Reverse engineering is a critical aspect of hacking you have to know to solve some CTFs.
The typical scenario involves a binary (executable) you have to deconstruct to understand how it works and to get information that will provide access to a specific instance (e.g., credentials).
Reverse engineering is a very broad term; the idea is to take something apart to "rebuild" the logic behind it.
Disclaimer
I strongly recommend using VMs (virtual machines) to manipulate infected binaries. In any case, using your primary system for CTFs and other sensitive activities is a very bad idea.
Common types of binaries to reverse
- ELF
- .apk
- .exe (.NET or PE files)
- .py or .pyc (Python)
- Java files
Native tools and techniques to know
Why not simply run it?
Because we operate in a safe and isolated environment, we can do whatever we want, so let's switch to #YOLO mode.
Sometimes, the answer or, at least, some hint can be found by running the binary:
chmod +x my_binary && ./my_binary
It's not uncommon for CTFs' creators to leave additional instructions you can read by interacting with the binary.
strings
This native Linux command can be used like this:
strings my_binary | less
You'll see all bits of text (strings) inside a binary. I often pipe it to less to read it gradually.
The command accepts many options, so do not hesitate to use strings --help.
In my experience, the basic command is usually enough to get useful information and even passwords, as CTFs' binaries are often left in some user's folder for that unique purpose.
grep
You can use the grep command to quickly find what you want (see the earlier post "find vs. grep: a mini cheat sheet").
Indeed, you sometimes only need a specific value or a piece of text, not the whole code. Of course, if it's not enough, you'll dig further, but keeping things simple is often a good approach.
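As an added example that is not part of the original post, here is a small POSIX shell helper that combines the strings and grep steps above: it pulls printable text out of a file and keeps only the lines that look like the hints a CTF author tends to leave. The function names, the hint patterns and the sample "binary" it builds are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a triage helper combining the
# strings and grep steps. Assumes a POSIX shell with grep and tr; binutils'
# strings is used when present, with a tr/grep fallback otherwise.

# Print every run of 4+ printable ASCII characters, one per line.
# -a scans the whole file, so a bogus or non-ELF header does not matter.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Keep only lines matching typical hint patterns (case-insensitive).
# The pattern list is a constructed starting point; extend it per CTF.
triage_strings() {
    extract_strings "$1" | grep -iE 'pass(word)?|flag\{|secret|key|usage|login'
}

# Write a constructed sample "binary": a few non-printable bytes around the
# kind of text you would find in a CTF executable. Octal escapes are used so
# the printf calls also work in dash.
make_sample() {
    printf '\177ELF\001\001\001\000\000\000' > "$1"
    printf 'Usage: ./my_binary <password>\000' >> "$1"
    printf '\211\110\345\000puts\000' >> "$1"
    printf 'hunter2_is_the_password\000' >> "$1"
    printf '\000\000flag{constructed_sample_flag}\000' >> "$1"
}

# Demo: build the sample, triage it, clean up.
sample=$(mktemp)
make_sample "$sample"
triage_strings "$sample"
rm -f "$sample"
```

Plain symbol names such as puts are filtered out, while the usage line, the credential-looking string and the flag are kept.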
strace or ltrace
These utilities are handy because you can see the processes and operations associated with the binary while it's running.
They can intercept and record all calls to external resources, such as libraries, as well as signals.
N.B.: If it's not pre-packaged, it's easy to install with a simple apt install.
strace traces system calls and signals, and ltrace traces library calls. You use them like this:
strace ./my_binary
objdump
objdump shows disassembled code. As ELF binaries are composed of different sections, for example the header and the metadata, the tool allows parsing this information.
The goal is to translate the binary representation, not to perform advanced analysis, but that's exactly what we want from such a tool.
Advanced tools to know
Uncompyle6
Uncompyle6 is a nice Python decompiler you can use to explore .pyc files, for example, to retrieve the original Python code.
Pretty straightforward!
Binwalk
Binwalk can quickly extract embedded files and interesting data from image files.
You often use it to explore steganographic documents:
binwalk -e secret-image.png
JADX
JADX is a Dex to Java decompiler that is particularly convenient to analyze .apk files.
It provides tools to convert files and run code.
Ghidra
Ghidra is a phenomenal SRE (software reverse engineering) framework maintained by the NSA. It has some requirements like JDK (Java), but it's extremely efficient to analyze compiled code.
There's a learning curve, though. If you don't master the subtleties of low-level components, you will likely find it very hard to understand.
There are many panels and features, but don't be intimidated. You can easily import a binary to disassemble and decompile it, even if you don't master everything.
In the context of a CTF, you will likely have to find hardcoded credentials or hashes in some Java classes.
You may use this cheat sheet to speed up operations.
Wrap up
Using the right tool for the right task is essential when you try to reverse engineer a binary. There are built-in commands and third-party solutions that can speed up work dramatically.
However, keep things simple. Try the simplest approach, and if it does not work, use open-source frameworks. These SRE frameworks are useful, but they don't come without inconveniences, and you don't always need the big guns.