Reverse Engineering for CTFs

Presentation on theme: "Reverse Engineering for CTFs"— Presentation transcript:

1 Reverse Engineering for CTFs
Week 1

2 For demo later
Install from:

3 What is reverse engineering?
to study or analyze (a device, as a microchip for computers) in order to learn details of design, construction, and operation, perhaps to produce a copy or an improved version. (

4 Why reverse engineering?
Uses:
Malware analysis
Vulnerability analysis
Analyzing legacy software
Auditing code
Developing competing software
Evaluating software quality and robustness

5 Overview
Introduction to RE CTF questions
Methodology
X86
Tools and techniques
Demo

6 Introduction to RE CTF Problems
Your goal is to find the flag, and it is usually encrypted, encoded, or otherwise hidden. We are not cryptanalysts who tirelessly attempt to perform dark mathematical magic. We are reverse engineers; we can look at the code! To get the flag you need to figure out what the program does and reverse that transformation. You will have to deal with multiple assembly languages and bytecode representations. If you want to pick the single architecture that is most common in CTFs, it is x86.

7 Methodology
What are we dealing with? (file, strings)
What is our goal? (Run the executable)
Reverse engineer and find the flag!
Static analysis:
User input
Comparisons
Constructs
.data section
.rodata section
.bss section

8 What are we dealing with?

9 From code to runtime

10 From code to runtime

11 Initial Analysis Tools
file - looks at the magic number in the file to determine the type of file you are dealing with (always run this first)
strings - your best friend from now on. Prints the printable strings found in the binary. If this is not in your homework write-up you will be getting a 0 (probably).
strings -n 4 file - prints only the strings of length 4 bytes or more in the file
readelf - useful for ELF files. 'readelf -h' gives you the header information for an ELF file, including the entry point address.
objdump - there is a lot you can do with objdump; I suggest you become familiar with it

12 Initial Analysis Example (file)
ELF: Executable and Linkable Format (Linux executable)
64-bit: x86-64 registers, calling conventions, etc.
LSB: Least Significant Bit, the bit position in a binary integer giving the units value, that is, determining whether the number is even or odd. (In file's output, LSB indicates little-endian byte order: the least significant byte is stored first.)
Dynamically / statically linked: static linking is the result of the linker copying all library routines used in the program into the executable image. Dynamic linking occurs at run time.
Stripped / not stripped: whether symbols which do not affect execution of the file have been removed or not (debugging symbols, ...).
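To show where file's "ELF 64-bit LSB executable" line and readelf's entry point come from, here is a small header parser added as an example for these notes (not part of the slides). The 64-byte sample header is constructed by hand for a hypothetical x86-64 binary; only the identification bytes, e_type, e_machine and e_entry are filled in.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Header fields behind file's "ELF 64-bit LSB executable, x86-64" and readelf -h's entry point. */
typedef struct {
    int valid;          /* 1 if the ELF magic is present and the header is complete */
    int bits;           /* EI_CLASS: 32 or 64 */
    int little_endian;  /* EI_DATA: 1 = LSB (little-endian), 0 = MSB */
    uint16_t e_type;    /* 2 = EXEC, 3 = DYN (PIE or shared object) */
    uint16_t e_machine; /* 0x03 = i386, 0x3e = x86-64 */
    uint64_t e_entry;   /* entry point address */
} elf_info;

/* Read an n-byte integer (n <= 8) in the byte order the header declares. */
static uint64_t rd(const uint8_t *p, size_t n, int le) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = le ? v | ((uint64_t)p[i] << (8 * i)) : (v << 8) | p[i];
    return v;
}
/* Parse the header at the start of a file image; .valid stays 0 on a bad magic
 * or a buffer shorter than the full header (64 bytes for ELF64, 52 for ELF32). */
elf_info parse_elf_header(const uint8_t *buf, size_t len) {
    elf_info info = {0};
    if (len < 16 || memcmp(buf, "\x7f" "ELF", 4) != 0) return info;
    info.bits = (buf[4] == 2) ? 64 : 32;
    info.little_endian = (buf[5] == 1);
    if (len < (size_t)(info.bits == 64 ? 64 : 52)) return info;
    info.valid = 1;
    info.e_type = (uint16_t)rd(buf + 16, 2, info.little_endian);
    info.e_machine = (uint16_t)rd(buf + 18, 2, info.little_endian);
    info.e_entry = rd(buf + 24, info.bits == 64 ? 8 : 4, info.little_endian);
    return info;
}
/* Constructed sample: first 64 bytes of a hypothetical x86-64 binary (unlisted bytes are zero). */
static const uint8_t sample_hdr[64] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_ident: magic, 64-bit, LSB */
    0x02, 0x00, 0x3e, 0x00,             /* e_type = ET_EXEC, e_machine = EM_X86_64 */
    0x01, 0x00, 0x00, 0x00,             /* e_version */
    0x40, 0x10, 0x40, 0x00, 0, 0, 0, 0, /* e_entry = 0x401040 */
};
elf_info parse_sample(void) { return parse_elf_header(sample_hdr, sizeof sample_hdr); }

int main(void) {
    elf_info i = parse_sample();
    printf("ELF %d-bit %s %s, entry 0x%llx\n", i.bits, i.little_endian ? "LSB" : "MSB",
           i.e_type == 2 ? "executable" : "shared object", (unsigned long long)i.e_entry);
    return 0;
}
```

A buffer that is too short or starts with another magic (for example a PE's "MZ") comes back with .valid == 0, which is the same distinction file draws before printing anything else.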

13 ELF
Primary sections of interest:
Text: this section holds the "text", or executable instructions, of a program.
Bss: this section holds uninitialized data that contributes to the program's memory image.
Data: these sections hold initialized data that contributes to the program's memory image.
Rodata: these sections hold read-only data that typically contributes to a non-writable segment in the process image.

14 Program Memory Layout Linux

15 Initial Analysis Tools (strings)

16 What is our goal?

17 Run the executable
What is the executable doing?
What is the result/output of running the executable?
How do we win?
Can we break it? (Segmentation fault)

18 x86

19 X86 - Registers

20 X86-Registers

21 X86 - Registers
Nibble = 4 bits
Byte = 8 bits
Intel specific:
Word = 2 bytes
DWord = 4 bytes
QWord = 8 bytes

22 X86 - Basic Instructions
Common instructions:
mov = move one value into a register
push = push a value onto the stack
pop = pop a value off the stack
ret = pop the return address off the stack and set eip to it
leave = restore ebp (tear down the current stack frame)
call = call a function
cmp = compare values
test =
others: nop (0x90), xor, shl, shr, idiv, and, add, sub

23 x86 - Syntax
AT&T vs. Intel

24 x86 - Handling Functions
Issues:
How should we pass parameters? Registers, push?
How should we manage the stack? Who is in charge of cleaning up the stack (caller or callee)?
How should values be returned? Register[s]?
How should we jump to the function? How do we know where to return to?
How do we share registers?

25 x86 - Handling Functions How we handle the issues presented in the last slide depends on the calling conventions used.

26 X86 - Calling Conventions
Source:

27 X86 - Calling Conventions
cdecl (gcc)

28 X86 - Calling Conventions
System V AMD64 ABI

29 Constructs
If statement: three basic blocks
Compare block
Then block
Else block

30 Constructs
Loops: 4 basic blocks
Initial block (sets the loop counter condition/variable)
Compare block (checks the condition)
Loop body
Exit block
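As an added example for slides 6, 29 and 30 (not code from the slides), here is a CTF-style flag check written in C with the basic blocks it compiles to marked in comments, followed by the reverse engineer's recovery step. The flag, the XOR key (0x5a + position) and the encoded table are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define FLAG_LEN 12

/* Constructed .rodata-style table: the flag XORed with a per-position key
 * (0x5a + i). The plaintext never sits in the binary, so `strings` shows only
 * garbage here; the comparison logic itself has to be read. */
static const unsigned char encoded[FLAG_LEN] = {
    0x3c, 0x37, 0x3d, 0x3a, 0x25, 0x2d, 0x05, 0x3e, 0x53, 0x53, 0x55, 0x18
};
static const unsigned char KEY = 0x5a;

/* The checker as a challenge binary would contain it. In the disassembly the
 * `if` is a compare block with a then block (return 0), and the `for` is the
 * four loop blocks: init (i = 0), compare (i < FLAG_LEN), body (xor, cmp,
 * conditional jump out on mismatch) and exit (return 1). */
int check_flag(const char *input) {
    if (strlen(input) != FLAG_LEN)                       /* compare block */
        return 0;                                        /* then block */
    for (size_t i = 0; i < FLAG_LEN; i++) {              /* init + compare */
        unsigned char k = (unsigned char)(KEY + i);
        if (((unsigned char)input[i] ^ k) != encoded[i]) /* loop body */
            return 0;
    }
    return 1;                                            /* exit block */
}

/* The reverse engineer's move: XOR is its own inverse, so running the loop
 * body over the table instead of over the input yields the flag. */
const char *recovered_flag(void) {
    static char out[FLAG_LEN + 1];
    for (size_t i = 0; i < FLAG_LEN; i++)
        out[i] = (char)(encoded[i] ^ (unsigned char)(KEY + i));
    out[FLAG_LEN] = '\0';
    return out;
}

int main(void) {
    const char *flag = recovered_flag();
    printf("recovered: %s  check_flag -> %d\n", flag, check_flag(flag));
    return 0;
}
```

Compiling this without optimization and opening it in radare2's graph view shows the five blocks described on the slides; the table is what you find by following the memory reference in the loop body's cmp.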

31 Tools

32 Radare2
DO NOT INSTALL USING 'sudo apt install radare2'
Install from:
Radare2 CLI:
Start: r2 fileToAnalyze
Analyze the binary: aaaa (you must analyze the binary first)
CLI: most command names in radare are derived from action names. They should be easy to remember, as they are short. Actually, all commands are single letters. Subcommands or related commands are specified using the second character of the command name.
Example: afl -> a = analyze, f = functions, l = list. Prints a list of all functions in the binary.

33 Radare2 Commands
? = help menu. Append '?' to the end of any command to get the help information about that command.
~ = grep. Appending '~your_string' to the end of any command is equivalent to command | grep your_string
a = analyze the binary
s = seek to an address/function
afl = list functions
i = info
q = quit
V = visual mode (why we use Radare2!)

34 Radare2 Visual Mode Commands
q = quit
p = change view or page
Arrow keys = move around in visual mode
u = undo, go back (this reverts to the previous view/location)
;; = add comments
V = opens graph view (even better!)

35 IPython
Interactive Python shell. Install: pip install ipython
Better features:
Syntax highlighting
Tab completion
And more...

36 Useful Links
Relocations, GOT, PLT - key-to-code-sharing-and-dynamic-libraries.html
How to deal with a stripped binary - handle-stripped-binaries-with-gdb-no-source-no-symbols-and-gdb-only-sho
ELF Specification - (page 14 has descriptions of sections .bss, .data, .dynsym, .text, etc.)

37 Radare2 Demo
