Scan of the Month
Scan 33

This month's challenge is to analyse an unknown binary, in an effort to reinforce the value of reverse engineering and to improve (by learning from the security community) the methods, tools and procedures used to do it. This challenge is similar to SotM 32; however, this binary implements mechanisms that make it much harder to analyse, in order to protect it against reverse engineering. Submissions are due no later than 23:00 GMT, Friday, 03 December 2004, and the results will be released Monday, 10 January (NOTE: this is a change, *again*). Review the challenge submission rules at the SOTM homepage before submitting your results.

Skill Level: Advanced/Expert

The Challenge:
All we are going to tell you about the binary is that it was 'found' on a WinXP system and has now been sent to you for analysis. You will have to analyse it in depth and gather as much information as possible about its inner workings and what the goal of the binary is. The main goal of this challenge is to teach people how to analyse heavily armored binaries. Such techniques are likely to be needed in the future, and it's time to get used to them. The top three winners get a signed copy of the book Know Your Enemy: 2nd Edition.

Download the Image (17 KB)
MD5 (0x90.exe) = 7daba3c46a14107fc59e865d654fefe9
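Before analysing the sample, confirm that the download matches the MD5 published above. The script below is an added example and is not part of the original challenge page or its author's tooling: it computes the digest portably (md5sum on Linux, md5 on BSD/macOS, openssl as a fallback), compares it case-insensitively to the expected value, and returns a distinct exit code for a mismatch versus a missing file. Note that MD5 is no longer collision-resistant, so a matching digest guards against a corrupted or truncated download, not against a deliberately substituted file from an untrusted mirror.

```shell
#!/bin/sh
# Added example (not from the original page): verify a downloaded challenge
# sample against its published MD5 before starting analysis.

# md5_of FILE
# Print the lowercase hex MD5 digest of FILE, using whichever tool is present.
md5_of() {
    {
        if command -v md5sum >/dev/null 2>&1; then
            md5sum "$1" | awk '{print $1}'
        elif command -v md5 >/dev/null 2>&1; then
            md5 -q "$1"
        else
            openssl dgst -md5 "$1" | awk '{print $NF}'
        fi
    } | tr 'A-F' 'a-f'
}

# verify_md5 FILE EXPECTED_HEX
# Exit status: 0 when the digest matches, 1 on mismatch, 2 if FILE is missing.
# The expected digest may be given in either case.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected $expected got $actual" >&2
    return 1
}

# Usage for this challenge (digest as published on the page):
#   verify_md5 0x90.exe 7daba3c46a14107fc59e865d654fefe9
```

Run the check from the directory holding the downloaded sample; a non-zero exit code is what you want to gate any further handling on, since scripted triage should stop rather than proceed on a file whose integrity is unknown.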

Questions

Ensure you document the procedures, tools and methods used.

  1. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
  2. Something uncommon has been used to protect the code from being reverse engineered. Can you identify what it is and how it works?
  3. Provide a means to "quickly" analyse this uncommon feature.
  4. Which tools are the most suited for analysing such binaries, and why?
  5. Identify the purpose (fictitious or not) of the binary.
  6. What input is the binary waiting for from the user? Please detail how you found it.

Bonus Question:

  • What techniques or methods can you think of that would make the binary harder to reverse engineer?

The Results:
This month's challenge image and questions were led by Nicolas Brulez of the French Honeynet Project. You can find his official writeup here.

Writeup from the Security Community

First of all, we would like to apologize for the delay; the end of the year has been very busy here. The submissions were also extremely difficult to judge because of their excellent quality. The rankings were done by following the SOTM rules, which means that a submission must not only be technically sound but also easy to read, with a clear presentation of the methods used, so that people can actually learn from it. Thus, a very technical document that is hard to follow will not rank as high as a clear document of average technical depth that shows its methods for others to learn from. Finally, we changed the Top 3 to a Top 5 for this challenge, as the entries were all extremely close. All of the Top 5 submissions will receive a signed copy of the 2nd Edition of the Know Your Enemy book.

Top 5

Next 7

