Month: February 2018

Writing a simple x86 emulator with IDAPython

elias IDAPython, Reverse Engineering , ,

Often times, when I stumble upon IDAPython scripts, I notice that they are using inefficient / incorrect IDAPython APIs to disassemble or decode instructions (for instance using idc.GetMnem() or idc.GetDisasm()). Therefore, in this blog post, I am going to illustrate how to use IDA’s instruction decoding functions from IDAPython in order to write a very simple x86 emulator. The goal is to demonstrate the correct use of instruction decoding IDAPython APIs. By the end of this post, you should be able to solve similar problems using IDAPython. Continue reading

Blizzard CTF 2017 – The LichKing Reverse Engineering challenge walkthrough

elias Uncategorized , , , ,

The Lichking challenge

Challenge demo. Click on the picture to enlarge it.

I created this challenge for the Blizzard 2017 CTF competition that took place on 11/05/2017 in the eSports Arena in Santa Ana, Orange County, CA.
(https://ctftime.org/event/487). After the CTF event was over, I decided to release it to public and see who can crack it.

This challenge is inspired by the picture password login feature from Windows 8. When you run the challenge, you will be presented with a picture. Your goal is guess what are the 4 secret coordinates (hidden spots) in the picture that you should be clicking using the correct sequence. Once guessed correctly, a congratulatory message box is displayed. If you fail to guess the right 4 points coordinates, then you will see an error message.

This is a pure reverse engineering puzzle and therefore you won’t find any obfuscation or anti-debugging/reverse engineering tricks whatsoever. In the challenge, I left a bunch of hints to make it easy for others to solve the puzzle. Nonetheless, taking the brute-force approach leads to uncovering the hidden message, however this is not the proper solution I am expecting from participants. Continue reading

StarCraft: Emulating a buffer overflow for fun and profit – REcon Brussels, 2018

elias Uncategorized , ,

Today I present my talk at REcon Brussels. It was about a problem I had to solve at work.

Basically, the classic StarCraft 1.16.1 had a buffer overflow that was exploited to create impressive maps well beyond the original game programming.

In this talk, I explained how I tackled the problem and emulated the buffer overflow so that exploited maps work on the latest version of StarCraft.

By the way, “StarCraft: Remastered” is free (in low-resolution, the HD resolution must be purchased). Download it from Battle.net.

Here’s the full talk abstract:

StarCraft 1.16.1 and older had a buffer overflow bug in the map parsing code. The hackers in South Korea leveraged the buffer overflow to create mods for the game. The mods became so popular that if we fix the buffer overflows we kill all the mods.

This talk shares the technical difficulties faced while solving this problem and also illustrates the various reverse engineering techniques used along the way:

  • How I approached the problem and how the reverse engineering efforts helped solving them
  • How I developed the tracers and instrumentation tools needed for the job
  • How the emulator was designed

You can also download the slides from here: