Full Report
This is a write-up for solving the devils-swapper RE challenge. It was mostly intended for my personal archive, but since it may be interesting to all of you. This especially applies if you're still rather new to the whole RE world, as the write-up turned out
Analysis Summary
# Tool/Technique: Devils Swapper RE Challenge Solution Artifacts
## Overview
This summary details the analysis and solution process for the "Devils Swapper" Reverse Engineering (RE) challenge. The process involved initial static analysis, string decryption via ROT13, hypothesizing the functionality based on hints (like the `dd` command's `conv=swab` flag), and finally developing a custom brute-force script to reverse the binary's proprietary decryption logic, ultimately recovering the secret message.
## Technical Details
- Type: Technique (Reverse Engineering Methodology) / Challenge Artifact
- Platform: Linux (ELF 64-bit Binary)
- Capabilities: Static and dynamic analysis of stripped ELF binaries, classical cipher identification (ROT13), and proprietary executable logic reversal.
- First Seen: Not applicable (This is a write-up of a solved challenge)
## MITRE ATT&CK Mapping
Since this is a write-up detailing the process of solving a challenge, mappings relate to the techniques *used by the analyst* or the general nature of the artifact:
- T1027 - Obfuscated Files or Information (The binary likely employs obfuscation or proprietary logic)
- T1027.002 - Software Packing (The initial setup command suggests data packing/encoding)
## Functionality
### Core Capabilities
- **Initial Triage:** Identifying the binary as a stripped 64-bit ELF executable.
- **String Analysis:** Discovering an obfuscated string ("Purpx qq pbai bcgvbaf").
- **Cipher Identification:** Determining that the obfuscated string was encoded with **ROT13** ($k=13$ Caesar cipher); decoding "Purpx qq pbai bcgvbaf" yields the hint "Check dd conv options".
- **Hypothesis Generation:** Linking the challenge name/hints to the Linux `dd` utility, specifically the `conv=swab` option (swap pairs of input bytes).
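The two first-stage transforms above, as an added example in Python (not the write-up's own code): ROT13 to decode the embedded hint, and a pair-wise byte swap that replicates `dd conv=swab`, with an optional cross-check against the system `dd` when one is installed. The obfuscated string is the one the write-up recovered from the binary; the function names and the sample inputs are illustrative.

```python
import codecs
import shutil
import subprocess

# Obfuscated string recovered from the binary with `strings` (from the write-up).
OBFUSCATED_HINT = "Purpx qq pbai bcgvbaf"


def rot13(text: str) -> str:
    """Caesar shift with k=13 over ASCII letters; other characters pass through.
    13 is half the alphabet, so the same function both encodes and decodes."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_hint() -> str:
    """Decode the embedded hint and cross-check against the stdlib rot_13 codec."""
    decoded = rot13(OBFUSCATED_HINT)
    assert decoded == codecs.decode(OBFUSCATED_HINT, "rot_13")
    return decoded


def swab(data: bytes) -> bytes:
    """Swap every pair of input bytes, as `dd conv=swab` does. With an odd
    byte count the last byte is copied unchanged (GNU dd behaviour).
    Applying it twice restores the input."""
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)


def swab_matches_dd(data: bytes):
    """Run the real `dd conv=swab` on `data` if dd is installed and compare
    its output with swab(). Returns True/False, or None when dd is unavailable."""
    if shutil.which("dd") is None:
        return None
    proc = subprocess.run(["dd", "conv=swab"], input=data,
                          capture_output=True, check=True)
    return proc.stdout == swab(data)


if __name__ == "__main__":
    print(decode_hint())            # Check dd conv options
    print(swab(b"hello"))           # b'ehllo'
    print(swab_matches_dd(b"hello"))
```

Because `swab` is an involution, the same function undoes the swap; that is why a `conv=swab` hint can be tested directly on the binary's output without first deciding which direction the swap was applied in.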
### Advanced Features
- **Proprietary Decryption Reversal:** Analyzing functions (`sub_4001D0`, logic involving `mapping` array and calculation of `al_ebx_w_usr`) to expose the custom decryption function.
- **Brute-Force Implementation:** Creating a Python script to iterate through potential input characters (`ALPHABET`) and testing against the observed internal logic, stopping at the first instance meeting defined conditions ($j=11$).
- **Result Confirmation:** Successfully obtaining a human-readable decrypted string ("congratulations for solving the challenge").
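The position-by-position brute force described under "Brute-Force Implementation", as an added example that is not the write-up's solver. The binary's real `mapping` array and the `al_ebx_w_usr` computation are not reproduced on this page, so `MAPPING` and `forward()` below are a constructed stand-in with the one property the approach relies on: each output byte is determined by the input byte at the same position (here also by the position itself). The solver treats `forward()` purely as an oracle, so the same loop would work unchanged against any transform with that property; `ALPHABET` is an assumed candidate set.

```python
import string

# Candidate characters tried at each position. The write-up's solver also
# iterated over an ALPHABET constant; this particular set is an assumption.
ALPHABET = string.ascii_lowercase + " "

# Constructed stand-in for the binary's `mapping` table: a byte permutation
# (7 is coprime to 256, so this is a bijection). Not the challenge's table.
MAPPING = [(7 * i + 3) & 0xFF for i in range(256)]


def forward(plaintext: bytes) -> bytes:
    """Stand-in for the binary's transform. Output byte i depends only on
    the input byte at i and on i itself, which is what makes per-position
    search possible: one unknown byte at a time instead of the whole string."""
    return bytes(MAPPING[(b + i) & 0xFF] for i, b in enumerate(plaintext))


def brute_force(target: bytes, alphabet: str = ALPHABET) -> str:
    """Recover the plaintext that forward() maps to `target`, one position at
    a time, keeping the first candidate whose output byte matches. Raises if
    no candidate in the alphabet matches, rather than silently guessing."""
    recovered = bytearray()
    for i in range(len(target)):
        for c in alphabet:
            candidate = bytes(recovered) + c.encode("ascii")
            if forward(candidate)[i] == target[i]:
                recovered.append(ord(c))
                break
        else:
            raise ValueError(f"no candidate in alphabet matches position {i}")
    return recovered.decode("ascii")


if __name__ == "__main__":
    secret = b"congratulations for solving the challenge"
    print(brute_force(forward(secret)))
```

The `for ... else` raises when a position cannot be matched, which is the usual sign that the candidate alphabet is too small or that the hypothesised transform is wrong for that position; a solver that instead skips the position produces output that looks plausible but is not the binary's actual secret.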
## Indicators of Compromise
*Note: As this is an analysis of an intentionally constructed challenge binary, not live malware, IOCs are mostly theoretical or derived from the challenge setup.*
- File Hashes: Not provided in the excerpt (the analyst used a provided binary).
- File Names: `challenge` (after reconstruction).
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Runs without errors but emits unreadable output until the correct input is supplied or the reversed decryption logic is applied to its output.
## Associated Threat Actors
- Not applicable. This relates to a publicly available reverse engineering challenge, not a specific threat group.
## Detection Methods
- **Static Analysis:** Using tools like IDA Pro to map function flow, identify string references, and analyze assembly logic.
- **String Analysis:** Using the `strings` utility to find obfuscated embedded text.
- **Custom Scripting:** Developing targeted scripts to automate the hypothesized or reversed cryptographic routines.
## Mitigation Strategies
*Note: The strategies below describe how to approach reversing similar proprietary or obfuscated binaries, not how to defend against them.*
- **Advanced Static Analysis:** Utilizing disassemblers/decompilers capable of handling complex control flow.
- **Automated De-obfuscation:** Employing symbolic execution or custom scripts to reverse complex proprietary algorithms.
- **Input Validation/Fuzzing:** Testing the binary with various defined inputs to trigger successful execution paths.
## Related Tools/Techniques
- **ROT13:** A simple substitution cipher (Caesar shift by 13) used to hide the in-binary hint; it is its own inverse, so one pass decodes it.
- **`dd` utility (`conv=swab`):** Hinted at byte-swapping functionality.
- **IDA Pro:** Used for static binary analysis.
- **Python Scripting:** Used for developing the custom brute-force reverse engineering solver.