F-Secure Khallenge


Kayaker
August 5th, 2006, 12:31
3 khallenges, from the mind of a 17-year-old no less..

ASSEMBLY'06 REVERSE ENGINEERING CHALLENGE
http://www.khallenge.com


If you haven't punished yourself enough lately then don't miss the T2'05 and T2'06 challenges also from F-Secure:

http://www.t2.fi/pahkina.en.html


Have fun,
Kayaker

Silver
August 5th, 2006, 13:11
That's so depressing. Assembly used to be a true demoscene event, and just look at their front page for proof of what's happened. I'm amazed this challenge even ran, the place is full of gamers who can just about double-click the Counterstrike icon...

Anyway thanks for the link Kayaker

SiGiNT
August 6th, 2006, 16:51
Geesh,

For level1 all you need is notepad, and a mind that takes things literally.

SiGiNT

LLXX
August 6th, 2006, 23:29
Quote:
[Originally Posted by sigint33]Geesh,

For level1 all you need is notepad, and a mind that takes things literally.

SiGiNT
LOL... how very true

NeOXOeN
August 8th, 2006, 13:59
yes but first 2 are really easy... 3 its just time consuming...

SiGiNT
August 8th, 2006, 21:08
I didn't even realize they were available, I assumed the Khallenge was closed - hmmm - maybe when I get some time.

SiGiNT

Kayaker
August 9th, 2006, 00:05
T2'05 was interesting, it's more of a challenge in which you need to figure out *what* the program is doing, as opposed to *how* it is doing it. Figure out the [what] and the [how] becomes easier.

T2'06 however...that seems more the opposite. I have a feeling, I think, of [what] the challenge is doing, the difficulty lies in determining the [how]. In one portion it makes several (as in thousands not hundreds) of indirect calls to a table of call addresses (about 60 of them but many duplicated). This indirect call seems to play a pivotal role in the challenge.

I've been trying to figure out a method of automated analysis in order to pull out a pattern in the calls. I wrote an Ollyscript which logged the stack return address and parameter values for the call table addresses. This helped a little bit in that I could see there was a pattern, though I could make no immediate sense of it.

I suspect many of the calls are red herrings/diversions and do nothing useful unless the parameters are just right, so what I'm trying to do is find out where to focus attention.

I've also tried ProcessStalker, this may prove useful but again it is difficult to interpret the results.

I would like to be able to come up with some form of automated analysis which could help clarify the code execution, mostly to see if it *can* be done and so it could be applied to other situations where indirect calls to a call table is used for example.

Ultimately the solution may be in repeated tracing until the little lightbulb goes on over your head and the Zen kicks in


I'm curious just in general if anyone else has any success stories in using automated analysis, be it plugin, script or standalone tool, for a real-life reversing problem. Yeah I know there are a million ollyscripts for find the OEP of every packer under the sun, but I'm thinking of anything other than that!

Cheers,
Kayaker

Maximus
August 9th, 2006, 04:41
t2'06 is a VM, if I remember well. You sought the dispatcher that cycled thru the instructions. I gave a very quick look time ago, but was that. I recall it seemed to swap the vm context switching instructions or something like that (don't really rem. well, honestly).

Silkut
August 22nd, 2006, 14:31
Quote:
[Originally Posted by Silver]That's so depressing. Assembly used to be a true demoscene event, and just look at their front page for proof of what's happened. I'm amazed this challenge even ran, the place is full of gamers who can just about double-click the Counterstrike icon...

Anyway thanks for the link Kayaker


Goto Breakpoint !

Kayaker
August 28th, 2006, 16:11
For those interested here is a solution for Khallenge #3

http://www.the-interweb.com/serendipity/?/archives/76-F-Secure-Khallenge-Level-3.html

Turns out it was a 2D labyrinth, see here for a picture of it.

http://www.f-secure.com/weblog/archives/archive-082006.html#00000943


Phew, glad I stopped at Khallenge #2

0rp
August 29th, 2006, 14:44
yes, it's a VM
just go to func around 004022AD, and you'll find some generic opcodes like add, sub, xor, shl...

basically it's decrypting a message using a hash of the input

ZaiRoN
August 29th, 2006, 15:26
Well, maybe it's time to create some new projects

I was thinking of leaving this thread for the 3 khallenges from F-Secure while we can use the other 2 threads I created for talking about t205 and t206. Ok, they are really interesting and not so easy so... it's time to have some serious reversing sessions!

t206: http://woodmann.com/forum/showthread.php?t=9445
t205: http://woodmann.com/forum/showthread.php?t=9444

Quote:
just go to func around 004022AD, and you'll find some generic opcodes like add, sub, xor, shl...
Are you sure? Inside the call at 4021D2 I would say

0rp
August 29th, 2006, 15:55
yes:

16bit add
.text:004022B3 and esi, 0FFFFh
.text:004022B9 and eax, 0FFFFh
.text:004022BE add esi, eax

8bit
.text:004022CB and esi, 0FFh
.text:004022D1 and ecx, 0FFh
.text:004022D7 add esi, ecx


8bit sub
.text:00402324 and eax, 0FFh
.text:00402329 and esi, 0FFh
.text:0040232F sub esi, eax


16bit and
.text:004023AC and esi, 0FFFFh
.text:004023B2 and eax, 0FFFFh
.text:004023B7 and esi, eax


shl
.text:0040248F mov esi, edi
.text:00402491 and esi, 0FFFFh
.text:00402497 shr esi, cl



....

Maximus
August 29th, 2006, 19:19
eheh I cannot resist

The .22 is a multi-generic macroinstruction that does many things, namely:
Code:

long_case dd offset VM_ADD_case_multi_0
.text:004026DC ; DATA XREF: VM_Multiple_op2+70r
.text:004026E0 dd offset VM_SUB_case_multi_1
.text:004026E4 dd offset VM_IDIV_REST_34h_is_divisor_case_multi_5
.text:004026E8 dd offset VM_XOR_case_multi_3
....


...but it is not the only way of doing things in that VM
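An added example, not code from the thread, the challenge or its authors: a small Python model of the handler semantics 0rp listed (operands masked to 8 or 16 bits before the operation) dispatched through an index table like the long_case table Maximus quoted, the kind of simulator one writes to check a hypothesis about a VM before tracing further. The opcode numbering beyond add/sub/xor, the register names and the run() loop are assumptions.

```python
# Model of the Khallenge #3 VM arithmetic handlers as seen in 0rp's listing:
# each operand is masked to the operation width first, then the 32-bit
# x86 register receives the result (so a negative sub wraps mod 2**32).
# Opcode indices 0 (add), 1 (sub) and 3 (xor) follow the names in Maximus's
# table; 2 (and) and 4 (shr) are assumed slots for this illustration.

MASK = {8: 0xFF, 16: 0xFFFF, 32: 0xFFFFFFFF}
REG32 = 0xFFFFFFFF

def vm_add(a, b, width):
    # and esi, MASK ; and eax, MASK ; add esi, eax
    m = MASK[width]
    return ((a & m) + (b & m)) & REG32

def vm_sub(a, b, width):
    # and eax, MASK ; and esi, MASK ; sub esi, eax  (wraps in a 32-bit reg)
    m = MASK[width]
    return ((a & m) - (b & m)) & REG32

def vm_and(a, b, width):
    m = MASK[width]
    return (a & m) & (b & m)

def vm_xor(a, b, width):
    m = MASK[width]
    return (a & m) ^ (b & m)

def vm_shr(a, count, width):
    # mov esi, edi ; and esi, MASK ; shr esi, cl  (x86 keeps 5 bits of cl)
    return (a & MASK[width]) >> (count & 0x1F)

# Index -> handler, mirroring "long_case dd offset VM_ADD_case_multi_0 ..."
DISPATCH = {0: vm_add, 1: vm_sub, 2: vm_and, 3: vm_xor, 4: vm_shr}

def run(program, regs):
    """Execute (opcode, dst_reg, src, width) tuples in order.

    src is either a register name or an immediate; regs is a dict of
    32-bit register values and is returned after the last instruction.
    """
    for opcode, dst, src, width in program:
        handler = DISPATCH[opcode]              # table dispatch, as in the VM
        b = regs[src] if isinstance(src, str) else src
        regs[dst] = handler(regs[dst], b, width)
    return regs

if __name__ == "__main__":
    # Constructed sample program: 16-bit add, then 8-bit xor with an immediate.
    print(run([(0, "esi", "eax", 16), (3, "esi", 0xFF, 8)],
              {"esi": 0x10001, "eax": 0x20002}))
```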