I’ve been working on my programming recently to help improve my reverse engineering skills and I’ve just finished writing my first reverse engineering capture the flag. I’ve tried to make the assembly as clear and simple as possible, whilst still remaining challenging, to allow inexperienced REs to be able to step through and really get a grasp of how the data is handled and passed around. Getting to the end is not the goal here. The real value is in being able to read the assembly and know what each level is doing, stopping to research any unknown functions or calls to build your knowledge. And, it’s Zombieland themed! Why?….Why not!?

The CTF itself has been written in C and is compiled as a 32-bit executable. You can find the CTF at the following link (PW – Mcb_ctf1!):

https://drive.google.com/file/d/1V1RV-9cpLFzWD92cTVGj7uawQybU_tMu/view?usp=sharing

SHA1: C7DED4460C7162F16D5A8D0788C757B5CB5E0F72 (Zl_CTF.7z)

SHA1: D80B68AD35C8EC0A3516A58D07CFF4AFC4A1A5F0 (Zl_CTF.exe)

! This file is not malicious in any way !

The idea is to use reverse engineering to find the correct answer for each stage, then run the executable and feed it the answers to progress through the story.

Rules

No patching!!! – If you feel the need to patch the code, you’re not understanding it.

No spamming the inputs – Anyone can throw a hundred guesses at it and eventually get it right! You’re only cheating yourself if you do this.

Use only reverse engineering techniques to determine what input the program is looking for at each level, then provide the input through the cmdline when it asks.

Tips

Build an analysis VM if you don’t already have one. A good, easy option is FlareVM found at: https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html

I recommend using IDA Pro (Free) and X32dbg simultaneously on your analysis VM. Split the screen if you have a big enough monitor (or multi-screen), eg:

Start in IDA and read through each level as you come to it. Really try to understand whats going to happen before you start stepping through it in x32dbg:

If you come across a call you’re not fimiliar with, research it to understand what it expects as input and what it will output as a result. (If you’re researching a Windows API it helps to include “MSDN” in your search).

Once you think you know all you can from IDA, begin to step through the code in x32dbg to prove your theory.

Once you reach the prologue of each level, follow ESP in the dump (right-click esp) so you can view data being passed into or being retreived from memory:

If you see a pointer being used, eg. [esp-D], use the Windows calculator programmer mode to determine the address and what data is being accessed. This is not manditory to completing the CTF but it is extremely helpful for really cementing the theory behind how data is passed between the various registers and the stack:

It can also be really helpful to map out the logic of a function and try to translate the assembly back into its original source code. Especially with more complex functions with nested loops or recursion involved.

Hopefully, this will be helpful for some people who are struggling to get started in RE. I really enjoyed developing this and I will be looking at creating some more challenging CTFs in the future.

And, if you do enjoy it, please share/tweet the love!