All things reversed

All things reversed

Insomni'Hack Teaser 2023

This weekend, Insomni'hack 2023 teaser took place. During the contest, I solved the two RE challenges. rev1 The challenge was, an iOS application written in Swift. The .ipa file is in fact a zip archive which we can unpack and get access to the actual binary plus some extra metadata

HITCON 2022 - Checker

HITCON 2022 - Checker

just a deep and normal checker We have two files in this task: a Windows executable named checker.exe and a .sys file—a driver file named checker_drv.sys. Loading the first one into Ghidra, does not show much code that we can work with. There's a line that

HITCON 2022 - Meow Way

HITCON 2022 - Meow Way

Reverse-engineering like the meow way! We are given a Windows 32-bit executable that we can load into Ghidra. In the initial peak into the main, we can see the following (*DAT_0040544c)(iVar3,iVar3 >> 0x1f,iVar3,iVar3 >> 0x1f,0xc4,0,&local_10,&local_10 >> 0x1f); iVar2 = iVar3 + 1; (*DAT_004053a8)

SECCON 2022 - eguite

reverse engineering

SECCON 2022 - eguite

We are give an ELF and EXE file (the same challenge - you can pick your enemy) with the simple task to crack it license. Not sure if it's on purpose (or due to using sandbox/VM) but running it fails so we can't get any more information from running

Flare-on 2022 - in a tweet + images

Flare-on is a yearly competition that focuses on reverse engineering. In 2022 we could compete in the 9th edition solving 11 challenges. Here's a really, really short version how we could approach and solve them.

The Gambler - Midnight Sun CTF 2022

The Gambler - Midnight Sun CTF 2022

The secret is 'Knowin' what the cards were'. Apart from the message we are give the file, with the instruction to run it with mono the_gambler.exe. This alone gives away the fact that, this is a .NET assembly and we can skip any initial analysis and go straight

Tinybit - 1337up CTF

Tinybit - 1337up CTF

Just try a little bit harder! Brb, shouting intigriti.rocks! 🔗 Download link: mw.linux 🔗 Download link: mw.darwin 🔗 Download link: mw.windows 🚩 No flag format. The flag starts with z and ends with ! ✍️ Created by Hazcod Note: The shouting part was only added in the middle of the CTF. Three

Bitcoins for Flags

Bitcoins for Flags

BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP BIP 🔗 Download link: BitcoinsForFlags.zip 🚩 Flag format: CTF{} ✍️ Created by Ferib Hellscream

Insomni'Hack - Corona Virus

Insomni'Hack - Corona Virus

A devastating computer virus infected millions of machines around the world. Security experts were able to capture a sample, but the virus seems to be looking for something specific, and acts frustrated if it is not happy. Who knows the horrors it may unleach onto the world if...or when

babyRust - N1CTF

babyRust - N1CTF

This fun, little challenge was RE challenge during N1CTF. We are given the following Rust source code: macro_rules! check { (@s n1ctf{$Never:tt}) => { check!(stringify!($Never)) }; (@e ($Never:expr,$Gonna:expr,$Give:expr); (Never gonna give you up $($code:tt)*)) => { $Give += true as usize; check!(@e ($Never,$Gonna,$Give)

Flare-On 8 - Antioch

Flare-On 8 - Antioch

To solve this challenge, you’ll need to …AAARGH This challenge was really AAARGH for me. In retrospect I wonder why I didn't see what I was supposed to see and due to that lost almost a week on this fairly easy challenge. But let's start from the beginning. We

Flare-On 8 - Flare VM

Flare-On 8 - Flare VM

Because of your superior performance throughout the FLARE-ON 8 Challenge, the FLARE team has invited you to their office to hand you a special prize! Ooh – a special prize from FLARE ? What could it be? You are led by a strong bald man with a strange sense of humor into

Flare-On 8 - known

Flare-On 8 - known

We need your help with a ransomware infection that tied up some of our critical files. Good luck. With the second challenge, it's a bit step up in the difficulty. We are given an EXE with some files (different types; images images and text) that has been encrypted. Opening file

Flare-On 8 - credchecker

The first task in this year competition. It is a single HTML file. Inside we can find a simple check for credentials. function checkCreds() { if (username.value == "Admin" && atob(password.value) == "goldenticket") { var key = atob(encoded_key); var flag = ""; for (let i = 0; i < key.length; i++) { flag += String.fromCharCode(

Flare-On 8 - Beelogin

Flare-On 8 - Beelogin

In this challenge we are given a huge, 3.10 MB html file. Opening it, we can see there's a HTML form, and a lot of JavaScript. A lot. It's obfuscated too. Looking closer, it appears that it contains mostly the garbage and only some parts are relevant. From the

Flare-On 8 - Pet the Kitty

Flare-On 8 - Pet the Kitty

Hello, Recently we experienced an attack against our super secure MEOW-5000 network. Forensic analysis discovered evidence of the files PurrMachine.exe and PetTheKitty.jpg; however, these files were ultimately unrecoverable. We suspect PurrMachine.exe to be a downloader and do not know what role PetTheKitty.jpg plays (likely a second-stage

Don't trust the decompilers

Don't trust the decompilers

Decompilers can be your greatest ally or your greatest enemy. Basing the analysis only by the result of only one tool can fail you greatly. See for yourself. Prefer to watch? Check out this video. Recently, I was solving one of the challenge from ångstromCTF 2021 and after opening the

Solving Geanu

Geanu was a simple RE challenge from MidnightsunCTF. The task starts by print the following ASCII-art of Keanu and awaits our input. After getting user input it finishes. Let's fire up Ghidra and load the binary. Since the binary is written in Go, we can apply 'golang_renamer.py` to

Debugging r2 - child processes

Debugging r2 - child processes

If you ever want to debug r2 while it is debugging another process (so basically debug while debug r2 -d /bin/ls or when using ood) remember about few important things. Radare2 will create a new process so it is important to be sure if gdb is set to attach

Debugging r2

This will be a short one. If you ever need to debug Radare2, and after running it under dbg you can't get into the debugger after hitting ^C as it should, remember that r2 handles this shortcut and this won't work. Instead use this: kill -SIGTRAP $(pidof r2) This cause

Automating Ghidra - part 3

Automating Ghidra - part 3

In the third installment of this series (if you haven't read/seen here's - part 1 & part 2) we will be reconstructing program flow. This is useful for tasks such as Towel's armageddon. Note: If you prefer watching, have a look at my YouTube channel. The difficulty of this crackme

net user /times

net user /times

net user /times

You probably know this but in case you don't, Windows has built in feature for setting up allowed login days and hours for a particular account. It can be done in the following way net user account_name /times:[{times | ALL}] but when I used it to restrict my kids

Rusty - Technical background

Rusty - Technical background

This post a technical part to the challenge Rusty. If you haven't read the post you can do it here. Technical background I had few difficulties when creating it. So it might be interesting for some people to read how I've managed to overcome them. The process was done in

Rusty

So I had my debut as an author of a task for a public CTF event. I've created a challenge called Rusty, and let's say it collected some mixed reactions. I've labeled it as an easy RE challenge, but only ten teams managed to solve it in the end -

radare2 can do java

radare2 can do java

I was once asked on my YT channel to do a Java crackme. It only took 7* months to fulfill this request. So, wile waiting for Part 4, Professor this is for you. We will do a Java crack-me, but an easy one created by me. This is as I