eXeL@B › Off-topic › Athcon2013 - Reverse Engineering Challenge

Created: 13 March 2013 21:17 · #1

Reverse Engineering Challenge
Status: OPEN
The Reverse Engineering challenge is now available. The rules are included in the associated zip file. All submissions should be sent to kyrecon@athcon.org and the deadline is 30/04/2013.
Download Rev. Challenge 2013:
Challenge Creator: Kyriakos Economou & Nikolaos Tsapakis

Under the hood is "everyone's favorite" virtual machine with more than 200 instructions, all of the same type, but still. Welcome

-----
127.0.0.1, sweet 127.0.0.1

Created: 15 March 2013 10:26 · #2

i) A free ticket for the 2-days conference AthCon 2013 (Athens/Greece 6-7 June 2013).
ii) A 100 euros Amazon voucher.
-Sponsored by the authors of the challenge-

That won't be enough (c) "Last Year's Snow Was Falling"

Users who found this post useful: ARCHANGEL

Created: 19 March 2013 16:34 · Edited by: OKOB · #3

5 virtual machines, and they all went down as one

-----
127.0.0.1, sweet 127.0.0.1

Users who found this post useful: r_e, SReg, _ruzmaz_, HandMill, ELF_7719116

Created: 19 March 2013 21:56 · Edited by: reversecode · #4

Created: 20 March 2013 07:41 · #5

Created: 20 March 2013 12:15 · #6

Created: 20 March 2013 12:26 · #7

Created: 22 March 2013 11:23 · #8

reversecode wrote: "OKOB, you got caught brute-forcing"

Why did you give me away? Now the organizers are demanding a detailed solution.

Dear OKOB,

Thank you very much for your submission. I will check your keygen as soon as possible. Would you mind to share with us a few words about how you did it?

In addition we would like to know if you are interested in the prizes. In that case as mentioned in the readme, just the keygen is not enough in order to claim them. However, since you are the first to submit a solution you have the priority to submit a fairly documented report about how you did it with a few keypoints regarding the challenge and anything else you think that would be cool to include in your report.

In the meantime, please keep your solution private in order to keep the contest active.

Kind Regards,
Kyriakos Economou

PS: Oh...I almost forgot! CONGRATULATIONS!!!

-----
127.0.0.1, sweet 127.0.0.1

Users who found this post useful: Oott, HandMill, hors, TryAga1n, r_e

Created: 22 March 2013 21:18 · #9

Created: 22 March 2013 22:48 · Edited by: OKOB · #10

Knocked out a short report and packed in the scripts I had written. So the guys have gone shopping for the voucher.

Dear Vladimir,

You are officially the winner of the 100 euros voucher. What happens now, is that I need to talk with the other author (Nikolaos Tsapakis) and buy the voucher for you. I suppose we can just buy the voucher and only send you its code so that you can use it online.

Please be patient, as we will have to go through some Bank related processes in order to complete this purchase since the prize is bought 50-50 from us.

At this point I would like to personally thank you on behalf of the authors for dedicating some of your time to this challenge. It really means a lot to us.

Kind Regards,
Kyriakos

P.S.: After 30/04/2013 I will upload the solution here as well.

-----
127.0.0.1, sweet 127.0.0.1

Users who found this post useful: -Sanchez-, tihiy_grom

Created: 09 May 2013 00:03 · #11

vm_common.py - Python script for collecting common information about the VMs
vm_infos - information about the placement of the VMs
compare_vm.idc - IDA script for comparing the bodies of the VMs without the PCODE block
vm_ov.py - Python script for converting switch-case values to VM opcodes
get_functbl.py - Python script for getting values from the relative offset table in the length-disassm subsystem for native x86 code execution (in the form of a Python array, for use in func_val.py)
func_val.py - Python script for converting a relative offset to the real address of a function in the length-disassm subsystem for native x86 code execution
native_tracer.osc - OllyDbg script for a trace log of native x86 code execution
<DEVM>vm_diz.py, BeaEnginePython.py, BeaEngine.dll - Python script for devirtualization/disassembly of the VM pcode
    Usage: python vm_diz.py <Number of VM (1..5)>
ntdll_list.py - Python script for hashing the names of ntdll.dll exports
vm1.lst, vm2.lst, vm3.lst, vm4.lst, vm5.lst - Listings of the code under the VMs
vm1.analise - Listing of the deobfuscated code under VM1 with some analysis
vm2.py - Python script, an analog of the code under VM2 with a check of the destination address

8DF489AC-0C9AEF51-9DCA468B-09AE2B76 - source values of magic XOR
A41889B9-22BEEF5E-B3EE4698-1FD22B83 - values of magic XOR after one pass VM4
1624000D - one pass VM4 delta
1 C3EC8A62-4292F007-D3C24741-3FA62C2C - 14 pass
--------
2 C3EC8A62-4292F007-D3C24741-3FA62C2C - 14 pass
--------
3 DA108A6F-58B6F014-E9E6474E-55CA2C39 - 15 pass
--------
4 DA108A6F-58B6F014-E9E6474E-55CA2C39 - 15 pass
--------
- values of magic XOR in place of use

key_gen.py - Python script for keygening
g - Example of valid keyfile
SuccessMessageBox.png - Grabscreen of success message window

0435_09.05.2013_EXELAB.rU.tgz - report.rar

-----
127.0.0.1, sweet 127.0.0.1

Users who found this post useful: ZaZa, HandMill, DimitarSerg, _ruzmaz_, -=AkaBOSS=-, r_e, mak, Coderess