5th Reversing CTF Takeaways


1 5th Reversing CTF Takeaways
Joachim De Zutter

2 Who am I
Cyber security researcher
Solved 11 out of 12 challenges of this year’s Flare-On Reverse Engineering CTF

3 Flare-On Challenge
www.flare-on.com
FireEye Labs Advanced Reverse Engineering team’s annual capture the flag (CTF) contest
12 challenges, 6 weeks
5th CTF (2018) is over => all challenges & solutions are publicly available

4 #1 & #2: Minesweeper challenges
#1 Java Archive (JAR): JD-GUI
#2 .NET executable: Telerik JustDecompile

5 #3: FLEGGO
48 Windows 32-bit PE executables
Password in the resource section of each executable

6 #4: binstall
.NET, ConfuserEx → NoFuserEx / de4dot
Installs a DLL that hooks the browser
Webinjects to add a “su” command to the JavaScript code of the “shell” on the flare-on website
Technique used by banking trojans (MiTB, man-in-the-browser)

7 #5: web2point0
WebAssembly (*.wasm) runs inside a browser
Chrome DevTools for single-stepping

8 #6: Magic
64-bit Linux ELF asking for 666 keys
Each key checked 33 times with 7 different validation functions (CRC32/modified base64/RC4/Fibonacci/…) => needs automation
GDB scripting (breakpoint commands) or IDAPython

9 #7: WOW
“Heaven’s Gate” to execute 64-bit code from a 32-bit executable

10 #8: leet_editr
VBScript code decrypted at runtime using a vectored exception handler

11 #9: doogie hacker
First sectors of a floppy disk (use e.g. Qemu+IDA)
Date in BCD format obtained using INT 0x1A was used as a partial key for the hidden message

12 #10: golf
Win32 *.exe running fhv.sys, a 64-bit kernel driver which starts a software hypervisor using Intel VMX instructions
Solved by running Windows 7 (64-bit) inside Qemu on 64-bit Linux with KVM and nested VMX enabled

13 #11: Malware skillZ
pcap + executable
Executable received through DNS TXT records, which get decoded and decrypted with modified RC4 (mod 255 instead of mod 256)
AES encrypted C2/LM communication and ZIP file
String obfuscation using LCG for DLL names & ROR13 hashes for function names, see
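Two of the building blocks on this slide are easy to reproduce so that an analyst can write a decoder: the ROR13 function-name hash (resolved back to names by hashing a known export list) and an RC4 whose index arithmetic uses a configurable modulus, so the standard cipher (mod 256) and the mod-255 variant come from the same routine. The code below is an added illustration, not the challenge's or the presenter's code. Assumed here, because the slide gives no parameters: the ROR13 variant hashes plain ASCII bytes with no terminator and a 32-bit rotate, and the mod-255 tweak applies to every index computation in both the key-scheduling and output phases. The export names and the "hashes found in a sample" are constructed inputs.

```python
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """Classic ROR13 API hash: h = ror(h, 13) + byte over the raw name bytes.
    (Assumed variant: no terminator, no case folding.)"""
    if isinstance(name, str):
        name = name.encode("ascii")
    h = 0
    for byte in name:
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_hash_table(export_names):
    """Precompute hash -> name for every export an analyst expects to see."""
    return {ror13_hash(n): n for n in export_names}


def resolve_hashes(hashes, table):
    """Map hashes pulled out of a sample back to names; unknown ones stay marked."""
    return {h: table.get(h, "<unresolved>") for h in hashes}


def rc4_keystream(key, modulus=256):
    """Yield keystream bytes. modulus=256 is standard RC4; modulus=255 is the
    assumed reading of the slide's 'mod 255' tweak (applied to all index math)."""
    S = list(range(modulus))
    j = 0
    for i in range(modulus):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % modulus
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                     # pseudo-random generation
        i = (i + 1) % modulus
        j = (j + S[i]) % modulus
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % modulus]


def rc4_crypt(key, data, modulus=256):
    """XOR data with the keystream; RC4 is symmetric, so this encrypts and decrypts."""
    ks = rc4_keystream(key, modulus)
    return bytes(b ^ next(ks) for b in data)


def demo():
    # Constructed export list and constructed "hashes seen in the sample".
    table = build_hash_table(["LoadLibraryA", "GetProcAddress", "VirtualAlloc"])
    seen = [ror13_hash("VirtualAlloc"), ror13_hash("GetProcAddress"), 0xDEADBEEF]
    resolved = resolve_hashes(seen, table)

    # Constructed payload: encrypt with the mod-255 variant, then decrypt it again.
    key = b"constructed-key"
    payload = b"MZ\x90\x00 (constructed stand-in for a staged executable)"
    blob = rc4_crypt(key, payload, modulus=255)
    recovered = rc4_crypt(key, blob, modulus=255)
    return resolved, recovered == payload


if __name__ == "__main__":
    resolved, ok = demo()
    for h, name in resolved.items():
        print(f"{h:08x} -> {name}")
    print("mod-255 RC4 round trip:", ok)
```

The standard-RC4 path can be checked against the well-known test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3); if a sample's output does not match standard RC4, trying the modulus tweak is one of the first things to vary.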

14 #12: Suspicious Floppy
Disk image, 16-bit code
DOS INT 0x21, AH = 0x3F behaving strangely
Interrupt handler with “spy program” could be reversed using Bochs/Qemu + IDA
Inside the interrupt handler: a subleq OISC emulator running an RSSB OISC emulator to verify the password
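To make the "subleq OISC" on this slide concrete, here is a small subleq emulator with an execution trace and a triple-wise disassembler, the two things one needs to work out what a nested interpreter is computing. This is an added example, not code from the challenge or the presenter; the halt-on-negative-branch convention and the three-word `subleq a, b, c` layout are the usual textbook ones and are assumptions here, since the slide states nothing about the challenge's own encoding. The program in `ADD_PROGRAM` is a constructed one that adds two numbers.

```python
def run_subleq(program, max_steps=100_000, trace=None):
    """Execute a subleq program (flat list of ints) and return the final memory.

    The instruction at pc is the triple (a, b, c):
        mem[b] -= mem[a]
        pc = c if mem[b] <= 0 else pc + 3
    Halts when pc goes negative or leaves memory (assumed convention).
    If `trace` is a list, every executed triple is appended to it.
    """
    mem = list(program)
    pc = 0
    for _ in range(max_steps):
        if pc < 0 or pc + 2 >= len(mem):
            return mem
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        mem[b] -= mem[a]
        if trace is not None:
            trace.append((pc, a, b, c, mem[b]))
        pc = c if mem[b] <= 0 else pc + 3
    raise RuntimeError("step limit exceeded (possible infinite loop)")


def disassemble(mem, start=0, count=None):
    """List triples as 'pc: subleq a, b, c'. Data words are shown the same way,
    which is exactly the ambiguity an analyst faces with an OISC image."""
    lines = []
    pc = start
    while pc + 2 < len(mem) and (count is None or len(lines) < count):
        a, b, c = mem[pc:pc + 3]
        lines.append(f"{pc:04d}: subleq {a}, {b}, {c}")
        pc += 3
    return lines


# Constructed program: Y = X + Y using the standard three-instruction ADD idiom.
# Words 9, 10, 11 hold X, Y and a scratch cell Z (initially 0).
ADD_PROGRAM = [
    9, 11, 3,    # Z -= X        (Z = -X), branch target is simply the next triple
    11, 10, 6,   # Y -= Z        (Y = Y + X)
    11, 11, -1,  # Z -= Z        (Z = 0), then branch to -1: halt
    0, 0, 0,     # X, Y, Z
]


def subleq_add(x, y):
    """Run ADD_PROGRAM with the given operands and return the computed sum."""
    prog = list(ADD_PROGRAM)
    prog[9], prog[10] = x, y
    return run_subleq(prog)[10]


if __name__ == "__main__":
    for line in disassemble(ADD_PROGRAM, count=3):
        print(line)
    trace = []
    prog = list(ADD_PROGRAM)
    prog[9], prog[10] = 5, 7
    mem = run_subleq(prog, trace=trace)
    for step in trace:
        print("pc=%d  subleq %d, %d, %d  -> mem[%d] = %d" % (step[0], step[1], step[2], step[3], step[2], step[4]))
    print("5 + 7 =", mem[10])
```

When the emulated program is itself another emulator (as on this slide), the trace is what turns the tangle of subtractions into the second machine's instruction stream: group the traced triples by the addresses they touch and the RSSB layer's fetch-decode loop becomes visible.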

15 THANK YOU

