A look at SANS Brussels Challenges

sans_emea-125x125This morning, a colleague of mine pointed out me to some reversing challenges” addressed to participants of SANS Brussels 2015 (what? I was not there?). Why not to take a quick look and try to solve them ? I hope to publish the solutions/suggestions is not cause of rage for mentors of SANS, for whom I have a lot of esteem.

However, at the time of this writing these challenges are online and accessible without any particular restriction at https://www.sansemea.com/challenges.php, therefore I do not think there will be particular problems


Challange One (EASY):

Encoded string:


Decoded String:

At SANS Brussels encoding is well understood apparently


The plain text has been Base32 encoded. (base32 ? how this was in your mind ?)

Challange two (MEDIUM):

var _0xb618=[\x53\x61\x79\x48\x65\x6C\x6C\x6F”,”\x47\x65\x74\x43\x6F\x75\x6E\x74″,”\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20″,”\x4F\x62\x76\x69\x6F\x75\x73\x6C\x79\x20\x79\x6F\x75\x20\x61\x72\x65\x20\x70\x72\x65\x74\x74\x79\x20\x6E\x65\x61\x74\x20\x61\x74\x20\x72\x65\x76\x65\x72\x73\x69\x6E\x67\x2E\x20\x54\x68\x65\x20\x77\x69\x6E\x6E\x69\x6E\x67\x20\x63\x6F\x64\x65\x20\x66\x6F\x72\x20\x74\x68\x69\x73\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x20\x69\x73\x20\x43\x75\x72\x6C\x79\x20\x68\x61\x73\x20\x77\x61\x79\x20\x74\x6F\x6F\x20\x6D\x75\x63\x68\x20\x74\x69\x6D\x65\x2E];function NewObject(_0x3c81x2){var _0x3c81x3=0;this[_0xb618[0]]=function (_0x3c81x4){_0x3c81x3++;alert(_0x3c81x2+_0x3c81x4);} ;this[_0xb618[1]]=function (){return _0x3c81x3;} ;} ;var obj= new NewObject(_0xb618[2]);obj.SayHello(_0xb618[3]);

… okok it’s seem a chaos but… look at “SayHello(_0xb618[3]” and start to count HEX encoded string from 0 to 3 as they appear during the allocation to “var_oxb618″… we will get this:


now we have to do a bit of cleaning:


and convert to ASCII …. we’ll get:

Obviously you are pretty neat at reversing. The winning code for this challenge is Curly has way too much time.

Challange three (not so -> HARD) :D

ok. I don’t know exactly what they were expecting here but… I did a very very quick thing …. We have


w0w… it looks like shellcode… have you noticed \x33\xc9 ? A classic XOR instruction… Ok. Let’s start to see what there is in it:









There a trick based on FPU instructions to get PC. First executing any FP (floating point) instruction on top and then FSTENV PTR SS: [ESP-C] will result in getting the address of the first FP instruction. So… EDX==EIP !! mov eax,0x1973126d moves the key (6d127319) on EAX register. I had thought of writing a note to handly dexor but my will failed. However, i tried to emulate it:

I firstly converted it


and then i launched it:


these are results:




Ok … just a little help to see everything graphically :)

So, now we have to…. wait…wait… do you think i have to do everything myself ??? Try to solve it… i think now it’s quite clear…


  1. Alicia

    Nice post. I was checking constantly this weblog and I am inspired!
    Very useful information particularly the last phase :) I maintain such
    information much. I used to be looking for this particular
    info for a very long time. Thanks and best of luck.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + = 13