
Reverse Engineering of The Application. Part 2 (Advanced) ENG

The document outlines the process of reverse engineering an application, focusing on techniques such as encryption, hashing, and code obfuscation. It discusses methods for dynamic loading of libraries, anti-debugging techniques, and the importance of analyzing entry points and user input. Additionally, it covers algorithms for flag checking, static and dynamic analysis, and strategies for recovering hidden data.

Uploaded by

kelfernandes2008

Reverse engineering

Reverse engineering of the application. Part 2

Introduction to the task


In this task, you have to examine the file reverse_me.exe and find the flag hidden in it.

The exercise includes working with:

• Encryption (the data in the file may be encrypted; we need to understand which algorithm is used)
• Hashing (it is possible that the virus uses hash functions, for example SHA256, to verify passwords)
• Transformations (data may be changed with XOR or other mathematical operations)



Code obfuscation

Code obfuscation is a method of transforming program code to make it difficult to analyze.

Obfuscation may include:

• Using unnecessary instructions
• Converting simple expressions to complex ones
• Replacing variables with meaningless names
• Using complex structures to store data*

*for example, repeated use of XOR

Dynamic loading of libraries

Dynamic loading of libraries is a method where function addresses are calculated during program execution. This makes static analysis difficult because the functions are not always visible in the source code of the program. Attackers can use dynamic loading to hide functionality.



Debug protection methods
The following anti-debugging techniques are often used to protect against reverse engineering:

• Checking for debuggers during execution.
• Shutting down the program when a debugger is detected.
• Changing the behavior of a program when running in a debugging environment.



Entry points and input analysis

In reverse engineering, it is important to find the entry point of the program that initializes execution. It is also critical to understand how the program handles user input.

In the case of a flag, the data entered by the user is typically validated or encrypted before being compared to the correct value.



Flag checking algorithm
The program can use various methods to check a flag:

• XOR encryption: data is converted using a key, and the correct input is
compared to the encryption result.
• Hashing: the program can generate a hash of the entered data and
compare it with a previously known hash (e.g. SHA256).
• Multiple checks: in complex cases, checking the flag may involve
multiple stages of data processing and data conversion.



The XOR algorithm

XOR (eXclusive OR) is a cryptographic operation in which two bits are compared and the result is 1 if the bits are different and 0 if they are the same.

In reverse engineering, XOR can be used to encrypt or mask data. An important task is to find the correct decryption key.
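The XOR flag check described above, together with its reversal, as an added example that is not part of the original slides. The key, the flag and all function names are constructed for illustration; in a real task the key and the masked bytes are read out of the binary.

```python
from itertools import cycle
from typing import Optional

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# Constructed sample values (assumptions, not taken from reverse_me.exe).
KEY = b"\x13\x37\x42"
MASKED = xor_bytes(b"FLAG{x0r_is_its_own_inverse}", KEY)

def check_flag(user_input: bytes) -> bool:
    """What the checker does: mask the input, compare with the stored bytes."""
    return xor_bytes(user_input, KEY) == MASKED

def recover_flag(masked: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the stored bytes and the key give the flag."""
    return xor_bytes(masked, key)

def recover_key(masked: bytes, known_prefix: bytes,
                max_len: int = 8) -> Optional[bytes]:
    """Known-plaintext recovery: masked ^ plaintext is the key stream.

    Returns the shortest repeating unit of that stream. If the prefix is
    shorter than the real key the result is only a guess, so a candidate
    key should always be confirmed by decrypting the whole buffer.
    """
    stream = xor_bytes(masked[:len(known_prefix)], known_prefix)
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

if __name__ == "__main__":
    key = recover_key(MASKED, b"FLAG{")
    print(key.hex(), recover_flag(MASKED, key))
```
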



Hashing data

Hashing is the process of converting data into a fixed-length string. It is often used to verify data integrity. Examples of hashing algorithms: SHA256, MD5. In reverse engineering, it is often necessary to recover data by comparing its hashes with known values.
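A hash cannot be run backwards, so recovery means hashing candidate inputs and comparing each digest with the stored one. The sketch below is an added example, not code from the original slides; the byte blob, the flag and the function names are constructed, and the candidates are taken from a printable-string search over the blob.

```python
import hashlib
import hmac
import re

# Constructed sample: bytes standing in for a data region of the binary.
BLOB = (b"\x00\x01Enter flag:\x00\x90\x90FLAG{decoy}\x00"
        b"\xffFLAG{h4sh_m4tch}\x00Wrong!\x00")
# Constructed target: in a real task this is the digest constant the
# checker compares against, read out of the binary.
TARGET = hashlib.sha256(b"FLAG{h4sh_m4tch}").hexdigest()

# The hex length of a digest tells apart the two algorithms the page names.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}

def printable_strings(blob, min_len=4):
    """Static-analysis style string search: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

def match_digest(candidates, target_hex):
    """Hash every candidate; return the one whose digest equals the target."""
    target_hex = target_hex.lower()
    algo = ALGO_BY_HEX_LEN.get(len(target_hex))
    if algo is None:
        raise ValueError("unexpected digest length")
    for cand in candidates:
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if hmac.compare_digest(digest, target_hex):
            return cand
    return None  # the input is not among the candidates

if __name__ == "__main__":
    print(match_digest(printable_strings(BLOB), TARGET))
```
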



Static and dynamic analysis

1. Static analysis: analysis of a program without its execution. For example, parsing code using a disassembler, searching for strings or functions that may contain a flag.
2. Dynamic analysis: analysis of a program during its execution. It is used to track changes in memory. It examines how the program interacts with the operating system and how it processes data.



Breakpoints and tracing

Breakpoints are often used for dynamic analysis to pause program execution at the right moment. This makes it possible to analyze the values of variables and the call stack, as well as to track how data changes during program execution.



Search for hidden functions

Hidden or dynamically loaded functions can be found using debuggers or by analyzing function calls that cause data to be loaded. It is often important to keep track of system calls or calls to dynamic libraries (for example, via LoadLibrary).
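A first static pass for the dynamic-loading and anti-debugging behaviour described on these slides is to look for the relevant Windows API names in the file, both as ASCII and as UTF-16LE. This is an added example, not code from the original slides; the sample bytes are constructed, and the API list beyond LoadLibrary is an assumption about what is worth flagging.

```python
# Constructed sample: bytes standing in for the contents of a PE file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00\x00"
    + "IsDebuggerPresent".encode("utf-16-le")
    + b"\x00\x00user32.dll\x00"
)

# API names grouped by the behaviour they hint at (assumed watch list).
INDICATORS = {
    "dynamic_loading": ["LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                        "LoadLibraryExW", "GetProcAddress"],
    "anti_debug": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"],
}

def find_all(blob: bytes, needle: bytes):
    """Return every offset at which needle occurs in blob."""
    offsets, pos = [], blob.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(needle, pos + 1)
    return offsets

def find_indicators(blob: bytes):
    """Map category -> {api_name: [offsets]} for names present in blob."""
    hits = {}
    for category, names in INDICATORS.items():
        for name in names:
            offsets = []
            for encoding in ("ascii", "utf-16-le"):
                offsets += find_all(blob, name.encode(encoding))
            if offsets:
                hits.setdefault(category, {})[name] = sorted(offsets)
    return hits

if __name__ == "__main__":
    for category, names in find_indicators(SAMPLE).items():
        for name, offsets in names.items():
            print(f"{category:16} {name:28} {[hex(o) for o in offsets]}")
```

An empty result does not clear a sample: a program that builds these names at run time, for example with XOR, shows nothing here, and that case is where breakpoints on the loader calls come in.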



Flag recovery

1. Input analysis: first of all, it is necessary to find out how the program
processes user input.
2. Understanding logic: study what functions are called during data
processing and how they interact.
3. Data modification: based on the identified algorithms, reconstruct the
flag or develop a program to generate it.



Conclusion
Reverse engineering requires a combination of knowledge of programming,
cryptography, and working with analysis tools.
It is important to be able to work with both dynamic and static analysis, and to be
prepared for protection methods such as obfuscation or anti-debugging. These
skills are necessary to recover hidden data, such as a flag, in complex tasks.
