Reverse Engineering Challenge

A cybersecurity course needed a final Reverse Engineering challenge to capstone their three weeks of study in Binary Exploitation, Reverse Engineering, and low-level programming. I designed this bomb lab to fulfill that need and provide students a fun, challenging way to end their study.

This challenge demands the disassembly of a large, multi-file program that contains several "phases" for students to defuse. Each time a student attempts to defuse a phase of the bomb, either correctly or incorrectly, it notifies an external server that records submission attempts, last successful phase defused, etc. The goal is for students to successfully defuse the bomb in the least number of submissions possible!

The website is hosted live for students to track their place on the scoreboard, see their submission count, and track their progress over time. The site is hosted using NextJS, following the same styling as this site. The bomb triggers are stored in MongoDB; the website also hosts the API that the bomb application reports to.

Students were instructed to use GDB or Radare2 to disassemble the program. Inputs can be made using standard input or from a file. Students were encouraged not to use Ghidra to test their abilities reading assembly.

Students reported that the challenge was extremely fun, albeit slightly difficult, and was a fun way to end their course. They were proud of their ability to disassemble, reverse, and crack such a large challenge without assistance.

This challenge is heavily based on the CMU Bomb App . I simply reverse engineered the entire challenge, made some changes to how it ran and who it talked to, and hosted it myself. Hence, this made it a good challenge for me too :)