Rules of Engagement

To be eligible for a prize you must abide by the rules below. 

  • You must run the RevEngE system in the background while you attack the challenges. You can run RevEngE on bare hardware or (more likely) within a virtual machine, to ensure that we don't collect sensitive personal information. You must submit the logging data collected by RevEngE along with the solution to the challenge. RevEngE optionally allows you to add annotations as you perform the attack, to show the attack strategies you employ. You can read more about RevEngE here: Getting RevEngE: A System for Analyzing Reverse Engineering Behavior. 
  • 1 point will be awarded a correct solution to a challenge that is submitted along with the RevEngE logging data. At the judges' discretion 1/2 point can be awarded for a "valiant effort" that is not completely correct. For each challenge, an additional 1 point will be awarded to the first person to submit a correct solution. An additional 1/2 point will be awarded to solutions submitted with good RevEngE annotations. Round 1 will have 7 challenges, round 2 will have 3. The maximum number of possible points is therefore 10*(1+1+ 1/2)=25. 
  • The person with the most points at the end of the competition receives USD 5,000. The second place winner receives USD 2,000. The third and fourth places each receive USD 1,000. Finally, USD 1,000 will be split between participants who the judges deem to have submitted particularly clever solutions.
  • Do not share your solutions online or with other individuals. 
  • When you install the data collection framework you will be asked to accept our IRB agreement. This means you agree that we may publish any data we collect, properly annonymized, of course.

Who Can Participate?

Any individual can participate in the challenge. These are individual challenges and team solutions will not be accepted.

  • Employees and students directly associated with the Grand Reverse Engineering Challenge may not participate.
  • Other employees and students of the University of Arizona, Ghent University, and Cloakware/IRDETO may participate, but are not eligible for monetary rewards.

Rules of Evaluation

There are three types of challenges: deobfuscation, tampering, and extraction. For the deobfuscation challenges your task is to convert the binary into an equivalent mathematical function or idiomatic C program. For the tampering challenged your task is to modify the binary to behave differently, such as removing a licensing check. For the extraction challenges your task is to find an embedded piece of data in the binary, such as a cryptographic key. The challenges vary in complexity. For each type of challenge, the correctness of a submission is measured differently:

  • For the deobfuscation challenges correctness is measured as a combination of accuracy and fidelity. Accuracy is measured by the fraction of test cases where the original and deobfuscated program agree. We do not reveal our test cases. Fidelity is a measure of the "goodness" of the deobfuscated code, i.e. how close it is in size to the original, unobfuscated source. Size is measured dynamically, as the number of instructions executed. Here is the link to the tool we use to count the number of instructions.
  • For tampering challenges correctness is measured as the number of test cases where the original and tampered programs agree. We do not reveal our test cases. There are two kinds of test cases: some tests will check that the mainline code has not been modified, and some tests will check that the goal of the challenge has been achieved (e.g. that all license checks have been rendered impotent).
  • For the extraction challenges, correctness is measured as the Levenshtein distance between the embedded and submitted data.