Guide to Reverse Engineering Techniques

Mar 30, 2025

Lecture Notes: Reverse Engineering

Cool Security People of the Day (CSPoD)

  • Fabien Sanglard: Known for reverse engineering retro game consoles and for publishing informative books on the subject. More at Fabien's Site
  • Asahi Linux Project: Focuses on reverse engineering Apple GPU drivers so that Linux can run on Apple hardware; more details at Rosenzweig's Blog

Reverse Engineering

  • Definition: The process of understanding how something works, regardless of whether you are supposed to.
  • Examples of Reverse Engineering:
    • Modifying an alarm clock to change its functions.
    • Understanding algorithms like TikTok's video recommendations.
    • Replicating formulas such as Coca Cola's.
    • Disassembling game anti-cheat mechanisms like Valve's for CS2.

Reverse Engineering in Code

  • Often involves understanding what a piece of code does.
  • Example Challenge: Modify the code (or find the input) so that it prints "CORRECT!"
    # The comparison is against a hard-coded literal, so the password is
    # visible to anyone who can read the script.
    user_input = input("Password: ")
    if user_input == "p4ssw0rd":
        print("CORRECT!")
    else:
        print("You smell like rotten eggs!")

The Art of the Crackme

  • Crackmes: Challenges that involve computational complexity and reverse engineering.
  • General Strategies:
    • Add debug print statements.
    • Use a debugger.
    • Always take detailed notes.

Example of a Crackme

  • XOR Technique: An example whose magic_mixup function uses XOR for both encryption and decryption (XOR with the same key twice returns the original bytes).
    import binascii

    def magic_mixup(input_string, key):
        # XOR each character with the key byte at the same position;
        # the key repeats if it is shorter than the input.
        return ''.join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(input_string))

    # The key is stored in hex and decoded at runtime; every byte is below
    # 0x80, so the UTF-8 decode below succeeds.
    key = binascii.unhexlify("347d2406445b552b3643240d110a")
    user_input = input("Password: ")
    if magic_mixup(user_input, key.decode('utf-8')) == "CMSC426{W0Wz!}":
        print("CORRECT!")
    else:
        print("You will regret this.")
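To see why XOR with a hard-coded key offers no protection once the script can be read, here is an added solver that is not part of the lecture's code: it reuses the crackme's key and expected output, reproduces magic_mixup from above, and uses helper names (recover_password, recover_key, crackme_accepts, key_string) chosen here.

```python
import binascii

# Values copied from the crackme above.
KEY_HEX = "347d2406445b552b3643240d110a"
TARGET = "CMSC426{W0Wz!}"


def magic_mixup(input_string: str, key: str) -> str:
    """The crackme's XOR routine; the key repeats if shorter than the input."""
    return ''.join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(input_string))


def key_string(key_hex: str) -> str:
    """Decode the hex-encoded key exactly as the crackme does."""
    return binascii.unhexlify(key_hex).decode('utf-8')


def crackme_accepts(password: str) -> bool:
    """Mirror of the crackme's check, without the interactive prompt."""
    return magic_mixup(password, key_string(KEY_HEX)) == TARGET


def recover_password(key_hex: str, target: str) -> str:
    """Because x ^ k ^ k == x, feeding the expected output back through
    magic_mixup with the same key yields the input that produces it."""
    return magic_mixup(target, key_string(key_hex))


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Known-plaintext view: one (input, output) pair leaks the key byte at
    every position the pair covers, even if the key were not in the script."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("pair lengths differ")
    return ''.join(chr(ord(p) ^ ord(c)) for p, c in zip(plaintext, ciphertext))


if __name__ == "__main__":
    pw = recover_password(KEY_HEX, TARGET)
    print(f"recovered password: {pw!r}")
    print("crackme accepts it:", crackme_accepts(pw))
    print("key from the pair matches:", recover_key(pw, TARGET) == key_string(KEY_HEX))
```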

Binary Reverse Engineering

  • Compiled vs Interpreted Code:
    • Python is interpreted, which means it isn't distributed as a compiled binary.
  • Assembly Language:
    • Reading assembly is essential, because a disassembler such as objdump turns a compiled binary back into assembly rather than source:
      objdump -D -Mintel /bin/ls

ELF and Binary File Formats

  • ELF (Executable and Linkable Format): A standard file format for executables in Linux.
  • Commands to explore ELF files:
    readelf --sections /bin/ls
    readelf -a /bin/ls

Strings and Debugging

  • Extracting strings from binaries can reveal important information.
  • Debugging with GDB:
    • Commands: run (start the program), b *ADDRESS (set a breakpoint at an address), continue (resume until the next breakpoint)

Ghidra

  • Purpose: A tool for binary analysis, created by the NSA, providing decompilation capabilities.
  • Using Ghidra:
    • Create a project, import a binary, select the processor/architecture (Ghidra describes each one with a SLEIGH specification), and run the analysis.

Crackme Example with Ghidra

  • Demonstrates the use of Ghidra for decompiling and analyzing binaries.
  • Example Code: Features XOR encryption and password matching logic.

Pwntools

  • Introduction: A Python library for interacting with binary programs.
  • Functions:
    • remote(host, port): Connect to a remote program.
    • process(binary_path): Run a local binary.
    • Methods for sending and receiving data (e.g., sendline, readline).
  • Usage: Ideal for developing scripts for interacting with binaries programmatically.

Summary of Tools

  • Debug Statements: Useful for source code or interpreted languages.
  • Disassembler/Strings: For simple binary analysis.
  • Debugger: For dynamic and complex localized analyses.
  • Ghidra: For comprehensive binary analysis, offering high-level understanding.

Future Topics

  • Further exploration into reverse engineering techniques.
  • Focus on crashing binaries using Ghidra, GDB, and Pwntools.