For this challenge, we’re given two files:
8086100f.mrom: BIOS (ia32) ROM Ext. (6*512)
8086100f.mrom.tmp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
Reversing 400 was a 64bit Linux ELF that you needed to crack/reverse. Let’s have a look.
blasty@fastbox:~/csaw2012$ file csaw2012reversing csaw2012reversing: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x012c3cf67d5aa15a9985ea064958921dc600c367, not stripped blasty@fastbox:~/csaw2012$ ./csaw2012reversing Encrypted Key: ??????????????
Reversing 200 a .NET commandline executable (CSAWQualificationEasy.exe) that printed the following string: “Okay, going to compute the key. Have to remember to write it out at the end! I keep forgetting!”. After that it seems to wait for some input before exitting.. odd..
Let’s decompile this program and have a look what’s going on.
Reversing 100 is a Windows 32bit PE executable. When you run it displays a MessageBox containing “Encrypted Key:
We’re given a Windows .NET executable (CSAWQualification.exe).
Let’s run it:
Do you really just run random binaries given to you in challenges?
In this challenge we’re asked to figure out the number of attacks (and related ports) carried out by a zombie host, provided a zombie client binary and an associated data file.
This challenge requires us to retrieve a plaintext string which would be eventually printed by the provided DLL. Our routine identification attempt tells us that the DLL has been packed using PEtite v2.1.
In the challenge’s zipfile we find two files:
- vm2x.exe, a simple Win32 GUI program with a handful of buttons
- vm2x.dat, python bytecode wrapped in a regular python script
The python file (vm2x.dat) loads a chunk of embedded python bytecode (in variable __code) and executes it. Let’s disassemble it, for which we first need to strip the last two lines (which execute and subsequently delete the embedded bytecode object).
One of the parts of the PHDays Quals was the ‘meteorite rain’ archive, containing many small and not so small challenges. One of these (M100) was tougher than most and quite interesting, so we decided to do a writeup.
The file M100 is a Windows console program written in C++. This means it’s a bit of a pain to reverse engineer. One of my teammates did the reverse engineering but then got stuck, so he asked if I could take a look at it. Basically the program looked like this when translated to a simple C program: