIOS (ia32) ROM Ext. (6*512)
8086100f.mrom.tmp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped


30 Sep 2012

CSAW 2012 – Reversing 400

Reversing 400 was a 64-bit Linux ELF that you needed to crack/reverse. Let’s have a look.

blasty@fastbox:~/csaw2012$ file csaw2012reversing 
csaw2012reversing: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x012c3cf67d5aa15a9985ea064958921dc600c367, not stripped
blasty@fastbox:~/csaw2012$ ./csaw2012reversing 
Encrypted Key:  ??????????????


30 Sep 2012

CSAW 2012 – Reversing 200

Reversing 200 was a .NET command-line executable (CSAWQualificationEasy.exe) that printed the following string: “Okay, going to compute the key. Have to remember to write it out at the end! I keep forgetting!”. After that it seems to wait for some input before exiting.. odd..

Let’s decompile this program and have a look at what’s going on.

30 Sep 2012

CSAW 2012 – Reversing 100

Reversing 100 is a Windows 32-bit PE executable. When you run it, it displays a MessageBox containing “Encrypted Key: ”. Once you close the MessageBox, the program exits.

30 Sep 2012

CSAW 2012 – Reversing 300

We’re given a Windows .NET executable (CSAWQualification.exe).

Let’s run it:
Do you really just run random binaries given to you in challenges?


29 Feb 2012

CODEGATE 2012 – Binary 300

In this challenge we’re asked to figure out the number of attacks (and related ports) carried out by a zombie host, given a zombie client binary and an associated data file.


29 Feb 2012

CODEGATE 2012 – Binary 200

This challenge requires us to retrieve a plaintext string which would eventually be printed by the provided DLL. Our routine identification attempt tells us that the DLL has been packed using PEtite v2.1.


26 Feb 2012

CODEGATE 2012 – Binary 500

In the challenge’s zip file we find two files:
- vm2x.exe, a simple Win32 GUI program with a handful of buttons
- vm2x.dat, Python bytecode wrapped in a regular Python script

The Python file (vm2x.dat) loads a chunk of embedded Python bytecode (in variable __code) and executes it. Let’s disassemble it; to do that, we first need to strip the last two lines (which execute and subsequently delete the embedded bytecode object).

11 Dec 2011

PHD CTF Quals 2011 – M100 (reversing/crypto)

One of the parts of the PHDays Quals was the ‘meteorite rain’ archive, containing many small and not so small challenges. One of these (M100) was tougher than most and quite interesting, so we decided to do a writeup.

The file M100 is a Windows console program written in C++. This means it’s a bit of a pain to reverse engineer. One of my teammates did the reverse engineering but then got stuck, so he asked if I could take a look at it. Basically the program looked like this when translated to a simple C program:
