T2´08 Challenge status update

It would seem that the Challenge is more challenging this year – we have not received a single correct answer yet. This is the first time the Challenge has withstood more than 24 hours!

Please remember that you do not have to be the first one to solve it – the Advisory Board will select another winner among the next ten correct answers. The criteria for the other selection is the elegance of the answer. In short, you can win with both speed and style 🙂

14 thoughts on “T2´08 Challenge status update”

  1. I have another theory: nobody will leak his Themida unpacking skills for a free ticket.

    Seriously, what is the point of such a contest, targeting a *commercial* packer, most anti-malware analysts have dealt with already?

  2. @newsoft:

    If you think the challenge is simply to unpack Themida, then perhaps you should look into the challenge a bit deeper :-p The challenge does not require any “Themida unpacking skills” at all (assuming by unpacking you mean restoring the packed/protected binary to a state close to the original pre-packed/pre-protected state by removing the packing/protection). We’re not interested in any special Themida unpacking techniques in the least, so any private skills in that department are all yours to keep. The same applies to any other commercial packer/protector which may or may not have been used in the challenge :-p

    So why did we use commercial packers/protectors at all? Well, as you’ve correctly observed, more often than not, most hostile code analysts these days have to deal with code that has some sort of commercial packer/protector applied to it. We decided to keep it very real by applying a few to the challenge which we’ve come across recently during our incident response work. To successfully analyse the challenge, you don’t have to unpack any of these things, but you do need to be able to analyse packed/protected binaries which are naturally hostile towards reverse-engineering/analysis. This in my view is a very real skill that is a must for any modern reverse engineer as creators of hostile code are very trigger happy when it comes to packers/protectors, in their attempts to hide their malicious intentions. For them, there is also the added advantage that AV cannot categorically black-list commercial packers/protectors used in many/popular commercial software products.

    As far as the solution to the challenge goes, one needs to recover the solution submission e-mail address (easy part if you’re creative), and then explain how the e-mail address relates to the program behaviour (and the on-screen “clues”). So we expect a successful submitter to have reverse engineered the relevant program functionality 🙂 This is most definitely *NOT* an unpacking challenge, but rather, a reverse engineering challenge!

  3. catch me if you can… little bunny foo foo, rabbits are fast and hard to catch. 😉 sent email. I think I solved it!!! w00t!

    Great challenge! Thanks.

  4. This challenge doesn’t work on my computer. I have reversed the Themida VM but apparently it’s of no use 🙂

    Easter egg doesn’t work too well. I’m just not that creative. Greetings to all who have solved the puzzle 🙂

  5. @Nishad Herath:

    “As far as the solution to the challenge goes, one needs to recover the solution submission e-mail address (easy part if you’re creative), and then explain how the e-mail address relates to the program behaviour (and the on-screen “clues”).”

    It’s been a week now that I have something like an “email” and know about the source of the “CatchMe” blocks etc. But…

    Hope the solution is not like: “And now bruteforce your hash for a couple of weeks”. ;))

  6. Unpacking Themida is not a problem. But having enough time to deobfuscate the unpacked dll & exe and find out the “secret” is a problem. I spent a day analyzing the unpacked binaries last weekend and decided to quit since I think I wouldn’t have enough time for it (before someone finds out the solution).

  7. Now I can say that this challenge has very strange management.

    On the first Saturday night after the challenge was published I sent the e-mail with the text “is anybody there? :)”. I supposed that if it was the final e-mail I would get an answer like “e-mail is ok, plz send solution”. Nobody answered me and I continued reversing the challenge to find “the black cat in the black room”.

    And now I know that this e-mail really was the final target of the challenge. So the reversing challenge can be broken, but the red tape challenge will break you. 😉

  8. I’m impressed by the absence of communication on this website. When will the results finally be shown? For days I’ve been parsing the website without seeing anything new; it looks like the admins are connecting once a week or so… 🙁
