Introduction During Christmas, I had some spare time, decided to give pwnable.tw another try and began solving challenge #6: You can connect to a service using nc chall.pwnable.tw 10101. The service binary dubblesort and its libc are available for download. Your goal is to send malicious input and spawn a shell. So, let’s connect to […]
Reverse Engineering, Capture the Flag Challenges, etc.
Writeup for Pwnable.tw #4
Introduction The last reversing CTF was so much fun that I started directly with the next challenge. For me, it was a very hard one and it took me several weeks (although I recognized, after reading other people's solutions, that my approach was far too complex ;). Nevertheless, it is still interesting and I want to describe the […]
Writeup for Pwnable.tw #3
Introduction At our last hackathon, Malfunction, Scotch and I tried to beat several CTFs. This article sums up the results of challenge #3 on pwnable.tw. The basic settings are: A calculator service runs on chall.pwnable.tw, port 10100. The corresponding calc binary can be downloaded for analysis. Send malicious input to the calculator to spawn a […]
Microsoft x64 Calling Convention with FASM
Introduction At the moment, I am working on a new Hyperion version with 64 bit support. The decryption stub of Hyperion is written using the flat assembler for 32 bit platforms. Therefore, the whole code needs to be ported. And this is where the fun begins ;). Two major aspects of the x86-64 architecture are […]
LoadLibrary and the PE Loader
I recently stumbled upon an interesting behaviour of the PE loader. Before releasing a new Hyperion version, I usually test it with several executables on different Windows platforms. In my old XP VM, everything went fine. Therefore, I started a Windows 7 instance and encrypted calc.exe with the following command: The options k and s […]