SlideShare a Scribd company logo

Reverse-engineering: Using GDB on Linux

Download as PPTX, PDF
R
Rick Harris

At Holberton School, we have had a couple rounds of a ‘#forfun’ project called crackme. For these projects, we are given an executable that accepts a password. Our assignment is to crack the program through reverse engineering.

Software
1 of 24
Reverse-engineering Using GDB on Linux
Reverse-engineering: Using GDB on Linux At Holberton School, we have had a couple rounds of a ‘#forfun’ project called crackme. For these projects, we are given an executable that accepts a password. Our assignment is to crack the program through reverse engineering. For round one we were given four Linux tools to use, and we had to demonstrate how to find the answer with each tool. It was quickly apparent that using a standard library string comparison is a bad idea as was hardcoding passwords into the executable in plain text. Another round demonstrated that the ltrace tool could gather not only the password from string comparisons, but the encryption method (MD5 in that case) to decrypt the password.
Reverse-engineering: Using GDB on Linux This week we were given another crack at hacking. I went to my go-to tool for reverse-engineering, the GNU Project Debugger (aka GDB), to find the password. If you would like to take a shot at cracking the executable, you can find it at Holberton School’s Github. The file relevant to this post is crackme3.
Program Checks Before I dig too deep into the exec file, I check what information I can get from it. First, I do a test run of the file to see what error information is provided. $ ./crackme3 Usage: ./crackme3 password For this executable the password is expected to be provided on the command line.
Program Checks The next check I run is ltrace just to see if the password will appear. In addition, it can provide some other useful information about how the program works. $ ltrace ./crackme3 password __libc_start_main(0x40068c, 2, 0x7ffcdd754bd8, 0x400710 <unfinished …> strlen(“password”) = 8 puts(“ko”ko ) = 3 +++ exited (status 1) +++ The return shows that the program is checking the length of the string, but there is no clear indication that this is a roadblock. Time to break down the program.
The GNU Project Debugger GDB is a tool developed for Linux systems with the goal of helping developers identify sources of bugs in their programs. In their own words, from the gnu.org website: GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes—or what another program was doing at the moment it crashed.
The GNU Project Debugger When reverse engineering a program, the tool is used to review the compiled Assembly code in either the AT&T or Intel flavors to see step-by-step what is happening. Breakpoints are added to stop the program midstream and review data in the memory registers to identify how it is being manipulated. I will cover these steps in more detail below.
The Anatomy of Assembly To get started, I entered the command to launch the crackme3 file with GDB followed by the disass command and the function name. The output is a list of Assembly instructions that direct each action of the executable. $ gdb ./crackme3 (gdb) disass main
The Anatomy of Assembly
The Anatomy of Assembly In the previous slide, the AT&T and Intel syntaxes are displayed side-by-side. However, the output will actually display only one of the two. I prefer to use the AT&T format because the flow makes more sense to me. The first column provides the address of the command. The next column is the command itself followed by the data source and the destination. Jumps and function calls have the jump location or function name following those lines. Intel syntax reverses the data source and destination in its display. There are additional differences in the command names and data syntaxes, but this is common when comparing scripts of two different languages that perform the same function. If I were writing Assembly, my syntax preference might be different and would be based on more than just flow of information.
The Logic Flow Every script depends highly on logic flow. Depending on the compiler and options selected when compiled, the flow of the Assembly code could be straightforward or very complex. Some options intentionally obfuscate the flow to disrupt attempts to reverse engineer the executable. Below is the output of the disass main command in AT&T syntax.
The Logic Flow
The Logic Flow The portions of the command not highlighted are jumps and closing processes before exit. There are four types of jumps in the output of main and check_password; je, jmp, jne, and jbe. The jmp command performs the described jump regardless of condition. The other three are conditional jumps. The first two, je and jne, are straightforward. They mean jump if equal and jump if not equal. The last command, jbe, is a jump used in a loop that means jump if less than or equal.
The Heart of the Question Ultimately we are looking for the password. Based on the information from the main output, it is primarily depending on the check_password function to determine whether to exit or provide access. To analyze the process happening in that function, I entered disass check_password.
The Heart of the Question
The Heart of the Question The first thing I confirm is that the length of the password entered is important. The program looks for a password that is four characters long. The instruction at 0x400632 actually shows the password in integer form, but I did not recognize it immediately. That value is stored in memory four bytes before the memory address stored in the RBP register. I use x/h * $RBP - 0x04 to print the value. The ‘h’ stands for hexadecimal and it is the easiest format to to see how the password is stored. From the instruction set, a comparison of two registers, rax and rdx, occurs at 0x40066a. This is where the next step of my investigation leads.
Registered and Certified (gdb) b *0x40066a (gdb) run test Starting program: /home/vagrant/reverse_engineering/crackme3/crackme3 test Breakpoint 1, 0x000000000040066a in check_password () (gdb) info registers
Registered and Certified I set a breakpoint to analyze the data in process. Breakpoints do exactly what they say, they interrupt the process at the given instruction address. Once the breakpoint is set, I initialize the executable with the command run test. The value ‘test’ is the four character password I used to get past length test and into the password comparison. Once the breakpoint is triggered I enter info registers to view the data in the registers at the point the program was interrupted.
Registered and Certified Register Data On Each Loop 1: RDX—0x41 = A 2: RDX—0x42 = B 3: RDX—0x43 = C 4: RDX—0x4 = ^D or EOF Blue — User input | Green — Stored Password
Registered and Certified From the register information, I find two integers are stored; 0x74 and 0x41. The ASCII value of the letter ‘t’ is 0x74. The printable letter for 0x41 is ‘A’. I also noticed that in RCX is an integer value of 0x4434241. If read in reverse, it is 41, 42, 43 and 4. Converted to the character values it is A, B, C, ^D or EOF.
Registered and Certified Inputting the password is tricky. Bash interprets the EOF file command so it isn’t passed to the executable. In fact, it is used to exit executables. I tried to store it in a file, but emacs reads ^D (Ctrl + D) as an end of buffer command. My workaround is to use an online ASCII to text converter and paste into a file through Atom. It adds a new line character which I remove with emacs.
Registered and Certified To get the password past Bash and into the executable, I use the command line below. This keeps Bash busy with passing the values to the executable so it does not interpret the EOF, end of file or transmission. $ ./crackme3 $(< 0-password) Congratulations!
Conclusion Gdb is a powerful tool that is useful for much more than I have covered in this post. Take the time to read the documentation from GNU to learn more. I am confident there are many other tools that can be used as well. Share your go-to tool for reverse-engineering or debugging in the comments below.
About Rick Harris Student at Holberton School, a project-based, peer-learning school developing full-stack software engineers in San Francisco. Involved in the IT industry for 6+ years most recently as a part of the Office of Information Technologies at the University of Notre Dame. Keep in Touch Twitter: @rickharris_dev LinkedIn: rickharrisdev

Recommended

What's new in Gerrit Code Review 3.0
What's new in Gerrit Code Review 3.0What's new in Gerrit Code Review 3.0
What's new in Gerrit Code Review 3.0Luca Milanesio
 
Read-only rootfs: theory and practice
Read-only rootfs: theory and practiceRead-only rootfs: theory and practice
Read-only rootfs: theory and practiceChris Simmonds
 
Git and git workflow best practice
Git and git workflow best practiceGit and git workflow best practice
Git and git workflow best practiceMajid Hosseini
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Processdarshhingu
 
Linux booting Process
Linux booting ProcessLinux booting Process
Linux booting ProcessGaurav Sharma
 
Windows V/S Linux OS - Comparison
Windows V/S Linux OS - ComparisonWindows V/S Linux OS - Comparison
Windows V/S Linux OS - ComparisonHariharan Ganesan
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Ahmed El-Arabawy
 

Recommended

What's new in Gerrit Code Review 3.0
What's new in Gerrit Code Review 3.0What's new in Gerrit Code Review 3.0
What's new in Gerrit Code Review 3.0Luca Milanesio
 
Read-only rootfs: theory and practice
Read-only rootfs: theory and practiceRead-only rootfs: theory and practice
Read-only rootfs: theory and practiceChris Simmonds
 
Git and git workflow best practice
Git and git workflow best practiceGit and git workflow best practice
Git and git workflow best practiceMajid Hosseini
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Processdarshhingu
 
Linux booting Process
Linux booting ProcessLinux booting Process
Linux booting ProcessGaurav Sharma
 
Windows V/S Linux OS - Comparison
Windows V/S Linux OS - ComparisonWindows V/S Linux OS - Comparison
Windows V/S Linux OS - ComparisonHariharan Ganesan
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Course 102: Lecture 24: Archiving and Compression of Files
Course 102: Lecture 24: Archiving and Compression of Files Ahmed El-Arabawy
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Linux file system
Linux file systemLinux file system
Linux file systemMd. Tanvir Hossain
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceBrendan Gregg
 
Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerizationBalint Pato
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
Linux Programming
Linux ProgrammingLinux Programming
Linux ProgrammingEmertxe Information Technologies Pvt Ltd
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Presentation on basics of Registry Editor
Presentation on basics of Registry EditorPresentation on basics of Registry Editor
Presentation on basics of Registry EditorSanjeev Kumar Jaiswal
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)Vladimir Melnic
 
Kubernetes
KubernetesKubernetes
Kuberneteserialc_w
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-TutorialVladimir Koychev
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/CoreShay Cohen
 
Linux Hardening
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen
 
PACE-IT: Network Hardening Techniques (part 1)
PACE-IT: Network Hardening Techniques (part 1)PACE-IT: Network Hardening Techniques (part 1)
PACE-IT: Network Hardening Techniques (part 1)Pace IT at Edmonds Community College
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paasrajdeep
 
GDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewGDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewUndo
 
Give me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbGive me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbgregthelaw
 

More Related Content

What's hot

Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceBrendan Gregg
 
Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerizationBalint Pato
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Presentation on basics of Registry Editor
Presentation on basics of Registry EditorPresentation on basics of Registry Editor
Presentation on basics of Registry EditorSanjeev Kumar Jaiswal
 
Kubernetes
KubernetesKubernetes
Kuberneteserialc_w
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/CoreShay Cohen
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paasrajdeep
 

What's hot (20)

Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Linux file system
Linux file systemLinux file system
Linux file system
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems Performance
 
Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerization
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and How
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and Spywares
 
Linux Programming
Linux ProgrammingLinux Programming
Linux Programming
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Presentation on basics of Registry Editor
Presentation on basics of Registry EditorPresentation on basics of Registry Editor
Presentation on basics of Registry Editor
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/Core
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
PACE-IT: Network Hardening Techniques (part 1)
PACE-IT: Network Hardening Techniques (part 1)PACE-IT: Network Hardening Techniques (part 1)
PACE-IT: Network Hardening Techniques (part 1)
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paas
 

Viewers also liked

GDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewGDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewUndo
 
Give me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbGive me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbgregthelaw
 
/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.ppt/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.pptm_garrido
 
CyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System HackingCyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System HackingCyberLab
 
Virtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated SystemVirtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated Systemgazdagf
 
Net App At Egis English
Net App At Egis EnglishNet App At Egis English
Net App At Egis Englishgazdagf
 
Hunting segfaults (for beginners)
Hunting segfaults (for beginners)Hunting segfaults (for beginners)
Hunting segfaults (for beginners)uwevoelker
 
Tools used for debugging
Tools used for debuggingTools used for debugging
Tools used for debuggingMarian Marinov
 
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWSGetting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWSAmazon Web Services
 
Төгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журамТөгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журамnaranbatn
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdbOwen Hsu
 
Route Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRPRoute Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRPNetProtocol Xpert
 
AWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate LevelAWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate LevelYabin Meng
 
Gdb tutorial-handout
Gdb tutorial-handoutGdb tutorial-handout
Gdb tutorial-handoutSuraj Kumar
 
淺入淺出 GDB
淺入淺出 GDB淺入淺出 GDB
淺入淺出 GDBJim Chang
 

Viewers also liked (20)

GDB: A Lot More Than You Knew
GDB: A Lot More Than You KnewGDB: A Lot More Than You Knew
GDB: A Lot More Than You Knew
 
Give me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdbGive me 15 minutes and i'll change your view of gdb
Give me 15 minutes and i'll change your view of gdb
 
/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.ppt/Users/teacher/desktop/going up reading.ppt
/Users/teacher/desktop/going up reading.ppt
 
CyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System HackingCyberLab CCEH Session - 5 System Hacking
CyberLab CCEH Session - 5 System Hacking
 
Virtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated SystemVirtualized Platform Migration On A Validated System
Virtualized Platform Migration On A Validated System
 
Net App At Egis English
Net App At Egis EnglishNet App At Egis English
Net App At Egis English
 
Hunting segfaults (for beginners)
Hunting segfaults (for beginners)Hunting segfaults (for beginners)
Hunting segfaults (for beginners)
 
Tools used for debugging
Tools used for debuggingTools used for debugging
Tools used for debugging
 
Gdb cheat sheet
Gdb cheat sheetGdb cheat sheet
Gdb cheat sheet
 
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWSGetting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
Getting Started in the AWS Cloud, Glen Robinson, Solutions Architect, AWS
 
Төгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журамТөгсөлтийн сургалтыг зохицуулах журам
Төгсөлтийн сургалтыг зохицуулах журам
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdb
 
How STP works?
How STP works? How STP works?
How STP works?
 
Route Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRPRoute Redistribution between OSPF and EIGRP
Route Redistribution between OSPF and EIGRP
 
оутт 5
оутт 5 оутт 5
оутт 5
 
Gdb remote debugger
Gdb remote debuggerGdb remote debugger
Gdb remote debugger
 
GDB Rocks!
GDB Rocks!GDB Rocks!
GDB Rocks!
 
AWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate LevelAWS Certified Solution Architect - Associate Level
AWS Certified Solution Architect - Associate Level
 
Gdb tutorial-handout
Gdb tutorial-handoutGdb tutorial-handout
Gdb tutorial-handout
 
淺入淺出 GDB
淺入淺出 GDB淺入淺出 GDB
淺入淺出 GDB
 

Similar to Reverse-engineering: Using GDB on Linux

Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingPositive Hack Days
 
CSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docxCSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docxmydrynan
 
Mark asoi ppt
Mark asoi pptMark asoi ppt
Mark asoi pptmark-asoi
 
Looping and switch cases
Looping and switch casesLooping and switch cases
Looping and switch casesMeoRamos
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPVS-Studio
 
C and CPP Interview Questions
C and CPP Interview QuestionsC and CPP Interview Questions
C and CPP Interview QuestionsSagar Joshi
 
Lpi Part 2 Basic Administration
Lpi Part 2 Basic AdministrationLpi Part 2 Basic Administration
Lpi Part 2 Basic AdministrationYemenLinux
 
Fundamentals of programming final santos
Fundamentals of programming final santosFundamentals of programming final santos
Fundamentals of programming final santosAbie Santos
 
OverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docxOverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docxalfred4lewis58146
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008guestd9065
 
Fundamentals of programming final
Fundamentals of programming finalFundamentals of programming final
Fundamentals of programming finalRicky Recto
 
Advanced driver debugging (13005399) copy
Advanced driver debugging (13005399) copyAdvanced driver debugging (13005399) copy
Advanced driver debugging (13005399) copyBurlacu Sergiu
 
Switch case and looping statement
Switch case and looping statementSwitch case and looping statement
Switch case and looping statement_jenica
 

Similar to Reverse-engineering: Using GDB on Linux (20)

A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpoint
 
How a Compiler Works ?
How a Compiler Works ?How a Compiler Works ?
How a Compiler Works ?
 
Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash Cracking
 
CSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docxCSCI  132  Practical  Unix  and  Programming   .docx
CSCI  132  Practical  Unix  and  Programming   .docx
 
Mark asoi ppt
Mark asoi pptMark asoi ppt
Mark asoi ppt
 
Survelaine murillo ppt
Survelaine murillo pptSurvelaine murillo ppt
Survelaine murillo ppt
 
Looping and switch cases
Looping and switch casesLooping and switch cases
Looping and switch cases
 
Compiler presentaion
Compiler presentaionCompiler presentaion
Compiler presentaion
 
Switch case looping
Switch case loopingSwitch case looping
Switch case looping
 
python and perl
python and perlpython and perl
python and perl
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under Linux
 
C and CPP Interview Questions
C and CPP Interview QuestionsC and CPP Interview Questions
C and CPP Interview Questions
 
C tutorials
C tutorialsC tutorials
C tutorials
 
Lpi Part 2 Basic Administration
Lpi Part 2 Basic AdministrationLpi Part 2 Basic Administration
Lpi Part 2 Basic Administration
 
Fundamentals of programming final santos
Fundamentals of programming final santosFundamentals of programming final santos
Fundamentals of programming final santos
 
OverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docxOverviewIn this assignment you will write your own shell i.docx
OverviewIn this assignment you will write your own shell i.docx
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008
 
Fundamentals of programming final
Fundamentals of programming finalFundamentals of programming final
Fundamentals of programming final
 
Advanced driver debugging (13005399) copy
Advanced driver debugging (13005399) copyAdvanced driver debugging (13005399) copy
Advanced driver debugging (13005399) copy
 
Switch case and looping statement
Switch case and looping statementSwitch case and looping statement
Switch case and looping statement
 

Recently uploaded

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 

Reverse-engineering: Using GDB on Linux

  • 2. Reverse-engineering: Using GDB on Linux At Holberton School, we have had a couple rounds of a ‘#forfun’ project called crackme. For these projects, we are given an executable that accepts a password. Our assignment is to crack the program through reverse engineering. For round one we were given four Linux tools to use, and we had to demonstrate how to find the answer with each tool. It was quickly apparent that using a standard library string comparison is a bad idea as was hardcoding passwords into the executable in plain text. Another round demonstrated that the ltrace tool could gather not only the password from string comparisons, but the encryption method (MD5 in that case) to decrypt the password.
  • 3. Reverse-engineering: Using GDB on Linux This week we were given another crack at hacking. I went to my go-to tool for reverse-engineering, the GNU Project Debugger (aka GDB), to find the password. If you would like to take a shot at cracking the executable, you can find it at Holberton School’s Github. The file relevant to this post is crackme3.
  • 4. Program Checks Before I dig too deep into the exec file, I check what information I can get from it. First, I do a test run of the file to see what error information is provided. $ ./crackme3 Usage: ./crackme3 password For this executable the password is expected to be provided on the command line.
  • 5. Program Checks The next check I run is ltrace just to see if the password will appear. In addition, it can provide some other useful information about how the program works. $ ltrace ./crackme3 password __libc_start_main(0x40068c, 2, 0x7ffcdd754bd8, 0x400710 <unfinished …> strlen(“password”) = 8 puts(“ko”ko ) = 3 +++ exited (status 1) +++ The return shows that the program is checking the length of the string, but there is no clear indication that this is a roadblock. Time to break down the program.
  • 6. The GNU Project Debugger GDB is a tool developed for Linux systems with the goal of helping developers identify sources of bugs in their programs. In their own words, from the gnu.org website: GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes—or what another program was doing at the moment it crashed.
  • 7. The GNU Project Debugger When reverse engineering a program, the tool is used to review the compiled Assembly code in either the AT&T or Intel flavors to see step-by-step what is happening. Breakpoints are added to stop the program midstream and review data in the memory registers to identify how it is being manipulated. I will cover these steps in more detail below.
  • 8. The Anatomy of Assembly To get started, I entered the command to launch the crackme3 file with GDB followed by the disass command and the function name. The output is a list of Assembly instructions that direct each action of the executable. $ gdb ./crackme3 (gdb) disass main
  • 9. The Anatomy of Assembly
  • 10. The Anatomy of Assembly In the previous slide, the AT&T and Intel syntaxes are displayed side-by-side. However, the output will actually display only one of the two. I prefer to use the AT&T format because the flow makes more sense to me. The first column provides the address of the command. The next column is the command itself followed by the data source and the destination. Jumps and function calls have the jump location or function name following those lines. Intel syntax reverses the data source and destination in its display. There are additional differences in the command names and data syntaxes, but this is common when comparing scripts of two different languages that perform the same function. If I were writing Assembly, my syntax preference might be different and would be based on more than just flow of information.
  • 11. The Logic Flow Every script depends highly on logic flow. Depending on the compiler and options selected when compiled, the flow of the Assembly code could be straightforward or very complex. Some options intentionally obfuscate the flow to disrupt attempts to reverse engineer the executable. Below is the output of the disass main command in AT&T syntax.
  • 13. The Logic Flow The portions of the command not highlighted are jumps and closing processes before exit. There are four types of jumps in the output of main and check_password; je, jmp, jne, and jbe. The jmp command performs the described jump regardless of condition. The other three are conditional jumps. The first two, je and jne, are straightforward. They mean jump if equal and jump if not equal. The last command, jbe, is a jump used in a loop that means jump if less than or equal.
  • 14. The Heart of the Question Ultimately we are looking for the password. Based on the information from the main output, it is primarily depending on the check_password function to determine whether to exit or provide access. To analyze the process happening in that function, I entered disass check_password.
  • 15. The Heart of the Question
  • 16. The Heart of the Question The first thing I confirm is that the length of the password entered is important. The program looks for a password that is four characters long. The instruction at 0x400632 actually shows the password in integer form, but I did not recognize it immediately. That value is stored in memory four bytes before the memory address stored in the RBP register. I use x/h * $RBP - 0x04 to print the value. The ‘h’ stands for hexadecimal and it is the easiest format to to see how the password is stored. From the instruction set, a comparison of two registers, rax and rdx, occurs at 0x40066a. This is where the next step of my investigation leads.
  • 17. Registered and Certified (gdb) b *0x40066a (gdb) run test Starting program: /home/vagrant/reverse_engineering/crackme3/crackme3 test Breakpoint 1, 0x000000000040066a in check_password () (gdb) info registers
  • 18. Registered and Certified I set a breakpoint to analyze the data in process. Breakpoints do exactly what they say, they interrupt the process at the given instruction address. Once the breakpoint is set, I initialize the executable with the command run test. The value ‘test’ is the four character password I used to get past length test and into the password comparison. Once the breakpoint is triggered I enter info registers to view the data in the registers at the point the program was interrupted.
  • 19. Registered and Certified Register Data On Each Loop 1: RDX—0x41 = A 2: RDX—0x42 = B 3: RDX—0x43 = C 4: RDX—0x4 = ^D or EOF Blue — User input | Green — Stored Password
  • 20. Registered and Certified From the register information, I find two integers are stored; 0x74 and 0x41. The ASCII value of the letter ‘t’ is 0x74. The printable letter for 0x41 is ‘A’. I also noticed that in RCX is an integer value of 0x4434241. If read in reverse, it is 41, 42, 43 and 4. Converted to the character values it is A, B, C, ^D or EOF.
  • 21. Registered and Certified Inputting the password is tricky. Bash interprets the EOF file command so it isn’t passed to the executable. In fact, it is used to exit executables. I tried to store it in a file, but emacs reads ^D (Ctrl + D) as an end of buffer command. My workaround is to use an online ASCII to text converter and paste into a file through Atom. It adds a new line character which I remove with emacs.
  • 22. Registered and Certified To get the password past Bash and into the executable, I use the command line below. This keeps Bash busy with passing the values to the executable so it does not interpret the EOF, end of file or transmission. $ ./crackme3 $(< 0-password) Congratulations!
  • 23. Conclusion Gdb is a powerful tool that is useful for much more than I have covered in this post. Take the time to read the documentation from GNU to learn more. I am confident there are many other tools that can be used as well. Share your go-to tool for reverse-engineering or debugging in the comments below.
  • 24. About Rick Harris Student at Holberton School, a project-based, peer-learning school developing full-stack software engineers in San Francisco. Involved in the IT industry for 6+ years most recently as a part of the Office of Information Technologies at the University of Notre Dame. Keep in Touch Twitter: @rickharris_dev LinkedIn: rickharrisdev