Reverse Engineering


Program Security

Lectures and Reading

There are many resources related to reverse engineering around the internet.

  • A good place to start is a series of walkthroughs of several hacking challenges by ASU's own Adam Doupe on his YouTube channel.
  • A comprehensive revese engineering tutorial series.

As mentioned in the slides, there are a number of useful tools for this assignment! Here is a (non-exhaustive) list:

  • gdb will let you run and inspect the state of these programs. Please check out the Debugging Refresher module. We have also provided a quick briefer here. Some useful gdb concepts:
    • Know the difference between step instruction (si) and next instruction (ni). It boils down to the fact that si will follow jumps, and ni will step over jumps. This means that if you use si, you will quickly find yourself crawling through libc code, which is insane and unnecessary.
    • You can use x/i $rip to disassemble the next instruction that will be executed. You can call display/i $rip to make the next instruction display every time gdb prompts you for input. You can also do x/2i and display/2i to print two (or other quantities of) instructions.
    • The disas command will disassemble the current function that you are looking at.
    • gdb can be scripted! Look up conditional breakpoints and scriptable breakpoints in the gdb manual.
    • Modern binaries are position independent, meaning that they can be loaded anywhere in memory when they run. GDB will load them at the offset 0x555555554000. This means that if objdump is telling you that main starts at some address like, 0x100, the address when debugging with GDB will be 0x555555554100
  • strings will list printable strings in the file. This is useful for looking for constant strings that the program checks for (such as file names and so on) in the course of getting input. Keep in mind that the options for string include a minimum size that it will print.
  • Don't forget about pwntools! You will need to interact heavily with these programs. Do it right (with pwntools).
  • rappel is a nice tool to help you figure out what certain instructions do.
  • Tools for reverse engineering actual binaries:
    • IDA, accessible via the Desktop in the dojo, is the industry standard of reverse-engineering tools.
    • Ghidra, also accessible via the Desktop in the dojo, is an open source direct competitor to IDA that is used and loved by many.
    • angr-management, also accessible via the Desktop in the dojo, is an open source up-and-coming reversing tool with some advanced functionality.
    • Binary Ninja Cloud, accessible separately through your web browser, is a free binary reverse engineering tool.
    • In a pinch, objdump -d -M intel the_binary will disassemble the binary you want to look at. -M intel, in that command, makes objdump give you nice and readable Intel assembly syntax.

Challenges

Reverse engineer this challenge to find the correct license key.

Reverse engineer this challenge to find the correct license key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 5 bytes in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 5 bytes in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 1 byte in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 1 byte in the binary.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 2 bytes in the binary, but performs an integrity check afterwards.

Reverse engineer this challenge to find the correct license key, but your input will be modified somehow before being compared to the correct key. This challenge allows you to patch 2 bytes in the binary, but performs an integrity check afterwards.

We're about to dive into reverse engineering obfuscated code! To better prepare you for the journey ahead, this challenge is a very straightforward crackme, but using slightly different code, memory layout, and input format. We will progressively obfuscate this in future levels, but this level should be a freebie!

We're about to dive into reverse engineering obfuscated code! To better prepare you for the journey ahead, this challenge is a very straightforward crackme, but using slightly different code, memory layout, and input format. We will progressively obfuscate this in future levels, but this level should be a freebie!

Let's dive into reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! If you are clever, you won't need to reverse too much VM code.

Let's dive into reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! If you are clever, you won't need to reverse too much VM code.

Let's dive into reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! If you are clever, you won't need to reverse too much VM code.

Let's dive into reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! If you are clever, you won't need to reverse too much VM code.

Let's dive into reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! If you are clever, you won't need to reverse too much VM code.

Let's dive into reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! If you are clever, you won't need to reverse too much VM code.

Let's continue deeper in reverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!

Let's continue deeper inreverse engineering obfuscated code! This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!

This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!

This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!

This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!

This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!

This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! This is a full end-to-end obfuscated challenge, like you might see in real-world obfuscated code!

This challenge is using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag! This is a full end-to-end obfuscated challenge, like you might see in real-world obfuscated code!

Reverse engineer this custom emulator and architecture to understand how to get the flag!

Reverse engineer this custom emulator and architecture to understand how to get the flag!

Reverse engineer this custom emulator and architecture, and write your own custom shellcode to get the flag.

Reverse engineer this custom emulator and architecture, and write your own custom shellcode to get the flag.

Reverse engineer this custom emulator and architecture, and write your own custom shellcode to get the flag, with a twist. This is the final boss. Are you a true Yan-head?

Reverse engineer this custom emulator and architecture, and write your own custom shellcode to get the flag, with a twist. This is the final boss. Are you a true Yan-head?


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

7-Day | 30-Day | All-Time

Rank Hacker Badges Score