RE guide for beginners: Methodology and tools


Hi fellas,

A few days ago, I decided to start my adventure in the reverse engineering domain. I was quickly overwhelmed by a bunch of information and op codes that confused me a lot, even with solid knowledge in assembly and programming.

Reverse engineering can seem complex at first glance; however, with a good methodology and toolkit, everything starts to make sense.

This article aims to guide you, based on my own experience, through your first steps in this strange and odd universe.

Methodology

So, here we are: you downloaded your first binary and now … what to do? RE requires two types of analysis, static and dynamic. Static analysis will give you a better overview and understanding of what is going on within the binary, whereas dynamic analysis will let you follow, step by step, the changes that occur in each register, which system calls are used, etc.

The following methodology is pretty basic. We start with static analysis to spot odd pieces of code, which then have to be analysed in depth through dynamic analysis. Pretty simple, right? But which tools can you use?

Static analysis

I must admit that I didn’t take the time to assess the different tools available on the internet. Indeed, I instantly jumped on Binary Ninja due to its low cost ($99) compared to the functionalities provided.

Binary Ninja is dedicated to static analysis, providing an awesome GUI, which is priceless when you have to deal with such an amount of information!

As you can see on the image above, Binary Ninja displays the entire call graph of your executable, which makes it much easier to understand how the blocks interact. Moreover, you can easily switch views via the bottom-right select menu. Lastly, the left pane lists every function, each directly accessible with a single mouse click.

On top of that, this software lets you:

  • Place comments within the code
  • Patch the binary through assembly or C code
  • Access an API to develop your own plugins and speed up the analysis process
  • Access a bunch of plugins available from their GitHub
  • Other functions that I haven’t used yet ^^

Note: A demo version is available for free and should be enough for beginners.

Dynamic analysis

Dynamic analysis can be done with various tools, e.g. gdb, radare2, etc. From my personal experience, radare2 is far from user-friendly. Indeed, without the cheat sheet, I wasn’t able to remember the shortcuts, which made me waste a lot of time! However, gdb seems to do the job, and pretty well… Moreover, the gdb user experience can be improved with peda (Python Exploit Development Assistance for GDB), which enhances gdb’s display by colourising the output and showing the disassembly, registers and memory information during debugging.

Here is the enhanced CLI:

Example

To show you how to apply this methodology, I chose to walk through how I successfully reversed the third phase of the bomb lab, developed by Carnegie Mellon University, which @_py makes available on his CTF platform skidophrenia.

Here is the phase 3 entry point:

Assumption: the solution seems to have three components: two integers and one character.

Let’s break on the 0x08048bbf address to see the registers state.

Input tried: 1 2 3

OK, it seems that the EAX register holds the number of arguments matched by sscanf, which confirms our previous assumption. Indeed, at least three values are necessary to reach the next block.

Here are the next blocks:

Explanations

  1. Check if the first integer is above 0x7. If yes, the bomb will explode (block not shown in the picture)
  2. We jump to the case corresponding to our first argument
  3. Set the BL register to 0x6b and compare the third argument to 0x7b. If the values are equal, we jump to the next block, otherwise the bomb explodes.
  4. Check if the second argument is equal to BL, which has been set previously. If not, the bomb explodes.

Consequently, we can assume that the password should be:

  • 3: representing the third case
  • k: corresponding to the ASCII value of 0x6b
  • 251: corresponding to the decimal value of 0x7b

Let’s try it!

Challenge completed! As you can see, this challenge didn’t need much dynamic analysis; however, that is quite rare. I chose this exercise to show you how important it is to take your time over the static analysis, because it can easily represent 70% of the work. So, scrupulously analyse each piece of code to reach your goal!

Conclusion

As demonstrated, reverse engineering is accessible to everyone. However, decent knowledge of assembly, memory management and programming is indispensable. Indeed, it will definitely help you to quickly identify where to focus your investigation in order to patch or bypass the security measure in place. Moreover, patience and dedication are qualities that will help you on your way to developing your RE skills.

In addition, to help with reversing 32- and 64-bit Linux binaries, I created a git repository containing a Docker image that bundles a few of the tools needed for such challenges.

I hope that you enjoyed your reading.

Best,
Nitrax

Note: A particular thanks to @_py, who guided me in this unknown area that is reverse engineering.