Recent Posts
MRMCDCTF2019: ElizeVC Uncrypter
Solution to ElizeVC (Part II): Reconstructing the original binary
This is the second part of the solution to ElizeVC, one of my challenges for this year's MRMCDCTF. In the first part I explained how to get the flag without actually attacking the crypter. Here I will focus on how to defeat the protector and reconstruct the original binary (at least the interesting parts) from the encrypted file.
The Protection
The protector encrypts every function on its own (as opposed to, for example, the complete .
MRMCDCTF2019: ElizeVC
Solution to ElizeVC (very hard) from MRMCDCTF 2019
ElizeVC was the hardest challenge I had written for this year’s MRMCDCTF.
Protections
The binary of this challenge is protected with various methods:
crypter/protector: The binary is encrypted on a per-function basis. Each protected function is encrypted with 128-bit XTEA in Counter Mode, with different keys and IVs for every function. Whenever a protected function is entered, the uncrypter is called, which decrypts the function in place.
MRMCDCTF2019: Carbonara
Solution to Carbonara (medium - hard) from MRMCDCTF 2019
Carbonara is another one of my challenges for MRMCDCTF 2019. Just like KonradVC, it employs an anti-reversing trick, but of a completely different kind: the code is chopped into small pieces, each one instruction long. These pieces are saved in random order, and connected by jmps. The resulting code executes the instructions in the right order, but looks like a total mess.