Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We’d like to help you along your way with a reverse engineering challenge put together by Siavosh as an introduction to reversing, and a bit of fun.
The Setup
This simple reversing challenge should take 4-10+ hours to complete, depending on your previous experience. The goal was to create an interactive challenge that takes you through different areas of the reverse engineering process, such as file format reverse engineering, behavioural and disassembly analysis.
Once you reached the final levels, you might need to spend some time understanding x86 assembly or spend some time refreshing it depending on your level. To help out, Siavosh created a crash course tutorial in x86 assembly for our malware workshop at 44con last year, and you can download that over here.
The zip file containing the reversing challenge and additional bytecode binaries could be found here.
Send your solution(s) to challenge at sensepost.com
The Scenario
You’ve been called into ACME Banks global headquarters to investigate a breach. It appears Evilgroup has managed to breach a server and deploy their own executable on it (EvilGroupVM.exe). The executable is software that accepts bytecode files and executes them, similar to how the Java Virtual Machine functions. Using this technique, Evilgroup hopes they can evade detection by antivirus software. Their OPSEC failure meant that both the virtual machine executable and several bytecode files were left behind after the cleanup script ran and it’s your job to work out the instruction set of EvilGroupVM.exe.
Disclaimer: When using the term “virtual machine” we mean something like the Java Virtual Machine. A software based architecture that you can write programs for. This particular architecture, EvilGroupVM.exe, has nine instructions whose operation code (opcode) you need to find through binary reverse engineering.
The tools you will require are:
- A hex editor (any will do)
- A disassembler like IDA (the free version for Windows will work if you don’t have a registered copy)
- A debugger, Olly or WinDBG on Windows, Gnu GDB or EDB on Linux https://www.gnu.org/software/gdb/
Basic Usage: Unzip the reverseme folder, open a command line and cd to it. Depending on operating system, type
Windows: EvilGroupVM.exe <BytecodeFile> Ubuntu Linux: ./EvilGroupVM <BytecodeFile>
For example, to run the helloworld bytecode file on Windows, you would type:
EvilGroupVM.exe helloworld
IMPORTANT: Note that the EvilGroupVM.exe architecture has debugging capabilities enabled. This means, it has one instruction that shows you the thread context of a binary when it is hit. Once you start developing your own bytecode binaries, it is possible to debug them (but you need to find the debug instruction/opcode first).
The outcome of this exercise should include the following key structures in your report:
- A description of the binary file format. For example:
- What does the bytecode file header look like?
- What determines where execution will start once the bytecode is loaded in the VM?
- Does the architecture contain other parts of memory (like a stack) where it can store data and operate on them?
- The instruction set including their impact on the runtime memory. You should:
- Find all instructions that the EvilGroupVM.exe accepts
- Analyse each of them and understand how they make changes to the runtime memory of the bytecodes thread
- Write a proof of concept self modifying bytecode file that prints your name to the screen. The binary must be self modifying, that is, you may not use the “print_char” instruction directly, rather, the binary must modify itself if it wants to make use of “print_char”.
- For the advanced challenge, if you have the ability and time, send us back a C file that, when compiled, will give an almost exact match compared to EvilGroupVM (Ubuntu Linux) or EvilGroupVM.exe (Windows). Focus on getting pointer arithmetic and data structures correct.
In case you missed it earlier, the zip file containing the reversing challenge and additional bytecode binaries could be found here.
Send your solution(s) to challenge at sensepost.com
Good luck!