Reverse-engineering: Using GDB on Linux
At Holberton School, we have had a couple rounds of a ‘#forfun’ project called
crackme. For these projects, we are given an executable that accepts a password.
Our assignment is to crack the program through reverse engineering. For round
one we were given four Linux tools to use, and we had to demonstrate how to find
the answer with each tool. It was quickly apparent that using a standard library
string comparison is a bad idea as was hardcoding passwords into the executable
in plain text. Another round demonstrated that the ltrace tool could gather not only
the password from string comparisons, but the encryption method (MD5 in that
case) to decrypt the password.
This week we were given another crack at hacking. I went to my go-to tool for
reverse-engineering, the GNU Project Debugger (aka GDB), to find the password. If
you would like to take a shot at cracking the executable, you can find it at
Holberton School’s Github. The file relevant to this post is crackme3.
Program Checks
Before I dig too deep into the exec file, I check what information I can get from it.
First, I do a test run of the file to see what error information is provided.
$ ./crackme3
Usage: ./crackme3 password
For this executable the password is expected to be provided on the command line.
The next check I run is ltrace just to see if the password will appear. In addition, it
can provide some other useful information about how the program works.
$ ltrace ./crackme3 password
__libc_start_main(0x40068c, 2, 0x7ffcdd754bd8, 0x400710 <unfinished ...>
strlen("password") = 8
puts("ko"ko
) = 3
+++ exited (status 1) +++
The return shows that the program is checking the length of the string, but there is
no clear indication that this is a roadblock. Time to break down the program.
The GNU Project Debugger
GDB is a tool developed for Linux systems with the goal of helping developers
identify sources of bugs in their programs. In their own words, from the gnu.org
website:
GDB, the GNU Project debugger, allows you to see what is going on 'inside'
another program while it executes—or what another program was doing at the
moment it crashed.
When reverse engineering a program, the tool is used to review the compiled
assembly code, in either AT&T or Intel syntax, to see step by step what is
happening. Breakpoints are added to stop the program midstream and inspect the
data in registers and memory to identify how it is being manipulated. I will cover
these steps in more detail below.
The Anatomy of Assembly
To get started, I entered the command to launch the crackme3 file with GDB
followed by the disass command and the function name. The output is a list of
Assembly instructions that direct each action of the executable.
$ gdb ./crackme3
(gdb) disass main
[Slide image: disass main output, AT&T and Intel syntax side by side]
In the previous slide, the AT&T and Intel syntaxes are displayed side-by-side.
However, the output will actually display only one of the two. I prefer to use the
AT&T format because the flow makes more sense to me. The first column provides
the address of the command. The next column is the command itself followed by
the data source and the destination. Jumps and function calls have the jump
location or function name following those lines. Intel syntax reverses the data
source and destination in its display. There are additional differences in the
command names and data syntaxes, but this is common when comparing scripts of
two different languages that perform the same function. If I were writing Assembly,
my syntax preference might be different and would be based on more than just
flow of information.
The Logic Flow
Every script depends highly on logic flow. Depending on the compiler and options
selected when compiled, the flow of the Assembly code could be straightforward or
very complex. Some options intentionally obfuscate the flow to disrupt attempts to
reverse engineer the executable. Below is the output of the disass main command
in AT&T syntax.
[Slide image: disass main output in AT&T syntax]
The portions of the command not highlighted are jumps and closing processes
before exit. There are four types of jumps in the output of main and
check_password: je, jmp, jne, and jbe. The jmp command performs the described
jump regardless of condition. The other three are conditional jumps. The first two, je
and jne, are straightforward: they mean jump if equal and jump if not equal. The
last, jbe (jump if below or equal, the unsigned form of less than or equal), is the
jump that controls the loop.
The Heart of the Question
Ultimately we are looking for the password. Based on the output of main, the
program depends primarily on the check_password function to decide whether to
exit or grant access. To analyze what happens in that function, I entered
disass check_password.
[Slide image: disass check_password output]
The first thing I confirm is that the length of the password entered is important:
the program looks for a password that is four characters long. The instruction at
0x400632 actually shows the password in integer form, but I did not recognize it
immediately. That value is stored in memory four bytes before the address held
in the RBP register. I use x/h * $RBP - 0x04 to print the value. The 'h' stands
for hexadecimal and it is the easiest format to see how the password is stored.
From the instruction set, a comparison of two registers, rax and rdx, occurs at
0x40066a. This is where the next step of my investigation leads.
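To make the described logic concrete, here is an added C reconstruction of a check_password routine that behaves the way the slides describe: a length test of 4, a stored 4-byte value held as one dword on the stack, and a byte-by-byte comparison loop. This is not the crackme3 source (the slides only show its assembly); the dword value 0x04434241 is the RCX reading from later in the post, and the function and variable names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction: the stored password as one 32-bit dword,
 * the value the post later reads out of RCX (0x04434241). */
#define STORED_DWORD 0x04434241u

/* Split the dword into the byte order it occupies in memory on x86
 * (least significant byte first): 0x41 0x42 0x43 0x04. Using shifts
 * rather than memcpy makes the "low byte first" order explicit. */
void stored_password_bytes(uint32_t dword, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)((dword >> (8 * i)) & 0xff);
    }
}

/* Emulates the loop the post describes: reject unless strlen == 4, then
 * compare each input byte with the matching stored byte while the index
 * is <= 3 (the jbe-controlled loop). Returns 1 on a match, 0 otherwise. */
int check_password(const char *candidate) {
    unsigned char expected[4];
    if (strlen(candidate) != 4)
        return 0;
    stored_password_bytes(STORED_DWORD, expected);
    for (size_t i = 0; i <= 3; i++) {
        if ((unsigned char)candidate[i] != expected[i])
            return 0;
    }
    return 1;
}

/* Same observable behaviour as the post's runs: usage line on bad argc,
 * "ko" on a wrong password, "Congratulations!" on the right one. */
int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s password\n", argv[0]);
        return 1;
    }
    if (!check_password(argv[1])) {
        puts("ko");
        return 1;
    }
    puts("Congratulations!");
    return 0;
}
```

Compiled and run under ltrace, this shows the same strlen and puts calls the post observed, which is exactly why a plaintext length check plus byte compare is so easy to recover. In gdb the stored dword at the stack slot described above is printed with x/xw $rbp-0x4 (x selects hexadecimal output, w a 4-byte word; the h size letter would show only a 2-byte halfword).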
Registered and Certified
(gdb) b *0x40066a
(gdb) run test
Starting program: /home/vagrant/reverse_engineering/crackme3/crackme3 test
Breakpoint 1, 0x000000000040066a in check_password ()
(gdb) info registers
I set a breakpoint to analyze the data in process. Breakpoints do exactly what they
say: they interrupt the process at the given instruction address. Once the
breakpoint is set, I start the executable with the command run test. The value
'test' is the four-character password I used to get past the length test and into the
password comparison. Once the breakpoint is triggered, I enter info registers to
view the data in the registers at the point the program was interrupted.
Register Data On Each Loop
Loop 1: RDX = 0x41 = 'A'
Loop 2: RDX = 0x42 = 'B'
Loop 3: RDX = 0x43 = 'C'
Loop 4: RDX = 0x04 = ^D or EOF
Blue = user input | Green = stored password
From the register information, I find two integers are stored: 0x74 and 0x41. The
ASCII value of the letter 't' is 0x74. The printable letter for 0x41 is 'A'. I also noticed
that RCX holds the integer value 0x4434241. Read byte by byte from the low end
(x86 is little-endian, so the least significant byte sits first in memory), it is 41, 42,
43 and 04. Converted to character values, that is A, B, C, ^D or EOF.
Inputting the password is tricky. Bash interprets the EOF command, so it isn't
passed to the executable. In fact, it is used to exit executables. I tried to store it in a
file, but emacs reads ^D (Ctrl + D) as an end-of-buffer command. My workaround is
to use an online ASCII-to-text converter and paste into a file through Atom. It adds a
newline character, which I remove with emacs.
To get the password past Bash and into the executable, I use the command line
below. This keeps Bash busy with passing the values to the executable so it does
not interpret the EOF, end of file or transmission.
$ ./crackme3 $(< 0-password)
Congratulations!
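Added example, not from the post: a small C program that writes the four password bytes to 0-password exactly as raw bytes, with no trailing newline, and reads the file back to confirm its length and content. This replaces the online-converter-plus-editor step described above; the byte values are the ones the post read out of RCX, and the file name follows the command line above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed from the post's register readings: 'A', 'B', 'C', 0x04 (Ctrl-D). */
static const unsigned char PASSWORD[4] = { 0x41, 0x42, 0x43, 0x04 };

/* Write exactly n raw bytes to path in binary mode, so no newline is appended.
 * Returns the number of bytes written, or -1 on an I/O error. */
long write_password_file(const char *path, const unsigned char *bytes, size_t n) {
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    size_t written = fwrite(bytes, 1, n, f);
    if (fclose(f) != 0)
        return -1;
    return (long)written;
}

/* Read the file back and report whether its content is exactly the expected
 * bytes: same length (so a stray newline is caught) and same content.
 * Returns 1 if exact, 0 if it differs, -1 if the file cannot be opened. */
int file_matches_exactly(const char *path, const unsigned char *expected, size_t n) {
    unsigned char buf[64];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != n)
        return 0;
    return memcmp(buf, expected, n) == 0;
}

int main(void) {
    const char *path = "0-password";
    if (write_password_file(path, PASSWORD, sizeof PASSWORD) != 4)
        return 1;
    int ok = file_matches_exactly(path, PASSWORD, sizeof PASSWORD);
    printf("%s: %s\n", path,
           ok == 1 ? "exactly 4 bytes, no trailing newline" : "content mismatch");
    return ok == 1 ? 0 : 1;
}
```

After running it, the $(< 0-password) form shown above hands the file's bytes to the executable as a single argument. The read-back check matters because an editor that silently appends a newline turns the 4-byte password into 5 bytes, which fails the length test before the byte comparison is ever reached.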
Conclusion
GDB is a powerful tool that is useful for much more than I have covered in this post.
Take the time to read the documentation from GNU to learn more. I am confident
there are many other tools that can be used as well. Share your go-to tool for
reverse-engineering or debugging in the comments below.
About Rick Harris
Student at Holberton School, a project-based,
peer-learning school developing full-stack
software engineers in San Francisco.
Involved in the IT industry for 6+ years most
recently as a part of the Office of Information
Technologies at the University of Notre Dame.
Keep in Touch
Twitter: @rickharris_dev
LinkedIn: rickharrisdev

Mais conteúdo relacionado

Mais procurados

Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Real Time Operating System Concepts
Real Time Operating System ConceptsReal Time Operating System Concepts
Real Time Operating System ConceptsSanjiv Malik
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Valgrind tutorial
Valgrind tutorialValgrind tutorial
Valgrind tutorialSatabdi Das
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsShivam Mitra
 
Introduction to Linux
Introduction to LinuxIntroduction to Linux
Introduction to Linuxsureskal
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdbOwen Hsu
 
Demystifying the Go Scheduler
Demystifying the Go SchedulerDemystifying the Go Scheduler
Demystifying the Go Schedulermatthewrdale
 
Unit IV Memory and I/O Organization
Unit IV Memory and I/O OrganizationUnit IV Memory and I/O Organization
Unit IV Memory and I/O OrganizationBalaji Vignesh
 
Programming Language
Programming  LanguageProgramming  Language
Programming LanguageAdeel Hamid
 
MemoryManagementStrategies.ppt
MemoryManagementStrategies.pptMemoryManagementStrategies.ppt
MemoryManagementStrategies.pptPaulRajasingh2
 
Vliw and superscaler
Vliw and superscalerVliw and superscaler
Vliw and superscalerRafi Dar
 
Components in real time systems
Components in real time systemsComponents in real time systems
Components in real time systemsSaransh Garg
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingFastBit Embedded Brain Academy
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzerDmitry Vyukov
 

Mais procurados (20)

Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
 
Real Time Operating System Concepts
Real Time Operating System ConceptsReal Time Operating System Concepts
Real Time Operating System Concepts
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Cache memory
Cache memoryCache memory
Cache memory
 
Valgrind tutorial
Valgrind tutorialValgrind tutorial
Valgrind tutorial
 
Cache memory
Cache memoryCache memory
Cache memory
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interrupts
 
Introduction to Linux
Introduction to LinuxIntroduction to Linux
Introduction to Linux
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdb
 
Demystifying the Go Scheduler
Demystifying the Go SchedulerDemystifying the Go Scheduler
Demystifying the Go Scheduler
 
Unit IV Memory and I/O Organization
Unit IV Memory and I/O OrganizationUnit IV Memory and I/O Organization
Unit IV Memory and I/O Organization
 
Programming Language
Programming  LanguageProgramming  Language
Programming Language
 
MemoryManagementStrategies.ppt
MemoryManagementStrategies.pptMemoryManagementStrategies.ppt
MemoryManagementStrategies.ppt
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Vliw and superscaler
Vliw and superscalerVliw and superscaler
Vliw and superscaler
 
Components in real time systems
Components in real time systemsComponents in real time systems
Components in real time systems
 
Linux Programming
Linux ProgrammingLinux Programming
Linux Programming
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
 
OPERATING SYSTEM
OPERATING SYSTEMOPERATING SYSTEM
OPERATING SYSTEM
 

Destaque

GDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewGDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewUndo
 
Give me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbGive me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbgregthelaw
 
/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.ppt/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.pptm_garrido
 
CyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System HackingCyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System HackingCyberLab
 
Virtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated SystemVirtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated Systemgazdagf
 
Net App At Egis English
Net App At Egis EnglishNet App At Egis English
Net App At Egis Englishgazdagf
 
Hunting segfaults (for beginners)
Hunting segfaults (for beginners)Hunting segfaults (for beginners)
Hunting segfaults (for beginners)uwevoelker
 
Tools used for debugging
Tools used for debuggingTools used for debugging
Tools used for debuggingMarian Marinov
 
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWSGetting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWSAmazon Web Services
 
Төгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журамТөгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журамnaranbatn
 
Route Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRPRoute Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRPNetProtocol Xpert
 
AWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate LevelAWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate LevelYabin Meng
 
Gdb tutorial-handout
Gdb tutorial-handoutGdb tutorial-handout
Gdb tutorial-handoutSuraj Kumar
 
淺入淺出 GDB
淺入淺出 GDB淺入淺出 GDB
淺入淺出 GDBJim Chang
 
Python + GDB = Javaデバッガ
Python + GDB = JavaデバッガPython + GDB = Javaデバッガ
Python + GDB = JavaデバッガKenji Kazumura
 

Destaque (20)

GDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewGDB: A Lot More Than You Knew
GDB: A Lot More Than You Knew
 
Give me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbGive me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdb
 
/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.ppt/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.ppt
 
CyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System HackingCyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System Hacking
 
Virtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated SystemVirtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated System
 
Net App At Egis English
Net App At Egis EnglishNet App At Egis English
Net App At Egis English
 
Hunting segfaults (for beginners)
Hunting segfaults (for beginners)Hunting segfaults (for beginners)
Hunting segfaults (for beginners)
 
Tools used for debugging
Tools used for debuggingTools used for debugging
Tools used for debugging
 
Gdb cheat sheet
Gdb cheat sheetGdb cheat sheet
Gdb cheat sheet
 
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWSGetting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
 
Төгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журамТөгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журам
 
How STP works?
How STP works?How STP works?
How STP works?
 
Route Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRPRoute Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRP
 
оутт 5
оутт 5 оутт 5
оутт 5
 
Gdb remote debugger
Gdb remote debuggerGdb remote debugger
Gdb remote debugger
 
GDB Rocks!
GDB Rocks!GDB Rocks!
GDB Rocks!
 
AWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate LevelAWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate Level
 
Gdb tutorial-handout
Gdb tutorial-handoutGdb tutorial-handout
Gdb tutorial-handout
 
淺入淺出 GDB
淺入淺出 GDB淺入淺出 GDB
淺入淺出 GDB
 
Python + GDB = Javaデバッガ
Python + GDB = JavaデバッガPython + GDB = Javaデバッガ
Python + GDB = Javaデバッガ
 

Semelhante a Reverse-engineering: Using GDB on Linux

Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingPositive Hack Days
 
CSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docxCSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docxmydrynan
 
Mark asoi ppt
Mark asoi pptMark asoi ppt
Mark asoi pptmark-asoi
 
Looping and switch cases
Looping and switch casesLooping and switch cases
Looping and switch casesMeoRamos
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPVS-Studio
 
C and CPP Interview Questions
C and CPP Interview QuestionsC and CPP Interview Questions
C and CPP Interview QuestionsSagar Joshi
 
Lpi Part 2 Basic Administration
Lpi Part 2 Basic AdministrationLpi Part 2 Basic Administration
Lpi Part 2 Basic AdministrationYemenLinux
 
Fundamentals of programming final santos
Fundamentals of programming final santosFundamentals of programming final santos
Fundamentals of programming final santosAbie Santos
 
OverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docxOverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docxalfred4lewis58146
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008guestd9065
 
Fundamentals of programming final
Fundamentals of programming finalFundamentals of programming final
Fundamentals of programming finalRicky Recto
 
Advanced driver debugging (13005399) copy
Advanced driver debugging (13005399)   copyAdvanced driver debugging (13005399)   copy
Advanced driver debugging (13005399) copyBurlacu Sergiu
 
Switch case and looping statement
Switch case and looping statementSwitch case and looping statement
Switch case and looping statement_jenica
 

Semelhante a Reverse-engineering: Using GDB on Linux (20)

A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpoint
 
How a Compiler Works ?
How a Compiler Works ?How a Compiler Works ?
How a Compiler Works ?
 
Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash Cracking
 
CSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docxCSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docx
 
Mark asoi ppt
Mark asoi pptMark asoi ppt
Mark asoi ppt
 
Survelaine murillo ppt
Survelaine murillo pptSurvelaine murillo ppt
Survelaine murillo ppt
 
Looping and switch cases
Looping and switch casesLooping and switch cases
Looping and switch cases
 
Compiler presentaion
Compiler presentaionCompiler presentaion
Compiler presentaion
 
Switch case looping
Switch case loopingSwitch case looping
Switch case looping
 
python and perl
python and perlpython and perl
python and perl
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under Linux
 
C and CPP Interview Questions
C and CPP Interview QuestionsC and CPP Interview Questions
C and CPP Interview Questions
 
C tutorials
C tutorialsC tutorials
C tutorials
 
Lpi Part 2 Basic Administration
Lpi Part 2 Basic AdministrationLpi Part 2 Basic Administration
Lpi Part 2 Basic Administration
 
Fundamentals of programming final santos
Fundamentals of programming final santosFundamentals of programming final santos
Fundamentals of programming final santos
 
OverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docxOverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docx
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008
 
Fundamentals of programming final
Fundamentals of programming finalFundamentals of programming final
Fundamentals of programming final
 
Advanced driver debugging (13005399) copy
Advanced driver debugging (13005399)   copyAdvanced driver debugging (13005399)   copy
Advanced driver debugging (13005399) copy
 
Switch case and looping statement
Switch case and looping statementSwitch case and looping statement
Switch case and looping statement
 

Último

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 

Último (20)

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Diamond Application Development Crafting Solutions with Precision

Reverse-engineering: Using GDB on Linux

2. Reverse-engineering: Using GDB on Linux
At Holberton School, we have had a couple of rounds of a ‘#forfun’ project called crackme. For these projects, we are given an executable that accepts a password. Our assignment is to crack the program through reverse engineering. For round one we were given four Linux tools to use, and we had to demonstrate how to find the answer with each tool. It was quickly apparent that using a standard library string comparison is a bad idea, as was hardcoding passwords into the executable in plain text. Another round demonstrated that the ltrace tool could gather not only the password from string comparisons, but also the encryption method (MD5 in that case) used to protect the password.

3. Reverse-engineering: Using GDB on Linux
This week we were given another crack at hacking. I went to my go-to tool for reverse-engineering, the GNU Project Debugger (aka GDB), to find the password. If you would like to take a shot at cracking the executable, you can find it at Holberton School’s Github. The file relevant to this post is crackme3.

4. Program Checks
Before I dig too deep into the exec file, I check what information I can get from it. First, I do a test run of the file to see what error information is provided.
$ ./crackme3
Usage: ./crackme3 password
For this executable the password is expected to be provided on the command line.

5. Program Checks
The next check I run is ltrace, just to see if the password will appear. In addition, it can provide some other useful information about how the program works.
$ ltrace ./crackme3 password
__libc_start_main(0x40068c, 2, 0x7ffcdd754bd8, 0x400710 <unfinished ...>
strlen("password") = 8
puts("ko"ko
) = 3
+++ exited (status 1) +++
The output shows that the program checks the length of the string, but there is no clear indication that this is a roadblock. Time to break down the program.

6. The GNU Project Debugger
GDB is a tool developed for Linux systems with the goal of helping developers identify sources of bugs in their programs. In their own words, from the gnu.org website: GDB, the GNU Project debugger, allows you to see what is going on `inside' another program while it executes, or what another program was doing at the moment it crashed.

7. The GNU Project Debugger
When reverse engineering a program, the tool is used to review the compiled Assembly code, in either the AT&T or Intel flavor, to see step-by-step what is happening. Breakpoints are added to stop the program midstream and review the data in the CPU registers and in memory to identify how it is being manipulated. I will cover these steps in more detail below.

8. The Anatomy of Assembly
To get started, I entered the command to launch the crackme3 file with GDB, followed by the disass command and the function name. The output is a list of Assembly instructions that direct each action of the executable.
$ gdb ./crackme3
(gdb) disass main

9. The Anatomy of Assembly

10. The Anatomy of Assembly
In the previous slide, the AT&T and Intel syntaxes are displayed side-by-side. However, the output will actually display only one of the two. I prefer to use the AT&T format because the flow makes more sense to me. The first column provides the address of the instruction. The next column is the instruction itself, followed by the data source and the destination. Jumps and function calls have the jump target or function name following those lines. Intel syntax reverses the data source and destination in its display. There are additional differences in the mnemonics and operand syntax, but this is common when comparing scripts in two different languages that perform the same function. If I were writing Assembly, my syntax preference might be different and would be based on more than just the flow of information.

11. The Logic Flow
Every script depends highly on logic flow. Depending on the compiler and the options selected at compile time, the flow of the Assembly code could be straightforward or very complex. Some options intentionally obfuscate the flow to disrupt attempts to reverse engineer the executable. Below is the output of the disass main command in AT&T syntax.

13. The Logic Flow
The portions of the output not highlighted are jumps and closing processes before exit. There are four types of jumps in the output of main and check_password: je, jmp, jne, and jbe. The jmp command performs the described jump regardless of condition. The other three are conditional jumps. The first two, je and jne, are straightforward: they mean jump if equal and jump if not equal. The last command, jbe, is a jump used in a loop that means jump if below or equal (an unsigned less-than-or-equal comparison).

14. The Heart of the Question
Ultimately we are looking for the password. Based on the information from the main output, it is primarily depending on the check_password function to determine whether to exit or provide access. To analyze the process happening in that function, I entered disass check_password.

15. The Heart of the Question

16. The Heart of the Question
The first thing I confirm is that the length of the password entered is important. The program looks for a password that is four characters long. The instruction at 0x400632 actually shows the password in integer form, but I did not recognize it immediately. That value is stored in memory four bytes before the memory address stored in the RBP register. I use x/h * $RBP - 0x04 to print the value. The ‘h’ stands for hexadecimal and it is the easiest format to see how the password is stored. From the instruction set, a comparison of two registers, rax and rdx, occurs at 0x40066a. This is where the next step of my investigation leads.

17. Registered and Certified
(gdb) b *0x40066a
(gdb) run test
Starting program: /home/vagrant/reverse_engineering/crackme3/crackme3 test
Breakpoint 1, 0x000000000040066a in check_password ()
(gdb) info registers

18. Registered and Certified
I set a breakpoint to analyze the data in process. Breakpoints do exactly what they say: they interrupt the process at the given instruction address. Once the breakpoint is set, I initialize the executable with the command run test. The value ‘test’ is the four-character password I used to get past the length test and into the password comparison. Once the breakpoint is triggered I enter info registers to view the data in the registers at the point the program was interrupted.

19. Registered and Certified
Register Data On Each Loop
1: RDX 0x41 = A
2: RDX 0x42 = B
3: RDX 0x43 = C
4: RDX 0x4 = ^D or EOF
Legend: Blue = User input | Green = Stored Password
20. Registered and Certified
From the register information, I find two integers are stored: 0x74 and 0x41. The ASCII value of the letter ‘t’ is 0x74. The printable letter for 0x41 is ‘A’. I also noticed that RCX holds the integer value 0x4434241. Read byte by byte from the lowest address (x86-64 stores integers little-endian, so the value appears reversed), it is 41, 42, 43 and 04. Converted to character values it is A, B, C, ^D or EOF.
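To make the little-endian reading of RCX and the loop in check_password concrete, here is an added example in C; it is not the crackme3 source. The only value taken from the slides is the register contents 0x4434241; the length check and the byte-by-byte comparison are a reconstruction of what slides 16 through 20 describe.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not the crackme3 source. STORED_PASSWORD is the RCX value
 * seen at the breakpoint on the page; the check below is reconstructed from
 * the slides' description of check_password. */
#define STORED_PASSWORD 0x04434241u

/* Byte i of a 32-bit value as it sits in memory on a little-endian machine
 * (x86-64): byte 0 is the least-significant byte. This is why RCX reads
 * "in reverse" as 41 42 43 04 -> 'A' 'B' 'C' ^D. */
int le_byte(uint32_t value, int i)
{
    return (int)((value >> (8 * i)) & 0xffu);
}

/* Mirrors check_password as the slides describe it: strlen must be exactly
 * four, then each input byte (RAX on the page) is compared with the stored
 * byte (RDX) on each pass of the loop. Returns 1 for "ok", 0 for "ko". */
int check_password(const char *input)
{
    if (strlen(input) != 4)
        return 0;
    for (int i = 0; i < 4; i++)
        if ((unsigned char)input[i] != le_byte(STORED_PASSWORD, i))
            return 0;
    return 1;
}

int main(void)
{
    printf("stored bytes:");
    for (int i = 0; i < 4; i++)
        printf(" %02x", le_byte(STORED_PASSWORD, i));
    printf("\n");
    /* "test" passes the length check but fails on the first byte (0x74 vs 0x41) */
    printf("test -> %s\n", check_password("test") ? "ok" : "ko");
    /* "ABC" followed by the 0x04 byte matches every position */
    printf("ABC^D -> %s\n", check_password("ABC\x04") ? "ok" : "ko");
    return 0;
}
```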
21. Registered and Certified
Inputting the password is tricky. Bash interprets the EOF character itself, so it isn’t passed to the executable. In fact, it is used to exit executables. I tried to store it in a file, but emacs reads ^D (Ctrl + D) as an end-of-buffer command. My workaround is to use an online ASCII to text converter and paste into a file through Atom. It adds a newline character, which I remove with emacs.

22. Registered and Certified
To get the password past Bash and into the executable, I use the command line below. This keeps Bash busy with passing the values to the executable so it does not interpret the EOF (end of file or transmission).
$ ./crackme3 $(< 0-password)
Congratulations!

23. Conclusion
GDB is a powerful tool that is useful for much more than I have covered in this post. Take the time to read the documentation from GNU to learn more. I am confident there are many other tools that can be used as well. Share your go-to tool for reverse-engineering or debugging in the comments below.

24. About Rick Harris
Student at Holberton School, a project-based, peer-learning school developing full-stack software engineers in San Francisco. Involved in the IT industry for 6+ years, most recently as a part of the Office of Information Technologies at the University of Notre Dame.
Keep in Touch
Twitter: @rickharris_dev
LinkedIn: rickharrisdev