The document outlines a comprehensive guide on reverse engineering and pwnable techniques for capture the flag (CTF) competitions, detailing essential tools, common vulnerabilities, and strategies to analyze programs. It covers basic knowledge necessary for CTF, binary file types, and debugging tools, along with examples of memory vulnerabilities like buffer overflow. Resources for further learning and practical challenges are also provided to enhance the reader's skills in cybersecurity.

1. JULY 11, 2021 - 11H
Meeting with Company A
AUGUST 8, 2021 - 16H
Meeting with Company A
JUNE 15, 2021 - 18H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
Meeting with Company A
MARCH 22, 2021 - 15H
RIL 15, 2021 - 15H
ting with Company A
JUNE 15, 2021 - 18H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
Reverse Engineering &
Pwnable for CTF
Powered By: Kusol Watchara-Apanukorn

2. ● Kusol Watchara-Apanukorn (Boss)
● Head of Cyber Security Consultant @Sectrike Co., Ltd
● Certificate: OSCP, GPEN, eCXD, Python for Pentester
● Hobbies:
○ IoT
○ CVE Hunter
○ Bug Bounty Hunter
○ CTF
● LinkedIn Profile: https://th.linkedin.com/in/kusol-watchara-apanukorn-808094146
WHO AM I?

3. TABLE OF CONTENTS
Basic Knowledge
01 Introduction 02
Basic of RE
Reverse Engineer
03
Basic of PWN
Pwnable 04 Summary

4. Introduction

5. Reverse Engineering
● Definition
○ Reverse engineering is considered as the process of developing a
set of specifications for a complex hardware system by an orderly
examination of specimens of that system. It is assumed that the
specifications are being developed for the purpose of making a
clone of the original hardware system, a circumstance which
requires the most comprehensive form of specifications.
Ref: https://ieeexplore.ieee.org/abstract/document/6313354

6. Reverse Engineering
● Basic Knowledge for CTF
○ Read pseudo-code
○ Known some assembly
○ Coding

7. Reverse Engineering
● Common language in CTF
○ C
○ C++
○ Rust
○ Golang
○ C# or .NET
○ JAVA
○ Python (pyc or py)

8. Low Level Language
● Manually memory management
● Communicate directly to hardware/os
● True low-level: Assembly and machine code
● These days, we category C and C++ are low-level language.

9. Reverse Engineering
● Common binary file
○ PE file (.exe or .dll)
○ ELF file (elf)
○ APK file (apk)
○ .NET file (.exe)
○ JAVA file
○ Python file (pyc or py)

10. Reverse Engineering Common Goal
● Search the hardcoded
● Modify the target program to change logic
● Analyze the program how it work? (This is between reverse
engineering and pwnable)
○ Hidden function
○ Valid input to show the flag

11. Pwnable
● Aka Pwned/Pwn
● It’s a slang word that mean totally defeat or dominate.
● The earliest known use of the verb pwn is in the 1990s.
● The earliest evidence for pwn is from 1999, in a message posted on the
Usenet newsgroup rec.games.computer.ultima.online.
Ref: https://www.oed.com/dictionary/pwn_v?tl=true

12. Pwnable
● Basic knowledge
○ Reverse engineering
○ Read pseudo-code
○ Known some assembly
○ Coding
○ Memory vulnerabilities like buffer overflow and format string

13. Pwnable
● Common binary file
○ PE file (.exe or .dll)
○ ELF file (elf)
○ Python file (pyc or py)

14. Pwnable Common CTF Goal
● Analyze the program how it work? (This is between reverse
engineering and pwnable)
○ Hidden function
○ Valid input to show the flag
○ Time attack
● Exploit memory vulnerability program like:
○ Buffer overflow in ARM, x86, x86_64
○ Format string vulnerability
○ Return-oriented programming (ROP)

15. Reverse Engineering

16. ● Disassembly
○ Ghidra [Free]
○ IDA [Free/Paid]
○ Hopper [Paid]
○ Radare2 [Free]
● Decompiler (like JAVA and .NET)
○ JADX
○ JD-GUI
○ dnSpy
○ ILSpy
○ decompiler.com
Reverse Engineering Tools

17. ● Tricks
○ Whenever you get a file, issuing file command first to it to know
what really file is it.
○ Use strings <filename> command to read the strings in the
binary to find some clues. Maybe some grep -i command too.
Reverse Engineering Tools

18. Root-Me Challenge

19. ● Download here: https://github.com/NationalSecurityAgency/ghidra/releases
Ghidra Basic Usage

20. Windows
https://oracle.com/java/technologies/downloads/#jdk22-windows
Linux
$ sudo apt update
$ sudo apt install default-jdk
Ghidra (Java Issue)

21. ● Execute the bash file
Ghidra Basic Usage

22. Create a new project
Ghidra Basic Usage

23. Choose any and click next button
Ghidra Basic Usage

24. Choose project directory and name the project. After done click “Finish”
Ghidra Basic Usage

25. Import the lab’s file by using “Import FIle… function”.
Ghidra Basic Usage

26. Click OK.
Ghidra Basic Usage

27. Click OK.
Ghidra Basic Usage

28. Double click on lab’s file.
Ghidra Basic Usage

29. Click yes to analyze the binary file.
Ghidra Basic Usage

30. Use default setting and click analyze.
Ghidra Basic Usage

31. Analyze the main function.
Ghidra Basic Usage

32. Analyze the pseudo code.
Ghidra Basic Usage

33. __s1 must be “123456789” to get into iVar1 == 0 condition.
Ghidra Basic Usage

34. Please solve this challenge from root-me.org
Reverse Engineering Lab

35. JUNE 25, 2021 - 12H
Meeting with Company A
JULY 11, 2021 - 11H
Meeting with Company A
AUGUST 8, 2021 - 16H
Meeting with Company A
JUNE 15, 2021 - 18H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
MARCH 22, 2021 - 15H
Meeting with Company A
RIL 15, 2021 - 15H
ting with Company A ELF x86 - Basic
minutes
20

36. Pwnable

37. ● Windows debugger tools
○ WinDbg
○ Immunity Debugger
● Linux debugger tools
○ GDB
○ GDB-GEF
○ GDB-PEDA
● Exploit tools
○ Pwntool (python library)
○ Ropper
○ ROPGadget
Pwnable Tools

38. ● Tricks
○ Run checksec check the properties of executable of binary
security.
○ You need strong in Assembly Language, computer architecture,
C programming (Reverse engineering) and Python language to
make script for this challenge!
Pwnable Tools

39. X86-64 Linux Memory Layout
● Stack
○ Manage local variables
○ Function arguments
○ Control information such as return address
● Heap
○ Dynamic memory allocation
○ malloc(), calloc(), new()
● Data
○ Statically allocated data
○ Like global variables, static vars, string constants
● Text / Shared Libraries
○ Executable machine instructions
○ Read-only
Stack
Shared Libraries
Heap
Data
Text
0x00007FFFFFFFFFFF
0x0000040000000000
Ref: https://slideplayer.com/slide/14508799/

40. Memory Allocation Example
Ref: https://slideplayer.com/slide/14508799/

41. Memory Allocation Example
● local 0x00007ffe4d3be87c
● p1 0x00007f7262a1e010
● p3 0x00007f7162a1d010
● p4 0x000000008359d120
● p2 0x000000008359d010
● big_array 0x0000000080601060
● huge_array 0x0000000000601060
● main() 0x000000000040060c
● useless() 0x0000000000400590
Stack
Heap
Heap
Data
Text
00007F
000000
Ref: https://slideplayer.com/slide/14508799/

42. Sample Memory Safety Vulnerability
● Stack-based buffer overflow
● Heap-based buffer overflow
● Format string vulnerability
● Use after free
● …
Ref: https://cwe.mitre.org/data/definitions/119.html

43. Install Debugger Plugin
● Install GEF (Linux)
● https://github.com/hugsy/gef
Install: bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

44. Vulnerable Buffer Code
Buffer Overflow

45. Buffer Overflow Disassembly

46. What happened?
Stack Frame for
call_echo
Return Address (8
bytes)
Unused
[9] [8] [7] [6]
[5] [4] [3] [2]
[1] [0]
buf[10]

47. Buffer Stack
Stack Frame for
call_echo
Return Address (8
bytes)
Unused
[9] [8] [7] [6]
[5] [4] [3] [2]
[1] [0]
buf[10]

48. Buffer Overflow Stack
Stack Frame for
call_echo
Return Address (8
bytes)
Unused
[9] [8] [7] [6]
[5] [4] [3] [2]
[1] [0]
buf[10]

49. 0x00000000004011c8
Return address of echo()

50. Breakpoint at 0x4011c8 (return)
Analyze before return

51. Run the program
Analyze before return

52. Control Pointer

53. 0x00000000004011c8
Return address of echo()

54. Analyze RBP
Analyze before return

55. Overwrite RBP
Analyze before return

56. ● We do buffer overflow to RBP.
● Next step
○ How to replace RIP?
○ What address that we want to return?
What happened right now?
RIP Address (8 bytes)
RBP Address (8 bytes)
Buf [10]

57. Overwrite RIP (exit and get in gdb again first)
Control Pointer

58. No one call?
Can we call it?
Unused function

59. 0x00000000004011da
Unused function (Disassembly)

60. Data: 0x01020304
Little Endian vs Big Endian
Little Endian
Big Endian
04 03 02 01
01 02 03 04

61. Linux: lscpu | grep Endian
How to check byte order

62. run <<< $(python -c “print ‘A’*18+’xdax11x40’”)
0x4011da -> xdax11x40
Return to smash() function

63. Please solve this challenge from root-me.org
Pwnable Lab

64. JUNE 25, 2021 - 12H
Meeting with Company A
JULY 11, 2021 - 11H
Meeting with Company A
AUGUST 8, 2021 - 16H
Meeting with Company A
JUNE 15, 2021 - 18H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
JUNE 15, 2021 - 15H
Meeting with Company A
MARCH 22, 2021 - 15H
Meeting with Company A
RIL 15, 2021 - 15H
ting with Company A
minutes
45

65. Format String Vulnerability

66. ● The Format Function is an ANSI C conversion function.
● Example function:
○ printf
○ fprintf
● Converts a primitive variable of the programming language into a
human-readable string representation.
Format Function

67. ● The Format String is the argument of the Format Function and is
an ASCII Z string which contains text and format parameters.
● Example: printf (“The magic number is: %dn”, 1911);
● The Format String Parameter, like %x %s defines the type of
conversion of the format function.
Format String

68. #include <stdio.h>
void main(int argc, char **argv)
{
// This line is safe
printf("%sn", argv[1]);
// This line is vulnerable
printf(argv[1]);
}
Vulnerable Code
No input validation

69. Normal Situation

70. Memory Leaked

71. Denial of Service

72. Common parameters used in a Format String Attack

73. Real Life?

74. Reverse Engineering

75. Public Vulnerability

76. Payload:
https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingPro
file:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x
Log Result:
Nov 29 08:41:47 bigip.example.org soap[4335]: query:
WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210:08c
c4954:01000000:ffeaa378:f5aa8000
Public Vulnerability

77. Public Vulnerability

78. Secure coding perspective
● Developer need to understand the function that they will use.
Web Application Firewall (WAF)
● You can block the specific message like %s, %x, %p, …
Attack Analysis
● You can analyze common attack parameter like %s, %x, %p, …
Pentester
● You know more technique :D
Format String Summary

79. False Positive (URL Encoding)

80. Please solve this challenge from root-me.org
Pwnable Lab

81. Summary

82. ● https://ctf101.org [Basic to intermediate]
● http://pwnable.kr/ [Basic to advance]
● https://www.youtube.com/@LiveOverflow [Basic to expert]
● https://guyinatuxedo.github.io/ [Basic to expert]
● https://exploit.education/ [Basic to expert]
Learning Resources

83. ● Tool is just tool!!!
● Tool could help you, when you have a knowledge.
● To solve reverse engineering/pwnable CTF you need to learn a lot.
● Self-learning is the key!!!!
Final Thing

84. Thank You
Any Question?