Honeynet RE challenge


agnonymous
November 25th, 2004, 19:00
This guy is working for Silicon Realms !

hxxp://seclists.org/lists/honeypots/2004/Oct-Dec/0043.html
hxxp://www.honeynet.org/scans/scan33/index.html
apparently there are also anti-IDA tricks, check out datarescue's message board
anyone working already on this one?
have fun

comrade
November 25th, 2004, 23:12
What is this 'Honeynet' organization?

nikolatesla20
November 26th, 2004, 06:56
I don't mind the idea of a challenge, but why the heck should I give away all my hard work to someone who makes protection systems? It's not worth the effort !


-nt20

dELTA
November 26th, 2004, 07:07
Hi comrade, nice to see that some of the big names from the win32asm forum decide to come here after the win32asm forum incident, feel free to hang around.

About Honeynet:
Quote:
The Honeynet Project is a non-profit (501c3) research organization of security professionals dedicated to information security. We have no products, services or employees, our research is done on a volunteer basis. It is our goal to learn the tools, tactics, and motives of the blackhat community and share these lessons learned. It is hoped that our research will benefit both its members and the security community. Founded in October, 1999, all of our work is OpenSource and shared with the security community.

user
November 26th, 2004, 08:30
nikolatesla20: don't worry, nobody asks you to do so. In fact, I think they don't care if you want to take the challenge or not. I find it funny that you would even think you are concerned. The challenge is targeted to professionals or at least to people not concerned with their name being exposed. Not that your entry wouldn't have any value, but you seem to miss the point of being an OpenSource/Black Hat challenge. The fact the guy writes protection systems for a living is coincidental in a way but however it seems to change drastically your view on the challenge itself and the organisation providing it.

Nevertheless, as an educational value (i.e. what those professionals have up their sleeve...), you might want to have a look at it. Now nothing forces you to release your results.

Anyway that's just my two cents.

Nico
November 26th, 2004, 19:01
Hello LD and others,

Let me clarify one thing. This challenge has *nothing* to do with my current work, and as you can see, my company isn't even listed on the challenge website.

I don't use Armadillo or any part of Armadillo on this binary.

Besides, i don't ask for all your hard work, i can crack this challenge myself without
problems :-)

There are weaknesses on purpose, and it is actually not that complex, especially for people like the guys on this board, ie: lots of reverse engineering
experience.

On the other hand, i think it's still nice to have some kind of *free* training and reports available for people who want to learn that kind of stuff.

There are cracking tutorials of course, but many people are quite against
this idea, especially when they are working for big companies.

I don't ask you to participate, you can just break it for fun if you want, i
know that you can crack it without too much trouble, but i still think
it's a funny challenge.

Anyway, just thought i could comment about it.

Have a good day.

Nico

Ps: And no, we don't steal your ideas/hard work either ;-)


%UNDEFINED%
November 27th, 2004, 14:13
I must commend you on Armadillo, although it's a bit off subject.
I admire your work on it and I would rate it the best.
I have been unable to successfully unpack any version past 3.60.

Why doesn't Silicon Realms sponsor something of this nature?

britedream
November 28th, 2004, 05:27
Quote:
[Originally Posted by nikolatesla20]I don't mind the idea of a challenge, but why the heck should I give away all my hard work to someone who makes protection systems? It's not worth the effort !


-nt20


Not only do I agree with your wording, but I think it is worth being a smart posting signature.

Regards.

Nico
November 28th, 2004, 11:39
Hello %UNDEFINED%,

Thank you very much for your kind words, but as you said, it's off topic.
I don't want to be flamed right away because i get compliments about Armadillo while i came to clarify the purpose of this challenge.

Why Siliconrealms doesn't support this challenge?

Because we don't want to make publicity using a non-profit organization ,
that's why the name of my company isn't listed in the site. That would
be bad.

It will just be in the solution i will have to provide for this challenge, but you
won't see any fancy publicity.

I made this challenge because i am part of the french honeynet project, for which i do reverse engineering on binaries found on honeypots, such as worms, backdoors, trojans, viruses etc. I wanted to contribute to the honeynet project with an interesting little challenge, which is breakable without too much trouble.

Cheers,

Nico


Neitsa
November 29th, 2004, 01:32
Hello Nico,

Nice to see another RE challenge coming from you. I remember the one from secuobs/securitech which was very hard to break. I haven't taken a look at this one yet, but coming from you I think it will be hard again...

Anyway if I can't break through, I'll wait 'till the solution is posted, it's always a nice thing to learn from.

Regards, Neitsa.

Nico
November 29th, 2004, 13:54
Hey,

I think this one is a lot funnier than the securitech one.
Don't worry, it is not that hard, but it's pretty fun i think.
There are a lot of attack points, and it's nice to see how people attack
the same problem with different solutions.

I received a few interesting submissions already, and i think they are well worth reading.

Have fun!

Nico


bilbo
November 30th, 2004, 11:15
Evil Has No Boundaries, isn't it?
Regards, bilbo

Nico
November 30th, 2004, 11:23
Hi!

Quote:
[Originally Posted by bilbo]Evil Has No Boundaries, isn't it?
Regards, bilbo


hehe this is a nice song actually :-)
now, you are on the "fun" part of the code. As i said, it is not hard for people with reverse engineering experience, but the code you are on now is kind of fun.

Cheers!

Nico

agnonymous
December 2nd, 2004, 12:13
I'm wondering...
If an evil hacker leaves a password protected program on a compromised system (which is obviously the case of this challenge) why bother with obfuscation at all? The best and most simple solution would be to use the supplied key to decrypt the payload (previously encrypted using a strong algorithm) => uncrackable malware!
Did i miss something?

Nico
December 2nd, 2004, 16:28
Hi,

Quote:
[Originally Posted by agnonymous]I'm wondering...
If an evil hacker leaves a password protected program on a compromised system (which is obviously the case of this challenge) why bother with obfuscation at all? The best and most simple solution would be to use the supplied key to decrypt the payload (previously encrypted using a strong algorithm) => uncrackable malware!
Did i miss something?


The password is just here to illustrate the protection.
I can't tell anything yet because the challenge is not yet finished.
I could have done something else, it's not the point of this binary.

Besides, a lot of would-be joe hackers aren't really smart, and sometimes
they will use easy to break algos, or patchable protection etc.
Of course you can make a Haval 256 hash of the entered password, and use the result in your favorite strong encryption algo to take care of it all, but that's not the point.

Don't focus on the password itself, this is really not the point of the challenge.

Nico

agnonymous
December 3rd, 2004, 07:13
and an Exploit for it doesn't matter )))
I think I can start finding the right password now

Nico
December 3rd, 2004, 07:23
hehehe

I hope you don't concentrate too much on the password itself, without realising what's going on.

Anyway, as i said, this little challenge is not hard for people with reverse engineering experience.

agnonymous
December 3rd, 2004, 09:14
Thanks.. that was good ...Looking forward to read the nice solutions on honeynet.

Nico
December 3rd, 2004, 16:19
I'm glad you liked it.

I received very nice solutions, and i think they are really interesting to read.
People will learn from it, definitely.. (Maybe not the skilled guys, but a good amount of people might.)

Cheers!

Nico

Opcode
January 11th, 2005, 23:40
The solutions are finally online
Take a look:
http://www.honeynet.org/scans/scan33/

Regards,
Opcode

Kayaker
January 12th, 2005, 00:05
Hi

This should be excellent reading. Best Regards to Nico (who still has the heart of a reverser...), and to all those who submitted (now I see why Bilbo has been so quiet...)

Cheers,
Kayaker

bilbo
January 12th, 2005, 02:51
Quote:
[Originally Posted by Kayaker] (now I see why Bilbo has been so quiet...)

Well, the matter is that I've spent all the holidays grabbing olives from trees and pressing them for oil... No Internet, no phone...
Now I feel a little rusty...

Anyway, I suggest the readings as a preliminary tutorial to a serious reversing of Armadillo protection: what I called Matrioska Layers and Garbage Patterns are found, without many modifications, in Armadilloed binaries too...

Regards,
bilbo

Nico
January 12th, 2005, 08:51
Thank you Kayaker and i hope you like it!

Cheers,

Nico


Nico
January 12th, 2005, 08:56
Hello Bilbo,

First, congratulations for your nice submission.
I liked it a lot, and you gave a lot of details, i enjoyed reading it.

I enjoyed the tutorial layout too, it reminds me of the old days...

Quote:
[Originally Posted by bilbo]
Anyway, I suggest the readings as a preliminary tutorial to a serious reversing of Armadillo protection: what I called Matrioska Layers and Garbage Patterns are found, without many modifications, in Armadilloed binaries too...


Well, i know there are a few common points, but i would like to recall that the
tiny ASM loader on Armadillo is just here to block a bunch of people, and i don't think it is really challenging for skilled people to bypass.

Moreover, the tiny ASM stub hasn't changed for year(s), i should update it some day. The layer generator used for this challenge is more recent, and i didn't use all options either, as you will learn from my submissions.

Armadillo protections are different from what you will learn from this challenge, and the ASM stub isn't really part of the Armadillo protection.

One can protect a binary without this stub if he wants, and it doesn't change the security of the binary much.

My two cents.

Have fun reading the submissions!

Nico

disavowed
January 13th, 2005, 00:37
Congrats, Bilbo!

I was surprised that not more people used IDC scripts to get rid of the junk. My IDC was almost exactly the same as Eloy's hide.idc... I just got lazy when I got to the opcode interpreter.

Nice challenge there, Nico. Keep up the good work, and I'm sure we're all expecting to see more great stuff in Armadillo

blabberer
January 13th, 2005, 07:39
Dear nico

Quote:
"Anti" OllyDbg:

LoaderFlags and NumberOfRvaAndSizes were modified.. I have Reverse Engineered OllyDBG and Soft ICE to find a few tricks that could slow down the analysis of a binary. With those two modifications, Olly will pretend that the binary isn't a good image and will eventually run the application without breaking at its entry point. This could be a bad thing if you wanted to debug a malware on your computer, because you would get infected.


well i was bitten by this problem once so every time i load an unknown executable i physically change the bytes at the entry point to 0xeb 0xfe
and load it; that way the executable will load and loop at a single place
and pressing f12 or esc in olly would pause the target at the entry point
which can be changed back

but i thought it was related only to an abnormal imagebase but you have quoted modifying the LoaderFlags blah as the reason
do you have the relevant disassembly in ollydbg like you have for softice where olly checks for these LoaderFlags and loads it eventually ??

also after reading your submission i dusted off the dll which ran without stopping at ep once and glanced at the relevant places in both
the 0x90 and dll; the dll doesn't have the LoaderFlags modified or Rva blah
modified

i've attached a screen shot, i can send you the dll in question if you prefer so

any more details on this behaviour by ollydbg would be appreciated

Quote:

some funny details from that dlls notes that i made

ESP ==> > 2AE71E76 /CALL to GetUserNameA from badep.2AE71E70
ESP+4 > 0006F904 |Buffer = 0006F904
ESP+8 > 0006FA14 \pBufCount = 0006FA14

0006F904 Administrator

2AE6DC19=<badep.checks username with foo,goat,infect,guest>
2AE6DC19=<badep.checks username with foo,goat,infect,guest,sample>
2AE6DC19=<badep.checks username with foo,goat,infect,guest,sample,test,v-lab,virus>




thanks and regards

Nico
January 18th, 2005, 14:58
Hello,

Quote:
[Originally Posted by blabberer]Dear nico
well i was bitten by this problem once so every time i load an unknown executable i physically change the bytes at the entry point to 0xeb 0xfe
and load it; that way the executable will load and loop at a single place
and pressing f12 or esc in olly would pause the target at the entry point
which can be changed back


This is a good practice, but i wouldn't trust it too much either.
One can run code before the entry point is executed, using a little TLS hack
(Thread Local Storage). One could imagine the TLS overwriting the bytes at the entry point, in order to make sure everything runs fine.

Quote:

but i thought it was related only to an abnormal imagebase but you have quoted modifying the LoaderFlags blah as the reason
do you have the relevant disassembly in ollydbg like you have for softice where olly checks for these LoaderFlags and loads it eventually ??


Unfortunately not, i lost my idb.
The imagebase in my case wasn't related. It also happens with a standard image base. I chose a weird imagebase, because i know a lot of reversers that are used to "400000" and get crazy when they don't have their "marks".
It was just to tease them.

For olly, i think it needs the modification of two fields in the PE header.

My original idea was having Olly think it was a corrupted binary, thus
it wouldn't load it. Unfortunately, it loads it nonetheless, but many people don't try to run it after they see the bad message.

Quote:

also after reading your submission i dusted off the dll which ran without stopping at ep once and glanced at the relevant places in both
the 0x90 and dll; the dll doesn't have the LoaderFlags modified or Rva blah
modified


There are probably other issues in Olly.

Quote:

i've attached a screen shot, i can send you the dll in question if you prefer so


I will check it out, thanks.

Quote:

any more details on this behaviour by ollydbg would be appreciated


I am not a huge fan of olly myself, so i don't really know anything more, besides what i said. I wish i still had that idb file..

All i did, was a quick and dirty reverse engineering of Olly to find this.

I mostly only use IDA, to do static analysis. And use Soft ICE when i need to.
Or IDA's debugger, to use its nice disassembly.

Quote:

thanks and regards


Best Regards,

Nico
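Nico's answer above names the three header details worth checking before a sample is ever loaded into a debugger: the LoaderFlags and NumberOfRvaAndSizes fields his submission altered to confuse OllyDbg, a TLS directory whose callbacks execute before AddressOfEntryPoint (so a patched EB FE at the entry point is not a complete safeguard), and the non-default image base he chose. The script below is an added example, not the challenge binary, Nico's submission or code from OllyDbg, IDA or any poster: it builds a headers-only PE32 image in memory (all sample values such as the image base 0x2AE60000 are constructed) and reports those fields as triage findings. Offsets follow the documented PE32/PE32+ optional header layout; the image-base note is informational only.

```python
"""PE-header triage for the tricks discussed in this thread: altered
LoaderFlags / NumberOfRvaAndSizes, and a TLS directory whose callbacks
run before AddressOfEntryPoint. Added example; the sample images are
constructed in memory, nothing here is the challenge binary."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
TLS_DIR_INDEX = 9               # IMAGE_DIRECTORY_ENTRY_TLS
STANDARD_DIR_COUNT = 16         # NumberOfRvaAndSizes every normal linker emits
DEFAULT_EXE_BASE = 0x400000     # the "400000" most reversers expect


def build_sample_pe(loader_flags=0, num_dirs=STANDARD_DIR_COUNT, tls_rva=0,
                    image_base=DEFAULT_EXE_BASE, entry_point=0x1000):
    """Construct a headers-only PE32 image (no sections) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 0 sections, 224-byte optional header, EXE flags.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    # Optional header up to FileAlignment (offset 40).
    opt = struct.pack("<HBBIIIIIIIII", PE32_MAGIC, 6, 0, 0x1000, 0x200, 0,
                      entry_point, 0x1000, 0x2000, image_base, 0x1000, 0x200)
    # Versions ... HeapCommit, then LoaderFlags (88) and NumberOfRvaAndSizes (92).
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 4, 0, 0, 0, 4, 0, 0,
                       0x3000, 0x400, 0, 2, 0, 0x100000, 0x1000,
                       0x100000, 0x1000, loader_flags, num_dirs)
    dirs = b""
    for i in range(STANDARD_DIR_COUNT):   # all 16 slots stay on disk
        is_tls = i == TLS_DIR_INDEX and tls_rva != 0
        dirs += struct.pack("<II", tls_rva if is_tls else 0, 0x18 if is_tls else 0)
    return dos + b"PE\0\0" + coff + opt + dirs


def inspect_pe(data):
    """Return header facts plus a list of (code, detail) triage findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20              # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        flags_off, dir_off = opt + 88, opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        flags_off, dir_off = opt + 104, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    loader_flags, num_dirs = struct.unpack_from("<II", data, flags_off)

    findings = []
    if loader_flags != 0:
        findings.append(("LOADER_FLAGS", "LoaderFlags is 0x%x, expected 0" % loader_flags))
    if num_dirs != STANDARD_DIR_COUNT:
        findings.append(("DIR_COUNT", "NumberOfRvaAndSizes is %d, expected 16" % num_dirs))
    # The loader only honours directories below NumberOfRvaAndSizes, so read
    # the TLS slot exactly as the loader would see it.
    tls_rva = 0
    if num_dirs > TLS_DIR_INDEX:
        tls_rva, _tls_size = struct.unpack_from("<II", data, dir_off + 8 * TLS_DIR_INDEX)
    if tls_rva:
        findings.append(("TLS", "TLS directory at RVA 0x%x: callbacks run before "
                         "entry point 0x%x; an EB FE patch there is not enough"
                         % (tls_rva, entry_point)))
    if magic == PE32_MAGIC and image_base != DEFAULT_EXE_BASE:
        findings.append(("IMAGE_BASE", "non-default image base 0x%x (informational)" % image_base))
    return {"entry_point": entry_point, "image_base": image_base,
            "loader_flags": loader_flags, "num_dirs": num_dirs,
            "tls_rva": tls_rva, "findings": findings}


if __name__ == "__main__":
    # Constructed sample with all three oddities present.
    sample = build_sample_pe(loader_flags=1, num_dirs=15, tls_rva=0x3000,
                             image_base=0x2AE60000)
    for code, detail in inspect_pe(sample)["findings"]:
        print("%-12s %s" % (code, detail))
```

For a real file, replace the constructed sample with `open(path, "rb").read()`; the parser reads only the headers, so a truncated or headers-only image is enough. A `TLS` finding means the entry point is not the first code to run, which is the case Nico describes when he says a TLS callback could rewrite the bytes at the entry point before a debugger ever breaks there.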

Nico
January 18th, 2005, 15:01
Quote:
[Originally Posted by disavowed]
Nice challenge there, Nico. Keep up the good work, and I'm sure we're all expecting to see more great stuff in Armadillo


Thank you very much.
I am glad i got some positive feedback. Most of the time, people think i steal ideas from the board, and that i can't code a single line of assembly :-)

I hope Armadillo will change, but i am not the one who decides.. sadly.
It would be so different if i could.

Nico

blabberer
January 19th, 2005, 05:58
thanks for your reply nico
i was hoping to get some pointers to the mystery but unfortunately it seems not