Jump to content
Tuts 4 You
Sign in to follow this  
Teddy Rogers

ESET Malware Researcher...

Recommended Posts

Teddy Rogers

ESET Malware Researcher

The program eset_reversing_challenge_1.exe was designed to test your skills in reverse engineering. The task is aimed at candidates for the position "Malware Researcher". Adequate programming knowledge and reverse engineering (code disassembling) skills are necessary for a successful completion of the task.

Your goal is to perform an analysis of the code of this executable. The analysis of the code should produce information about the payload of the program, conditions necessary for the execution of certain actions, etc.

Don’t get discouraged, put off, nor fooled! The program code can contain hidden files and text strings, conditional tasks, anti-debugging techniques and so on. If you don’t manage to overcome all obstacles, don’t despair, but send in your partial solution. Don’t forget that it’s also necessary to describe the procedure of your analysis, as your way of thinking can tell us more about your abilities than the results themselves. Send your results, analyses or comments to: analyst@eset.sk

Good luck with your investigation! :-)


/>http://joineset.com/w4-download/The_letter_to_applicant.pdf
/>http://joineset.com/researcher.html

Ted.

eset_reversing_challenge_1.zip

The_letter_to_applicant.pdf

  • Like 2

Share this post


Link to post
-Alex-

*removed*


Edited by -Alex- (see edit history)

Share this post


Link to post
deepzero

solving this using patching is easy, but i honestly dont see a way to do ti without. :dunno:

anyways, got the link for challenge #2. :)

Thanks for the post, Teddy!

Share this post


Link to post
Apuromafo

http://joineset.com/statut.html

9. Contest duration

The contest starts May 9th, 2011 at 12:00 O’clock AM CET and ends August 31st, 2011 at 23:59 O’clock PM, CET.

ohh

nice teddy ^^

greetings Apuromafo

Share this post


Link to post
deepzero

did anyone else work on this?

#2.1 is not gennable, imo....does anyone know weather patching is allowed/genning is possible?

Share this post


Link to post
Killboy

did anyone else work on this?

#2.1 is not gennable, imo....does anyone know weather patching is allowed/genning is possible?

The application's executable cannot be modified.

The application's memory cannot be modified.

Haven't looked at it yet but it sounds intriguing :sweat:

Share this post


Link to post
chickenbutt

lots of custom+crypted crypto routines, fake symbol table and imports, section with encrypted custom-routine key, EP trick. It's mostly encryption and allocation stuff, probable some dropper with a hidden message somewhere. No VM or emulation outside IT stuff though. I think they map another PE underneath crypto. It's pretty much a patched up Delphi dropper or loader.

I didn't look further, If you don't have at least one masters it's probably not worth the time if you're doing it for a career. If they wanted talent it'd have some encrypted VM or heavy packed driver obfusc and patching.

Edited by chickenbutt (see edit history)

Share this post


Link to post
quosego
I didn't look further, If you don't have at least one masters it's probably not worth the time if you're doing it for a career. If they wanted talent it'd have some encrypted VM or heavy packed driver obfusc and patching.

hmmm if only the corporate world was looking for talent.

I doubt many people with a masters degree are checking this out.

Edited by quosego (see edit history)

Share this post


Link to post
boni11

hey guys, anyone solved second password(stage 2)? Is there any way to reverse the algorithm? Because brutefoce isnt effectiv in that case.

Share this post


Link to post
izlesa

2boni11

You must solve matrix equation =) There are some pitfalls, but it is easy.

2chickenbutt

in first stage only simple string obfuscation and antidebugging tricks, nothing hard. In last stage there are simple vm in driver (not obfuscated, but one trick used =)) look deeply).

It`s not so hard if you have some exp in re. Unfortunately i think, i had very bad english to join to company =/ In my country very small job market for reverse engineers =(

Share this post


Link to post
dn5

I'll take a look today, it looks interested. Matrix is something very easy, as long as you know basic multiplication of matrices you can do it.

Share this post


Link to post
samonek4

@Holy

"After some time thinking I decided to open .zip file in hex viewer and realized that it wasn’t a .zip file but an .exe :D!."

...

 

I tried to create a PE of these four files: UPX1, UPX0, CERTIFICATE ...
I never had the idea that this ZIP is EXE.

Share this post


Link to post
master131

I remember attempting the CrackMe a long while ago back in July. Unfortunately, I got stuck at the "Nope you didn't" message on the second stage. Haven't attempted it again since then. The .NET part looks the most fun though, since that is what I specialise in.


Share this post


Link to post
cypher

really looking forward to crackme2014. liked this one. getting the correct password for the DLL took me the longest time. rest was kinda straightforward. however it was much fun.


Share this post


Link to post
chickenbutt

hmmm if only the corporate world was looking for talent.

I doubt many people with a masters degree are checking this out.

 

I'm sure they want at least a bachelors and some paid experience like the rest.. But yeah, as long as there are dumb infrastructure descisions there are choice vulnerabilities and weak DRM.. Some guy who read the PE/COF doc and can pass a 'what kind of beer do you like?' HR interview, but sucks at basic mathematics and basic research, is always going to be lead dev at these 'ultimate protection' companies.. Even the concept of subscription based signature engines shows a good bit of illiteracy in game theory, economics, and basic software engineering, and how many times have DRM engines been defeated because someone doesn't know basic number systems and flake crypto implementations?

 

 

Regarding Actual working DRM for virtual binary formats: VM is the end game in pure software DRM. I don't see why anyone is messing with simple anti-debug anymore. Use stmettric key entry to make virtual chain of trust for all VM unwrapping and allocation, and watch everyone fail to defeat your protection.. Just don't do the crypto wrong like everyone else has for some reason.. The only way to defeat this is side channel and unlikely brute force on [VM HANDLER COUNT] keys..

Edited by chickenbutt (see edit history)

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...