Binary reversing comic

posted Jul 14th 2009 3:40pm by Zach Banks
filed under: cons, downloads hacks, security hacks

b300

Last month, in preparation for Defcon 17, the qualifiers were held for capture the flag, one of Defcon’s most well known events. One participant, [mongii], did a writeup on how to solve problem B300. The challenge was to find the decryption key used by a program that had several twists that hindered debugging. After grappling with self-modifying code and junk instructions, the team was finally able to find the answer. This win helped Sapheads place in the top 10. Over at xchng.info, they are collecting solutions to the other problems. Sadly, they’re not all in comic form.

Comments [26]

tagged: b300, ctf, defcon, defcon17, hackerschool, mongii, sapheads

Reader Comments

ugg asm. This is why I don’t do all that security hacking crap. lol

Posted at 4:10 pm on Jul 14th, 2009 by TMH

Stuff like this makes me want to crawl out of my embedded shell.

Posted at 4:40 pm on Jul 14th, 2009 by paperboy

That comic was awesome! I always wandered what it would take to solve a problem of that calibre. The comic explained simply and was fun to read. MORE PLEASE!!! :)

Posted at 5:04 pm on Jul 14th, 2009 by Glich

that is a loooong comic,

complicated!

Posted at 5:38 pm on Jul 14th, 2009 by paul

if it doesn’t have a inline VM, macros, and anti-dump it’s just a noob level reversing.

Posted at 5:48 pm on Jul 14th, 2009 by TJHooker

Sometimes noob level stuff is harder than the complicated stuff. we tend to think right over it.

Posted at 6:03 pm on Jul 14th, 2009 by Simpleton

lol tjhooker stfu

Posted at 6:03 pm on Jul 14th, 2009 by bort

ASM cracking in a comic. Awesome.
This is why hackaday is the best.

Posted at 6:15 pm on Jul 14th, 2009 by AK

at least they didn’t have to deal with vm. anyways, epic comic.

Posted at 6:55 pm on Jul 14th, 2009 by Jamesy

I going to print this comic.

Posted at 7:22 pm on Jul 14th, 2009 by :D

vm isn’t that common… has anyone seen it in the wild?

Posted at 7:24 pm on Jul 14th, 2009 by cptfalcon

Very nice writeup of the problem and solution. My hat is off to these guys.

Posted at 10:48 pm on Jul 14th, 2009 by Daryl

@TJHooker wtf? they hacked comics with asm. I think thats no low lvl at all. thk theyr 1337 or dontyathk?

Posted at 3:21 am on Jul 15th, 2009 by triplecode

Brilliant !

Posted at 4:27 am on Jul 15th, 2009 by Brianmanden

@bort: Shouldn’t you be camping in /b/ over at 4chan waiting on the next super geek to show there skills by actively sharing kiddy porn?

@triplecode: I know, what’s funny is if you’ve known the old time defcon people any time at all you know they where in their prime when you could get pass login prompts with the escape key, and shellcode was as easy as a hello world. They’re all like ham ‘n’ egger consultants and techs now. The people who compete in their CTF comps are usually wet behind the ears or still in a university.

I think I know one person there good at reversing and pen testing and he thinks pretty much the same thing I do. Especially about that fat head tommee pickles. Whatever though, I’m sure I’m some kind of hater for pointing out what’s visually/verbally/literally obvious.

Posted at 4:49 am on Jul 15th, 2009 by TJHooker

It seems the comic disappeared and an excuse message has taken its place. Anyone care to shed light on what happened?

Posted at 6:13 am on Jul 15th, 2009 by Gabe

scroll dooooown

Posted at 7:30 am on Jul 15th, 2009 by bort

quit telling him to scroll down bort, the comic is up there. ^^

it seems the comic disappeared because you scrolled down to make a pointless comment about peoples ranting gabe. There needs to be chaos to compensate for all the boring people who flash mobbed the nets in the last decade and made it a consumer wasteland loaded full of solicitation just like the real world.

Posted at 11:58 am on Jul 15th, 2009 by TJHooker

@cptfalcon: yes, i have. the online game ‘hacking’ scene is very protective of their stuff.

Posted at 3:19 pm on Jul 15th, 2009 by Jamesy

Seems our comic write up did get around quite a lot more than I expected!

I’m thankful for all the positive criticism, seems like a lot of encouragement for my team to get more write ups out in this form :).

Glad to see you enjoyed the comic!

KOrUPt ~ Sapheads Binary analyst.

Posted at 6:14 pm on Jul 15th, 2009 by KOrUPt

@Jamesy, is this something you might be able to point to? I’ve been pretty interested how nasty the vms can get… is it to the point of randomized instructions per computer?

Posted at 7:59 pm on Jul 15th, 2009 by cptfalcon

@cptfalcon: from what I seen themida, vmprotect, noobyprotect, and securom 7 are the only ones with the feature. It’s done at run time inline in the pe using a few threads. There is the vm then there is code macros. they also mutate the import tables and do anti-dumpin on top of some; it’s all from userland too from what I’ve seen with a lot of obfuscated native calls.

themida/winlicense and vmprotect are probably the hardest to unpack with all the features enabled. Nobody on ‘the scene’ is doing inline patches of anything protected with them(as long as a strong vm and anti-dump are enabled.) underneath all that they have anti-debug. themida/winlicense usually update their engines a lot with new anti-debug and obfuscation algorithms; they do it all from userland too, and the latest completely avoids signature detection.

Posted at 12:01 am on Jul 16th, 2009 by TJHooker

thanks, now i have a few things to play around with. I found after a little digging that there have been trojans that have used themida, but I haven’t pinpointed which yet.

Posted at 11:29 pm on Jul 16th, 2009 by cptfalcon

the b300.exe is absent

Posted at 2:14 am on Jul 17th, 2009 by werejag

@cptfalcon: Yeah I’ve seen it too. 2.0.8.0 can’t be identified by PEID or any AV even with strong heuristics. You might be able to find something with GMER at runtime in the form of hooks and table modification.

Luckily it isn’t leaked. The malware authors have a license, or use the older versions.

I’ve only seen 3 people unpack the 2.x.x.x engines and they where way over the heads of the average crackers doing stuff for release teams.

Posted at 2:58 am on Jul 17th, 2009 by TJHooker

Seeing how all the anti-debug measures (garbage code, int 3 reroute, anti-breakpoint) take up most of the time in an overall reversing effort like this, I just wonder. Why do hackers insist on running the program on the very same CPU that they’re working on at the moment ? Why not do the entire reversing work “offline”, on some sort of a _model_ CPU ?

Call it a VM if you want, or call it an emulator, whatever. In my profession, it’s called a simulator; and it seems to me that it would make reversing so much easier. I’m positive that a cycle-accurate hardware model of the basic x86 architecture already exists, so it would suffice to write a “PE Loader” testbench for use in the freeware version of some simulator, to have a step-by-step timeline of what is actually going on in an executable.

Posted at 1:36 pm on Oct 5th, 2009 by Bokske_gmail_com

Binary reversing comic

Recent Posts

Reader Comments

Leave a Reply

Hacks

Resources

RSS newsfeeds

Most commented on (30 days)

Recent comments