Flare-On 11 Writeup: CATBERT - Cracking UEFI Ransomware Protected by VM-Based Obfuscation

2024-11-09 | #category_ctf #topic_vm_dispatcher #topic_decompiler #topic_disassembler #topic_flare_on_11 #topic_ida_flirt #topic_inline_assembly #topic_obfuscation #topic_qemu #topic_ransomware #topic_uefi #topic_vm

This challenge - CATBERT Ransomware - requires participants to analyze and reverse engineer UEFI firmware and defeat a virtual-machine-based obfuscation technique to retrieve the decryption keys. This write-up walks you through the entire process and provides technical details on how to identify and analyze the VM dispatcher, write a disassembler for the VM code, and leverage an x86 decompiler to enable a thorough examination of that code.



Flare-On 11 Writeup: Web3 - Abusing Blockchains to Deliver (Malicious) Payloads

2024-11-09 | #category_ctf #topic_blockchains #topic_ethereum #topic_evm #topic_flare_on_11 #topic_javascript #topic_obfuscation #topic_powershell #topic_web3

Blockchains have been abused by threat actors to deliver malicious payloads because their decentralized nature makes them harder to monitor and regulate. This challenge highlights the need for enhanced security measures within blockchain ecosystems. I also tried to include some related resources in this post for readers who are new to Ethereum blockchains and want to read further.



Flare-On 11 Writeup: Fullspeed - Native Ahead Of Time .NET and ECDH Cryptanalysis

2024-11-09 | #category_ctf #topic_cryptanalysis #topic_diffie_hellman #topic_dot_net #topic_elliptic_curves #topic_flare_on_11 #topic_ida_flirt #topic_native_aot_dot_net

This challenge is indeed a .NET binary, but it is not a conventional .NET sample, so standard .NET decompilers will not be effective. I divided the challenge into three stages. The first stage focuses on reverse engineering a Native Ahead of Time (AOT) .NET binary. The second stage involves cryptanalysis of the Elliptic Curve Diffie–Hellman (ECDH) algorithm to recover the secret key. The final stage consists of extracting encrypted messages from captured data and performing a replay attack using the same secret key to recover an exfiltrated flag.



Flare-On 11 Writeup: SSHD - Uncovering A Supply Chain Attack

2024-11-09 | #category_ctf #topic_core_dump #topic_emulation #topic_flare_on_11 #topic_forensic #topic_gdb #topic_shellcode #topic_supply_chain_attack #topic_unicorn

The challenge prompt contains some important keywords that tell you where to start: sshd, crashed, stole. Combining these key terms, you can quickly identify the main task of this challenge: investigate a core dump of sshd recovered from a file system to see what happened and what data (the flag) was stolen.



Reverse Engineering Made Easy: Operand Offset Structs in IDA

2024-05-06 | #category_ida_tips #topic_ida_offset_struct

1. Motivations

A struct, short for structure, is an important concept in many programming languages. A struct can contain several variables (fields), each of which can have a different data type. Structs allow programmers to group many fields into one unit for easier processing, storage, and access. Therefore, structs are used in almost all applications.



Writing Windows Shellcode to Spawn a Process: Explained

2024-03-15 | #category_shellcode #topic_pe_header #topic_peb #topic_stack_string #topic_teb #topic_windows_internals #topic_x86

1. What Is A Shellcode?

The name shellcode comes from its original use: spawning a system shell after an attacker exploits a vulnerability in a program and redirects execution to the injected code. In general, shellcode is a set of instructions that can be loaded and executed at any memory address (i.e. position-independent code). Therefore, it cannot contain hard-coded addresses and must use reliable techniques to locate the modules it needs and resolve the addresses of the APIs/functions it calls.
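The address-resolution step mentioned above is the part of shellcode that usually needs the most care, so here is an added example (written for this page, not code from the original post) of the second half of that step: once the base of a module such as kernel32.dll is known, shellcode walks the module's PE export directory in memory to find a function's RVA. The example builds a constructed, minimal PE32 image with three exports (it is not a real DLL), resolves a function first by name and then by a ROR13-style hash of the name, as many shellcode samples do so that no API name strings have to be stored. The header offsets follow the PE32 layout (the code also handles the PE32+ data-directory offset); the first half of the technique, finding the module base by walking the PEB loader list, is Windows-specific and is not included here, so this part runs on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers/writers. Shellcode reads these fields from the
 * module image already mapped in memory, where RVA == offset from the base. */
static uint32_t rd32(const uint8_t *p, uint32_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static uint16_t rd16(const uint8_t *p, uint32_t off) {
    return (uint16_t)(p[off] | p[off + 1] << 8);
}
static void wr32(uint8_t *p, uint32_t off, uint32_t v) {
    p[off] = v & 0xff; p[off + 1] = (v >> 8) & 0xff;
    p[off + 2] = (v >> 16) & 0xff; p[off + 3] = (v >> 24) & 0xff;
}
static void wr16(uint8_t *p, uint32_t off, uint16_t v) {
    p[off] = v & 0xff; p[off + 1] = (v >> 8) & 0xff;
}

/* Locate the export directory: MZ -> e_lfanew -> PE -> optional header -> DataDirectory[0]. */
static uint32_t export_dir_rva(const uint8_t *img) {
    if (img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img, 0x3c);                            /* e_lfanew */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    uint32_t opt = nt + 4 + 20;                               /* skip signature + IMAGE_FILE_HEADER */
    uint16_t magic = rd16(img, opt);                          /* 0x10b = PE32, 0x20b = PE32+ */
    uint32_t datadir = (magic == 0x20b) ? opt + 112 : opt + 96;
    return rd32(img, datadir);                                /* DataDirectory[EXPORT].VirtualAddress */
}

/* ROR13 hash in the style used by common shellcode (assumption: no case folding). */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    while (*s) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s++;
    }
    return h;
}

/* Walk AddressOfNames; the matching index maps through AddressOfNameOrdinals
 * (an unbiased index, Base is not added) into AddressOfFunctions. Returns 0 if absent. */
static uint32_t lookup(const uint8_t *img, const char *name, uint32_t hash) {
    uint32_t ed = export_dir_rva(img);
    if (!ed) return 0;
    uint32_t n_names = rd32(img, ed + 24);                    /* NumberOfNames */
    uint32_t funcs   = rd32(img, ed + 28);                    /* AddressOfFunctions */
    uint32_t names   = rd32(img, ed + 32);                    /* AddressOfNames */
    uint32_t ords    = rd32(img, ed + 36);                    /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < n_names; i++) {
        const char *s = (const char *)img + rd32(img, names + 4 * i);
        int hit = name ? (strcmp(s, name) == 0) : (ror13_hash(s) == hash);
        if (hit) return rd32(img, funcs + 4 * rd16(img, ords + 2 * i));
    }
    return 0;
}
uint32_t resolve_export_by_name(const uint8_t *img, const char *name) { return lookup(img, name, 0); }
uint32_t resolve_export_by_hash(const uint8_t *img, uint32_t hash)    { return lookup(img, NULL, hash); }

/* Constructed sample: a minimal PE32 image with three exports (not a real DLL). */
const uint8_t *sample_image(void) {
    static uint8_t img[0x400];
    static int built;
    if (built) return img;
    const char *names[]        = { "CreateProcessA", "ExitProcess", "WinExec" };
    const uint16_t ordinals[]  = { 2, 0, 1 };                 /* name i -> slot in AddressOfFunctions */
    const uint32_t func_rvas[] = { 0x1000, 0x1100, 0x1200 };
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3c, 0x80);                                    /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img, 0x80 + 4 + 16, 0xe0);                           /* SizeOfOptionalHeader */
    wr16(img, 0x98, 0x10b);                                   /* OptionalHeader.Magic = PE32 */
    wr32(img, 0x98 + 96, 0x200);                              /* export directory RVA */
    wr32(img, 0x98 + 100, 0x100);                             /* export directory size */
    wr32(img, 0x200 + 16, 1);                                 /* Base */
    wr32(img, 0x200 + 20, 3);                                 /* NumberOfFunctions */
    wr32(img, 0x200 + 24, 3);                                 /* NumberOfNames */
    wr32(img, 0x200 + 28, 0x240);                             /* AddressOfFunctions */
    wr32(img, 0x200 + 32, 0x260);                             /* AddressOfNames */
    wr32(img, 0x200 + 36, 0x280);                             /* AddressOfNameOrdinals */
    uint32_t str = 0x300;
    for (int i = 0; i < 3; i++) {
        wr32(img, 0x240 + 4 * i, func_rvas[i]);
        wr32(img, 0x260 + 4 * i, str);
        wr16(img, 0x280 + 2 * i, ordinals[i]);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
    built = 1;
    return img;
}

int main(void) {
    const uint8_t *img = sample_image();
    printf("WinExec        -> RVA 0x%x\n", resolve_export_by_name(img, "WinExec"));
    printf("CreateProcessA -> RVA 0x%x (via hash)\n",
           resolve_export_by_hash(img, ror13_hash("CreateProcessA")));
    printf("NoSuchExport   -> RVA 0x%x\n", resolve_export_by_name(img, "NoSuchExport"));
    return 0;
}
```

The resolver deliberately does no bounds checking, which matches what real shellcode does against a trusted module in memory; a parser that must handle untrusted files would validate every RVA against the image size first. The ordinal table is exercised on purpose (name index 2, "WinExec", maps to function slot 1), since skipping that indirection is a classic bug in hand-written resolvers.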



Hello World in x86

2024-02-01 | #category_assembly #topic_calling_convention #topic_decompiler #topic_inline_assembly #topic_machine_code #topic_stack #topic_stack_string #topic_x86

Hello, World!

Programming is one of the most important skills in computer science. Typically, beginners take their first step into a new programming language by writing the iconic “Hello, World!” program. To keep this tradition and encourage beginners to build a strong foundation for their future work, my first blog post is about a “Hello, World!” program, this time written in x86 assembly.



Tagging Strategy

2024-01-22 | #category_house_keeping

Why

A “tag” is a keyword or label assigned to a post to categorize it and make it easier to organise and search for. Tags help classify content by its subject matter or key topics. Therefore, sharing my tagging strategy will help you navigate this blog and make full use of its contents.
