Bypassing encryption by memory dumping 💣 in a Linux Kernel 2.4 in 2004


I don’t know what you were doing, or even if you were born yet, but on September 22nd, 2004 at 4:44 PM I was having fun decrypting an ELF binary while going through the awesome NGSEC1 CTF (quiz.ngsec.com)!

There was a binary encrypted with the BurnEye Encryption Engine that had to be decrypted in order to catch the flag and pass the LAST level of the CTF.
From a static-analysis point of view the binary is very well protected. The weakness is that, in order to execute, it must be decrypted in memory. A kernel module (burndump.c) dumped the running process's memory region, so the strings command could be run over the dump to search through the recovered text and get the FLAG!

You can get the source code of burndump.c kernel 2.4 module here: https://securiteam.com/tools/5bp0h0u7pq/
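The same idea, recovering a packed binary's plaintext once it has unpacked itself to run, is what memory forensics still does today. The script below is an added example and is not the page's burndump.c nor any code from the original post: instead of a 2.4 kernel module it uses the /proc interface of a modern Linux kernel, reading the readable mappings listed in `/proc/<pid>/maps` out of `/proc/<pid>/mem` and applying strings(1)-style extraction to them. The sample memory buffer, the flag value and the maps line are constructed for the example.

```python
import re
import sys

# Constructed sample standing in for a dumped region: opaque bytes (as the
# encrypted code looks) around the text that only exists after decryption.
SAMPLE_MEMORY = (
    bytes(range(0x80, 0x100)) * 2                 # non-printable filler
    + b"FLAG{example-constructed-value}\x00"       # constructed flag
    + b"\x01\x02\x03" * 10
    + b"/lib/ld-linux.so.2\x00"
    + b"ab\x00"                                     # too short to count
)

# Constructed /proc/<pid>/maps line (format: addr perms offset dev inode path).
SAMPLE_MAPS_LINE = (
    "7f1e2c000000-7f1e2c021000 r-xp 00000000 08:01 1234 "
    "/usr/lib/x86_64-linux-gnu/libc.so.6\n"
)


def extract_strings(data, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes (strings(1) semantics)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def parse_maps_line(line):
    """Parse one /proc/<pid>/maps line into (start, end, perms, path)."""
    fields = line.split(maxsplit=5)
    start, end = (int(x, 16) for x in fields[0].split("-"))
    path = fields[5].strip() if len(fields) > 5 else ""
    return start, end, fields[1], path


def readable_regions(pid):
    """Yield (start, end, path) for every readable mapping of a live process."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            start, end, perms, path = parse_maps_line(line)
            # [vvar] is mapped readable but cannot be read through /proc/<pid>/mem.
            if "r" in perms and path != "[vvar]":
                yield start, end, path


def dump_process(pid):
    """Read each readable mapping via /proc/<pid>/mem; needs ptrace access to pid."""
    chunks = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end, path in readable_regions(pid):
            try:
                mem.seek(start)
                chunks.append((start, path, mem.read(end - start)))
            except OSError:
                continue  # mapping vanished or is not readable; skip it
    return chunks


def find_flags(data, flag_re=r"FLAG\{[^}]*\}"):
    """Filter extracted strings down to those matching a flag-like pattern."""
    return [s for s in extract_strings(data) if re.search(flag_re, s)]


if __name__ == "__main__":
    # Usage: python dump.py <pid>  (e.g. the PID of the already-running binary)
    for start, path, data in dump_process(sys.argv[1]):
        for flag in find_flags(data):
            print(f"{start:#x} {path or '[anon]'}: {flag}")
```

Reading `/proc/<pid>/mem` goes through the same access check as ptrace(2), so Yama's `ptrace_scope` or an LSM policy that restricts ptrace blocks it for an unprivileged user; that check, plus auditing of process-memory reads, is the boundary a defender relies on, and it is why the 2004 write-up needed a kernel module rather than a userland tool.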

For more exploitation techniques have a look here: https://pentestwiki.org/exploitation/