Reverse Engineering on z3r0s

Reverse Engineering - Coffee Invocation

Sun, 10 May 2026 00:00:00 +0000

Coffee Invocation Writeup Link to heading

Flag Link to heading

HTB{1_c4nt_c4ptur3_fl4g5_unt17_1v3_h4d_a1l_my_0xCAFEBABE}

Overview Link to heading

coffee_invocation is a PIE ELF that embeds two Java class files and drives them through JNI.

The native code:

creates a JVM
hooks java/lang/Shutdown.halt0
rewrites cached boxed values such as Byte, Short, Character, Boolean
runs Verify1
runs Verify2
if both wrappers return 0, prints the supplied password as HTB{<password>}

So the solve is to recover the exact 52-character password accepted by both verifiers.

Reverse Engineering - Cyberpsychosis

Sun, 10 May 2026 00:00:00 +0000

HackTheBox - Cyberpsychosis (Reverse Engineering) Link to heading

Challenge Description Link to heading

Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?

Difficulty: Medium
Category: Reverse Engineering
Files: diamorphine.ko, LICENSE.txt
Target: TCP service hosting a QEMU VM

Analysis Link to heading

Identifying the Rootkit Link to heading

The challenge provides diamorphine.ko, a Linux kernel module (LKM). Diamorphine is a well-known open-source Linux rootkit. Basic identification:

Reverse Engineering - Maze

Sun, 10 May 2026 00:00:00 +0000

HTB Reverse Challenge: Maze Link to heading

Challenge Overview Link to heading

Category: Reverse Engineering
Difficulty: Medium
Flag: HTB{w0W_Y0u_C0uld_E5c4p3_Th1s_M4Z33!!}

We are given a Windows executable (maze.exe), an encrypted zip (enc_maze.zip), and an image (maze.png). The goal is to navigate through multiple layers of obfuscation to find the flag.

Solution Link to heading

Step 1: Identify and Unpack PyInstaller Link to heading

$ file maze.exe
maze.exe: PE32+ executable for MS Windows, x86-64
$ strings maze.exe | grep PyInstaller
PyInstaller: pyi_win32_utils_to_utf8 failed.

The binary is a PyInstaller-packed Python 3.8 application. We extract it using pyinstxtractor:

Reverse Engineering - rauth

Sun, 10 May 2026 00:00:00 +0000

HTB Reverse Challenge: rauth Link to heading

Challenge Info Link to heading

Category: Reverse Engineering
Description: "My implementation of authentication mechanisms in C turned out to be failures. But my implementation in Rust is unbreakable. Can you retrieve my password?"
Flag: HTB{I_Kn0w_h0w_t0_5al54}

Analysis Link to heading

The binary is a 64-bit ELF Rust executable, dynamically linked, with debug info and not stripped.

Reverse Engineering - Regas Town

Sun, 10 May 2026 00:00:00 +0000

Rega's Town - HTB Reverse Engineering Challenge Writeup Link to heading

Challenge Info Link to heading

Category: Reverse Engineering
Description: Welcome to Rega Town, a quaint little place where everyone communicates through the magic of patterns and rules!

Analysis Link to heading

The challenge provides a 64-bit ELF binary written in Rust. Running it prompts for a "secret passphrase" and validates it against a series of regex patterns.

Reverse Engineering - VirtuallyMad

Sun, 10 May 2026 00:00:00 +0000

VirtuallyMad - HTB Reverse Engineering Challenge Link to heading

Flag Link to heading

HTB{0210010002100100031100010112110004130000}

The challenge provides a stripped ELF binary (virtually.mad) that implements a custom virtual machine. The user must supply a hex-encoded "code" string that, when executed by the VM, produces a specific register state.

VM Architecture Link to heading

Registers & State Link to heading

The VM allocates a 0x38-byte structure:

Reverse Engineering - vvm

Sun, 10 May 2026 00:00:00 +0000

rev_vvm Writeup Link to heading

Flag Link to heading

HTB{v1rTu4L_p4sSw0rD_t3ChN0loGy}

Summary Link to heading

The binary is a stripped PIE ELF that implements a small VM. The visible flow is:

Print the banner.
Build a dispatch table for VM opcodes by XOR-decoding multiple handler stubs from .data.
Execute a dword-based bytecode program stored in .data at 0x5540.

Running the binary directly is not useful because one VM opcode calls ptrace and exits under tracing/debugged environments. The solve is easier statically by reconstructing the VM handlers and emulating the bytecode.