Basic reverse engineering at Over The Wire

Today I was getting back to do some CTF on the platform Over The Wire. You can find there a lot of pentesting challenges. Either you are interested in web pentesting, linux server, cryptography, you can take a look there and see if they have what fits you.

So, I was getting challenged by the one of the games (name and level modified too avoid to many spoilers), in which you need to use some binaries that you find on the server to get the password to the next level. From the beginning, the ltrace linux command is your friend in order to see what string is expected as an argument or how the functions are working inside of the binary.

For one of the level, you just face a binary that gives you this kind on output when you execute it:

From this, one can easily see that a 4 digit code has to be given as an argument. Usually, a small loop would do it to brute force the binary. However, as I said, from the beginning you have to use ltrace and figure out what is happening inside of the binary. This coupled to my new interest in reverse engineering made me totally overlook this option and I started dealing with the binary.

In this case ltrace and strace were of no help. Then, I start diving into gdb. I don't know much about gdb, except what I could see here and there. For example, this video on a quick overview of gdb that also helped me to start seeing what reverse engineering could be.

Let's then get started with gdb.
Launch gdb and your executable

You get a prompt inside gdb. By entering help, you can get a list of command that you can enter in gdb.
Let's enter first the disassembly main command to get an overview of the instruction inside of the main function.

As you can see, it is not really straightforward to read it. To make this more understandable, we can convert this into the intel format, with the following command

And here is the result

By taking a look at the first lines, we can spot this comparison:

Here the program is trying to compare number 2 (0x2) to the value stored where the register eax is pointing to. The DWORD keyword is used to indicate the size of the variable. The program here is checking if the number of given argument is correct. This instruction is similar to the if statement in a programing language such as python. After the comparison, the program goes to the next instruction:

This instruction will set the behavior depending on the result of the comparison done on the previous line. In the case the comparison is true the je (jump equal) instruction will send the program to the instruction located at the offset of 64 from the main function (<main+64>). If the comparison returns a false, then the program continues to the next intruction (0x0804855b <+32>: mov eax,DWORD PTR [eax+0x4]).

Let's assume that our comparison is true, and that we have given the good number of argument. The program will then jump to the instruction located at <main+64>:

From there, the program will modifiy variables and push value into some registers. I will skip most of the instruction and go directly to what happens at <main+84>:

It seems that, this time, the program is trying to compare the value in the register eax, which is were the argument (the 4 digits, remember) is stored, to the value in the register [ebp-0xc] is pointing at. So, that must be the place inside the code where our argument is checked, and if it is the good one, maybe we get the password for the next level.
Nice, but how do we get the value used to compare to our argument. Well, if you go a bit up, when the program starts, you will see this line:

Here, the value the register [ebp-0xc] is pointing at is initialized with the value 0x1bd3. It means that the argument we have entered will be compared to this value. You can easily convert this value into base 10, and it gives you 7123 which was the key to unlock the next level.

That was my first challenge using reverse engineering, and it was interesting to see how to understand the binary you are dealing with instead of just brute-forcing it. Understanding the instruction given by the program is of great help in order to understand what it does, and can give you huge power in order to attack the executable or the server running it.
Assembly instructions appear to follow a certain logic, but it requires some time to get use to them. This x86 Assembly Guide can be used as a cheat sheet when starting to have all the main instructions at hand.

Leave a Reply

Your email address will not be published. Required fields are marked *

Solve : *
18 × 6 =