Flare-On 11 Writeup: CATBERT - Cracking UEFI Ransomware Protected by VM-Based Obfuscation
2024-11-09 | #category_ctf #toic_vm_dispatcher #topic_decompiler #topic_disassembler #topic_flare_on_11 #topic_ida_flirt #topic_inline_assembly #topic_obfuscation #topic_qemu #topic_ransomware #topic_uefi #topic_vm

This challenge - CATBERT Ransomware - requires participants to analyze and reverse engineer a UEFI firmware, and defeat a Virtual Machine based obfuscation technique to retrieve decryption keys. This write-up walks you through the entire process and provides technical details on how to identify and analyze the VM dispatcher, write a disassemble, and leverage a x86 decompiler to enable a thorough examination of the VM code.