Binary Reversing Comic


Last month, in preparation for Defcon 17, the qualifiers were held for capture the flag, one of Defcon’s most well known events. One participant, [mongii], did a writeup on how to solve problem B300. The challenge was to find the decryption key used by a program that had several twists that hindered debugging. After grappling with self-modifying code and junk instructions, the team was finally able to find the answer. This win helped Sapheads place in the top 10.  Over at, they are collecting solutions to the other problems. Sadly, they’re not all in comic form.

26 thoughts on “Binary Reversing Comic

  1. @bort: Shouldn’t you be camping in /b/ over at 4chan waiting on the next super geek to show there skills by actively sharing kiddy porn?

    @triplecode: I know, what’s funny is if you’ve known the old time defcon people any time at all you know they where in their prime when you could get pass login prompts with the escape key, and shellcode was as easy as a hello world. They’re all like ham ‘n’ egger consultants and techs now. The people who compete in their CTF comps are usually wet behind the ears or still in a university.

    I think I know one person there good at reversing and pen testing and he thinks pretty much the same thing I do. Especially about that fat head tommee pickles. Whatever though, I’m sure I’m some kind of hater for pointing out what’s visually/verbally/literally obvious.

  2. quit telling him to scroll down bort, the comic is up there. ^^

    it seems the comic disappeared because you scrolled down to make a pointless comment about peoples ranting gabe. There needs to be chaos to compensate for all the boring people who flash mobbed the nets in the last decade and made it a consumer wasteland loaded full of solicitation just like the real world.

  3. Seems our comic write up did get around quite a lot more than I expected!

    I’m thankful for all the positive criticism, seems like a lot of encouragement for my team to get more write ups out in this form :).

    Glad to see you enjoyed the comic!

    KOrUPt ~ Sapheads Binary analyst.

  4. @Jamesy, is this something you might be able to point to? I’ve been pretty interested how nasty the vms can get… is it to the point of randomized instructions per computer?

  5. @cptfalcon: from what I seen themida, vmprotect, noobyprotect, and securom 7 are the only ones with the feature. It’s done at run time inline in the pe using a few threads. There is the vm then there is code macros. they also mutate the import tables and do anti-dumpin on top of some; it’s all from userland too from what I’ve seen with a lot of obfuscated native calls.

    themida/winlicense and vmprotect are probably the hardest to unpack with all the features enabled. Nobody on ‘the scene’ is doing inline patches of anything protected with them(as long as a strong vm and anti-dump are enabled.) underneath all that they have anti-debug. themida/winlicense usually update their engines a lot with new anti-debug and obfuscation algorithms; they do it all from userland too, and the latest completely avoids signature detection.

  6. thanks, now i have a few things to play around with. I found after a little digging that there have been trojans that have used themida, but I haven’t pinpointed which yet.

  7. @cptfalcon: Yeah I’ve seen it too. can’t be identified by PEID or any AV even with strong heuristics. You might be able to find something with GMER at runtime in the form of hooks and table modification.

    Luckily it isn’t leaked. The malware authors have a license, or use the older versions.

    I’ve only seen 3 people unpack the 2.x.x.x engines and they where way over the heads of the average crackers doing stuff for release teams.

  8. Seeing how all the anti-debug measures (garbage code, int 3 reroute, anti-breakpoint) take up most of the time in an overall reversing effort like this, I just wonder. Why do hackers insist on running the program on the very same CPU that they’re working on at the moment ? Why not do the entire reversing work “offline”, on some sort of a _model_ CPU ?

    Call it a VM if you want, or call it an emulator, whatever. In my profession, it’s called a simulator; and it seems to me that it would make reversing so much easier. I’m positive that a cycle-accurate hardware model of the basic x86 architecture already exists, so it would suffice to write a “PE Loader” testbench for use in the freeware version of some simulator, to have a step-by-step timeline of what is actually going on in an executable.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.