
Thread: F-Secure Reverse Engineering Challenge

  1. #1
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5

    F-Secure Reverse Engineering Challenge

    The 2007 version of this enjoyable challenge has started up...

    http://www.khallenge.com/

  2. #2
    Thug4Lif3
    Guest
    Really funny
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Level 1 291 0 hours 1 minutes
    lol wut.

    Well, I completed it in ~3 minutes...

    on to level 2!

  4. #4
    Registered User
    Join Date
    Jul 2007
    Posts
    107
    Blog Entries
    6
    Level 3 gets annoying really fast.

  5. #5
    Yes, a job more suited to manual labor than intelligence... unless there's a way around that mess of jumps

  6. #6
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    What I did was write a little IDC script that follows the flow and outputs the instructions without the jumps. Still, it's not very fun to plow through 8kb of text made up almost exclusively of movs and adds.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  7. #7
    whocares
    Guest
    Solved level 3... but it's really REALLY annoying...

  8. #8
    Registered User upb's Avatar
    Join Date
    May 2003
    Posts
    50
    Blog Entries
    4
    spoiler

    llxx: by intelligence you can avoid the manual labour

  9. #9
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Nice upb. I wrote something similar, it creates even more understandable code, but it's kinda hacky/buggy/with limitations.

    Didn't finish level 3 though. After 3 hours, I thought the first part was if(strlen(key) == 0) {bail out}; but it didn't seem to work that way when I checked it in Olly. Then I quit; I'm doing this for fun, not to torture myself.

    On another note, did anyone else get a bug in level 2? The "xor ah, bh" seemed to assume bh was zero, but in fact it was randomly 00, 10, 20 .. F0 on my computer (they used it uninitialized).

    And on yet another note, I had to patch IDA to show more than 1000 nodes in graph mode. I think that says something about level 3

  10. #10
    Registered User
    Join Date
    Jul 2007
    Posts
    107
    Blog Entries
    6
    Level 2 had anti-"lazy unpacking" code.

    With upx -d, I got OEP 40135A, but with manual unpacking I got 401352 instead.

    Even without that, the password was guessable anyway.

    TiGa

  11. #11
    Registered User upb's Avatar
    Join Date
    May 2003
    Posts
    50
    Blog Entries
    4
    level2 had an interesting TLS callback ;-)

  12. #12
    Quote Originally Posted by fr33ke View Post
    On another note, did anyone else get a bug in level 2? The "xor ah, bh" seemed to assume bh was zero, but in fact it was randomly 00, 10, 20 .. F0 on my computer (they used it uninitialized).
    BH was 00 here. My OS was Windows 98SE 4.10.2222A.
    Quote Originally Posted by upb View Post
    level2 had an interesting TLS callback ;-)
    It had one? I didn't even notice that and I solved it anyway. Are we getting different files here?

  13. #13
    No, it is only one file. The UPX-packed file has a TLS callback, and in this proc it checks the BeingDebugged bit via the PEB. If no debugger is found, it modifies the jump to the real OEP, and the real OEP is 401352, not 40135A; it has xor ebx, ebx code at the beginning.
    I am playing with level 3 ??!!
    Best regards,

  14. #14
    Thug4Lif3
    Guest
    Yes, the level has its TLS, but the TLS callback code's purpose is just to check whether a debugger is present or not. It's a lil bit tricky:

    Code:
    UPX2:004070A4                         ; after LdrpCallInitRoutine is call, we land on this
    UPX2:004070A4
    UPX2:004070A4                                         public TlsCallback_0
    UPX2:004070A4                         TlsCallback_0   proc near               ; DATA XREF: UPX2:TlsCallbackso
    UPX2:004070A4
    UPX2:004070A4                         arg_4           = dword ptr  8
    UPX2:004070A4
    UPX2:004070A4 83 7C 24 08 01                          cmp     [esp+arg_4], 1
    UPX2:004070A9 75 1E                                   jnz     short locret_4070C9 ; Reason = DLL_PROCESS_ATTACH ?
    UPX2:004070AB 50                                      push    eax
    UPX2:004070AC 64 A1 18 00 00 00                       mov     eax, large fs:18h ; eax = address of TEB
    UPX2:004070B2 8B 40 30                                mov     eax, [eax+30h]  ; eax = address of PEB
    UPX2:004070B5 0F B7 40 02                             movzx   eax, word ptr [eax+2] ; Being debugged?
    UPX2:004070B9 83 F8 00                                cmp     eax, 0          ; setting ZF
    UPX2:004070BC 0F 94 C0                                setz    al              ; al = ZF
    UPX2:004070BF 6B C0 08                                imul    eax, 8          ; eax = 0 if being debugged,
    UPX2:004070BF                                                                 ; eax = 8 if not
    UPX2:004070C2 28 05 BD 63 40 00                       sub     byte ptr ds:loc_4063BC+1, al ; self-modify code. Change the flow of the program.
    UPX2:004070C8 58                                      pop     eax
    UPX2:004070C9
    UPX2:004070C9                         locret_4070C9:                          ; CODE XREF: TlsCallback_0+5j
    UPX2:004070C9 C3                                      retn
    UPX2:004070C9                         TlsCallback_0   endp

    If debugging is detected, we land on this, and whether the parameter input is C3P0 or not, it won't display the correct email:
    Code:
    UPX1:004063BC                         loc_4063BC:                             ; DATA XREF: TlsCallback_0+1Ew
    UPX1:004063BC E9 99 AF FF FF                          jmp     near ptr word_40135A
    Code:
    0040135A    50              PUSH EAX
    0040135B    35 08714200     XOR EAX,427108
    00401360    1BC2            SBB EAX,EDX
    00401362    870424          XCHG DWORD PTR SS:[ESP],EAX
    00401365    8F05 64204000   POP DWORD PTR DS:[402064]
    0040136B    68 00104000     PUSH FSC_Leve.00401000
    00401370    C3              RETN
    else

    Code:
    UPX1:004063BC                         loc_4063BC:                             ; DATA XREF: TlsCallback_0+1Ew
    UPX1:004063BC E9 91 AF FF FF                          jmp     near ptr dword_401000+352h
    Code:
    00401352    33DB            XOR EBX,EBX
    00401354    68 5A134000     PUSH FSC_Leve.0040135A
    00401359    C3              RETN
    A simple trick, but since maybe we all use some kind of Olly modz, this trick isn't a problem at all.
    Last edited by Thug4Lif3; August 6th, 2007 at 02:04.
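    As an added example (not code from the thread or from the challenge binary), the Python below models the self-modifying jump described in post #14 and explains the two OEPs TiGa saw in post #10: it decodes the E9 rel32 jmp at UPX1:004063BC from the bytes in the listing and applies the callback's `sub byte ptr [loc_4063BC+1], al` for both PEB.BeingDebugged states. The only assumption is that the TLS callback runs once with Reason = DLL_PROCESS_ATTACH (1), as the listing's `cmp [esp+arg_4], 1` shows.

```python
import struct

# Constructed from the listing in post #14: the 5-byte "jmp near ptr word_40135A"
# at UPX1:004063BC (E9 99 AF FF FF) that TlsCallback_0 patches in place.
LOC_4063BC = 0x4063BC
PATCHED_JMP = bytes.fromhex("E999AFFFFF")

DLL_PROCESS_ATTACH = 1


def jmp_rel32_target(addr, code):
    """Decode an E9 rel32 jump at `addr`: target = next instruction + signed rel32."""
    if code[0] != 0xE9 or len(code) < 5:
        raise ValueError("not a 5-byte E9 jmp")
    rel32 = struct.unpack("<i", bytes(code[1:5]))[0]
    return (addr + 5 + rel32) & 0xFFFFFFFF


def tls_callback(jmp_bytes, being_debugged, reason):
    """Model TlsCallback_0 on a copy of the jump's bytes.

    `being_debugged` stands for PEB.BeingDebugged (PEB+2, reached in the listing
    via fs:18h -> TEB, TEB+30h -> PEB). The real callback writes the byte in place;
    here the modified bytes are returned so the effect can be inspected.
    """
    code = bytearray(jmp_bytes)
    if reason != DLL_PROCESS_ATTACH:      # cmp [esp+arg_4], 1 / jnz locret_4070C9
        return bytes(code)
    al = 0 if being_debugged else 1       # cmp eax, 0 / setz al
    eax = al * 8                          # imul eax, 8 -> 0 under a debugger, 8 otherwise
    code[1] = (code[1] - eax) & 0xFF      # sub byte ptr ds:loc_4063BC+1, al
    return bytes(code)


def oep_after_tls(being_debugged):
    """Where loc_4063BC jumps once the callback has run."""
    code = tls_callback(PATCHED_JMP, being_debugged, DLL_PROCESS_ATTACH)
    return jmp_rel32_target(LOC_4063BC, code)


if __name__ == "__main__":
    for dbg in (True, False):
        print(f"BeingDebugged={int(dbg)}: jmp lands at {oep_after_tls(dbg):08X}")
```

    Under a debugger (or a tool like upx -d that never runs the callback) the jump stays at 40135A; without one the displacement byte drops from 99 to 91 and the jump lands 8 bytes earlier, at the 401352 entry that starts with xor ebx, ebx.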

  15. #15
    In all of the runs I did with level 2, OEP was the "wrong" one (0040135a) but EBX upon that "wrong" OEP was 00530000, so two wrongs made a right?

    I was using SoftICE 4. No hiding.
