
Panda Reversing Challenge

A classroom run by newbies for newbies. Gain valuable reversing experience & skills as we explain the ins and outs of RCE.
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

I sent you a PM, just to make sure not to spoil anything for the others :). I completed reversing as well after a day, even though I spent most of the time trudging through what turned out to be the initialization of the runtime... :p Will write my program tomorrow.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Is it interesting to play with?
dion
Member
Posts: 61
Joined: Tue Jul 31, 2007 8:38 am

Post by dion »

Is this really packed, or a bogus? Never played with EncryptPE, though. If it was packed, why is there console API at the beginning, and why can the strings be seen clearly?
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

evaluator: I'm having fun with this, yes. I didn't expect the type of challenge that the program contains. It even contains some of its own anti-debug this time, although most of the protection is again in the (third-party) packer.

dion: let's just say that as with most packers/protectors, EncryptPE can be used to selectively protect certain functions. You will know it when you see it.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Wow, unpacking needed!? =)
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

It's not really encrypted at all. Just lots and lots of junk code inserted.
dion
Member
Posts: 61
Joined: Tue Jul 31, 2007 8:38 am

Post by dion »

Well, it surely is junking DebugView. Weird, is it supposed to make it crash? But it didn't :p
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

That is anti-Olly. Those huge format strings exploit a bug in OllyDbg to make it crash; it's a very common trick. Correspondingly, there are also many options available for fixing it.
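The anti-OllyDbg trick arc_ describes above has a cheap static tell: the oversized format string has to sit somewhere in the file as a printable string packed with `%` conversions, so a strings-style pass over the binary finds it before you ever load the target in the debugger. The scanner below is an added example written for this page, not code from the thread, the challenge or any tool mentioned in it. The sample bytes it scans are constructed, and the threshold of eight conversions per string is an assumption; real log lines carry a handful, the crash payload carries hundreds.

```python
import re
import sys
from typing import List, Tuple

# Printable runs of at least 8 chars, as plain ASCII and as UTF-16LE
# (the W variants of the debug-output APIs take wide strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# One printf-style conversion: flags, width, precision, length modifier, type.
SPEC_RE = re.compile(
    rb"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?[hlLqjz]*[diouxXeEfFgGaAcspn%]"
)


def count_specifiers(s: bytes) -> int:
    """Count real conversions in s; an escaped '%%' is a literal, not one."""
    return sum(1 for spec in SPEC_RE.findall(s) if spec != b"%%")


def find_format_string_payloads(
    data: bytes, min_specs: int = 8
) -> List[Tuple[int, str, int, bytes]]:
    """Return (offset, encoding, specifier_count, string) for every string in
    data dense enough in conversions to be a debugger crash payload.

    min_specs is an assumed threshold: a genuine log line carries a handful of
    conversions, the anti-OllyDbg payload is a wall of them.
    """
    hits: List[Tuple[int, str, int, bytes]] = []
    for m in ASCII_RE.finditer(data):
        n = count_specifiers(m.group(0))
        if n >= min_specs:
            hits.append((m.start(), "ascii", n, m.group(0)))
    for m in WIDE_RE.finditer(data):
        narrow = m.group(0)[::2]  # keep the low byte of each UTF-16LE unit
        n = count_specifiers(narrow)
        if n >= min_specs:
            hits.append((m.start(), "utf-16le", n, narrow))
    return sorted(hits)


# Constructed sample standing in for a section of a protected binary.
# This is demo data for the page, not bytes taken from the real challenge.
SAMPLE = (
    b"\x00" * 16
    + b"value=%d, name=%s\n\x00"                   # ordinary debug line: not flagged
    + b"\x00" * 8
    + b"%s" * 200 + b"\x00"                        # classic OllyDbg 1.10 killer
    + b"\x00" * 8
    + ("%x" * 9 + "%n").encode("utf-16-le") + b"\x00\x00"  # wide-string variant
    + b"\x00" * 8
    + b"progress: 100%% done, 0 errors\x00"        # escaped percent: not flagged
)


def main(argv: List[str]) -> None:
    """Scan the file named on the command line, or the built-in sample."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, enc, n, s in find_format_string_payloads(data):
        preview = s[:40] + (b"..." if len(s) > 40 else b"")
        print(f"0x{offset:08x} {enc:8} {n:4d} conversions  {preview!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python scan.py target.exe`; each hit gives the file offset of a string to neuter (or to set a breakpoint on its use) before loading the target under an unpatched OllyDbg. The scan is purely static, so a payload that is built at runtime, or that lives inside a still-packed section, will not show up until after unpacking.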
wtbw
Member
Posts: 93
Joined: Sun Feb 06, 2005 9:55 pm

Post by wtbw »

Second?! Argh. Must try harder tomorrow ;)
dion
Member
Posts: 61
Joined: Tue Jul 31, 2007 8:38 am

Post by dion »

The hard one... looks a bit 'malicious'. It peeks at my boot sector and hashes it. Still stuck on it, though.
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

I'm pretty stumped on this one as well. If the message is not inside the program, as the challenge description states, then where is it? They can't really make assumptions about specific other files with specific contents existing on the drive... Even ntldr probably changes between Windows versions :confused:

Reversing the hashes is pretty hopeless as well, considering the length of the input data (255 bytes most of the time)...
dion
Member
Posts: 61
Joined: Tue Jul 31, 2007 8:38 am

Post by dion »

From what was said, it is closer to you than it seems; I took the liberty of pointing 'it' to the panda file itself. Dunno, it runs 2 times, watched in Filemon, and nothing more... maybe overflowed inside :p
xwings

Post by xwings »

dion wrote: From what was said, it is closer to you than it seems; I took the liberty of pointing 'it' to the panda file itself. Dunno, it runs 2 times, watched in Filemon, and nothing more... maybe overflowed inside :p
Saw a lot of fork() there. My wild guess could be overflowed. :) Well, I've got no idea how it works.