As mentioned in the slides, there are a number of useful tools for this assignment!
Here is a (non-exhaustive) list:
gdb will let you run and inspect the state of these programs.
Please check out the Debugging Refresher module.
We have also provided a quick briefer here.
Some useful gdb concepts:
Know the difference between step instruction (si) and next instruction (ni).
Both execute exactly one instruction, and both follow jumps; the difference is at a call: si steps into the called function, while ni steps over it, running the callee to completion and stopping at the instruction after the call.
This means that if you use si across a call into libc, you will quickly find yourself crawling through libc code, which is insane and unnecessary.
You can use x/i $rip to disassemble the next instruction that will be executed.
You can call display/i $rip to make the next instruction display every time gdb prompts you for input.
You can also do x/2i and display/2i to print two (or other quantities of) instructions.
The disas command will disassemble the current function that you are looking at.
gdb can be scripted!
Look up conditional breakpoints and scriptable breakpoints in the gdb manual.
Modern binaries are position independent (PIE), meaning that they can be loaded anywhere in memory when they run.
gdb disables ASLR by default, and with ASLR off the Linux kernel maps an x86-64 PIE at the base address 0x555555554000, so that is where gdb will load them.
This means that if objdump is telling you that main starts at some address like 0x100, the address when debugging with gdb will be 0x555555554100 (base plus offset). Outside gdb, or after set disable-randomization off, the base is different for every run; check the actual base with info proc mappings.
strings will list printable strings in the file.
This is useful for looking for constant strings that the program checks for (such as file names and so on) in the course of getting input.
Keep in mind that strings only prints runs of printable characters at least as long as its minimum length (the -n option, default 4), so shorter constants will not show up unless you lower it.
Don't forget about pwntools! You will need to interact heavily with these programs. Do it right (with pwntools).
rappel is a nice tool to help you figure out what certain instructions do.
Tools for reverse engineering actual binaries:
IDA, accessible via the Desktop in the dojo, is the industry standard of reverse-engineering tools.
Ghidra, also accessible via the Desktop in the dojo, is an open source direct competitor to IDA that is used and loved by many.
angr-management, also accessible via the Desktop in the dojo, is an open source up-and-coming reversing tool with some advanced functionality.
Binary Ninja Cloud, accessible separately through your web browser, is a free binary reverse engineering tool.
In a pinch, objdump -d -M intel the_binary will disassemble the binary you want to look at.
-M intel, in that command, makes objdump give you nice and readable Intel assembly syntax.
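As an added example (not part of the original page), the following Python ties the objdump and gdb advice above together: it parses the text that objdump -d -M intel prints, rebases each offset to the 0x555555554000 base gdb uses for a PIE, and emits break commands for every call and branch so you can stop at each comparison instead of single-stepping. The objdump listing embedded in the script is constructed for the example and is not taken from any challenge binary.

```python
import re

# Base at which gdb (ASLR disabled) maps an x86-64 PIE on Linux.
GDB_PIE_BASE = 0x555555554000

# Constructed sample of `objdump -d -M intel` output; it is not taken from any
# challenge binary. Offsets are relative to image base 0, as for any PIE.
SAMPLE_OBJDUMP = """
0000000000001149 <main>:
    1149:\tf3 0f 1e fa          \tendbr64
    114d:\t55                   \tpush   rbp
    114e:\t48 89 e5             \tmov    rbp,rsp
    1151:\t48 83 ec 20          \tsub    rsp,0x20
    1155:\te8 d6 fe ff ff       \tcall   1030 <strcmp@plt>
    115a:\t85 c0                \ttest   eax,eax
    115c:\t75 0c                \tjne    116a <main+0x21>
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t([0-9a-f ]+)\t(.*)$")


def parse_objdump(text):
    """Turn objdump listing text into [{"func", "offset", "bytes", "asm"}, ...]."""
    insns, func = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = FUNC_RE.match(line)
        if m:
            func = m.group(2)          # "0000000000001149 <main>:" starts a function
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append({
                "func": func,
                "offset": int(m.group(1), 16),
                "bytes": bytes.fromhex(m.group(2).replace(" ", "")),
                "asm": m.group(3).strip(),
            })
    return insns


def rebase(offset, base=GDB_PIE_BASE):
    """Runtime address of a PIE offset once the image is mapped at `base`."""
    return base + offset


def gdb_breakpoints(insns, mnemonics=("call", "jne", "je"), base=GDB_PIE_BASE):
    """gdb `break *ADDR` commands for every call/branch, at rebased addresses.

    Save the output to a file and load it with `gdb -x file ./binary` to stop
    at each comparison and branch instead of stepping through libc.
    """
    return ["break *%#x" % rebase(ins["offset"], base)
            for ins in insns if ins["asm"].split()[0] in mnemonics]


if __name__ == "__main__":
    listing = parse_objdump(SAMPLE_OBJDUMP)
    for ins in listing:
        print("%#x -> %#x  %s" % (ins["offset"], rebase(ins["offset"]), ins["asm"]))
    print("\n".join(gdb_breakpoints(listing)))
```

If the binary is running with ASLR enabled, pass the base you read from info proc mappings as the base argument instead of the default.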
Crackmes
The classic reverse engineering challenge is a "crackme", where you are given a binary that will check whether or not you have provided the correct license key.
Two challenges: reverse engineer the binary to find the correct license key.
Connect with SSH
Link your SSH key, then connect with: ssh hacker@pwn.college
Eight challenges: reverse engineer the binary to find the correct license key, but your input will be modified somehow before being compared to the correct key.
Patching
When working with binaries, you may sometimes want to change the behavior of the binary itself. This can be accomplished by patching the binary: changing the bytes, and therefore the assembly instructions they encode, to change its behavior. The following set of challenges will allow you to patch a limited number of bytes in the binary at runtime to change its behavior.
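As an added example (not from the page or the challenges themselves), here is the bookkeeping a byte patch needs: the address you read in a disassembler is a virtual address, so it has to be translated through the ELF program headers to a file offset before you write, the write has to stay within the byte budget, and any self-checksum over the code will notice the change. The script builds a minimal constructed ELF64 in memory (one executable PT_LOAD segment containing test eax,eax / jne / xor eax,eax / ret), flips the jne to je with a one-byte patch, and shows a toy sum-based integrity check detecting it. The checksum is an illustration of the kind of check the later challenges perform, not their actual check.

```python
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")              # Elf64_Phdr
PT_LOAD, PF_X, PF_R = 1, 1, 4

# Constructed code: test eax,eax / jne +0xc / xor eax,eax / ret.
# The jne is the "is the key correct?" branch we want to flip.
CODE = bytes.fromhex("85c0" "750c" "31c0" "c3")
CODE_OFF, CODE_VA = 0x100, 0x1100   # file offset and virtual address differ on purpose


def build_sample_elf():
    """Minimal ET_DYN (PIE-style) ELF64 with one executable PT_LOAD segment."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, v1
    ehdr = ELF_HDR.pack(ident, 3, 0x3e, 1, CODE_VA, ELF_HDR.size, 0, 0,
                        ELF_HDR.size, PHDR.size, 1, 64, 0, 0)
    phdr = PHDR.pack(PT_LOAD, PF_R | PF_X, CODE_OFF, CODE_VA, CODE_VA,
                     len(CODE), len(CODE), 0x1000)
    blob = ehdr + phdr
    return blob + bytes(CODE_OFF - len(blob)) + CODE


def load_segments(elf):
    """(vaddr, file offset, filesz, flags) for each PT_LOAD program header."""
    hdr = ELF_HDR.unpack_from(elf, 0)
    ident, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64")
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_va, _, p_filesz, _, _ = PHDR.unpack_from(
            elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_va, p_off, p_filesz, p_flags))
    return segs


def vaddr_to_offset(elf, vaddr):
    """Map a virtual address (as a disassembler shows it) to a file offset."""
    for p_va, p_off, p_filesz, _ in load_segments(elf):
        if p_va <= vaddr < p_va + p_filesz:
            return p_off + (vaddr - p_va)
    raise ValueError("%#x is not backed by the file" % vaddr)


def patch(elf, vaddr, new_bytes, budget):
    """Overwrite len(new_bytes) bytes at vaddr, refusing to exceed the byte budget.

    Returns (patched_image, original_bytes) so the change can be reviewed or undone.
    """
    if len(new_bytes) > budget:
        raise ValueError("patch needs %d bytes, budget is %d" % (len(new_bytes), budget))
    off = vaddr_to_offset(elf, vaddr)
    buf = bytearray(elf)
    old = bytes(buf[off:off + len(new_bytes)])
    buf[off:off + len(new_bytes)] = new_bytes
    return bytes(buf), old


def text_checksum(elf):
    """Toy integrity check: 32-bit byte sum over every executable segment.

    Any in-place change to executable bytes alters it; a real self-check in a
    binary may use a different function, but the consequence is the same.
    """
    total = 0
    for _, p_off, p_filesz, p_flags in load_segments(elf):
        if p_flags & PF_X:
            total = (total + sum(elf[p_off:p_off + p_filesz])) & 0xffffffff
    return total


if __name__ == "__main__":
    elf = build_sample_elf()
    jne_va = CODE_VA + 2                                   # the jne sits 2 bytes into CODE
    patched, old = patch(elf, jne_va, b"\x74", budget=1)   # 0x75 (jne) -> 0x74 (je)
    print("patched %#x: %s -> 74" % (jne_va, old.hex()))
    print("checksum before %#x, after %#x" % (text_checksum(elf), text_checksum(patched)))
```

Flipping a conditional jump (0x75 to 0x74) or turning it into a short unconditional jmp (0xeb) costs one byte; replacing a two-byte jcc with two nops costs two, which is why the budget matters.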
Two challenges: reverse engineer the binary to find the correct license key, but your input will be modified somehow before being compared to the correct key. These challenges allow you to patch 5 bytes in the binary.
Two challenges: reverse engineer the binary to find the correct license key, but your input will be modified somehow before being compared to the correct key. These challenges allow you to patch 1 byte in the binary.
Two challenges: reverse engineer the binary to find the correct license key, but your input will be modified somehow before being compared to the correct key. These challenges allow you to patch 2 bytes in the binary, but perform an integrity check afterwards.
Yan85
Yan85 is a virtual machine and obfuscation engine. It is designed to be a simple, yet powerful, virtual machine that can be used to obfuscate code. The following set of challenges leverage the Yan85 virtual machine. Early time spent understanding how this virtual machine works will pay off in future challenges that use Yan85.
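As an added example (not the page's code, and not Yan85's real instruction set), the toy VM below shows the two things you do with any VM-based obfuscation: write a disassembler for the bytecode so you read the program instead of the emulator, and instrument the emulator so it does the reversing for you. The encoding here is invented for the example: 3-byte instructions [opcode, x, y], four byte registers a-d, 256 bytes of memory, IMM/ADD/LDM/STM/CMP/JMP/SYS opcodes. The embedded VM program and its key table are constructed too. It reads 8 bytes, adds 0x10 to each and compares with a table in memory, so the check looks like the "input modified before compare" challenges. The recover_key function never decodes the transformation; it uses the number of CMPs executed as a progress oracle and finds the key one byte at a time, which is the kind of shortcut "you won't need to reverse too much VM code" hints at.

```python
# Constructed toy VM for the example; the encoding is invented and is NOT Yan85's.
A, B, C, D = 0, 1, 2, 3                   # register numbers
REGS = ["a", "b", "c", "d"]
OPS = {0x01: "IMM", 0x02: "ADD", 0x04: "LDM", 0x08: "STM",
       0x10: "CMP", 0x20: "JMP", 0x40: "SYS"}
FLAG_E, FLAG_L, FLAG_G, FLAG_N = 1, 2, 4, 8
COND = {0: "always", FLAG_E: "E", FLAG_L: "L", FLAG_G: "G", FLAG_N: "N"}
SYS_READ, SYS_EXIT = 1, 4


def asm(op, x, y):
    return bytes([op, x, y])

# Constructed VM program: read 8 bytes to mem[0], add 0x10 to each, compare with
# the table at mem[0x80..0x88), exit(0) if all match and exit(1) at first mismatch.
CODE = b"".join([
    asm(0x01, A, 0x00), asm(0x01, B, 0x08), asm(0x40, SYS_READ, A),   # 0-2: read(mem[0], 8)
    asm(0x01, C, 0x00), asm(0x01, D, 0x10),                           # 3-4: i = 0, delta = 0x10
    asm(0x04, A, C), asm(0x02, A, D),                                 # 5-6: a = input[i] + 0x10
    asm(0x01, B, 0x80), asm(0x02, B, C), asm(0x04, B, B),             # 7-9: b = mem[0x80 + i]
    asm(0x10, A, B), asm(0x01, B, 21), asm(0x20, FLAG_N, B),          # 10-12: if a != b goto 21
    asm(0x01, A, 1), asm(0x02, C, A),                                 # 13-14: i += 1
    asm(0x01, B, 8), asm(0x10, C, B), asm(0x01, B, 5), asm(0x20, FLAG_L, B),  # 15-18: if i < 8 goto 5
    asm(0x01, A, 0), asm(0x40, SYS_EXIT, A),                          # 19-20: exit(0), key accepted
    asm(0x01, A, 1), asm(0x40, SYS_EXIT, A),                          # 21-22: exit(1), mismatch
])
TRUE_KEY = b"VMKEY_42"                                                # constructed secret
MEMORY = bytes(0x80) + bytes((k + 0x10) & 0xff for k in TRUE_KEY) + bytes(0x78)


def reg(n):
    return REGS[n] if n < len(REGS) else "r?%d" % n


def disassemble(code):
    """One text line per 3-byte instruction, mirroring the encoding above."""
    out = []
    for pc in range(len(code) // 3):
        op, x, y = code[pc * 3:pc * 3 + 3]
        name = OPS.get(op, "???")
        if name == "IMM":
            text = "IMM %s, %#04x" % (reg(x), y)
        elif name == "JMP":
            text = "JMP %s, %s" % (COND.get(x, "%#04x" % x), reg(y))
        elif name == "SYS":
            text = "SYS %d, %s" % (x, reg(y))
        elif name == "???":
            text = ".byte %#04x, %#04x, %#04x" % (op, x, y)
        else:
            text = "%s %s, %s" % (name, reg(x), reg(y))
        out.append("%2d: %s" % (pc, text))
    return out


def run(code, mem, stdin, trace=None, max_steps=10000):
    """Emulate `code` over a copy of `mem`; returns the SYS_EXIT status.
    Every CMP is appended to `trace` as (pc, lhs, rhs) when a list is given."""
    regs, mem, inp, pc, flags = [0, 0, 0, 0], bytearray(mem), bytes(stdin), 0, 0
    for _ in range(max_steps):
        op, x, y = code[pc * 3:pc * 3 + 3]
        pc += 1
        if op == 0x01:
            regs[x] = y
        elif op == 0x02:
            regs[x] = (regs[x] + regs[y]) & 0xff
        elif op == 0x04:
            regs[x] = mem[regs[y]]
        elif op == 0x08:
            mem[regs[x]] = regs[y]
        elif op == 0x10:
            lhs, rhs = regs[x], regs[y]
            flags = ((FLAG_E if lhs == rhs else FLAG_N)
                     | (FLAG_L if lhs < rhs else 0) | (FLAG_G if lhs > rhs else 0))
            if trace is not None:
                trace.append((pc - 1, lhs, rhs))
        elif op == 0x20:
            if x == 0 or flags & x:
                pc = regs[y]
        elif op == 0x40 and x == SYS_READ:     # read regs[b] bytes from stdin into mem[regs[y]]
            n, dst = regs[B], regs[y]
            mem[dst:dst + n] = inp[:n].ljust(n, b"\0")
            inp = inp[n:]
        elif op == 0x40 and x == SYS_EXIT:
            return regs[y]
        else:
            raise ValueError("bad instruction %02x %02x %02x at %d" % (op, x, y, pc - 1))
    raise RuntimeError("step limit exceeded")


def recover_key(code, mem, length):
    """Use the emulator as an oracle: the input byte that lets the program execute
    the most CMPs is the accepted one, so the key falls out byte by byte."""
    key = bytearray()
    for i in range(length):
        def progress(v):
            trace = []
            run(code, mem, bytes(key) + bytes([v]) + bytes(length - i - 1), trace)
            return len(trace)
        key.append(max(range(256), key=progress))
    if run(code, mem, bytes(key)) != 0:
        raise RuntimeError("oracle did not converge on an accepted key")
    return bytes(key)


if __name__ == "__main__":
    print("\n".join(disassemble(CODE)))
    print("recovered:", recover_key(CODE, MEMORY, 8))
```

The oracle trick only needs the emulator to be observable (here a trace list; against a real emulator, a breakpoint or a counter on its CMP handler does the same job) and works regardless of how the input is transformed before the compare.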
Let's dive into reverse engineering obfuscated code! (two challenges)
These challenges use VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!
If you are clever, you won't need to reverse too much VM code.
Let's continue deeper in reverse engineering obfuscated code! (two challenges)
These challenges use VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!
Four challenges using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!
Two challenges using VM-based obfuscation: reverse engineer the custom emulator and architecture to understand how to get the flag!
These are full end-to-end obfuscated challenges, like you might see in real-world obfuscated code!
Two challenges: reverse engineer this custom emulator and architecture to understand how to get the flag!
Two challenges: reverse engineer this custom emulator and architecture, and write your own custom shellcode to get the flag.
Two challenges: reverse engineer this custom emulator and architecture, and write your own custom shellcode to get the flag, with a twist.
This is the final boss.
Are you a true Yan-head?
Cows and Bulls
Cows and Bulls is a classic code-breaking game where the objective is to correctly guess a random number. This set of challenges will require you to reverse engineer a binary that plays this guessing game with you. Be warned, winning the game (and in turn, getting the flag) may not be as easy as it seems!
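As an added example (not part of the page, and not the challenge binary's own logic), here is the standard Cows and Bulls scoring rule and a consistency solver built on it. When you reverse the game binary, the first thing to confirm is whether its scoring matches this rule, in particular how it handles repeated digits, and how the secret is generated; the solver takes an oracle function so the local stand-in below can be swapped for one that talks to the real program. The secret "4271" is constructed for the demonstration.

```python
import itertools


def score(secret, guess):
    """Standard Cows and Bulls feedback as (bulls, cows).

    Bulls: correct digit in the correct position. Cows: correct digit in the
    wrong position. A repeated digit counts at most as often as it occurs in
    both strings, which is where hand-rolled scorers usually go wrong.
    """
    if len(secret) != len(guess):
        raise ValueError("secret and guess must have the same length")
    bulls = sum(s == g for s, g in zip(secret, guess))
    common = sum(min(secret.count(d), guess.count(d)) for d in set(guess))
    return bulls, common - bulls


def candidates(length=4, distinct=True):
    """Every possible secret: permutations when digits must be distinct."""
    digits = "0123456789"
    if distinct:
        pool = itertools.permutations(digits, length)
    else:
        pool = itertools.product(digits, repeat=length)
    return ["".join(p) for p in pool]


def make_oracle(secret):
    """Local stand-in for the binary: answers each guess with (bulls, cows)."""
    return lambda guess: score(secret, guess)


def solve(oracle, length=4, distinct=True, max_guesses=20):
    """Consistency solver: keep only secrets that would have produced every
    answer seen so far, and always guess one of them. Returns (secret, history)."""
    pool = candidates(length, distinct)
    history = []
    while pool and len(history) < max_guesses:
        guess = pool[0]
        bulls, cows = oracle(guess)
        history.append((guess, bulls, cows))
        if bulls == length:
            return guess, history
        pool = [c for c in pool if score(c, guess) == (bulls, cows)]
    return None, history


if __name__ == "__main__":
    found, history = solve(make_oracle("4271"))
    for guess, bulls, cows in history:
        print("%s -> %d bulls, %d cows" % (guess, bulls, cows))
    print("secret:", found)
```

If the binary's scoring deviates from the rule in score (or the secret is not what the game claims), the candidate pool empties and solve returns None; that is the signal to go back to the disassembly rather than to keep guessing.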
Four challenges: reverse engineer the binary to find out how to win this game of Cows and Bulls!