Introduction to reverse engineering

This is going to be about the basics of reverse engineering and how to get started with it.

Tools that you will need may include a disassembler such as IDA or Radare2 and a debugger such as GDB (with pwndbg), which are the ones used below.

Some people use either IDA or Radare2; I like to use both, since in my opinion neither one is really better than the other.

For this example I will be using this sample code I wrote.

To compile I ran $ gcc sample.c -o sample. Reverse engineering challenges are usually stripped, so I stripped it as well with $ strip sample.

To start the actual reversing process, the first thing I like to do is run the strings command against the binary to check whether the password is stored unobfuscated.

As you can see, secretKey shows up in the strings output, but let's assume that this is not the case.

Next I am going to open it up in r2 and look at the disassembly.

OK, this looks like the password function. Just looking at it we cannot tell what the password is, but there is a hex immediate, 0x654b746572636573, that looks like ASCII, so let's convert it.

Remember that this is little endian, so we have to make sure we decode it in the right byte order. Doing $ python -c "print '\x73\x65\x63\x72\x65\x74\x4b\x65'" (Python 2 syntax) prints secretKe. That is not the entire password, but if we look two instructions later we see the 0x79, which is the "y" completing the password.
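As an added example (not code from the original post), here is a Python 3 script that does the same little-endian reconstruction, generalised to any ordered sequence of immediate stores of different widths, such as the qword store followed by the word store in this binary. The immediate values are the ones from the listing above; everything else is my own construction.

```python
import struct

# Immediates as they appear in the disassembly of the password function,
# in the order the stores happen: (value, width in bytes).
# Taken from the post's listing: a qword store followed by a word store.
IMMEDIATES = [(0x654B746572636573, 8), (0x79, 2)]

# struct format characters for little-endian stores of each width
_FMT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}


def immediates_to_bytes(imms):
    """Serialize each immediate the way the CPU writes it to memory
    (little-endian) and concatenate the stores in order."""
    return b"".join(struct.pack(_FMT[width], value) for value, width in imms)


def naive_big_endian(value, width):
    """What you get if you forget the endianness: the bytes in the order
    the hex literal is printed. Included only to show the mistake."""
    return value.to_bytes(width, "big").decode("ascii", "replace")


def extract_cstring(buf):
    """Stop at the first NUL byte, which is where strcmp would stop."""
    end = buf.find(b"\x00")
    return (buf if end < 0 else buf[:end]).decode("ascii", "replace")


def recover_password(imms=IMMEDIATES):
    """Rebuild the stack buffer the stores create and read it as a C string."""
    return extract_cstring(immediates_to_bytes(imms))


if __name__ == "__main__":
    print("naive (big-endian) read :", naive_big_endian(*IMMEDIATES[0]))
    print("little-endian stores    :", immediates_to_bytes(IMMEDIATES))
    print("recovered password      :", recover_password())
```

The word store of 0x79 also writes the terminating NUL, which is why the recovered buffer is a complete C string.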

Next, let's recompile it, but this time build it without PIE by doing $ gcc sample.c -o sample -no-pie, so the binary is loaded at fixed addresses and ASLR no longer relocates its code. Now reload it in r2: this time the call to the password function shows up as sym.password, which makes it clearer to beginners where the password function is. Next, open the password function in r2 and open the binary in GDB.

Now in GDB I set a breakpoint on the call to the string compare and ran it with a test password:

pwndbg> break *0x00400620
pwndbg> r AAAA

We are able to see the password contained in the RCX and RSI registers.

We could also get the password by looking at the stack, like this.

Now lets see what it looks like in IDA.

Basically the same as Radare: we can see the same set of instructions that allow us to get the password.
lea rax, [rbp+s2]
mov rcx, 654B746572636573h
mov [rax], rcx
mov word ptr [rax+8], 79h

Sometimes Radare can have trouble resolving names of functions but IDA does not have this issue.

Open up the binary again in GDB, but this time let's get the password without entering any arguments.

If we do not enter any arguments, the je 0x40067a branch is taken and the call to the password function never happens, but we can change that with GDB.

First set a breakpoint on 0x00400663 and run the program. Then set RIP to the instruction right after the jump, bypassing it, and set a breakpoint at the first address in the password function. From there, navigate around the binary to avoid segfaulting: since we did not give the program an argv[1], it will segfault whenever a function like strlen is called on it. To do this I ran:
pwndbg> break *0x00400663
pwndbg> r
pwndbg> set $rip = 0x00400665
pwndbg> break *0x004005c7
pwndbg> c
pwndbg> set $rip = 0x004005fb
pwndbg> break *0x00400620
pwndbg> c

As you can see, it still works. We can use this method of setting the instruction pointer to whatever we want in order to navigate around the binary and avoid whatever we need to; in this case that is jumps and certain function calls that would cause the program to crash or exit when we do not want it to. It is important to skip only what is absolutely necessary: for example, when I set the breakpoint on the first jump instruction, I set RIP to the very next instruction without skipping anything else. If you know something is not important you can go ahead and skip it, as I did when I skipped a few instructions between the function calls and jump instructions that I wanted to avoid.

One thing to note, though, is that I made getting the password out of this binary extremely easy because it is only a demonstration; when doing challenges and CTFs it will most likely never be this easy.

I would also like to note that when I am working on a reversing challenge and have to navigate around the binary, or just want to make my life easier, I open a text file and write down the commands I want to execute, like so:
pwndbg> break *0x00400663
pwndbg> r
pwndbg> set $rip = 0x00400665
pwndbg> break *0x004005c7
pwndbg> c
pwndbg> set $rip = 0x004005fb
pwndbg> break *0x00400620
pwndbg> c

I do this rather than putting the commands in the GDB init file because there is a chance I will want to change something, so I settle for copying and pasting.

While I am working on reversing challenges my setup looks like this: I have IDA on my left monitor, Radare on the far right of the right monitor, and another terminal or Sublime in the free space under GDB. A setup like this makes reversing a little bit easier and allows you to stay organized while working.
