Reverse Engineering - from zero to hero
The goal of this workshop is to introduce you to Reverse Engineering. It is composed of 2 parts:
1. First steps in Reverse Engineering with GDB and PEDA
2. More advanced Reverse study with Cutter and the Ghidra decompiler
You will learn:
- to read x86 ASM
- how a program is executed
- the difference between 64 and 32 bits in program execution
- to perform static and dynamic analysis with GDB and PEDA
- to patch a binary with Cutter
- to make advanced analysis with Cutter and the Ghidra decompiler
Reverse Engineering with GDB & PEDA
Reverse Engineering aims to understand what a program does without having its source code. The goal of the reverse engineer is to reconstruct the logic of a given program, ideally something close to its original source code, from the analysis of the binary alone.
This field of security is often encountered in :
- video games / software cracking (here the goal is to understand how the program checks the user licence and modify it to bypass the protections)
- malware analysis (understand the way it works in order to neutralize it)
Reverse Engineering requires some knowledge of how computer memory works and of how a binary is built and executed. Here are some keywords you should be able to understand to start your Reverse Engineering journey:
- binary file
- memory segmentation
This workshop is written alongside this guide, which you should read before starting the challenges.
For this workshop, you will need to install gdb (if not already installed on your system) and PEDA, a Python plugin for the debugger.
N.B.: If a challenge binary refuses to run with a "No such file or directory" / "File not found" error even though the file is right there, it is a 32-bit ELF and your 64-bit system is missing the 32-bit dynamic loader and libc it needs (the kernel reports the missing loader, not the missing binary). Install the 32-bit glibc: glibc.i686 on Fedora/RHEL-like systems, libc6-i386 on Debian/Ubuntu. Running file on the binary confirms that it is 32-bit.
0 - Reflex
Here is the first exercise. Its purpose is to give you the right reflexes to apply whenever you start the analysis of a binary:
What is the format of the binary ?
What is the targeted architecture ?
Is it 32 or 64 bits ?
You should find two ways of solving this challenge.
Keep this reconnaissance process in mind: it is the first thing to do whenever you face a reverse engineering challenge, since the architecture and word size decide which calling convention, register names and tool flags apply.
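To show what the reconnaissance step actually looks at, here is an added example (not part of the workshop material) that reads the same header fields file and readelf -h use to answer the three questions above: the ELF magic, the class byte (32/64-bit), the data byte (byte order) and the e_type / e_machine fields that follow the identification bytes in both ELF classes. The three input buffers are constructed by hand for the example and are not the challenge files; only the fields the check needs are filled in.

```c
/* Added example: identify an ELF binary from its header, the way `file` does.
 * The sample headers at the bottom are constructed, not real challenge files. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct elf_id {
    int bits;            /* 32 or 64 */
    char endian;         /* 'L' (little) or 'B' (big) */
    const char *machine; /* "x86", "x86-64", "ARM", "AArch64" or "unknown" */
    const char *type;    /* "EXEC", "DYN (PIE or shared object)", "REL", "CORE" */
};

/* Read a 16-bit field in the byte order declared by e_ident[EI_DATA]. */
static uint16_t rd16(const unsigned char *p, int big_endian)
{
    return big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)((p[1] << 8) | p[0]);
}

/* Fill *out from the start of an ELF file. Returns 0 on success, -1 if buf
 * does not start with the ELF magic or is too short for the fields we need. */
int identify_elf(const unsigned char *buf, size_t len, struct elf_id *out)
{
    /* e_ident is 16 bytes; e_type and e_machine follow it in both ELF classes. */
    if (len < EI_NIDENT + 4 || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return -1;

    switch (buf[EI_CLASS]) {
    case ELFCLASS32: out->bits = 32; break;
    case ELFCLASS64: out->bits = 64; break;
    default:         return -1;
    }
    int big = (buf[EI_DATA] == ELFDATA2MSB);
    out->endian = big ? 'B' : 'L';

    uint16_t e_type    = rd16(buf + EI_NIDENT, big);
    uint16_t e_machine = rd16(buf + EI_NIDENT + 2, big);

    switch (e_machine) {
    case EM_386:     out->machine = "x86";     break;
    case EM_X86_64:  out->machine = "x86-64";  break;
    case EM_ARM:     out->machine = "ARM";     break;
    case EM_AARCH64: out->machine = "AArch64"; break;
    default:         out->machine = "unknown"; break;
    }
    switch (e_type) {
    case ET_EXEC: out->type = "EXEC"; break;
    case ET_DYN:  out->type = "DYN (PIE or shared object)"; break;
    case ET_REL:  out->type = "REL"; break;
    case ET_CORE: out->type = "CORE"; break;
    default:      out->type = "unknown"; break;
    }
    return 0;
}

/* One-line summary in the spirit of `file` output (static buffer). */
const char *describe_elf(const unsigned char *buf, size_t len)
{
    static char line[96];
    struct elf_id id;
    if (identify_elf(buf, len, &id) != 0)
        return "not an ELF file";
    snprintf(line, sizeof line, "ELF %d-bit %s-endian %s %s", id.bits,
             id.endian == 'L' ? "little" : "big", id.machine, id.type);
    return line;
}

/* Constructed inputs: e_ident, e_type and e_machine only. */
const unsigned char pie_x86_64[] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, EV_CURRENT, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
    0x03, 0x00,  /* e_type    = ET_DYN (3), little-endian */
    0x3e, 0x00,  /* e_machine = EM_X86_64 (62)            */
};
const unsigned char exec_arm_be[] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2MSB, EV_CURRENT, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02,  /* e_type    = ET_EXEC (2), big-endian   */
    0x00, 0x28,  /* e_machine = EM_ARM (40)               */
};
const unsigned char not_elf[] = { 'M', 'Z', 0x90, 0, 3, 0, 0, 0,
                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("%s\n", describe_elf(pie_x86_64, sizeof pie_x86_64));
    printf("%s\n", describe_elf(exec_arm_be, sizeof exec_arm_be));
    printf("%s\n", describe_elf(not_elf, sizeof not_elf));
    return 0;
}
```

The e_type field is worth a look even when the question is only "32 or 64 bits": a modern toolchain produces ET_DYN executables (PIE), which means the addresses you see in static disassembly are offsets from a load base that gdb only knows once the program is started.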
1 - Static Analysis and ASM
Static analysis is the process of studying a program without running it.
To do so, we can use GDB to disassemble the binary, that is, to translate the machine code into readable assembly (asm) text.
Then we read this code and deduce how the program works.
So go ahead and open translate_me with gdb ./translate_me!
To display the asm instructions of a function, use pdisas function_name (PEDA's coloured disassembly) or GDB's built-in disassemble function_name.
The purpose of this challenge is not to find a flag but to translate the asm code you get from gdb into C code.
You can check whether your C code is correct by compiling it with gcc -m32 -O0 main.c and comparing its asm with the challenge binary's. -O0 keeps the generated code close to the source, but a different compiler version or a PIE default (recognisable by calls to __x86.get_pc_thunk.*) can still change details, so compare the structure (stack layout, constants, jumps) rather than expecting byte-identical output; adding -fno-pie -no-pie often brings the two closer.
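A worked translation, added here as an example and not taken from the translate_me binary: the listing in the comment is constructed in the style of pdisas output for a 32-bit gcc -O0 build, and the C below it is the translation you would write. The 5381 seed, the shift-add-XOR loop and the TARGET constant are all invented for the example; the point is the mapping from stack slots, jumps and flags to locals, loops and return values.

```c
/* Added example: constructed 32-bit -O0 style listing of check() and its C
 * translation. cdecl: the single argument is at [ebp+0x8], locals below ebp.
 *
 *   push   ebp
 *   mov    ebp, esp
 *   sub    esp, 0x10                       ; room for two locals
 *   mov    DWORD PTR [ebp-0x4], 0x1505     ; h = 5381
 *   mov    DWORD PTR [ebp-0x8], 0x0        ; i = 0
 *   jmp    cond
 * body:
 *   mov    eax, DWORD PTR [ebp-0x4]
 *   shl    eax, 0x5                        ; h << 5
 *   add    eax, DWORD PTR [ebp-0x4]        ; (h << 5) + h, i.e. h * 33
 *   mov    ecx, eax
 *   mov    edx, DWORD PTR [ebp-0x8]
 *   mov    eax, DWORD PTR [ebp+0x8]
 *   add    eax, edx                        ; &s[i]
 *   movzx  eax, BYTE PTR [eax]             ; (unsigned char) s[i]
 *   xor    eax, ecx
 *   mov    DWORD PTR [ebp-0x4], eax        ; h = (h * 33) ^ s[i]
 *   add    DWORD PTR [ebp-0x8], 0x1        ; i++
 * cond:
 *   mov    edx, DWORD PTR [ebp-0x8]
 *   mov    eax, DWORD PTR [ebp+0x8]
 *   add    eax, edx
 *   movzx  eax, BYTE PTR [eax]
 *   test   al, al                          ; s[i] != '\0' ?
 *   jne    body
 *   cmp    DWORD PTR [ebp-0x4], 0x7c75c095 ; h == TARGET ?
 *   sete   al
 *   movzx  eax, al                         ; return value in eax
 *   leave
 *   ret
 */
#include <stdio.h>

#define TARGET 0x7c75c095u   /* the immediate in the final cmp (invented) */

/* Translation: [ebp-0x4] is h, [ebp-0x8] is i, the jmp/cond/jne shape is a
 * for loop, and sete/movzx after cmp is the boolean return value. */
int check(const char *s)
{
    unsigned int h = 5381;
    for (int i = 0; s[i] != '\0'; i++)
        h = ((h << 5) + h) ^ (unsigned char)s[i];
    return h == TARGET;
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "peda";
    printf("check(\"%s\") = %d\n", input, check(input));
    return 0;
}
```

With this kind of check, once the loop is understood you rarely need to brute-force anything: the constant 0x7c75c095 and the hash function are both in your hands, so you can search inputs offline or, for invertible schemes, solve for the input directly (see the Z3 note at the end of the workshop).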
2 - Dynamic analysis
Now we are going to learn how to analyse a binary dynamically. With GDB we can run our binary instruction by instruction and see, for each one of them, the corresponding values of the registers and the stack.
To start a dynamic analysis, use start in gdb: it places a temporary breakpoint on main and runs the program up to it. If the binary is stripped (no main symbol), use starti to stop on the very first instruction instead, or set a breakpoint on the entry point reported by info files (or readelf -h) and then run.
Here are the most useful commands during a dynamic analysis in GDB:
- si (stepi) executes exactly one instruction; ni (nexti) does the same but steps over a call. Note that s and n work on source lines and therefore need debugging information: on a challenge binary they run until the current function returns instead of stepping one instruction.
- finish runs until the current function returns and stops at the instruction following the call.
- b *addr, where addr is the address of an instruction, sets a breakpoint at this address (info b lists the breakpoints, delete removes them).
- run (r) starts the program from the beginning and stops at the first breakpoint hit, or at the end of the program if no breakpoint is set; c (continue) resumes from a breakpoint to the next one.
- info registers and x/8xw $esp (x/8xg $rsp on 64-bit) show the registers and the top of the stack; PEDA prints this context automatically at every stop.
3 - The arena
It's time to use your knowledge in a typical CTF exercise. The arena binary will take you through various ways of checking an input. Each step has its own logic: you have to find a way through each of them and validate the final step. Try to strictly apply all the techniques you have learnt before!
4 - First contact with protection
There are various ways of protecting a binary against Reverse Engineering, for example:
- obfuscation: the binary is polluted with useless or misleading instructions (dead code, junk bytes that derail the disassembler, computed jumps) to make the reverse engineer's work harder.
- dynamic analysis protection with ptrace: a process can have only one tracer, so a program that calls ptrace(PTRACE_TRACEME) on itself sees the call fail when a debugger is already attached, and can then exit or change its behaviour.
- stripped binaries: the symbol table and debugging information (metadata such as function and variable names and addresses) are removed, so gdb can no longer break on main by name and the disassembly only shows raw addresses.
Try to identify which protection(s) is/are used on im-protected, find a way to bypass it/them and solve the challenge!
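To make the ptrace protection concrete, here is an added example (constructed for this guide, not the code of im-protected) of the two Linux anti-debugging checks most often met in CTF binaries, with the bypass for each in the comments. The ptrace check is the one named above; the /proc/self/status TracerPid check is a common companion and is split into a parser so it can be exercised on constructed text. The status excerpts are made up, not captured from a real run.

```c
/* Added example: two Linux anti-debugging checks and how each is bypassed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>

/* Check 1: ptrace(PTRACE_TRACEME). A process can have only one tracer, so the
 * call fails (returns -1) when gdb or strace is already attached and succeeds
 * otherwise. Returns 1 when a tracer is detected.
 * Bypass in gdb: `catch syscall ptrace`, `run`, then at the return stop
 * `set $eax = 0` (32-bit) or `set $rax = 0` (64-bit) and `continue`.
 * Bypass by patching: flip the conditional jump after `call ptrace` in Cutter.
 * Bypass by preloading: LD_PRELOAD a library whose ptrace() returns 0.
 * Caveat: a seccomp sandbox that denies ptrace makes this report 1 as well. */
int debugger_present_ptrace(void)
{
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1;
}

/* Check 2: the TracerPid line of /proc/self/status holds the pid of the
 * tracer, 0 when there is none. Returns the pid, or -1 if the field is absent.
 * Bypass: patch the comparison, or in gdb break right after the read and
 * overwrite the buffer (or the parsed value in its register). */
long tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (p == NULL) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);  /* strtol skips the tab */
}

int debugger_present_procfs(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0;                  /* no procfs: assume no tracer */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Constructed /proc/<pid>/status excerpts (not captured from a real process). */
const char status_traced[] =
    "Name:\tim-protected\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t4200\nTracerPid:\t4200\nUid:\t1000\t1000\t1000\t1000\n";
const char status_free[] =
    "Name:\tim-protected\nState:\tR (running)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t4100\nTracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    printf("parsed TracerPid: %ld (traced sample), %ld (free sample)\n",
           tracer_pid_from_status(status_traced), tracer_pid_from_status(status_free));
    printf("ptrace check : %s\n", debugger_present_ptrace() ? "debugger detected" : "clean");
    printf("procfs check : %s\n", debugger_present_procfs() ? "debugger detected" : "clean");
    return 0;
}
```

Run the program once directly and once under gdb ./a.out to see the ptrace check flip, then try the catch syscall ptrace bypass: the syscall catchpoint stops twice, at entry and at return, and it is the return stop where you overwrite the result register.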
Reverse Engineering with Cutter
GDB and PEDA are good tools, but when we face complex or heavy programs it is hard to make an efficient analysis. That is why today we are going to learn how to use Cutter, a GUI tool built on top of Radare2 (recent releases build on Rizin, a fork of Radare2). This tool is great because it features:
- a clean and efficient interface
- a good integration of the Ghidra decompiler (a decompiler reconstructs C-like code from the binary's asm instructions). Ghidra was developed and released by the NSA.
- a built-in debugger
Download the .AppImage of Cutter, make it executable (chmod +x) and run it!
1 - ez-check
The challenge ez-check is pretty simple. Solve it using Cutter and take the time to discover the software and its various functionalities.
2 - impossible
Now we are going to learn how to patch a binary. Patching a binary means changing some instructions in the file itself to change the behaviour of the program, typically turning a conditional jump into an unconditional one or replacing a check with nop instructions. To patch a binary in Cutter, you have to:
- open the binary in write mode (the option must be set in the first popup window when Cutter opens). Write mode modifies the file on disk, so work on a copy.
- right-click on the C / asm code and go to Edit -> Instruction to rewrite the instruction! Keep the new instruction the same size as the old one, or fill the remaining bytes with nop: a longer instruction overwrites the one that follows, and a shorter one leaves bytes that will be decoded as garbage.
- then launch your program again and see the effect of your changes!
Depending on the size of the program and the impact of your changes, editing can take some time. Be patient!
Start analysing the impossible binary: first understand why it is called impossible, then solve the challenge!
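What Cutter's write mode does underneath, as an added example (not Cutter's code nor the challenge's): the address you see in the disassembly is a virtual address, and the bytes to change sit at a file offset found through the PT_LOAD program headers. The ELF image, its single segment and the short cmp/je/mov stub are constructed in memory for the example (a real run would fread the file into img and fwrite it back), and the helpers assume a 64-bit little-endian ELF; swap in the Elf32_* types for the 32-bit challenges.

```c
/* Added example: locate and patch bytes in an ELF image by virtual address. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map a virtual address to the file offset that holds those bytes by walking
 * the PT_LOAD program headers. Returns -1 if the address is not backed by the
 * file (unmapped, or in .bss which has p_memsz > p_filesz). */
long vaddr_to_offset(const unsigned char *img, size_t len, uint64_t vaddr)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                 /* copy: img may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (vaddr >= ph.p_vaddr && vaddr < ph.p_vaddr + ph.p_filesz)
            return (long)(ph.p_offset + (vaddr - ph.p_vaddr));
    }
    return -1;
}

/* Overwrite n bytes at vaddr. 0 on success, -1 if unmapped or out of range. */
int patch_bytes(unsigned char *img, size_t len, uint64_t vaddr,
                const unsigned char *bytes, size_t n)
{
    long off = vaddr_to_offset(img, len, vaddr);
    if (off < 0 || (size_t)off + n > len) return -1;
    memcpy(img + off, bytes, n);
    return 0;
}

/* Turn a 2-byte short conditional jump (opcodes 0x70..0x7f) at vaddr into an
 * unconditional jmp (0xeb) of the same size, so its target is always taken.
 * Refuses to touch anything that is not a short jcc. */
int force_short_jump(unsigned char *img, size_t len, uint64_t vaddr)
{
    static const unsigned char jmp_short = 0xeb;
    long off = vaddr_to_offset(img, len, vaddr);
    if (off < 0 || (img[off] & 0xf0) != 0x70) return -1;
    return patch_bytes(img, len, vaddr, &jmp_short, 1);
}

/* Replace n bytes with nop (0x90): same size, so what follows stays decodable. */
int nop_fill(unsigned char *img, size_t len, uint64_t vaddr, size_t n)
{
    long off = vaddr_to_offset(img, len, vaddr);
    if (off < 0 || (size_t)off + n > len) return -1;
    memset(img + off, 0x90, n);
    return 0;
}

/* Constructed image (not a real challenge file): one PT_LOAD segment mapping
 * file offset 0 at 0x400000, with this stub at 0x400080:
 *   cmp eax, 0x1337 ; je ok ; mov eax, 0 ; ret ; ok: mov eax, 1 ; ret */
enum { IMG_SIZE = 0x100, CODE_OFF = 0x80, BASE = 0x400000 };
unsigned char img[IMG_SIZE];

void build_image(void)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph = {0};
    static const unsigned char code[] = {
        0x3d, 0x37, 0x13, 0x00, 0x00,   /* 0x400080: cmp eax, 0x1337 */
        0x74, 0x06,                     /* 0x400085: je  0x40008d    */
        0xb8, 0x00, 0x00, 0x00, 0x00,   /* 0x400087: mov eax, 0      */
        0xc3,                           /* 0x40008c: ret             */
        0xb8, 0x01, 0x00, 0x00, 0x00,   /* 0x40008d: mov eax, 1      */
        0xc3,                           /* 0x400092: ret             */
    };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;  eh.e_machine = EM_X86_64;  eh.e_version = EV_CURRENT;
    eh.e_entry = BASE + CODE_OFF;
    eh.e_phoff = sizeof eh;  eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;  eh.e_phnum = 1;
    ph.p_type = PT_LOAD;  ph.p_flags = PF_R | PF_X;
    ph.p_vaddr = ph.p_paddr = BASE;
    ph.p_filesz = ph.p_memsz = IMG_SIZE;  ph.p_align = 0x1000;
    memset(img, 0, sizeof img);
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, &ph, sizeof ph);
    memcpy(img + CODE_OFF, code, sizeof code);
}

int main(void)
{
    build_image();
    printf("0x400085 is at file offset 0x%lx, opcode 0x%02x\n",
           vaddr_to_offset(img, sizeof img, 0x400085), img[0x85]);
    if (force_short_jump(img, sizeof img, 0x400085) == 0)
        printf("patched je -> jmp (0x%02x): the check now always passes\n", img[0x85]);
    return 0;
}
```

The same offset arithmetic is what you need when Cutter shows an address but you would rather apply the patch with a hex editor or a script: PIE binaries make the virtual addresses relative to a load base, but the PT_LOAD mapping to file offsets is unaffected.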
3 - Craft
After all this reverse, you might want to relax a bit with this new Minecraft version. The problem is that it is licence protected…
Bypass the protections and start a game!
N.B.: This is actually not Minecraft. The binary you are dealing with is a modified version of Craft, an open-source Minecraft clone written in C with OpenGL.
To conclude our adventure
You now have the basics of Reverse Engineering and you may want to work more on your Reverse skills. We recommend you to check out:
Cutter, which we have already used, but it is a really interesting project with new features in every release!
Ghidra, the NSA's reverse engineering suite, whose decompiler Cutter uses to provide full decompilation (Ghidra is also a complete disassembler and analysis platform on its own).
Z3, an SMT solver from Microsoft Research that lets you solve many crackme checks by writing the constraints on the input and asking for a satisfying model.
Angr, a binary analysis framework built on symbolic execution, which helps you automate and speed up the resolution of Reverse challenges.
Want to contribute or give feedback ? Reach me @pwnh4.