Binary reversing comic

b300

Last month, in preparation for Defcon 17, the qualifiers were held for capture the flag, one of Defcon’s most well known events. One participant, [mongii], did a writeup on how to solve problem B300. The challenge was to find the decryption key used by a program that had several twists that hindered debugging. After grappling with self-modifying code and junk instructions, the team was finally able to find the answer. This win helped Sapheads place in the top 10. Over at xchng.info, they are collecting solutions to the other problems. Sadly, they’re not all in comic form.

Comments

  1. TMH says:

    ugg asm. This is why I don’t do all that security hacking crap. lol

  2. paperboy says:

    Stuff like this makes me want to crawl out of my embedded shell.

  3. Glich says:

    That comic was awesome! I always wondered what it would take to solve a problem of that calibre. The comic explained it simply and was fun to read. MORE PLEASE!!! :)

  4. paul says:

    that is a loooong comic,

    complicated!

  5. TJHooker says:

    if it doesn’t have an inline VM, macros, and anti-dump it’s just noob level reversing.

  6. Simpleton says:

    Sometimes noob level stuff is harder than the complicated stuff. we tend to think right over it.

  7. bort says:

    lol tjhooker stfu

  8. AK says:

    ASM cracking in a comic. Awesome.
    This is why hackaday is the best.

  9. Jamesy says:

    at least they didn’t have to deal with vm. anyways, epic comic.

  10. :D says:

    I’m going to print this comic.

  11. cptfalcon says:

    vm isn’t that common… has anyone seen it in the wild?

  12. Daryl says:

    Very nice writeup of the problem and solution. My hat is off to these guys.

  13. triplecode says:

    @TJHooker wtf? they hacked comics with asm. I think that’s no low lvl at all. thk theyr 1337 or dontyathk?

  14. Brianmanden says:

    Brilliant !

  15. TJHooker says:

    @bort: Shouldn’t you be camping in /b/ over at 4chan waiting on the next super geek to show their skills by actively sharing kiddy porn?

    @triplecode: I know, what’s funny is if you’ve known the old time defcon people any time at all you know they were in their prime when you could get past login prompts with the escape key, and shellcode was as easy as a hello world. They’re all like ham ‘n’ egger consultants and techs now. The people who compete in their CTF comps are usually wet behind the ears or still in a university.

    I think I know one person there good at reversing and pen testing and he thinks pretty much the same thing I do. Especially about that fat head tommee pickles. Whatever though, I’m sure I’m some kind of hater for pointing out what’s visually/verbally/literally obvious.

  16. Gabe says:

    It seems the comic disappeared and an excuse message has taken its place. Anyone care to shed light on what happened?

  17. bort says:

    scroll dooooown

  18. TJHooker says:

    quit telling him to scroll down bort, the comic is up there. ^^

    it seems the comic disappeared because you scrolled down to make a pointless comment about people’s ranting gabe. There needs to be chaos to compensate for all the boring people who flash mobbed the nets in the last decade and made it a consumer wasteland loaded full of solicitation just like the real world.

  19. Jamesy says:

    @cptfalcon: yes, i have. the online game ‘hacking’ scene is very protective of their stuff.

  20. KOrUPt says:

    Seems our comic write up did get around quite a lot more than I expected!

    I’m thankful for all the positive criticism, seems like a lot of encouragement for my team to get more write ups out in this form :).

    Glad to see you enjoyed the comic!

    KOrUPt ~ Sapheads Binary analyst.

  21. cptfalcon says:

    @Jamesy, is this something you might be able to point to? I’ve been pretty interested how nasty the vms can get… is it to the point of randomized instructions per computer?

  22. TJHooker says:

    @cptfalcon: from what I’ve seen themida, vmprotect, noobyprotect, and securom 7 are the only ones with the feature. It’s done at run time inline in the PE using a few threads. There is the VM, then there are code macros. They also mutate the import tables and do anti-dumping on top of some; it’s all from userland too from what I’ve seen, with a lot of obfuscated native calls.

    themida/winlicense and vmprotect are probably the hardest to unpack with all the features enabled. Nobody on ‘the scene’ is doing inline patches of anything protected with them (as long as a strong VM and anti-dump are enabled). Underneath all that they have anti-debug. themida/winlicense usually update their engines a lot with new anti-debug and obfuscation algorithms; they do it all from userland too, and the latest completely avoids signature detection.

  23. cptfalcon says:

    thanks, now i have a few things to play around with. I found after a little digging that there have been trojans that have used themida, but I haven’t pinpointed which yet.

  24. werejag says:

    the b300.exe is absent

  25. TJHooker says:

    @cptfalcon: Yeah I’ve seen it too. 2.0.8.0 can’t be identified by PEID or any AV even with strong heuristics. You might be able to find something with GMER at runtime in the form of hooks and table modification.

    Luckily it isn’t leaked. The malware authors have a license, or use the older versions.

    I’ve only seen 3 people unpack the 2.x.x.x engines and they were way over the heads of the average crackers doing stuff for release teams.

  26. Bokske_gmail_com says:

    Seeing how all the anti-debug measures (garbage code, int 3 reroute, anti-breakpoint) take up most of the time in an overall reversing effort like this, I just wonder. Why do hackers insist on running the program on the very same CPU that they’re working on at the moment? Why not do the entire reversing work “offline”, on some sort of a _model_ CPU?

    Call it a VM if you want, or call it an emulator, whatever. In my profession, it’s called a simulator; and it seems to me that it would make reversing so much easier. I’m positive that a cycle-accurate hardware model of the basic x86 architecture already exists, so it would suffice to write a “PE Loader” testbench for use in the freeware version of some simulator, to have a step-by-step timeline of what is actually going on in an executable.
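The comment above argues that tracing a program in a simulator sidesteps anti-breakpoint and self-modifying-code tricks, because the analyst never has to plant a byte in the target. The following added example (written for this page, not code from the writeup, the Sapheads team, or any real protector) makes that concrete on a constructed toy instruction set: the sample checks one byte of its encrypted payload for a planted breakpoint, decrypts the payload in place with an XOR key wrapped in junk NOPs, then jumps into it. The ISA, opcode values, memory layout and key (0x5A) are all invented for illustration and are not x86 or the real b300 binary.

```python
"""Toy emulator: recover a decryption key from a self-modifying, anti-breakpoint
sample by tracing it offline instead of debugging it in place.
Constructed example; the ISA and program are invented for illustration."""

# Opcodes of the constructed toy ISA (one byte each, operands follow).
MOV, XORM, LOAD, CMP, JNE, JMP, NOP = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
HALT, INT3 = 0xFF, 0xCC          # INT3 plays the role of an x86 software breakpoint byte
SIZE = {MOV: 3, XORM: 3, LOAD: 3, CMP: 3, JNE: 2, JMP: 2, NOP: 1, HALT: 1, INT3: 1}

KEY = 0x5A        # constructed secret the exercise recovers
PAYLOAD = 0x40    # fixed address where the encrypted payload lives


def assemble(items):
    """Two-pass assembler: items are ('label', name) or (opcode, *operands);
    an operand that is a string is resolved to the label's address."""
    addr, labels = 0, {}
    for it in items:                         # pass 1: assign label addresses
        if it[0] == 'label':
            labels[it[1]] = addr
        else:
            addr += len(it)
    out = bytearray()
    for it in items:                         # pass 2: emit bytes
        if it[0] != 'label':
            out += bytes(labels[x] if isinstance(x, str) else x for x in it)
    return bytes(out), labels


def build_program():
    """Assemble the constructed sample into a 0x50-byte memory image."""
    plain = bytes([MOV, 1, 0x42, HALT])              # real payload: r1 = 0x42; halt
    enc = bytes(b ^ KEY for b in plain)              # stored XOR-encrypted
    stub, labels = assemble([
        (LOAD, 2, PAYLOAD),          # anti-breakpoint: read first payload byte...
        (CMP, 2, enc[0]),            # ...and compare with the expected ciphertext
        (JNE, 'decoy'),              # a planted 0xCC sends execution to the decoy
        (NOP,), (MOV, 0, KEY), (NOP,),               # junk NOPs around the key load
        (XORM, PAYLOAD, 0), (XORM, PAYLOAD + 1, 0),  # unrolled in-place decryption
        (NOP,), (XORM, PAYLOAD + 2, 0), (XORM, PAYLOAD + 3, 0),
        ('label', 'jump'), (JMP, PAYLOAD),           # enter the now-decrypted code
        ('label', 'decoy'), (MOV, 1, 0x00), (HALT,), # decoy: r1 stays 0
    ])
    mem = bytearray(0x50)
    mem[:len(stub)] = stub
    mem[PAYLOAD:PAYLOAD + len(enc)] = enc
    return bytes(mem), labels


def run(mem, entry=0, max_steps=1000):
    """Execute from `entry`, recording every instruction and memory write.
    Unlike a debugger, the emulator never modifies the program's own bytes."""
    regs, pc, zf = [0, 0, 0, 0], entry, False
    trace, writes = [], []                   # (pc, op, operands) / (addr, old, new)
    for _ in range(max_steps):
        op = mem[pc]
        ops = tuple(mem[pc + 1:pc + SIZE[op]])
        trace.append((pc, op, ops))
        if op == HALT:
            return regs, trace, writes
        if op == INT3:
            raise RuntimeError(f"breakpoint trap at {pc:#04x}")
        if op == MOV:
            regs[ops[0]] = ops[1]
        elif op == LOAD:
            regs[ops[0]] = mem[ops[1]]
        elif op == CMP:
            zf = regs[ops[0]] == ops[1]
        elif op == XORM:
            addr, r = ops
            writes.append((addr, mem[addr], mem[addr] ^ regs[r]))
            mem[addr] ^= regs[r]
        elif op == JMP or (op == JNE and not zf):
            pc = ops[0]
            continue
        pc += SIZE[op]                       # NOP and fall-through cases
    raise RuntimeError("step limit reached")


def recover_key(mem):
    """Offline reversing: trace the sample and read the key straight out of the
    self-modifying writes (old ^ new). Returns (key, final registers)."""
    regs, _, writes = run(bytearray(mem))
    keys = {old ^ new for _, old, new in writes}
    return (keys.pop() if len(keys) == 1 else None), regs


def run_with_breakpoint(mem, bp_addr):
    """What an in-target debugger does: overwrite a byte with INT3. Returns the
    path the sample took, showing why the anti-breakpoint check bites."""
    mem = bytearray(mem)
    mem[bp_addr] = INT3
    try:
        regs, _, _ = run(mem)
    except RuntimeError:
        return "trap"
    return "payload" if regs[1] == 0x42 else "decoy"


if __name__ == "__main__":
    image, labels = build_program()
    key, regs = recover_key(image)
    print(f"recovered key {key:#04x}, payload set r1={regs[1]:#04x}")
    print("breakpoint on payload byte:", run_with_breakpoint(image, PAYLOAD))
    print("breakpoint on the jump:", run_with_breakpoint(image, labels['jump']))
```

Run as a script it recovers the key from the trace alone, while both debugger-style breakpoints fail: one on the encrypted payload byte trips the integrity check and lands in the decoy, one on the jump instruction simply traps. The same idea scales to real simulators such as the one the comment proposes; the emulator here is deliberately tiny so the mechanism stays visible.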
