Reverse Engineering

Hello, here’s my take on the picoCTF2019 reverse engineering asm challenges. If you don’t know assembly, please watch a few tutorials on it: asm1 – Points: 200 CMP: Compares the first source operand with the second source operand and sets the status flags in the EFLAGS register according to the results. The comparison is performed by subtracting the second operand from the first operand and then setting the status flags in the same manner as the SUB instruction....

I’m always late to the party but here’s my solutions to the PicoCTF2019 Vault Doors challenges from the reverse engineering section. I did it this mainly to improve my skills and hopefully to learn some new things. vault-door-training – Points: 50 Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open....

Hello, Here’s a quick article on how to bypass calls to ptrace when debugging a Linux executable. By calling ptrace with the PTRACE_TRACEME option, a process can detect if it’s being debugged and execute different instructions. This an effective anti-debugging technique. For example, take the following C program: int main() { if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { printf("I'm being debugged!n"); } else { printf("Normal flown"); } return 0; } If we execute the program from above we get Normal flow on our screen but if we debug it with gdb we get Err: I'm being debugged!...

Hello, In this article I will describe how I solved the GB – Basic GameBoy crackme challenge from Root-Me. Before reading this article you should attempt to solve the challenge on your own. Start by reading/skimming through the GameBoy CPU manual then download an emulator such as mGba and play with the ROM. To disassemble the ROM I’ve used Ghidra and mgbdis. After reading through the GameBoy CPU manual, I’ve opened the file in Ghidra and found these interesting strings:...

I had some fun this weekend messing around with Ghidra. Having such a powerful tool for free is truly a game changer. To start scripting in Ghidra, I downloaded the latest Eclipse for Java Developers Version: 2019-09 R (4.13.0), Ghidra and Open JDK, I believe any JDK version 11+ will work. After downloading the JDK, extract the zip, put it somewhere and modify your PATH and JAVA_HOME environment variables to point to it:...

Hello, In this article I will describe how I solved the PE x86 – Xor Madness challenge from Root-Me This challenge will ask you for a password and the password is also used to validate the flag. What makes this challenge interesting is that it only uses xor, sub, call and ret. Here’s how I approached the challenge: Since the binary had a few function and some strings were in plain text, I tried to figure out the big picture and labeled all the function accordingly: win, lose, check and so on....

Hello, In this article I’ll present you my solution on the Chapter 5 CTF from the book Practical Binary Analysis. For this binary, the hint is to fix four broken things. Running file gives us the following response: binary@binary-VirtualBox:~/ctf$ file ./lvl3 ./lvl3: ERROR: ELF 64-bit LSB executable, Motorola Coldfire, version 1 (Novell Modesto) error reading (Invalid argument) And the readelf command gives us: binary@binary-VirtualBox:~/ctf$ readelf -h ./lvl3 ELF Header: Magic: 7f 45 4c 46 02 01 01 0b 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: Novell - Modesto ABI Version: 0 Type: EXEC (Executable file) Machine: Motorola Coldfire Version: 0x1 Entry point address: 0x4005d0 Start of program headers: 4022250974 (bytes into file) Start of section headers: 4480 (bytes into file) Flags: 0x0 Size of this header: 64 (bytes) Size of program headers: 56 (bytes) Number of program headers: 9 Size of section headers: 64 (bytes) Number of section headers: 29 Section header string table index: 28 readelf: Error: Reading 0x1f8 bytes extends past end of file for program headers At this moment, it was clear that the ELF header is broken, in order to fix it I opened up Wikipedia and the elf specification....

I always wanted to play around with a binary analysis framework but most of the time I was turned off by how difficult it was to install and use it. Just recently I’ve thought to give angr a try and now I want to share my experience with you! I will present you a two scripts that solve two challenges, if you wish to dig deeper and learn Angr then you should visit it’s official documentation....

It’s been some time since I’ve done some Reverse Engineering and today I’ve completed a simple challenge on . The filename of the challenge is crackme_wtf and here are some hints to get you started: Determine type of FILEs. Don’t be afraid to patch and use a debugger. Try to eliminate the randomness. Maybe some functions that have to do with time, random numbers or the current process’s id. If the last hint doesn’t yield any results… Is the required password really needed to get to the flag?...

Hello, In this article I present you the solution to nice and short cracking challenge from Root-Me. After opening it up in Ghidra, I saw that the challenge is easy to solve, all you need is to find the password, which is in plain text. Basically just copy paste and you get the flag, but wait, there’s a twist! I should have learned my lesson from the other challenge from Root-Me, which also had a twist....