Linux | Reverse-Engineering
Welcome back to my blog channel. Today, I will be writing a write-up “How I reversed a file”. If you are ready to learn and analyze the file, let’s get started.
Analyzing The File
Analyzing a file is always a necessary first phase for understanding its architecture and how it works.
We should expect that this file has been written in C/C++ and that we will be analyzing an ELF file. We can use some pre-built tools to confirm this.
Awesome! As expected. We can see it is a 64-bit ELF file and that it is not stripped, which makes it easier for us.
I am just going to run this file to see the output.
So it seems that we must input the correct password to get the flag?
I will use the strings command to take a quick look at the text strings in the binary.
getenv : The C library function char *getenv(const char *name) searches the environment for the variable named by name and returns a pointer to the associated value string.
Awesome! I can see the USER string, but what does it mean? We can also see a "yoH ur name H" string. Wait, interesting? (The stray H characters are the 0x48 REX.W prefix byte of the movabs instructions that build this string in registers; strings prints that byte as ASCII "H".)
ldd : (List Dynamic Dependencies) is a *nix utility that prints the shared libraries required by each program or shared library specified on the command line.
We can also see the entry point of this file.
Lastly, with the objdump command we can show the disassembly of the executable code.
It is weird that getenv is being called. I will use
Advanced static analysis
Advanced static analysis, also known as code analysis, dissects the binary file to study each component, still without executing it. One method is to reverse engineer the code using a disassembler.
We can use tools such as cutter, radare and gdb to disassemble a file.
To read this, we will use better tools.
We can see the string being built in these registers:
As you can see,
movabs rsi, 0x6f
movabs rsi, 0x2065
mov qword [rax], rsi
mov qword [rax+8], rdi
Let me explain:
As you can see, two 8-byte values are stored in the buffer that RAX points to, which means:
[RAX+0x0] = RSI ->
[RAX+0x8] = RDI →
Values such as 0x7369 are ASCII bytes (0x73 = "s", 0x69 = "i", which read as "is" once stored little-endian in memory); they are loaded into the registers and then written to [RAX+0x0] (from RSI) and [RAX+0x8] (from RDI).
Awesome! I see that strcat is being used. In order to view the source in a better way, I will use the
ENDIAN = little
We can see that getenv("USER") returns the name of the current UNIX user.
And we can see strcat : The strcat() function appends string2 to string1 and terminates the resulting string with the null character.
It seems that my user is concatenated with
Get the flag
I reckon that we solved this challenge, but why?
Now look: when we input a random string as the flag, the output is "wrong", because we should consider that the value returned by getenv and the string built at RAX are concatenated with each other. For instance,
string : hello
RAX : bye
When we concatenate them, the result will look like:
I created a source code to illustrate how it looks.
I am going to try this:
We have successfully reversed and found the flag;)
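The following C program is an added illustration, not the challenge binary's source and not the code I showed above. It reproduces the two mechanisms discussed in this write-up: how a 64-bit immediate such as 0x7369 becomes the text "is" once `mov qword [rax], rsi` stores it little-endian in memory, and how the expected password is formed by concatenating getenv("USER") with the string assembled at RAX. The immediates, the "user first" concatenation order, and the buffer sizes are assumptions made for the example; the binary's real immediates are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode a 64-bit immediate the way memory sees it after
 * `mov qword [rax], rsi`: x86-64 is little-endian, so the lowest byte of
 * the value becomes the first character. 0x7369 therefore reads "is" and
 * 0x2065 reads "e ". Writes at most 8 characters plus a terminator. */
static void decode_le_qword(uint64_t value, char out[9]) {
    for (int i = 0; i < 8; i++)
        out[i] = (char)((value >> (8 * i)) & 0xff);
    out[8] = '\0';
}

/* 1 if the immediate decodes to `expected` (compared as a C string). */
int qword_decodes_to(uint64_t value, const char *expected) {
    char text[9];
    decode_le_qword(value, text);
    return strcmp(text, expected) == 0;
}

/* Rebuild the string the binary assembles at [RAX+0x0], [RAX+0x8], ...
 * from its immediates, in store order. Returns the number of characters. */
size_t rebuild_hidden(const uint64_t *imms, size_t count, char *out, size_t outsz) {
    size_t len = 0;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char chunk[9];
        decode_le_qword(imms[i], chunk);
        size_t clen = strlen(chunk);          /* trailing zero bytes are padding */
        if (len + clen + 1 > outsz) break;    /* never overrun the caller's buffer */
        memcpy(out + len, chunk, clen + 1);
        len += clen;
    }
    return len;
}

/* 1 if the immediates rebuild to `expected`. */
int rebuilds_to(const uint64_t *imms, size_t count, const char *expected) {
    char text[64];
    rebuild_hidden(imms, count, text, sizeof text);
    return strcmp(text, expected) == 0;
}

/* Expected password as the write-up describes it: getenv("USER")
 * concatenated with the rebuilt string. The order (user first) is an
 * assumption taken from the "hello" + "bye" illustration. snprintf is used
 * instead of the binary's strcat so `out` cannot be overrun, and a NULL
 * user (variable unset) is rejected instead of being passed to strcat,
 * which would be undefined behaviour. Returns 0 on success, -1 otherwise. */
int build_expected(const char *user, const char *hidden, char *out, size_t outsz) {
    if (user == NULL || hidden == NULL) return -1;
    int n = snprintf(out, outsz, "%s%s", user, hidden);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* 1 if `input` matches the expected password for this user, else 0. */
int check_flag(const char *input, const char *user, const char *hidden) {
    char expected[256];
    if (build_expected(user, hidden, expected, sizeof expected) != 0) return 0;
    return strcmp(input, expected) == 0;
}

int main(int argc, char **argv) {
    /* Constructed immediates spelling "is a test"; not the binary's real values. */
    const uint64_t imms[] = { 0x7365742061207369ULL, 0x74ULL };
    char hidden[64];
    rebuild_hidden(imms, 2, hidden, sizeof hidden);   /* hidden = "is a test" */

    const char *user = getenv("USER");
    const char *input = argc > 1 ? argv[1] : "";
    printf("hidden string: \"%s\"\n", hidden);
    puts(check_flag(input, user, hidden) ? "correct" : "wrong");
    return 0;
}
```

Run it as `./a.out "$USER"is\ a\ test` to see "correct"; any other argument, or an unset USER variable, prints "wrong". The check in the real binary is only as secret as the USER variable and the immediates in the executable, which is why strings and a disassembler were enough to recover it.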
I will be publishing upcoming blogs about reversing and hardware programming languages. I plan to share my knowledge and experience with people who are interested in these fields. I encourage readers to subscribe to my blog channel and to clap for my posts to show their support and motivation.
Thank you for taking the time to read my blog. I will see you next time!