Blizzard CTF 2017 – The LichKing Reverse Engineering challenge walkthrough

The Lichking challenge

Challenge demo.

I created this challenge for the Blizzard 2017 CTF competition that took place on 11/05/2017 in the eSports Arena in Santa Ana, Orange County, CA (https://ctftime.org/event/487). After the CTF event was over, I decided to release it to the public and see who can crack it.

This challenge is inspired by the picture password login feature from Windows 8. When you run the challenge, you will be presented with a picture. Your goal is to guess the 4 secret coordinates (hidden spots) in the picture and click them in the correct sequence. Once guessed correctly, a congratulatory message box is displayed. If you fail to guess the right coordinates of the 4 points, you will see an error message.

This is a pure reverse engineering puzzle and therefore you won’t find any obfuscation or anti-debugging/anti-reverse-engineering tricks whatsoever. In the challenge, I left a bunch of hints to make it easy for others to solve the puzzle. Nonetheless, a brute-force approach will also uncover the hidden message; however, that is not the proper solution I am expecting from participants.

StarCraft: Emulating a buffer overflow for fun and profit – REcon Brussels, 2018

Today I presented my talk at REcon Brussels. It was about a problem I had to solve at work.

Basically, the classic StarCraft 1.16.1 had a buffer overflow that was exploited to create impressive maps well beyond the original game programming.

In this talk, I explained how I tackled the problem and emulated the buffer overflow so that exploited maps work on the latest version of StarCraft.

By the way, “StarCraft: Remastered” is free (in low resolution; the HD resolution must be purchased). Download it from Battle.net.

Here’s the full talk abstract:

StarCraft 1.16.1 and older had a buffer overflow bug in the map parsing code. The hackers in South Korea leveraged the buffer overflow to create mods for the game. The mods became so popular that if we fix the buffer overflows we kill all the mods.

This talk shares the technical difficulties faced while solving this problem and also illustrates the various reverse engineering techniques used along the way:

  • How I approached the problem and how the reverse engineering efforts helped solve it
  • How I developed the tracers and instrumentation tools needed for the job
  • How the emulator was designed

You can also download the slides from here:

Introducing Ganxo v0.1 Alpha – An open source API hooking framework

Hello,

Today I release the first Alpha version of Ganxo (pronounced as “Gun Show” or “Gan Chou”), an open source API hooking framework. In Catalan, Ganxo means “hook”, thus the framework’s name.

Writing an API hooking framework was always on my to-do list. I started developing Ganxo back in April 2016 and, after two weeks of development during my free time, I got busy with other things and abandoned my efforts.

My initial goals were to accomplish the following before going public with it:

  • Support x86 and x64 hooking
  • Write a more extensive test suite
  • Fully document it

This past weekend, I decided to release Ganxo even though I have not met all my goals. As of today, Ganxo works on MS Windows and supports x86 API hooking. The groundwork is laid down and it should be easy to add x64 hooking support on Windows or even just port it to other operating systems.

Feel free to clone the code from here and start using it today.

Stay tuned, I have more features planned for the future!

While at it, check out my Batchography book!

Genesis

Hi there,

This is not the real genesis! This is a continuation from my WordPress hosted blog http://0xeb.wordpress.com/.

This blog will be dedicated to programming, reverse engineering and ranting about the IT industry.

Notable previous blog posts: