Flare-On is a reverse engineering challenge set created by FireEye. The tasks include executables for Linux, Windows, Android, and Arduino. I was able to complete 11 of 12 tasks; only 5.7% of participants completed 11 tasks.


Reversing coolprogram.exe, Flare-on Challenge 12 Part 1

For this challenge we were given an executable, coolprogram.exe, and a network capture of suspicious traffic. I was not able to finish this one during the competition, so I have been working on it to learn more about reversing. The farthest I got was to pull the encrypted second stage from the pcap, and to see coolprogram.exe call out to a suspicious URL. I was also able to learn that coolprogram checks the registry for different keys, and was written in Delphi.


Reversing Covfefe.exe, Flare-on Challenge 11

Reversing the binary of 11 was easy, but it wasn't meant to be hard. The difficult part was reversing the VM code that the binary runs. When implementing the VM I made a mistake in the code that caused me problems and took some time to sort out. When it checks the index at each loop I had "index < end", when it should have been "index <= end". This caused it to end prematurely.
