1. Spy (Easy/Medium):
Basic xor decryption of a string with a (normally unreachable) method
for obtaining the key included in the provided binary. User supplies MD5 of
plaintext for the win. This one might be challenging.
Key can be determined through static analysis (specifically, by
looking at the getKey() function). However obtained, the key is then provided as a command
line argument to get the plaintext.
Key: 2935
Hints:
1) Little hint: The key is in something similar to pi
2) Big hint: Build a bridge to an island of unreachable code
Plaintext result with correct key:
(metaphorical) ladykiller, (real) mankiller.
MD5 of correct result:
61b7d4e5fc2ec41612dba5fae356e268
2. Sniper (Easy)
Patch an executable or alter its execution in a debugger correctly on
your first try for the win here. This one isn't intended to be too hard.
It isn't too difficult to pull the plaintext out if the (simple) ciphering algorithm is reversed, but it is much easier to run this through a debugger
and make the executable call saveMe() instead of deleteMe(). However, if the
user doesn't get it right on the first try, the file deletes itself -
forfeiting any advantage that could be gained by solving this puzzle
(unless they made a backup first).
Hints:
1) Little hint: The ciphering algorithm isn't *that* hard
2) Big hint: If you can't reverse the cipher, redirect execution to it
Plaintext result:
Thanks for standing still, wanker!
MD5 of correct result:
142baa46b11cc0a785066dcdc1158b82
3. Pyro (Medium)
The binary provided here actually contains two binaries. The first one
is an unpacker which decrypts the second binary, which is then temporarily
written to disk and run with execl(). The unpacked binary takes over the
original process image and takes control, deletes the temporary on-disk
copy of the unpacked binary, and won't spit out the victory string
unless sent the appropriate signal.
Plaintext result:
Mmrroommm! Mmmmmrrrrrr! *fwooosh!*
MD5 of correct result:
6fadffd2d794a52d230cd245796693a1
Hints:
1) Little hint: That is a pretty big binary.
2) Big hint: Did I see a file drop?
4. Scout (Medium/Hard)
This one is short, but tricky. The _start entry (responsible for calling
main() ) has been modified post-compilation to push the address of a function
other than main() to be the executable's entrypoint. However, IDA Pro still
labels the fake main() as the analysis start point, and the code that actually
runs isn't listed under IDA's function entrypoints. Only those that break on
_start or analyze the address being pushed for main() will catch this one :)
In addition, I intentionally include a false ret in the real main,
which confuses disassemblers. Users will have to manually mark the section
as code, which then obscures the data values contained within it.
Answer: I B 4 5 6 7 8 9 10 11 12 13 14 15 16
Plaintext result:
*Bonk!*
MD5 of correct result:
f590f8752a6763294861a2a3cfee9d6a
Hints:
1) Little hint: Your disassembler might be hindering your progress.
2) Big hint: This is not the main you are looking for ;)
5. Engineer (Hard)
This is another puzzle that is meant to frustrate people relying on
debuggers and disassemblers to do the work for them. There are two techniques
used to alter execution in ways that require comprehension of the instructions
in order to solve this puzzle. The first overwrites a libc standard function
at runtime by overwriting exit()'s entry in the Global Offset Table with
my own function. Static analysis will show exit() or _exit() being called,
but the runtime behavior is different. If this is caught by the reverser
and they attempt to use a debugger to follow the behavior, an anti-debugging
technique is used to keep the original exit() call in place.
The stealth exit() has had its disassembly obfuscated as well,
and the final string will only be decrypted if the user supplies the correct
argument - in this case, the integer 110.
Answer:
110
Plaintext result:
I'm an engineer. Which means I solve problems.
MD5 of correct result:
4f9bcd9bf846343f3b676a792cce8f
Hints:
1) Little hint: The end is just as important as the beginning!
2) Big hint: The parameter from the command line is the exit code.
6. Heavy (Easy)
This is a very straightforward problem which will require people to
brute-force the key. The idea is to break people away from straight reversing,
and require people to write a script to break the cipher. Hints will play
a huge part in people solving this quickly - especially the big hint,
as it will reveal four bytes of the key (the word 'is,' surrounded by spaces),
which contestents can use for automatic verification of decryption attempts.
Answer:
q R t u
Plaintext result:
Entire team is babies!
MD5 of correct result:
741c5db1c767bcd69c6a1c409a0ac320
Hints:
1) Little hint: No tricks here, brute force the key.
2) Big hint: the answer contains the word 'is'.
7. Demoman (Easy/Medium)
This is relatively simple - a socket is opened and listens for a
string. Upon receiving the string, the answer is decrypted and returned.
Answer:
eyelander
Plaintext result:
All o ya are dandies, prancin about with your heads full of eyeballs!
MD5 of correct result:
69bef23e85f507f147e012379b3559eb
Hints:
1) Little hint: Strings
2) Big hint: Netcat
8. Soldier (Easy)
Another easy one - just change the executable name to the correct string
before running to get the answer.
Answer:
Rename file to 'PuppySnuggy' before running.
Plaintext result:
And from that day forward any time a bunch of animals are gathered in one place it's called a zoo.
MD5 of correct result:
b7cec2e0e5dfec327140cbc841b55ff5
Hints:
1) Little hint: What is in a name?
2) Big hint: /proc is an incredibly useful mount.