All things rǝvǝrsǝd

ghidra

Scripting Ghidra - Set Equate

In the third installment of this series (if you haven't read/seen here's - part 1, part 2 and part 3) we will be using the Set Equate functionality in an automatic fashion. Note: If you prefer watching, have a look at my YouTube channel. Looking

insomnihack

Insomni'Hack 2024 Teaser - Trompe Loeil - Ready 2 Run

New video is out 👇 This time it's about challenge from InsomniHack 2024 teaser - Trome Loeil that featured a nice trick that's coming new to .NET binaries - Ready 2 Run. Go have a look.

insomnihack

Insomni'Hack Teaser 2023

This weekend, Insomni'hack 2023 teaser took place. During the contest, I solved the two RE challenges. rev1 The challenge was, an iOS application written in Swift. The .ipa file is in fact a zip archive which we can unpack and get access to the actual binary plus some

hitcon

HITCON 2022 - Checker

just a deep and normal checker We have two files in this task: a Windows executable named checker.exe and a .sys file—a driver file named checker_drv.sys. Loading the first one into Ghidra, does not show much code that we can work with. There's a

hitcon

HITCON 2022 - Meow Way

Reverse-engineering like the meow way! We are given a Windows 32-bit executable that we can load into Ghidra. In the initial peak into the main, we can see the following (*DAT_0040544c)(iVar3,iVar3 >> 0x1f,iVar3,iVar3 >> 0x1f,0xc4,0,&local_10,&local_10

reverse engineering

SECCON 2022 - eguite

We are give an ELF and EXE file (the same challenge - you can pick your enemy) with the simple task to crack it license. Not sure if it's on purpose (or due to using sandbox/VM) but running it fails so we can't get any

flare-on

Flare-on 2022 - in a tweet + images

Flare-on is a yearly competition that focuses on reverse engineering. In 2022 we could compete in the 9th edition solving 11 challenges. Here's a really, really short version how we could approach and solve them.

midnightsun

The Gambler - Midnight Sun CTF 2022

The secret is 'Knowin' what the cards were'. Apart from the message we are give the file, with the instruction to run it with mono the_gambler.exe. This alone gives away the fact that, this is a .NET assembly and we can skip any initial analysis

1337up

Tinybit - 1337up CTF

Just try a little bit harder! Brb, shouting intigriti.rocks! 🔗 Download link: mw.linux 🔗 Download link: mw.darwin 🔗 Download link: mw.windows 🚩 No flag format. The flag starts with z and ends with ! ✍️ Created by Hazcod Note: The shouting part was only added in the middle of the CTF. Three

1337up

Bitcoins for Flags

BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP 🔗 Download link: BitcoinsForFlags.zip 🚩 Flag format: CTF{} ✍️ Created by Ferib Hellscream

insomnihack

Insomni'Hack - Corona Virus

A devastating computer virus infected millions of machines around the world. Security experts were able to capture a sample, but the virus seems to be looking for something specific, and acts frustrated if it is not happy. Who knows the horrors it may unleach onto the world if...or when

ctf

babyRust - N1CTF

This fun, little challenge was RE challenge during N1CTF. We are given the following Rust source code: macro_rules! check { (@s n1ctf{$Never:tt}) => { check!(stringify!($Never)) }; (@e ($Never:expr,$Gonna:expr,$Give:expr); (Never gonna give you up $($code:tt)*)) => { $Give += true as usize; check!(@e ($Never,

flare-on 8

Flare-On 8 - Antioch

To solve this challenge, you’ll need to …AAARGH This challenge was really AAARGH for me. In retrospect I wonder why I didn't see what I was supposed to see and due to that lost almost a week on this fairly easy challenge. But let's start

flare-on 8

Flare-On 8 - Flare VM

Because of your superior performance throughout the FLARE-ON 8 Challenge, the FLARE team has invited you to their office to hand you a special prize! Ooh – a special prize from FLARE ? What could it be? You are led by a strong bald man with a strange sense of humor into

flare-on 8

Flare-On 8 - known

We need your help with a ransomware infection that tied up some of our critical files. Good luck. With the second challenge, it's a bit step up in the difficulty. We are given an EXE with some files (different types; images images and text) that has been encrypted.

flare-on 8

Flare-On 8 - credchecker

The first task in this year competition. It is a single HTML file. Inside we can find a simple check for credentials. function checkCreds() { if (username.value == "Admin" && atob(password.value) == "goldenticket") { var key = atob(encoded_key); var flag = ""; for (let i

flare-on

Flare-On 8 - Beelogin

In this challenge we are given a huge, 3.10 MB html file. Opening it, we can see there's a HTML form, and a lot of JavaScript. A lot. It's obfuscated too. Looking closer, it appears that it contains mostly the garbage and only some parts

flare-on

Flare-On 8 - Pet the Kitty

Hello, Recently we experienced an attack against our super secure MEOW-5000 network. Forensic analysis discovered evidence of the files PurrMachine.exe and PetTheKitty.jpg; however, these files were ultimately unrecoverable. We suspect PurrMachine.exe to be a downloader and do not know what role PetTheKitty.jpg plays (likely a second-stage

decompilation

Don't trust the decompilers

Decompilers can be your greatest ally or your greatest enemy. Basing the analysis only by the result of only one tool can fail you greatly. See for yourself. Prefer to watch? Check out this video. Recently, I was solving one of the challenge from ångstromCTF 2021 and after opening the

midnightsun

Solving Geanu

Geanu was a simple RE challenge from MidnightsunCTF. The task starts by print the following ASCII-art of Keanu and awaits our input. After getting user input it finishes. Let's fire up Ghidra and load the binary. Since the binary is written in Go, we can apply 'golang_

r2

Debugging r2 - child processes

If you ever want to debug r2 while it is debugging another process (so basically debug while debug r2 -d /bin/ls or when using ood) remember about few important things. Radare2 will create a new process so it is important to be sure if gdb is set to attach

r2

Debugging r2

This will be a short one. If you ever need to debug Radare2, and after running it under dbg you can't get into the debugger after hitting ^C as it should, remember that r2 handles this shortcut and this won't work. Instead use this: kill -SIGTRAP

ghidra

Automating Ghidra - part 3

In the third installment of this series (if you haven't read/seen here's - part 1 & part 2) we will be reconstructing program flow. This is useful for tasks such as Towel's armageddon. Note: If you prefer watching, have a look at my

net user /times

net user /times

You probably know this but in case you don't, Windows has built in feature for setting up allowed login days and hours for a particular account. It can be done in the following way net user account_name /times:[{times | ALL}] but when I used it to restrict

rusty

Rusty - Technical background

This post a technical part to the challenge Rusty. If you haven't read the post you can do it here. Technical background I had few difficulties when creating it. So it might be interesting for some people to read how I've managed to overcome them. The