Reverse engineering is a critical aspect of hacking you have to know to achieve some CTFs.
The typical scenario involves a binary (executable) you have to deconstruct to understand how it works and get information that will provide access to a specific instance (e.g., credentials).
Reverse engineering is a very broad term, and the idea is to take something apart to "rebuild" the logic behind.
I strongly recommend using VMs (virtual machines) to manipulate infected binaries. In any case, using your primary system for CTFs and other sensitive activities is a very bad idea.
.exe(.NET or PE files)
- Java files
Because we operate in a safe and isolated environment, we can do whatever we want, so let's switch to #YOLO mode.
Sometimes, the answer or, at least, some hint can be found by running the binary:
chmod +x my_binary && ./my_binary
It's not uncommon for CTFs' creators to leave additional instructions you can read by interacting with the binary.
This native command in Linux can be used like that:
strings my_binary | less
You'll see all bits of text (strings) inside a binary. I often pipe it with
less to read it gradually.
The command accepts many options, so do not hesitate to use
In my experience, the basic command is usually enough to get useful information and even passwords, as CTFs' binaries are often left on some user's folder for that unique purpose.
You can use the
grep command to quickly find what you want:
Indeed, you sometimes only need a specific value or a piece of text, not the whole code. Of course, if it's not enough, you'll dig further, but keeping things simple is often a good approach.
These utils are handy because you can see the processes and operations associated with the binary while it's running.
They can intercept and record all calls to external resources such as libraries, and signals.
N.B.: If it's not pre-packaged, it's easy to install with a simple
strace stands for system calls and signals, and
ltrace stands for library calls. You use it like that:
objdump shows disassembled code. As ELF binaries are composed of different sections, for example, the header and the metadata, the tool allows parsing these information.
The goal is to translate the binary representation, not to perform advanced analysis, but that's exactly what we want with such tool.
Uncompyle6 is a nice Python decompiler you can use to explore
.pyc files, for example, to retrieve the original Python code.
Binwalk can quickly extract embedded files and interesting data from image files.
You often use it to explore steganographic documents:
binwalk -e secret-image.png
JADX is a Dex to Java decompiler that is particularly convenient to analyze
It provides tools to convert files and run code.
Ghidra is a phenomenal SRE (software reverse engineering) framework maintained by the NSA. It has some requirements like JDK (Java), but it's extremely efficient to analyze compiled code.
There's a learning curve, though. If you don't master the subtleties of low-level components, you will likely find it very hard to understand.
There are many panels and features, but don't be intimidated. You can easily import a binary to disassemble and decompile it, even if you don't master everything.
In the context of a CTF, you will likely have to find hardcoded credentials or hashes in some Java classes.
You may use this cheat sheet to speed up operations.
Using the right tool for the right task is essential when you try to reverse engineer a binary. There are built-in commands and third-party solutions that can speed up work dramatically.
However, keep things simple. Try the simplest approach, and if it does not work, use open-source frameworks. These SRE are useful but they don't come without inconveniences, and you don't always need the big guns.