F-Secure Reverse Engineering Challenge
Kayaker
August 3rd, 2007, 11:44
The 2007 version of this enjoyable challenge has started up...
http://www.khallenge.com/
Thug4Lif3
August 3rd, 2007, 14:33
Really funny

LLXX
August 3rd, 2007, 17:12
Quote:
Level 1 291 0 hours 1 minutes
lol wut.
Well, I completed it in ~3 minutes...
on to level 2!
TiGa
August 3rd, 2007, 17:28
Level 3 gets annoying really fast.
LLXX
August 3rd, 2007, 18:53
Yes, a job more suited to manual labor than intelligence... unless there's a way around that mess of jumps

fr33ke
August 3rd, 2007, 19:25
What I did was write a little IDC script that follows the flow and outputs the instructions without the jumps. Still, it's not very fun to plow through 8 KB of text of almost exclusively mov's and add's.
whocares
August 4th, 2007, 15:44
Solved level 3... but it's really REALLY annoying...
upb
August 5th, 2007, 17:18
spoiler
llxx: by intelligence you can avoid the manual labour
fr33ke
August 5th, 2007, 18:08
Nice upb.

I wrote something similar, it creates even more understandable code, but it's kinda hacky/buggy/with limitations.
Didn't finish level 3 though. After 3 hours, I thought the first part was if(strlen(key) == 0) {bail out}; but it didn't seem to work that way when I checked it in Olly. Then I quit; I'm doing this for fun, not to torture myself.
On another note, did anyone else get a bug in level 2? The "xor ah, bh" seemed to assume bh was zero, but in fact it was randomly 00, 10, 20 .. F0 on my computer (they used it uninitialized).
And on yet another note, I had to patch IDA to show more than 1000 nodes in graph mode. I think that says something about level 3

TiGa
August 5th, 2007, 18:17
Level 2 had anti-"lazy unpacking" code.
With upx -d, I got OEP 40135A, but with manual unpacking I got 401352 instead.
Even without that, the password was guessable anyway.
TiGa
upb
August 5th, 2007, 18:24
level2 had an interesting TLS callback ;-)
LLXX
August 5th, 2007, 21:55
Quote:
[Originally Posted by fr33ke;67595]On another note, did anyone else get a bug in level 2? The "xor ah, bh" seemed to assume bh was zero, but in fact it was randomly 00, 10, 20 .. F0 on my computer (they used it uninitialized).
BH was 00 here. My OS was Windows 98SE 4.10.2222A.
Quote:
level2 had an interesting TLS callback ;-)
It had one? I didn't even notice that and I solved it anyway. Are we getting different files here?
TQN
August 6th, 2007, 01:03
No, it is only one file. The UPX-packed file has a TLS callback, and in this proc it checks the BeingDebugged bit via the PEB. If a debugger was not found, it will modify the jump to the real OEP, and the real OEP is 401352, not 40135A; it has xor ebx, ebx code at the beginning.
I am playing with level 3 ??!!
Best regards,
Thug4Lif3
August 6th, 2007, 02:02
Yes, the level has its TLS, but the TLS callback code's purpose is just to check whether a debugger is present or not. It's a little bit tricky:
Code:
UPX2:004070A4 ; after LdrpCallInitRoutine is call, we land on this
UPX2:004070A4
UPX2:004070A4 public TlsCallback_0
UPX2:004070A4 TlsCallback_0 proc near ; DATA XREF: UPX2:TlsCallbackso
UPX2:004070A4
UPX2:004070A4 arg_4 = dword ptr 8
UPX2:004070A4
UPX2:004070A4 83 7C 24 08 01 cmp [esp+arg_4], 1
UPX2:004070A9 75 1E jnz short locret_4070C9 ; Reason = DLL_PROCESS_ATTACH ?
UPX2:004070AB 50 push eax
UPX2:004070AC 64 A1 18 00 00 00 mov eax, large fs:18h ; eax = address of TEB
UPX2:004070B2 8B 40 30 mov eax, [eax+30h] ; eax = address of PEB
UPX2:004070B5 0F B7 40 02 movzx eax, word ptr [eax+2] ; Being debugged?
UPX2:004070B9 83 F8 00 cmp eax, 0 ; setting ZF
UPX2:004070BC 0F 94 C0 setz al ; al = ZF
UPX2:004070BF 6B C0 08 imul eax, 8 ; eax = 0 if being debugged,
UPX2:004070BF ; eax = 8 if not
UPX2:004070C2 28 05 BD 63 40 00 sub byte ptr ds:loc_4063BC+1, al ; self-modify code. Change the flow of the program.
UPX2:004070C8 58 pop eax
UPX2:004070C9
UPX2:004070C9 locret_4070C9: ; CODE XREF: TlsCallback_0+5j
UPX2:004070C9 C3 retn
UPX2:004070C9 TlsCallback_0 endp
If debugging is detected, we land on this, and whether the parameter input is C3P0 or not, it won't display the correct email:
Code:
UPX1:004063BC loc_4063BC: ; DATA XREF: TlsCallback_0+1Ew
UPX1:004063BC E9 99 AF FF FF jmp near ptr word_40135A
Code:
0040135A 50 PUSH EAX
0040135B 35 08714200 XOR EAX,427108
00401360 1BC2 SBB EAX,EDX
00401362 870424 XCHG DWORD PTR SS:[ESP],EAX
00401365 8F05 64204000 POP DWORD PTR DS:[402064]
0040136B 68 00104000 PUSH FSC_Leve.00401000
00401370 C3 RETN
else
Code:
UPX1:004063BC loc_4063BC: ; DATA XREF: TlsCallback_0+1Ew
UPX1:004063BC E9 91 AF FF FF jmp near ptr dword_401000+352h
Code:
00401352 33DB XOR EBX,EBX
00401354 68 5A134000 PUSH FSC_Leve.0040135A
00401359 C3 RETN
A simple trick, but since maybe we all use some kind of Olly modz, this trick isn't a problem at all.
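Since both TQN's and Thug4Lif3's posts hinge on a TLS callback that several people in the thread never noticed, here is an added example (my own, not code from the challenge or from anyone posting here) that lists the TLS callbacks a PE32 file declares, so an analyst can see such a callback before ever stepping to the OEP. It parses the headers by hand, maps RVAs through the section table, and follows AddressOfCallBacks to the null-terminated table; the sample PE it builds is constructed in memory and only borrows the 0x4070A4 address from the listing above.

```python
import struct

def _rva_to_off(sections, rva):
    # sections is a list of (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)

def tls_callbacks(pe):
    """Return the VAs in a PE32 file's TLS callback table ([] when it has none)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt = nt + 24                                        # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 9 * 8)[0]   # data directory entry 9 = TLS
    if tls_rva == 0:
        return []
    sh = opt + struct.unpack_from("<H", pe, nt + 20)[0]  # section table starts after SizeOfOptionalHeader
    sections = [struct.unpack_from("<IIII", pe, sh + i * 40 + 8) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks is a VA, not an RVA, so subtract ImageBase
    cb_va = struct.unpack_from("<I", pe, _rva_to_off(sections, tls_rva) + 12)[0]
    if cb_va == 0:
        return []
    off, found = _rva_to_off(sections, cb_va - image_base), []
    while struct.unpack_from("<I", pe, off)[0]:          # table is null-terminated
        found.append(struct.unpack_from("<I", pe, off)[0])
        off += 4
    return found

def build_sample(callbacks=(0x4070A4,), image_base=0x400000):
    """Constructed minimal PE32 (not a real binary): one section at RVA 0x7000 holds TLS dir + table."""
    sec_rva, sec_off = 0x7000, 0x400
    opt = bytearray(224)                                 # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 9 * 8, sec_rva, 24)   # TLS directory RVA and size
    data = bytearray(0x100)
    struct.pack_into("<I", data, 12, image_base + sec_rva + 0x20)   # AddressOfCallBacks (VA)
    struct.pack_into("<%dI" % len(callbacks), data, 0x20, *callbacks)  # zero terminator already there
    hdr = bytearray(64); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sh = b".UPX2".ljust(8, b"\0") + struct.pack("<IIII", len(data), sec_rva, len(data), sec_off) + bytes(16)
    pe = bytearray(hdr + b"PE\0\0" + coff + opt + sh)
    return bytes(pe + bytes(sec_off - len(pe)) + data)
```

Run tls_callbacks() over the bytes of a real PE32 before loading it in the debugger; a non-empty list is the cue to break on the callback rather than on the entry point.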
LLXX
August 6th, 2007, 02:37
In all of the runs I did with level 2, OEP was the "wrong" one (0040135a) but EBX upon that "wrong" OEP was 00530000, so two wrongs made a right?
I was using SoftICE 4. No hiding.
binjo
August 6th, 2007, 03:46
With level 2, I was using IDA to debug; it's not very fun, all you need is patience.
With level 3, still, it's not very fun, all you need is patience.
Kayaker
August 6th, 2007, 04:19
Quote:
[Originally Posted by LLXX;67608]so two wrongs made a right?
No, but sometimes 3 do
Not that it has anything to do with the challenge directly, but post-Win9x the value of EBX for a PE at the entry point is the PEB, set during ntdll!LdrpInitializeProcess:
Code:
.text:7C921ABC ; __stdcall LdrpInitializeProcess(x, x, x, x, x)
...
.text:7C921B36 mov eax, large fs:18h ; TEB
.text:7C921B3C mov EBX, [eax+30h] ; PEB
.text:7C921B3F lea edi, [ebx+8] ; PEB.ImageBaseAddress
.text:7C921B42 push dword ptr [edi]
.text:7C921B44 call _RtlImageNtHeader@4 ; RtlImageNtHeader(x)
...
Hence the variable value for BH at the xor ah, bh instruction.
Kayaker
Kamil
August 6th, 2007, 11:51
Nice work guys, especially UPB ;-)
ZaiRoN
August 6th, 2007, 14:10
Here is the pack containing the 3 Khallenges.
rizzy
August 6th, 2007, 15:29
Quote:
[Originally Posted by ZaiRoN;67622]Here is the pack containing the 3 Khallenges.
Anyway, you can download them from the official site: http://www.f-secure.com/security_center/asm.html
ZaiRoN
August 6th, 2007, 15:33
Quote:
Anyway you can download them from the official site.
Link please

rizzy
August 6th, 2007, 15:36
Quote:
[Originally Posted by ZaiRoN;67624]Link please
http://www.f-secure.com/security_center/asm.html
ZaiRoN
August 6th, 2007, 15:56
Thank you rizzy.
Nico
August 7th, 2007, 10:27
Man, the command line parsing for level 2 is really lame.
You can have infinite solutions because of it (congrats message, but the email is wrong of course).
Kayaker
August 7th, 2007, 11:54
In theory that's true, I went off in that direction too and have the unconfirmed emails to show for it ;-)
Since most debuggers will run a PE no matter what the extension is (or even if it doesn't have one), then yeah, there are infinite solutions. (Well, probably not, but I wouldn't want to calculate the possibilities.)
If the restriction is that it must be a file extension recognized by Windows, therefore able to be run outside of a debugger, then I think there can only be one solution.
However, since reversing is about breaking the rules, not following them, I vote for the ∞ solution

Nico
August 7th, 2007, 12:09
Well it's not only the extensions, try this:
FSC_Level2.exe 4N4" Mbfa
there is some hidden joke in the selected first parameter, a few people will get it ;-)
This will work, and show a valid congratulation message as well.
Kayaker
August 7th, 2007, 12:14
Good point. OK, there are infinite solutions.
ZaiRoN
August 7th, 2007, 12:29
Hey Nico
FSC_Level2.exe put some random infinite words 4N4" Mbfa
Nico
August 7th, 2007, 12:32
Hey Z
Yeah indeed, that's why I said the command line parsing sucks ;p
They will pretend it was made on purpose ;-)
ZaiRoN
August 7th, 2007, 12:39
Quote:
that's why i said the command line parsing sucks
I think it's a sort of trick, just not a coincidence. From the last post on F-secure blog:
"For those of you still working with Level 2 – it's possible to debug the binary and produce a dialog box with "lucky numbers". But you need to fully reverse engineer it to determine to one true parameter that produces a valid e-mail address. That's part of challenge. Hint: use the original binary with your parameter to test."
Nico
August 7th, 2007, 12:48
My parameters above work on the original binary, as well as on the unpacked one.
Their comment isn't really good: in order to get the bogus "congrats", you have to completely reverse engineer it anyway. You are just feeding chars to make the binary happy.
Anyway, number 3 was funnier.
LLXX
August 8th, 2007, 01:12
Indeed, I was a bit puzzled by that. There would theoretically be ~3 billion "solutions", all of which would pass the check. But then I noticed the " and the space, and the GetCommandLineA result caught my attention...
CNT
August 12th, 2007, 11:43
Level 3 also has many solution keys, but the email is still unique.
Nico
August 17th, 2007, 07:44
Yeah level 3 also has many solutions, but less than level 2

And as you said, it doesn't change the email, so it's not a real problem.
Level 3 is easy, it's just a bit weird at first sight..