Jump to content
Tuts 4 You

ESET Malware Researcher...


Teddy Rogers

Recommended Posts

Teddy Rogers

ESET Malware Researcher

The program eset_reversing_challenge_1.exe was designed to test your skills in reverse engineering. The task is aimed at candidates for the position "Malware Researcher". Adequate programming knowledge and reverse engineering (code disassembling) skills are necessary for a successful completion of the task.

Your goal is to perform an analysis of the code of this executable. The analysis of the code should produce information about the payload of the program, conditions necessary for the execution of certain actions, etc.

Don’t get discouraged, put off, nor fooled! The program code can contain hidden files and text strings, conditional tasks, anti-debugging techniques and so on. If you don’t manage to overcome all obstacles, don’t despair, but send in your partial solution. Don’t forget that it’s also necessary to describe the procedure of your analysis, as your way of thinking can tell us more about your abilities than the results themselves. Send your results, analyses or comments to: analyst@eset.sk

Good luck with your investigation! :-)


/>http://joineset.com/w4-download/The_letter_to_applicant.pdf
/>http://joineset.com/researcher.html

Ted.

eset_reversing_challenge_1.zip

The_letter_to_applicant.pdf

  • Like 2
Link to comment
Share on other sites

solving this using patching is easy, but i honestly dont see a way to do ti without. :dunno:

anyways, got the link for challenge #2. :)

Thanks for the post, Teddy!

Link to comment
Share on other sites

did anyone else work on this?

#2.1 is not gennable, imo....does anyone know weather patching is allowed/genning is possible?

Link to comment
Share on other sites

did anyone else work on this?

#2.1 is not gennable, imo....does anyone know weather patching is allowed/genning is possible?

The application's executable cannot be modified.

The application's memory cannot be modified.

Haven't looked at it yet but it sounds intriguing :sweat:

Link to comment
Share on other sites

chickenbutt

lots of custom+crypted crypto routines, fake symbol table and imports, section with encrypted custom-routine key, EP trick. It's mostly encryption and allocation stuff, probable some dropper with a hidden message somewhere. No VM or emulation outside IT stuff though. I think they map another PE underneath crypto. It's pretty much a patched up Delphi dropper or loader.

I didn't look further, If you don't have at least one masters it's probably not worth the time if you're doing it for a career. If they wanted talent it'd have some encrypted VM or heavy packed driver obfusc and patching.

Edited by chickenbutt
Link to comment
Share on other sites

I didn't look further, If you don't have at least one masters it's probably not worth the time if you're doing it for a career. If they wanted talent it'd have some encrypted VM or heavy packed driver obfusc and patching.

hmmm if only the corporate world was looking for talent.

I doubt many people with a masters degree are checking this out.

Edited by quosego
Link to comment
Share on other sites

  • 1 month later...

hey guys, anyone solved second password(stage 2)? Is there any way to reverse the algorithm? Because brutefoce isnt effectiv in that case.

Link to comment
Share on other sites

2boni11

You must solve matrix equation =) There are some pitfalls, but it is easy.

2chickenbutt

in first stage only simple string obfuscation and antidebugging tricks, nothing hard. In last stage there are simple vm in driver (not obfuscated, but one trick used =)) look deeply).

It`s not so hard if you have some exp in re. Unfortunately i think, i had very bad english to join to company =/ In my country very small job market for reverse engineers =(

Link to comment
Share on other sites

  • 3 weeks later...

I'll take a look today, it looks interested. Matrix is something very easy, as long as you know basic multiplication of matrices you can do it.

Link to comment
Share on other sites

  • 2 years later...
  • 4 months later...

@Holy

"After some time thinking I decided to open .zip file in hex viewer and realized that it wasn’t a .zip file but an .exe :D!."

...

 

I tried to create a PE of these four files: UPX1, UPX0, CERTIFICATE ...
I never had the idea that this ZIP is EXE.

Link to comment
Share on other sites

I remember attempting the CrackMe a long while ago back in July. Unfortunately, I got stuck at the "Nope you didn't" message on the second stage. Haven't attempted it again since then. The .NET part looks the most fun though, since that is what I specialise in.


Link to comment
Share on other sites

really looking forward to crackme2014. liked this one. getting the correct password for the DLL took me the longest time. rest was kinda straightforward. however it was much fun.


Link to comment
Share on other sites

  • 1 month later...

hmmm if only the corporate world was looking for talent.

I doubt many people with a masters degree are checking this out.

 

I'm sure they want at least a bachelors and some paid experience like the rest.. But yeah, as long as there are dumb infrastructure descisions there are choice vulnerabilities and weak DRM.. Some guy who read the PE/COF doc and can pass a 'what kind of beer do you like?' HR interview, but sucks at basic mathematics and basic research, is always going to be lead dev at these 'ultimate protection' companies.. Even the concept of subscription based signature engines shows a good bit of illiteracy in game theory, economics, and basic software engineering, and how many times have DRM engines been defeated because someone doesn't know basic number systems and flake crypto implementations?

 

 

Regarding Actual working DRM for virtual binary formats: VM is the end game in pure software DRM. I don't see why anyone is messing with simple anti-debug anymore. Use stmettric key entry to make virtual chain of trust for all VM unwrapping and allocation, and watch everyone fail to defeat your protection.. Just don't do the crypto wrong like everyone else has for some reason.. The only way to defeat this is side channel and unlikely brute force on [VM HANDLER COUNT] keys..

Edited by chickenbutt
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...