Full Report
Note: This is a re-upload of an old write-up. This is another write-up from an interesting little challenge. The original forum post about it can be found here. To get your hands on the challenge I've prepared the base64 text representation of it once again below so you
Analysis Summary
# Tool/Technique: ReverseMe Challenge Binary (Custom Logic)
## Overview
The analyzed artifact is a custom, unstripped x64 ELF executable designed as a reverse engineering challenge ("ReverseMe"). The primary purpose of the binary is to validate a user-provided 4-digit numerical key through a series of complex arithmetic and bitwise operations involving negation, addition, bitwise AND, and conditional jumps.
## Technical Details
- Type: Tool (Custom Challenge Binary/Logic)
- Platform: Linux (x86-64)
- Capabilities: Validates a specific 4-digit numerical key based on derived conditions for each digit.
- First Seen: Not explicitly stated, referenced as an "old write-up."
## MITRE ATT&CK Mapping
This is a custom executable performing input validation, relevant for a defensive analysis context focusing on local system interaction.
- **T1059 - Command and Scripting Interpreter**
- T1059.006 - Python (If used for key generation/interaction)
- **T1027 - Obfuscated Files or Information**
- T1027.002 - Compiled Code Artifacts (The binary itself hides the logic)
## Functionality
### Core Capabilities
1. **Input Fetching and Validation:** Reads user input from standard input, expecting a key that must be a number.
2. **Length Check:** Verifies the key length is exactly 4 digits.
3. **Digit-by-Digit Processing:** Processes each of the four input bytes sequentially.
### Advanced Features
The validation logic relies on interactions between the input byte ($B$), its negation ($-B$), and $B+1$, followed by a bitwise AND whose result steers the control flow:
* **Byte 1 Validation:** The specific logic is not detailed but results in the prefix `5`.
* **Byte 2 Validation (Key component $4$):** The logic hinges on passing a check involving $\text{result} = (-B_2) \ \& \ (B_2+1)$. The required result passed to the subsequent `test eax, eax` is $\text{result} = 0x4$. This is achieved when $B_2 = 4$.
* **Byte 3 Validation (Key components $1, 2, 9$):** Similar logic to Byte 2, but the required result passed to the subsequent `test eax, eax` is $\text{result} = 0x2$. Inputs $B_3 \in \{1, 2, 9\}$ satisfy this condition.
* **Byte 4 Validation (Key component $7$):** The final digit is validated using the same underlying technique, where $B_4 = 7$ allows it to pass the final check and output the success message.
The successful key derived from the provided analysis is **5317**. (Note: the analysis appears to derive $5$ for the first byte and $3$ for the second byte, even though the text specifically analyzes the case where $B_2 = 4$ passes the check; the final example key given in the source text is $5317$.)
## Indicators of Compromise
Since this is a self-contained challenge used locally, traditional IOCs are minimal:
- File Hashes: SHA1: `917a8066affea23dc0c37a01c9004f8efa4e4c25` (Based on the file analysis provided)
- File Names: `bin`
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Reads 4 characters from stdin and performs arithmetic/bitwise operations on them during execution.
## Associated Threat Actors
None. This is associated with a "challenge" or CTF context.
## Detection Methods
Since this is a locally executed file with no networking, detection focuses on file artifacts and process behavior:
- Signature-based detection: Utilizing the provided file hash.
- Behavioral detection: Monitoring execution of unstripped ELF binaries exhibiting custom input validation logic and high entropy in computation paths (if the obfuscation were more complex).
- YARA rules: Could be created targeting unique hexadecimal constants or instruction sequences used in the key derivation logic.
## Mitigation Strategies
As this is a benign challenge file, mitigation primarily concerns preventing unauthorized execution of unknown binaries:
- Prevention measures: Executable restriction policies; application whitelisting.
- Hardening recommendations: Use of Mandatory Access Control (MAC) systems like SELinux or AppArmor to restrict the execution environment of suspicious files.
## Related Tools/Techniques
- General cracking/key verification logic, common in software protection schemes and security challenges.
- Techniques involving bitwise manipulation for anti-debugging or hardware-level checks, although utilized here for simple validation.