I participated in NDH2013 this year and worked on a very interesting binary: k1986. It comes with two files:
```
aris@kali64:~/ndh2013$ ls -l k1986 license.db
-rwxr-xr-x 1 aris aris 14984 jun 23 02:07 k1986
-rwx------ 1 aris aris 360 jun 22 22:54 license.db
aris@kali64:~/ndh2013$ file k1986-orig license.db
k1986-orig: ELF 64-bit LSB executable, x86-64, invalid version (SYSV), for GNU/Linux 2.6.32, dynamically linked (uses shared libs), corrupted section header size
license.db: data
```
It starts well: a corrupted ELF file. The content of license.db seems encrypted, so my first guess was that it was a DRM server of some kind. It becomes more fun when you try to check what it does:
```
aris@kali64:~/ndh2013$ objdump -t k1986-orig
objdump: k1986-orig: File format not recognized
aris@kali64:~/ndh2013$ gdb --quiet ./k1986-orig
"/home/aris/ndh2013/k1986-orig": not in executable format: Format de fichier non reconnu
(gdb) quit
aris@kali64:~/ndh2013$ nm ./k1986-orig
nm: ./k1986-orig: File format not recognized
aris@kali64:~/ndh2013$ ldd ./k1986-orig
	n'est pas un exécutable dynamique
```
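An added example (not part of the original write-up): a small Python check of the ELF64 header fields behind the two complaints `file` printed above, the version and the section header entry size, plus a few neighbouring consistency checks that go beyond the case shown. The function names and the sample headers are constructed for illustration and are not taken from k1986.

```python
import struct
import sys

# Fields that follow the 16-byte e_ident in a little-endian ELF64 header.
EHDR64 = struct.Struct("<HHIQQQIHHHHHH")
EV_CURRENT, EHDR_SIZE, PHDR_SIZE, SHDR_SIZE = 1, 64, 56, 64

def check_elf64_header(data: bytes) -> list:
    """List header inconsistencies of the kind strict ELF parsers reject."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        return ["not an ELF file, or header truncated"]
    if data[4] != 2 or data[5] != 1:  # EI_CLASS, EI_DATA
        return ["this example only handles little-endian ELF64"]
    issues = []
    if data[6] != EV_CURRENT:
        issues.append(f"e_ident[EI_VERSION] = {data[6]}, expected {EV_CURRENT}")
    (_type, _machine, e_version, _entry, _phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = EHDR64.unpack_from(data, 16)
    if e_version != EV_CURRENT:
        issues.append(f"e_version = {e_version}, expected {EV_CURRENT}")
    if e_ehsize != EHDR_SIZE:
        issues.append(f"e_ehsize = {e_ehsize}, expected {EHDR_SIZE}")
    if e_phnum and e_phentsize != PHDR_SIZE:
        issues.append(f"e_phentsize = {e_phentsize}, expected {PHDR_SIZE}")
    if e_shoff and e_shentsize != SHDR_SIZE:
        issues.append(f"e_shentsize = {e_shentsize}, expected {SHDR_SIZE}")
    if e_shoff + e_shnum * e_shentsize > len(data):
        issues.append("section header table extends past end of file")
    return issues

def build_sample(e_version=1, e_shentsize=64, e_shoff=64, e_shnum=0) -> bytes:
    """Constructed 64-byte x86-64 ET_EXEC header for the demo; not k1986 data."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + EHDR64.pack(2, 62, e_version, 0x400000, 0, e_shoff, 0,
                               EHDR_SIZE, PHDR_SIZE, 0, e_shentsize, e_shnum, 0)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:                  # otherwise run on the constructed headers
        samples = {"clean": build_sample(),
                   "tampered": build_sample(e_version=0, e_shentsize=0x1337)}
    for name, blob in samples.items():
        print(name, check_elf64_header(blob) or "header looks consistent")
```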