DEV Community

Cover image for Enter RE_VAULT and Try Your Hand at Black Cipher
0x57Origin
0x57Origin

Posted on

Enter RE_VAULT and Try Your Hand at Black Cipher

#webdev #c #cybersecurity #programming

RE_VAULT: My growing archive of reverse engineering challenges

When I first got into reverse engineering, I kept running into the same problem.

Either the binaries were so trivial that you could finish them in five minutes, or they were full blown malware samples that assumed you already knew what you were doing. There was not much in the middle that felt like a structured way to get better.

So I started building my own targets.

This repository is where I am collecting them.

GitHub: https://github.com/0x57Origin/RE_VAULT/tree/main

Contact for solutions: 0x57Origin@proton.me

What is RE_VAULT

RE_VAULT is my public archive of reverse engineering projects and challenge binaries.

Right now the main thing inside it is a project called:

Flag Hunt 2 - Black Cipher Edition

It is a C program that behaves like a hostile forensic artifact. It has menus, decoy output, fake analysis modules, and a lot of traps. Underneath that, it hides multiple independent challenges that all live inside the same binary.

There are:

  • 10 primary flags
  • 1 hidden bonus flag that is never printed
  • multiple layers of obfuscation and misdirection

The goal is simple. Give people something that feels closer to a weird piece of malware or an incident artifact, but still designed for learning.

Who this is for

If any of this sounds like you, then Black Cipher is probably useful:

  • You are learning Ghidra or another RE tool and want more than simple crackmes
  • You want to understand the tricks used in real malware, without touching actual live malware
  • You enjoy C, low level behavior, and weird control flow
  • You want to practice thinking like both the attacker and the analyst

You can treat this project in three ways:

  1. As a pure puzzle. Run the binary, poke at it, and try to get all flags with Ghidra and a notebook.
  2. As a learning lab. Focus on one module at a time, for example only the VM or only the heap artifact.
  3. As reference material. Read the C source to understand how certain evasive patterns are implemented.

How Black Cipher behaves

When you run the binary, you do not get a clean CTF style interface. You get something that looks more like a small analysis console:

  • A banner that pretends to be a forensic tool
  • A list of "analysis modules"
  • Each menu option triggers a different challenge path

Some modules will print noise. Some will fail. Some will show partial information. Only a few of them will give you a clean flag without effort.

That is by design.

Part of the challenge is figuring out which output is real, which is a decoy, and which is an encoded form of something you can decode yourself.

Spoiler warning

The rest of this article talks about the internal structure of the binary.

I will not give any exact flag strings or full solutions here, but I will describe what each module is roughly doing. If you want to go in completely blind, stop reading now, clone the repo, build the program, and only come back later.

GitHub again:

https://github.com/0x57Origin/RE_VAULT/tree/main

High level structure of the challenges (light spoilers)

Each menu entry in Black Cipher maps to a different style of challenge. The idea was to compress a whole "mini curriculum" of RE techniques into one executable.

Here is what you are really dealing with.

1. String decryption module

This module is about encrypted strings and simple obfuscation.

  • The binary keeps an encoded string table in memory
  • A decoder routine performs a mix of XOR and rotation
  • If you find that routine in Ghidra and follow it, you can recover real text

The raw output when you run it looks wrong on purpose. The point is to make you pull the decoder out, not just rely on printing.

2. Control flow tracer

This is a function pointer maze.

  • There is a table of function pointers
  • Some point to dead ends, some to decoys, one path leads to the real flag
  • The correct sequence is not obvious from the strings

Reversing this is good practice for reconstructing strange control flow and focusing on what is actually executed rather than what looks interesting.

3. Hash verification system

This module is built around a custom hash.

  • Input is run through a polynomial style hashing function
  • The code never stores the answer string in plain form
  • You are expected to reimplement the hash and find the right input

This is a common pattern in license checks and challenges. It rewards careful reading of the decompiled logic and a bit of scripting on the side.

4. Binary data extractor

Here you deal with data hidden in the binary sections.

  • The program walks over what looks like random bytes in a data segment
  • A simple transform turns those bytes into something meaningful
  • Again, the program does not present the final result nicely on screen

You will probably end up using Ghidra to inspect the .rodata layout and then write a small script to decode what you find.

5. Anti tamper detector

This one focuses on anti debugging tricks.

  • Uses ptrace to detect basic debugging
  • Contains timing based checks that complain if something feels off
  • Only reveals the flag when the checks pass

This encourages you to understand what the anti debug logic is doing and either patch it out or simulate the expected behavior.

6. Virtual machine analyzer

This is a small custom VM.

  • There is a bytecode array in the binary
  • An interpreter loop implements a set of opcodes
  • Running the VM with the right state eventually triggers a flag print

You can either reverse the VM and emulate it in a script, or step through it and watch what it is computing.

7. Mathematical solver

This is a logic trap.

  • The program shows you equations that are not actually the ones that matter
  • The real constraints are hidden behind different branches
  • Only a very specific input satisfies the true condition path

If you try to solve the visible math directly, you will get nowhere. You need to trace which conditions are actually used in the path that prints the flag.

8. Memory forensics tool

This challenge lives on the heap.

  • A struct is allocated and partially filled with encoded data
  • The program prints noisy bytes related to that memory
  • The clean flag never appears directly

To win here, you should identify the struct layout in Ghidra, understand the encoding used inside it, and reconstruct the original content.

9. Network protocol decoder

This module pretends to be packet analysis.

  • A fake PCAP style blob is embedded in the binary
  • Simple protocol checks determine how it is parsed
  • A small decoder recovers a hidden message from it

The idea is to get used to the pattern "embedded binary blob plus decode routine" which you will see a lot in malware and droppers.

10. Multi stage hash validator

The last visible flag rides on a chain of hashes.

  • The input is run through several custom hash like functions
  • Each one feeds into the next
  • Only a very specific string survives all checks

To solve this, you basically have to replicate the full chain in a script and let it guide you.

The hidden bonus flag

There is an eleventh flag that is never printed and never referenced in an obvious way.

The only hints I will give here:

  • It lives in a custom section of the binary
  • The bytes are encrypted and reversed
  • The logic that explains how to decrypt it is split across several unrelated functions

If you are comfortable with ELF internals, custom sections, and Ghidra scripting, you will eventually find it. It is not meant to be fast. It is meant to reward full understanding of the binary.

How to get the solutions

By design, the repository does not include the full solutions.

There is a separate solutions document that walks through:

  • how to find each challenge in Ghidra
  • what to look for in the decompiled code
  • how the encoding and hashing actually work
  • concrete steps from first load to final flag

If you are:

  • an instructor who wants to use this in a class
  • a student who got stuck and needs to check their work
  • someone reviewing my code and wants to see my full reasoning

You can email me and I can share the solutions privately.

Contact: 0x57Origin@proton.me

Please mention "Black Cipher" or "Flag Hunt 2" in the subject so I know what you are asking about.

Final notes

RE_VAULT is not meant to be a one off project. It is where I plan to keep building and collecting more reverse engineering challenges over time.

Right now the main focus is Black Cipher. In the future I want to add:

  • smaller warmup binaries
  • more VM based puzzles
  • challenges that mix file formats, crypto, and protocol analysis

If you try the project and have feedback, ideas, or want to collaborate on future challenges, feel free to reach out.

GitHub repo again:

https://github.com/0x57Origin/RE_VAULT/tree/main

Email for solutions or questions:

0x57Origin@proton.me

Top comments (0)