software

Introducing RE_VAULT: My Public Archive of Reverse Engineering Projects

Published: (December 2, 2025 at 02:44 PM EST)
4 min read
Source: Dev.to

Source: Dev.to

What is RE_VAULT

RE_VAULT is my public archive of reverse engineering projects and challenge binaries.
The main project inside it is Flag Hunt 2 – Black Cipher Edition, a C program that behaves like a hostile forensic artifact. It includes menus, decoy output, fake analysis modules, and many traps, while hiding multiple independent challenges in the same binary.

  • 10 primary flags
  • 1 hidden bonus flag that is never printed
  • multiple layers of obfuscation and misdirection

The goal is to provide something that feels closer to a weird piece of malware or an incident artifact, but is still designed for learning.

Who this is for

If any of the following describes you, Black Cipher is probably useful:

  • You are learning Ghidra or another RE tool and want more than simple crackmes.
  • You want to understand tricks used in real malware without touching live malware.
  • You enjoy C, low‑level behavior, and weird control flow.
  • You want to practice thinking like both the attacker and the analyst.

You can treat this project in three ways:

  1. Pure puzzle – Run the binary, poke at it, and try to get all flags with Ghidra and a notebook.
  2. Learning lab – Focus on one module at a time (e.g., only the VM or only the heap artifact).
  3. Reference material – Read the C source to understand how certain evasive patterns are implemented.

How Black Cipher behaves

When you run the binary you get a small analysis console rather than a clean CTF‑style interface:

  • A banner that pretends to be a forensic tool.
  • A list of “analysis modules”.
  • Each menu option triggers a different challenge path.

Some modules print noise, some fail, and only a few give a clean flag without effort. Part of the challenge is figuring out which output is real, which is a decoy, and which is an encoded form you can decode yourself.

Spoiler warning

The rest of this article discusses the internal structure of the binary. No exact flag strings or full solutions are provided; the description is intentionally high‑level. If you want to go in completely blind, stop reading now, clone the repo, build the program, and return later.

High level structure of the challenges (light spoilers)

Each menu entry in Black Cipher maps to a different style of challenge, compressing a “mini curriculum” of RE techniques into one executable.

1. String decryption module

  • Encrypted string table stored in memory.
  • Decoder routine mixes XOR and rotation.
  • Follow the routine in Ghidra to recover real text; the raw output is intentionally garbled.

2. Control flow tracer

  • Function‑pointer maze with a table of pointers.
  • Some lead to dead ends or decoys; one path leads to the real flag.
  • Practice reconstructing strange control flow and focusing on actually executed code.

3. Hash verification system

  • Custom polynomial‑style hash function.
  • Answer string never stored in plain form.
  • Reimplement the hash and find the correct input.

4. Binary data extractor

  • Data hidden in binary sections (looks like random bytes).
  • Simple transform turns those bytes into meaningful data.
  • Use Ghidra to inspect .rodata layout and write a script to decode it.

5. Anti‑tamper detector

  • Anti‑debug tricks using ptrace and timing checks.
  • Flag revealed only when checks pass.
  • Understand, patch, or simulate the anti‑debug logic.

6. Virtual machine analyzer

  • Small custom VM with a bytecode array and interpreter loop.
  • Running the VM with the right state eventually prints a flag.
  • Reverse the VM and emulate it, or step through it manually.

7. Mathematical solver

  • Logic trap: visible equations are not the ones that matter.
  • Real constraints hidden behind different branches.
  • Trace the actual conditions that lead to the flag.

8. Memory forensics tool

  • Challenge lives on the heap: a struct with partially encoded data.
  • Program prints noisy bytes; the clean flag never appears directly.
  • Identify struct layout, understand the encoding, and reconstruct the original content.

9. Network protocol decoder

  • Fake PCAP‑style blob embedded in the binary.
  • Simple protocol checks determine parsing.
  • Small decoder recovers a hidden message.
  • Practice the “embedded binary blob + decode routine” pattern common in malware.

10. Multi‑stage hash validator

  • Chain of custom hash‑like functions; each feeds into the next.
  • Only a very specific string survives all checks.
  • Replicate the full chain in a script to find the flag.

The hidden bonus flag

An eleventh flag is never printed and not referenced obviously. Hints:

  • Lives in a custom section of the binary.
  • Bytes are encrypted and reversed.
  • Decryption logic is split across several unrelated functions.

If you are comfortable with ELF internals, custom sections, and Ghidra scripting, you will eventually find it. It rewards full understanding of the binary rather than speed.

How to get the solutions

The repository intentionally does not include full solutions. A separate solutions document (available on request) walks through:

  • How to locate each challenge in Ghidra.
  • What to look for in the decompiled code.
  • How the encoding and hashing actually work.
  • Concrete steps from first load to final flag.

If you are:

  • an instructor who wants to use this in a class,
  • a student who got stuck and needs to check their work, or
  • someone reviewing the code and wants to see the full reasoning,

you can email me to obtain the solutions document.

Back to Blog

Related posts

Read more »