Author Archives: lazydaemon

PAN LabyREnth CTF – Windows #6

Sample: 3968259859f056853fc7efd2b858b3fcf0d7147a9c7f40049e5c2e131718a1d7 (PW: infected)
file Ambrosius.exe
Ambrosius.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
In this challenge, you have to find the correct key to encrypt the flag. The flag is encrypted with RC4 and can be found in an …

Posted in Reverse Engineering

PAN LabyREnth CTF – Windows #5

Sample: f919ed81cd4b78fdff54f8f34ac10e07079814e2eaee08bb3fb4fc19c3301f26 (PW: infected)
file RGB.exe
RGB.exe: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly
Compared to the previous challenge, this one was pretty easy. You need to adjust the controllers to the right value in order to get the …

Posted in Reverse Engineering, Uncategorized

PAN LabyREnth CTF – Windows #4

Sample: 3dd0d247d51df1e9c8ae594089c82608792f6bbc376e102aee52ad7c1baa91ab (PW: infected)
file JugsOfBeer.exe
JugsOfBeer.exe: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
This is an x64 binary that asks for a valid serial number, so you need to find the function that checks the input. In order to …

Posted in Reverse Engineering

PAN LabyREnth CTF – Windows #3

Sample: 57174eac6975871458d393301bbaa67e799e85ed66fefb912875152581eb2f79 (PW: infected)
file SquirtleChallenge.exe
SquirtleChallenge.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit
When you start the sample, you are prompted for a password, so the next step is to find out what that password is. After loading the file in IDA …

Posted in Reverse Engineering

PAN LabyREnth CTF – Windows #2

Sample: 351ff406e49f28518315e99a87e5020ec031883c69c291f86b6abe99b2d7c4ef (PW: infected)
file BabbySay.exe
BabbySay.exe: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly
The second sample was a really funny one. Starting the file shows a keyboard, and after some hard thinking I came to the conclusion that …

Posted in Reverse Engineering

PAN LabyREnth CTF – Windows #1

Sample: 61921d13ef1be2285301fceafa6ecd3d0a01d45f71fe620149975d63e92d3612 (PW: infected)
file AntiD.exe
AntiD.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit
The file is packed with UPX but, unfortunately, it cannot be unpacked the easy way with the UPX tool itself. You must unpack it manually. However, there are …

Posted in Reverse Engineering

How to set up a BinaryPig Multi-Node Cluster

Based on my BinaryPig Single-Node cluster tutorial, I’ll now explain how to set up a Multi-Node cluster. Your Single-Node cluster must be running properly before you start. I changed the username to “hadoop” to avoid confusion, but you can keep the …

Posted in Malware Analysis

Flare-On 2015 #5

First we’ll check the PCAP to see what’s going on. We can see that there are a couple of HTTP packets, so let’s filter for http: We can see that the last 4 bytes of each packet must be …

Posted in Reverse Engineering

Flare-On 2015 #4

OK, let’s start the sample first: Well, 2 + 2 = 4, that’s right. Let’s have a look at the imports: That’s not very much. Maybe it’s packed? Let’s check it with ExeinfoPe: it seems to be packed with UPX. This …

Posted in Reverse Engineering

Flare-On 2015 #3

Starting the executable results in a very nice picture but no real hint to start with. We can see that the file size of that executable is unusually big. Anyway, we’re doing some basic stuff like strings, and let’s …

Posted in Reverse Engineering