Reverse Engineering


CIS 5510

Now that you've developed expertise in reading and writing assembly code, we'll put that knowledge to the test in reverse engineering binaries!

First you'll learn the magic of gdb, then reverse engineer binaries.

For the Debugging levels, the challenge is in /challenge, but named differently for each level. Make sure you read the output: it will drop you into gdb. From there, type run to get started. Follow the output to keep going.

For the Reverse Engineering levels, the challenge is in /challenge, but named differently for each level. The levelX.0 are "teaching" challenges that have output that shows what the challenge is doing. The levelX.1 challenges are similar (but not the same) but have no output: you'll need to reverse engineer the binary.


Lectures and Reading

There are a number of good gdb crash courses / reference manuals.

There are many resources related to reverse engineering around the internet.

As mentioned in the slides, there are a number of useful tools for this assignment! Here is a (non-exhaustive) list:

  • gdb will let you run and inspect the state of these programs.
  • To switch from gdb to either gef or pwndbg, you can execute one of the following commands: echo "source /opt/gef/gef.py" > ~/.gdbinit or echo "source /opt/pwndbg/gdbinit.py" > ~/.gdbinit
  • Some useful gdb concepts:
    • Know the difference between step instruction (si) and next instruction (ni). It boils down to the fact that si will follow jumps, and ni will step over jumps. This means that if you use si, you will quickly find yourself crawling through libc code, which is insane and unnecessary.
    • You can use x/i $rip to disassemble the next instruction that will be executed. You can call display/i $rip to make the next instruction display every time gdb prompts you for input. You can also do x/2i and display/2i to print two (or other quantities of) instructions.
    • The disas command will disassemble the current function that you are looking at.
    • gdb can be scripted! Look up conditional breakpoints and scriptable breakpoints in the gdb manual.
    • Modern binaries are position independent, meaning that they can be loaded anywhere in memory when they run. GDB will load them at the offset 0x555555554000. This means that if objdump is telling you that main starts at some address like 0x100, the address when debugging with GDB will be 0x555555554100.
  • strings will list printable strings in the file. This is useful for looking for constant strings that the program checks for (such as file names and so on) in the course of getting input. Keep in mind that the options for strings include a minimum length that it will print.
  • Don't forget about pwntools! You will need to interact heavily with these programs. Do it right (with pwntools).
  • rappel is a nice tool to help you figure out what certain instructions do.
  • Tools for reverse engineering actual binaries:
    • IDA, accessible via the Desktop in the dojo, is the industry standard of reverse-engineering tools.
    • Ghidra, also accessible via the Desktop in the dojo, is an open source direct competitor to IDA that is used and loved by many.
    • angr-management, also accessible via the Desktop in the dojo, is an open source up-and-coming reversing tool with some advanced functionality.
    • Binary Ninja Cloud, accessible separately through your web browser, is a free binary reverse engineering tool.
    • In a pinch, objdump -d -M intel the_binary will disassemble the binary you want to look at. -M intel, in that command, makes objdump give you nice and readable Intel assembly syntax.
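The PIE address translation described above (objdump offset plus the 0x555555554000 base that GDB uses) comes up constantly when moving between objdump -d -M intel output and a gdb session. Here is an added helper, not part of the course materials, that parses a constructed objdump snippet, converts function offsets to the addresses gdb will show, and emits the matching break commands; the function names and bytes in the sample are made up.

```python
import re

# Base at which gdb maps a PIE binary when ASLR is disabled (gdb's default),
# as stated in the course notes above.
GDB_PIE_BASE = 0x555555554000

# Constructed sample of `objdump -d -M intel` output; not from any real challenge.
SAMPLE_OBJDUMP = """\
0000000000001139 <check_key>:
    1139:\tf3 0f 1e fa          \tendbr64
    113d:\t55                   \tpush   rbp
    113e:\t48 89 e5             \tmov    rbp,rsp

0000000000001170 <main>:
    1170:\tf3 0f 1e fa          \tendbr64
    1174:\t55                   \tpush   rbp
    1175:\te8 bf ff ff ff       \tcall   1139 <check_key>
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")          # "0000000000001170 <main>:"
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t([0-9a-f ]+?)\s*\t(.+)$")  # "    1170:\t<bytes>\t<insn>"

def file_offset_to_gdb(offset, base=GDB_PIE_BASE):
    """Address gdb will show for an objdump (file) offset of a PIE binary."""
    return base + offset

def gdb_to_file_offset(addr, base=GDB_PIE_BASE):
    """Inverse mapping: take an address seen in gdb back to the objdump offset."""
    return addr - base

def parse_objdump(text):
    """Return {name: {"offset": int, "insns": [(offset, disassembly), ...]}}."""
    funcs, current = {}, None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:  # new function header
            current = m.group(2)
            funcs[current] = {"offset": int(m.group(1), 16), "insns": []}
            continue
        m = INSN_RE.match(line)
        if m and current is not None:  # instruction inside the current function
            funcs[current]["insns"].append((int(m.group(1), 16), m.group(3).strip()))
    return funcs

def gdb_breakpoints(funcs, names, base=GDB_PIE_BASE):
    """gdb 'break *ADDR' lines for each named function at its PIE-adjusted address."""
    return [f"break *{file_offset_to_gdb(funcs[n]['offset'], base):#x}" for n in names]

if __name__ == "__main__":
    parsed = parse_objdump(SAMPLE_OBJDUMP)
    print("\n".join(gdb_breakpoints(parsed, ["main", "check_key"])))
```

Paste the printed break lines into gdb (or a .gdbinit) before run; the same mapping works for any objdump -d -M intel output that uses the standard tab-separated layout.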

Challenges

Reverse engineer this challenge to find the correct license key.

Reverse engineer this challenge to find the correct license key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 5 bytes in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 5 bytes in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 1 byte in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 1 byte in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 2 bytes in the binary, but performs an integrity check afterwards.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 2 bytes in the binary, but performs an integrity check afterwards.