Linux | Reverse-Engineering
Greetings!
Welcome back to my blog channel. Today I will be writing a write-up, “How I reversed a file”. If you are ready to learn and analyze the file, let’s get started.
Analyzing The File
Analyzing a file is always a necessary phase for understanding its architecture and how it works.
We should assume that this file was written in C/C++ and that we will be analyzing an ELF file. We can use some pre-built tools to confirm this.
Awesome! As expected. We can see it is a 64-bit ELF file that is not stripped, which makes it easy for us.
I am just going to run this file to see the output.
It seems that we must input the correct password to get the flag.
I will use the strings command to take a quick look at the text strings.
getenv: The C library function char *getenv(const char *name) searches for the environment string pointed to by name and returns the value associated with that string.
Awesome! I can see the USER string, but what does it mean? We can also see the string Wait, yoH ur name H, which is interesting.
ldd (List Dynamic Dependencies) is a *nix utility that prints the shared libraries required by each program or shared library specified on the command line.
We can see the entry point of this file: 0x00007f0cf86e8000
Lastly, with the objdump command we should be able to show the disassembly of the executable code.
It is weird that getenv is being called, so I will use cutter and ghidra to look closer.
Advanced static analysis
Advanced static analysis, also known as code analysis, dissects the binary file to study each component, still without executing it. One method is to reverse engineer the code using a disassembler.
We can use the cutter, radare and gdb tools to disassemble a file.
To read this, we will use better tools.
We can see the string in those registers:
As you can see:
movabs rsi, 0x6f
movabs rsi, 0x2065
mov qword [rax], rsi
mov qword [rax+8], rdi
Let me explain. As you can see, two strings are stored at RAX, which means:
[RAX+0x0] = RSI -> 0x65
[RAX+0x8] = RDI -> 0x2065
[RAX+0x10] = 0x7369
Those values have been stored at the address held in the RAX register.
Awesome! I see that strcat is being used. In order to view the source in a better way, I will use the ghidra tool.
ENDIAN = little
We can see that getenv("USER") is called, which returns the name of the current UNIX user.
And we can see strcat, interesting…
strcat: The strcat() function concatenates string2 to string1 and ends the resulting string with the null character.
It seems that my user is concatenated with the string held in the RAX register.
Get the flag
I reckon that we solved this challenge, but why?
Now look: when we input a random string or a flag, it will output wrong, because we should consider that the getenv result and the RAX string are concatenated with each other. For instance:
string: hello
RAX: bye
When we concatenate them, the result will look like: byehello
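To make the concatenation concrete, here is an added C example (not the challenge's source and not the author's own code): it decodes movabs immediates such as the 0x2065 above into their little-endian characters, and it replicates the check as the write-up describes it, with the RAX string first and the USER value appended. The 0x657962 immediate in main is constructed to spell "bye".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reassemble a string the compiler emitted as movabs immediates written to
 * [rax], [rax+8], [rax+16], ... x86-64 is little-endian, so the lowest byte
 * of each qword is the first character of that 8-byte chunk. */
size_t decode_immediates(const uint64_t *imms, size_t count, char *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        for (int b = 0; b < 8; b++) {
            char c = (char)((imms[i] >> (8 * b)) & 0xff);
            if (c == '\0' || pos + 1 >= outlen)
                goto done;
            out[pos++] = c;
        }
    }
done:
    out[pos] = '\0';
    return pos;
}

/* The check the write-up describes: the string built in the RAX buffer gets
 * getenv("USER") appended with strcat and is compared with the typed input.
 * Returns 1 on a match, 0 otherwise (or if the combined string would not fit). */
int password_matches(const char *rax_string, const char *user, const char *input)
{
    char expected[256];
    if (rax_string == NULL || user == NULL || input == NULL)
        return 0;
    if (strlen(rax_string) + strlen(user) >= sizeof expected)
        return 0;                      /* avoid overflowing 'expected' */
    strcpy(expected, rax_string);
    strcat(expected, user);
    return strcmp(expected, input) == 0;
}

int main(void)
{
    /* Constructed immediate: 0x657962 is "bye" in little-endian byte order. */
    uint64_t imms[] = { 0x657962ULL };
    char buf[32];
    decode_immediates(imms, 1, buf, sizeof buf);
    printf("decoded RAX string: \"%s\"\n", buf);
    printf("byehello -> %d, hellobye -> %d\n",
           password_matches(buf, "hello", "byehello"),
           password_matches(buf, "hello", "hellobye"));
    return 0;
}
```

Swapping the two operands (hellobye) fails, which is why the order of the strcat arguments matters when working out the expected password.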
I created some source code to illustrate what it looks like.
I am going to try this:
We have successfully reversed the file and found the flag ;)
Summary
I will be publishing upcoming blogs about reversing and hardware programming languages. I plan to share my knowledge and experience with people who are interested in these fields. I encourage readers to subscribe to my blog-channel and to clap for my posts to show their support and motivation.
Thank you for taking the time to read my blog. I will see you next time!