Linux | Reverse-Engineering

Ahmet Göker
4 min read · Apr 12, 2023


Greetings!

Welcome back to my blog. Today I will be writing a write-up titled "How I reversed a file". If you are ready to learn and to analyze the file with me, let's get started.

Analyzing The File

Analyzing a file is always a necessary phase to understanding the architecture and how it works.

Before doing anything else we should establish what we are dealing with: most likely a C/C++ program compiled to an ELF binary. Standard pre-built tools such as the file command will confirm this.

Awesome, as expected: it is a 64-bit ELF executable and it is not stripped, so the symbol table (and with it the function names) is still present, which makes our job easier.

I am just going to run this file to see the output.

It seems that we must enter the correct password to get the flag.

I will use the strings command to take a quick look at the printable text in the binary.

getenv: the C library function char *getenv(const char *name) searches the process environment for the variable named by name and returns a pointer to its value, or NULL when the variable is not set.

Awesome! The USER string right next to getenv suggests that the program calls getenv("USER"). The other strings look odd: "Wait, yoH" and "ur name H". This is what a string built from 8-byte immediates looks like to strings: each movabs carries 8 characters of text inside the instruction itself, and the stray H is the byte 0x48, the REX.W prefix of the following instruction, which strings prints only because it happens to be printable. Drop the prefixes and the text reads "Wait, your name ...".
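To make that strings artefact concrete, here is an added example (my own constructed code, not from the original post). It hand-assembles a movabs/mov store sequence for the constructed text "Wait, your name " the way a compiler would emit it, then runs a minimal strings(1)-style scan over the bytes. The register numbers, instruction encodings and text are assumptions chosen for illustration, not the challenge's real bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode `movabs r64, imm64`: REX.W (0x48), opcode 0xB8 + register number,
 * then the 8-byte immediate in little-endian order. Returns bytes written (10). */
static size_t emit_movabs(uint8_t *out, unsigned reg, uint64_t imm) {
    out[0] = 0x48;
    out[1] = (uint8_t)(0xB8 + reg);
    for (int i = 0; i < 8; i++) out[2 + i] = (uint8_t)(imm >> (8 * i));
    return 10;
}

/* Constructed stand-in for the challenge's store sequence: the text
 * "Wait, your name " split into two 8-byte immediates (rsi = 6, rdi = 7)
 * and written through rax. The two stores are hand-assembled. */
static size_t build_sample_code(uint8_t *code) {
    static const uint8_t store_rsi[] = {0x48, 0x89, 0x30};       /* mov qword [rax], rsi */
    static const uint8_t store_rdi[] = {0x48, 0x89, 0x78, 0x08}; /* mov qword [rax+8], rdi */
    size_t n = 0;
    n += emit_movabs(code + n, 6, 0x6f79202c74696157ULL);       /* bytes "Wait, yo" */
    n += emit_movabs(code + n, 7, 0x20656d616e207275ULL);       /* bytes "ur name " */
    memcpy(code + n, store_rsi, sizeof store_rsi); n += sizeof store_rsi;
    memcpy(code + n, store_rdi, sizeof store_rdi); n += sizeof store_rdi;
    return n;
}

/* Minimal strings(1): every run of at least min_len printable ASCII bytes,
 * one per line in out. Returns the number of runs found. */
static int find_strings(const uint8_t *buf, size_t len, size_t min_len,
                        char *out, size_t out_sz) {
    int count = 0;
    size_t o = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] >= 0x20 && buf[i] <= 0x7e) continue; /* still inside a run */
        size_t run = i - start;
        if (run >= min_len && o + run + 2 <= out_sz) {
            if (count > 0) out[o++] = '\n';
            memcpy(out + o, buf + start, run);
            o += run;
            count++;
        }
        start = i + 1;
    }
    out[o] = '\0';
    return count;
}

/* Scan the constructed code; out receives what strings would print for it. */
static int sample_strings(char *out, size_t out_sz) {
    uint8_t code[32];
    size_t n = build_sample_code(code);
    return find_strings(code, n, 4, out, out_sz);
}

int main(void) {
    char found[64];
    int n = sample_strings(found, sizeof found);
    /* Each line ends in an H that is really the 0x48 REX.W prefix of the next instruction. */
    printf("%d strings found:\n%s\n", n, found);
    return 0;
}
```

The scan reports "Wait, yoH" and "ur name H", exactly the shape seen in the real output: the REX.W prefix of the next movabs or mov gets glued onto the end of each 8-character fragment, while the non-printable opcode byte after it terminates the run.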

ldd (List Dynamic Dependencies) is a *nix utility that prints the shared libraries required by each program or shared library named on the command line.

The address printed next to each library (0x00007f0cf86e8000 here) is where the dynamic loader mapped that library when ldd ran the program; it changes on every run because of ASLR and it is not the entry point of our binary. The real entry point is stored in the ELF header and can be read with readelf -h.

Lastly, we can use the objdump command (objdump -d, optionally with -M intel for Intel syntax) to show the disassembly of the executable code.

It is odd that getenv is being called from a password checker, so I will look closer with Cutter and Ghidra.

Advanced static analysis

Advanced static analysis, also known as code analysis, dissects the binary to study each component, still without executing it. One method is to reverse engineer the code with a disassembler.

We can use Cutter, radare2 or gdb to disassemble a file.

To read the result comfortably, we will use a graphical disassembler.

We can see the pieces of the string being loaded into registers:

movabs rsi, 0x6f

movabs rdi, 0x2065

mov qword [rax], rsi

mov qword [rax+8], rdi

Let me explain. movabs is the x86-64 instruction that takes a full 64-bit immediate, so each one carries up to 8 characters of text inside the instruction itself. The values are then written, 8 bytes at a time, into the buffer that RAX points to:

[RAX+0x0] = RSI → 0x6f

[RAX+0x8] = RDI → 0x2065

[RAX+0x10] = 0x7369

Because the target is little-endian, the lowest byte of each immediate lands at the lowest address: 0x6f is 'o', 0x2065 becomes the bytes 'e' (0x65) followed by a space (0x20), and 0x7369 becomes 'i' then 's'. Reading the buffer in address order therefore reconstructs a string that never exists as a whole in the file, which is why strings only showed fragments of it.

Awesome! I can also see that strcat is being used. To view the logic in a more readable form, I will use Ghidra.

Ghidra reports ENDIAN = little, confirming the byte order we assumed above.

We can see that the program calls getenv("USER"), which returns the name of the current Unix user from the environment.

And we can see strcat, interesting…

strcat: the strcat() function appends string2 to the end of string1 and terminates the result with a null character. It performs no bounds check, so the destination must already be large enough for both strings.

So it seems that my username is appended to the string that was built in the buffer RAX points to.

Get the flag

We have essentially solved this challenge now, but why?

Now look: when we enter a random string, or even the text we saw in the disassembly, the program says wrong, because the value it compares against is the buffer built through RAX with the result of getenv("USER") concatenated onto it. For instance:

string (the USER value): hello

RAX buffer: bye

After strcat the result is: byehello
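Here is an added example (my own code, not the author's illustrative program) that replays what the binary does with constructed immediates standing in for the real ones: it writes the 64-bit chunks into a buffer little-endian, appends the USER value exactly as strcat would, and compares the candidate password against the result. The chunk values, the resulting text "Wait, your name " and the buffer sizes are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the 64-bit immediates the challenge stores with
 * movabs + mov qword [rax+off]; the real values are not reproduced here. */
static const uint64_t kChunks[] = {
    0x6f79202c74696157ULL, /* bytes in memory: "Wait, yo" */
    0x20656d616e207275ULL, /* bytes in memory: "ur name " */
};
#define NCHUNKS (sizeof kChunks / sizeof kChunks[0])

/* Replay the store sequence: chunk i lands at out + 8*i, low byte first,
 * because the target is little-endian. Returns the resulting string length. */
static size_t build_inline_string(const uint64_t *chunks, size_t n,
                                  char *out, size_t out_sz) {
    if (out_sz < 8 * n + 1) return 0;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 8; b++)
            out[8 * i + b] = (char)(chunks[i] >> (8 * b));
    out[8 * n] = '\0';
    return strlen(out);
}

/* What strcat(buffer, getenv("USER")) produces: the inline prefix followed by
 * the user name. Unlike the binary we check the bound first; strcat never does. */
static int expected_secret(const char *user, char *out, size_t out_sz) {
    char prefix[8 * NCHUNKS + 1];
    build_inline_string(kChunks, NCHUNKS, prefix, sizeof prefix);
    if (strlen(prefix) + strlen(user) + 1 > out_sz) return -1;
    strcpy(out, prefix);
    strcat(out, user);
    return 0;
}

/* 1 if input equals the secret derived for this user, otherwise 0. */
static int check_password(const char *input, const char *user) {
    char secret[256];
    if (expected_secret(user, secret, sizeof secret) != 0) return 0;
    return strcmp(input, secret) == 0;
}

int main(void) {
    const char *user = getenv("USER");
    /* getenv returns NULL when USER is unset; the real strcat(buf, NULL) would crash. */
    if (user == NULL) user = "";
    char secret[256];
    if (expected_secret(user, secret, sizeof secret) != 0) return 1;
    printf("USER=%s -> expected password: \"%s\"\n", user, secret);
    printf("check(expected) = %d\n", check_password(secret, user));
    printf("check(\"guess\")  = %d\n", check_password("guess", user));
    return 0;
}
```

Two practical consequences follow from this design: the accepted password differs from account to account, so to reproduce the author's result you either log in as the same user or run the challenge with USER set explicitly (USER=name ./challenge), and an unset USER makes getenv return NULL, which the original strcat call would not survive.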

I wrote a small source program to illustrate how this looks.

Now let's try the resulting password:

We have successfully reversed the binary and found the flag ;)

Summary

I will be publishing upcoming posts about reversing and hardware programming languages. I plan to share my knowledge and experience with people who are interested in these fields, and I encourage readers to subscribe to my blog and to clap for my posts to show their support.

Thank you for taking the time to read my blog. See you next time!
