This month's challenge is to analyze an unknown binary, in an effort to
reinforce the value of reverse engineering, and improve (by learning from
the security community) the methods, tools and procedures used to do it. This
challenge is similar to SotM 32. However,
this binary implements mechanisms that make it much harder to analyze, in order
to protect it against reverse engineering.
Submissions are due no later than 23:00 GMT, Friday, 03 December, 2004, and the results
will be released Monday, 10 January (NOTE: This is a change, *again*). Review the challenge
submission rules at the SOTM homepage before submitting your results.
Skill Level: Advanced/Expert
All we are going to tell you about the binary is that it was 'found' on a
WinXP system and has now been sent to you for analysis. You will have to analyse
it in depth and gather as much information as possible about its inner workings and
the goal of the binary. The main goal of
this challenge is to teach people how to analyse heavily armored binaries. Such
techniques could be used in the future, and it's time to get used to them.
Top Three winners get a signed copy of the book
Know Your Enemy: 2nd Edition.
Download the Image (17 KB)
MD5 (0x90.exe) = 7daba3c46a14107fc59e865d654fefe9
Ensure you document the procedures, tools and methods used.
- Identify and explain any techniques in the binary that protect it from being
analyzed or reverse engineered.
- Something uncommon has been used to protect the code from being
reverse engineered; can you identify what it is and how it works?
- Provide a means to "quickly" analyse this uncommon feature.
- Which tools are the most suited for analysing such binaries, and why?
- Identify the purpose (fictitious or not) of the binary.
- What is the binary waiting for from the user? Please detail how you found it.
- What techniques or methods can you think of that would make the binary harder
to reverse engineer?
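As an added example (not part of the challenge page or of Nicolas Brulez's write-up), here is the kind of small Python triage script an analyst runs before opening such a sample in a debugger: it checks the file on disk against the MD5 published above, walks the PE section table, and flags sections with high entropy, zero raw size, or write-plus-execute permissions, all common signs of packing or runtime decryption. The PE it analyses is constructed in memory so the script runs offline; the section name `pack0`, the entropy threshold and the flag names are this example's own choices, not anything documented for 0x90.exe.

```python
import hashlib
import math
import random
import struct
from collections import Counter

# MD5 published on the challenge page for the real sample (0x90.exe).
CHALLENGE_MD5 = "7daba3c46a14107fc59e865d654fefe9"

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits per byte; chosen threshold, packed/encrypted data usually sits above it


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_md5(data: bytes, expected: str) -> bool:
    """Confirm the bytes on disk are the sample the write-up will refer to."""
    return md5_hex(data) == expected.lower()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, ~8.0 for random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, rsize, rptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode(errors="replace"),
            "virtual_size": vsize, "raw_size": rsize,
            "characteristics": chars, "data": pe[rptr:rptr + rsize],
        })
    return sections


def triage(pe: bytes):
    """Per-section findings that hint at packing or self-modifying code."""
    report = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        flags = []
        if ent > HIGH_ENTROPY:
            flags.append("high-entropy")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append("unpacked-at-runtime")  # space reserved, filled only when running
        wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        if s["characteristics"] & wx == wx:
            flags.append("writable+executable")
        report.append({"name": s["name"], "entropy": round(ent, 3), "flags": flags})
    return report


def build_sample_pe() -> bytes:
    """Constructed stand-in: a minimal PE with one plain code section and one
    high-entropy, writable+executable section. This is NOT the challenge binary."""
    rng = random.Random(0x90)
    text = bytes(range(16)) * 256                               # 4 KiB, entropy exactly 4.0
    packed = bytes(rng.getrandbits(8) for _ in range(4096))     # ~8 bits/byte
    opt_size = 0xE0                                             # size of a PE32 optional header
    hdr_len = 0x40 + 4 + 20 + opt_size + 2 * 40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size                                      # contents irrelevant for triage
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), hdr_len,
                       0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    sec2 = struct.pack("<8sIIIIIIHHI", b"pack0", 0x8000, 0x2000, len(packed), hdr_len + len(text),
                       0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
    return dos + b"PE\0\0" + coff + opt + sec1 + sec2 + text + packed


if __name__ == "__main__":
    sample = build_sample_pe()
    print("matches challenge MD5:", verify_md5(sample, CHALLENGE_MD5))
    for finding in triage(sample):
        print(finding)
```

On a real sample you would read the file with `open(path, "rb").read()` instead of calling `build_sample_pe()`; a section that is both high-entropy and writable+executable is where a packer's stub typically decrypts code in place, which is the first thing to note in the procedure log the challenge asks for.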
This month's challenge image and questions are led by Nicolas Brulez
of the French Honeynet Project. You can find his official writeup here.
Writeup from the Security Community
First of all, we would like to apologize for the delay; the end of the year
has been very busy here. Also, the submissions were extremely difficult to
judge due to their excellent quality. The rankings have been done by following
the SOTM rules, which means that not only do you have
to be technical, but you also need an easy-to-read submission and a good presentation
of your methods, so people can actually learn from you. Thus, a very technical
document that is hard to follow won't be ranked as highly as a clear
document of average technical level that shows its methods for people to learn from.
Last, we changed the Top 3 to a Top 5 for this challenge, as they were all extremely
close. All of the Top 5 submissions will be receiving a signed copy of the
2nd Edition of the Know Your Enemy book.