Psychological Warfare

Posted Mar 25, 2024 Updated Jul 31, 2025

By bytebrew

1 min read

In this writeup, I analyze a movfuscated binary that takes no input and gives no output, then I use diffing and tracing to obtain the flag.

The Crackme’s Background

In the past, I have seen Christopher Domas’s work. I could tell from the challenge name it was going to be Christopher Domas related because of this project he made: https://github.com/xoreaxeaxeax/REpsych. But I did not expect it to be movfuscated.

For those who do not know, x86 mov is Turing complete. This means that, only using the mov instruction, you can remake any program. Christopher’s role in this was making a mov compiler: https://github.com/xoreaxeaxeax/movfuscator

Initial Analysis

It only uses mov and it’s compiled for Linux. The flag is the number of instructions executed + the hidden message. It takes no input, and has a flat control flow (no comparisons, even when demovuscated).

Part One

Thankfully, my teammate knew how to use perf.

Part Two

All info that is given is: it’s a hidden message ;-;

Demov

Demovfuscating was annoying, but doable. Long ago, I tried compiling demovuscator (https://github.com/leetonidas/demovfuscator), but failed. So, this time, I searched for a Docker container instead, and found it: https://hub.docker.com/r/iyzyi/demovfuscator

Does it have malware? Does it upload my binary to some random website? I don’t know, but it works (kinda):

Finding the hidden message

After A LOT of trial and error, I finally found out how to obtain the flag:

I dumped the decompilation:

I ran a diff checker against the sub functions, the only difference is the written address, the function name, and most importantly: the value written (THOSE LOOK LIKE CHAR VALUES!):