CTF-REVERSE Practice: A Preliminary Look at Reverse Engineering

Reverse engineering refers to the technique of analyzing the binary executable code of a program with tools and methods such as disassembly and debugging, in order to recover the program's algorithms and implementation details. Beyond CTF, reverse engineering skills play a major role in practical information security work such as malware analysis, software vulnerability discovery, mobile security, and software cracking.

We covered real CTF web challenges earlier, so today we will pick a REVERSE challenge from a CTF and walk through it.

First, a short introduction. REVERSE is a common challenge category in CTF competitions, and it mainly tests the contestants' reverse engineering knowledge. The task is to reverse-analyze a binary program (an exe, dll, elf, etc.) and understand its internal implementation; the ultimate goal may be to recover a password, or to write a keygen that computes the registration code for a given user name.

So how do we reverse a program, and how do we see the code of a program that has already been compiled?

Of course, others have run into this problem before us, so there are several tools that help with reverse engineering.

1. PEiD is a well-known packer-detection tool. It is very capable and can identify most packers as well as the compiler that built a program. PEiD supports external plug-ins and user-defined packer signatures.

2. OllyDbg, usually abbreviated OD, is a user-mode debugger with a graphical interface that runs on all mainstream Windows versions. OD offers both dynamic debugging and static analysis, is easy to use, handles tracing and exceptions flexibly, and has a large collection of plug-ins written by enthusiasts. It is the preferred dynamic debugger. OD's disassembly engine is very capable: it recognizes thousands of commonly used C and Windows functions and annotates their parameters automatically. Below are some commonly used OD shortcut keys.

F2 toggles a breakpoint (if a breakpoint already exists on the line, it is removed)

F4 Run to the line where the cursor is (automatically break when running to the line where the cursor is)

F7 step into (single-step; if a call is encountered, the trace enters it)

F8 step over (single-step; if a call is encountered, the whole call executes without entering it)

F9 continue execution (run until the process exits or the next breakpoint is hit)

3. IDA is a powerful interactive disassembler that supports disassembly of binaries for multiple operating systems and processor architectures, and lets the analyst interact with the analysis to improve efficiency. IDA supports plug-ins and IDC scripts. Hex-Rays Decompiler is a very powerful IDA plug-in that converts disassembly directly into C-like pseudocode, which greatly improves an analyst's productivity. Below are the IDA shortcut keys that help us analyze more efficiently.

Space toggles the disassembly view between graphical mode and list view mode

F5 restores disassembled instructions to pseudocode

x View cross-references

n Rename the variable name or function name

d interprets binary data as bytes/dwords/quadwords

c interprets binary data as code

a interprets binary data as a string

Experimental procedure

Okay, let's start the experiment. First open the experiment web page: [CTF-REVERSE Practice: Reverse Preliminary Exploration](https://www.hetianlab.com/expc.do?ec=ECID172.19.104.182014111410002900001&pk_campaign=freebuf-wemedia).

Challenge description:

There is a program CrackMe1.exe in the C:\Reverse\1 directory of the host machine. When run, it prompts for a password; when the correct password is entered, a message box pops up. Please reverse engineer and debug CrackMe1.exe to find the correct password.

Let's start with the first step, analysis of external behavior. Whatever the setting, when you first encounter something new you observe its external characteristics carefully, and CTF challenges are no different. After getting the challenge, run the program and observe where data can be entered, which buttons react when clicked, what prompts appear during operation, and so on.

Observing CrackMe1.exe tells us that the program requires a password. When the button is clicked without entering any data, the following message is shown:

Picture 1.png

When a string of test data is entered, the following message is shown:

Picture 2.png

So there are pop-up boxes and prompts. Should we just go looking for that prompt? Before reversing a program, besides observing its dynamic behavior, a very important step is to check whether the program is packed (with which packer? which compiler built it?). I mentioned PEiD earlier, so we use PEiD to check. Select the program, right-click, and choose "Scan with PEiD" from the context menu to view the result. What we see here is Microsoft Visual C++ 6.0, which indicates that CrackMe1.exe is not packed and was compiled with VC6.

Picture 3.png

Next we switch to OD for dynamic debugging.

Dynamic debugging helps us understand many details of the program's internal execution logic. A lot of information is only visible while the program is running and cannot easily be obtained by static analysis. OD is our first choice of dynamic debugger on Windows.

Select CrackMe1.exe, right-click, and choose "Open with OllyICE" from the context menu; the main OD debugger window appears. Right-click in the disassembly window and choose the "Ultra String Reference" and then "Find ASCII" menu items, as shown in the figure:

Picture 4.png

A string list window then pops up, listing the strings found in the memory space of the current process, and we can check whether any of them interest us. For example, we saw a "wrong password" prompt earlier, so we can press Ctrl+F, enter "wrong password" in the pop-up window, and click OK to find it:

Picture 5.png

Just above it is the success prompt as well (the "correct, congratulations" message). Is this the key? Let's double-click it and see.

Double-click the line containing the string and OD jumps to its disassembly window, where you can see the instruction that references the string, as shown below:

Picture 6.png

In this code snippet we also see a jnz jump instruction. Whether this instruction jumps decides whether the success or the failure prompt pops up; such a jump is called a critical jump. The code above the critical jump is usually the core password-checking logic, so we focus our analysis there. Above the critical jump, we set a breakpoint at the following location (click the line to select it, then press F2):

00401456. 55 push ebp

After setting the breakpoint, press F9 to run the program, enter a password (such as test) and click the button; the program breaks at our breakpoint. Then press F8 to single-step. At 00401490 we find the password we entered, test, together with the string HeeTianLab, as shown in the figure:

Picture 7.png

Careful analysis of the code above shows that characters are taken from the two strings and compared one by one; as soon as any character differs, execution eventually jumps to the failure prompt. So we can guess that HeeTianLab is the correct password. We start another CrackMe1 instance, enter HeeTianLab, and the success prompt pops up:

Picture 8.png
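To make the comparison loop concrete, here is a small C program written for this article as an added example; it is not the code of CrackMe1.exe, whose source is not available. check_plain() reproduces the character-by-character comparison against a literal, which is exactly why the string window and the critical jump expose the password. check_hashed() shows the developer-side lesson: store only a digest and compare that, so the password literal no longer appears in the binary. The function names, the toy_hash16 routine and the constant 0xACC3 are assumptions of this example; a real program would use a proper password hash, and in either form the final branch can still be patched, so a client-side check never protects a secret that actually matters.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* The plain check mirrors what the article observed in CrackMe1.exe:
 * the input is compared with the literal "HeeTianLab" one character
 * at a time, and the first mismatch leaves the loop. The literal lives
 * in the binary's data section, which is why a string search finds it,
 * and the branch on the result is the "critical jump". */
static const char PLAIN_PASSWORD[] = "HeeTianLab";

int check_plain(const char *input)
{
    size_t i;
    /* sizeof includes the terminating NUL, so lengths must match too */
    for (i = 0; i < sizeof(PLAIN_PASSWORD); i++) {
        if (input[i] != PLAIN_PASSWORD[i])
            return 0;                 /* first mismatch: wrong password */
    }
    return 1;
}

/* Toy 16-bit hash (h = h*31 + byte, mod 2^16), an assumption made for
 * this example so the digest can be checked by hand. It is NOT a real
 * password hash; use a proper one (e.g. a memory-hard KDF) in practice. */
uint32_t toy_hash16(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = (h * 31u + (unsigned char)*s) & 0xFFFFu;
    return h;
}

/* toy_hash16("HeeTianLab") == 0xACC3. Only this digest is stored, so the
 * string windows of OD and IDA no longer show the password itself. */
static const uint32_t PASSWORD_DIGEST = 0xACC3u;

int check_hashed(const char *input)
{
    return toy_hash16(input) == PASSWORD_DIGEST;
}

int main(void)
{
    char buf[64];
    printf("Password: ");
    if (!fgets(buf, sizeof buf, stdin))
        return 1;
    buf[strcspn(buf, "\r\n")] = '\0';   /* strip the newline from fgets */
    printf("plain check : %s\n", check_plain(buf) ? "correct" : "wrong password");
    printf("hashed check: %s\n", check_hashed(buf) ? "correct" : "wrong password");
    return 0;
}
```

Compile it, run it under OD, and repeat the article's steps: with check_plain the string window lists HeeTianLab directly, while with check_hashed the string window shows only the prompts and the digest has to be found in the comparison instruction instead.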

That clears the challenge. Next I will do it again with the other great tool, IDA: where there is a dynamic tool, there must be a static one.

Besides dynamic debugging, static analysis is also an important skill. Static analysis helps us quickly understand the program's execution logic, and in particular IDA's Hex-Rays plug-in, which generates pseudocode from assembly, greatly improves our analysis efficiency.

Open CrackMe1.exe with IDA. IDA prompts you to choose the file type, processor type and so on; usually these settings need no change, so just click "OK". IDA then analyzes the program; after a short wait the "Output window" at the bottom reports "The initial autoanalysis has been finished.", as shown in the figure:

Picture 9: https://image.3001.net/images/20210302/1614666411_603ddaabee1ec6f112151.png!small

Choose "View" - "Open subviews" - "Strings" from the IDA menu and the string list window appears, as shown in the figure:

Picture 10: https://image.3001.net/images/20210302/1614666412_603ddaacbde8182f1fbed.png!small

IDA's string list window does not offer a Ctrl+F quick search, so we have to page through it manually to find the strings we are interested in. Scrolling down to a certain point, we see the prompt-related strings:

Picture 11.png
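Both the OD step (Ultra String Reference, Find ASCII, then Ctrl+F) and the IDA Strings window rest on the same operation: scanning the file or process memory for runs of printable bytes. The following C program is an added example, not part of OD, IDA or CrackMe1.exe, that implements that scan over a constructed byte buffer standing in for a slice of a binary's data section; find_strings, first_string_offset, MIN_RUN and the sample bytes are inventions of this example. Filtering the runs by a keyword is the same trick as the Ctrl+F search in OD, and it is the feature the article notes the IDA window lacks.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Minimum run length, the same default the classic `strings` tool uses. */
#define MIN_RUN 4

typedef void (*hit_fn)(size_t offset, const char *s, size_t len, void *ctx);

/* Scan `data` for runs of at least MIN_RUN printable ASCII bytes. A run ends
 * at a NUL or any other non-printable byte. For every run that contains
 * `needle` (every run when needle is NULL), call on_hit (may be NULL).
 * Returns the number of matching runs. Runs longer than 255 bytes are
 * truncated in the copy handed to the callback. */
size_t find_strings(const unsigned char *data, size_t size,
                    const char *needle, hit_fn on_hit, void *ctx)
{
    size_t hits = 0, start = 0, i;
    for (i = 0; i <= size; i++) {
        int printable = i < size && data[i] >= 0x20 && data[i] < 0x7F;
        if (printable)
            continue;
        size_t len = i - start;           /* run is data[start .. i-1] */
        if (len >= MIN_RUN) {
            char buf[256];
            size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
            memcpy(buf, data + start, n);
            buf[n] = '\0';                /* NUL-terminate for strstr */
            if (needle == NULL || strstr(buf, needle) != NULL) {
                hits++;
                if (on_hit)
                    on_hit(start, buf, n, ctx);
            }
        }
        start = i + 1;
    }
    return hits;
}

struct first_hit { size_t offset; int found; };

static void record_first(size_t offset, const char *s, size_t len, void *ctx)
{
    struct first_hit *fh = ctx;
    (void)s; (void)len;
    if (!fh->found) { fh->found = 1; fh->offset = offset; }
}

/* Offset of the first run containing needle, or (size_t)-1 if none. */
size_t first_string_offset(const unsigned char *data, size_t size,
                           const char *needle)
{
    struct first_hit fh = { 0, 0 };
    find_strings(data, size, needle, record_first, &fh);
    return fh.found ? fh.offset : (size_t)-1;
}

/* Constructed stand-in for a few bytes of a binary's data section: six
 * non-printable "code" bytes, two prompts, some junk, and the password the
 * article recovered from CrackMe1.exe. The prompt texts are made up. */
const unsigned char SAMPLE_RDATA[] =
    "\x8b\xec\x83\xec\x8b\xc0"                  /* offset 0: not printable */
    "wrong password\0"                          /* offset 6 */
    "\x01\x02"                                  /* junk */
    "correct password, congratulations\0"       /* offset 23 */
    "HeeTianLab\0"                              /* offset 57 */
    "\xff\xfe";

static void print_hit(size_t offset, const char *s, size_t len, void *ctx)
{
    (void)len; (void)ctx;
    printf("%08zx  %s\n", offset, s);
}

int main(void)
{
    printf("All strings:\n");
    find_strings(SAMPLE_RDATA, sizeof SAMPLE_RDATA, NULL, print_hit, NULL);
    printf("\nStrings mentioning \"password\":\n");
    find_strings(SAMPLE_RDATA, sizeof SAMPLE_RDATA, "password", print_hit, NULL);
    return 0;
}
```

The offsets it prints are positions inside the buffer; on a real file they would be file offsets, which OD and IDA translate into virtual addresses before looking up cross-references, which is the step the article performs next with the x key.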

Double-click the string "wrong password" to jump to the place where it is defined, click the string's name, and press the x key to search for cross-references. The dialog shown below pops up:

Picture 12.png

Click OK to jump to the place where the string is referenced. We see a list of disassembly instructions, which we could analyze directly; but if you would rather not read assembly, just press F5 to generate the function's pseudocode, where we see the input password being compared with HeeTianLab:

Picture 13.png

Obviously, HeeTianLab is the password we want.

Learning reverse engineering requires a deep understanding of computer science and programming, and it is a progressive skill that is built in stages. To learn it well you need a solid background in programming languages, security-related knowledge, and a good grasp of how computers work. And these are only the basics of reversing!



Origin blog.csdn.net/web2022050903/article/details/132196986