Day 17(Task 22) ReverseELFneering – Advent of Cyber 2 TryHackMe

In this task we will be doing some reverse engineering!  We will take compiled code and turn it back into the assembly instructions it is made of, so we can read it.  Those instructions are specific to a processor architecture, which is why you can’t run a 64-bit binary on a 32-bit processor.  The good news is that you can still run 32-bit binaries on a 64-bit processor because they are backward compatible.

For this challenge we will be using a program called Radare2.  I have never used this before, but it should be able to disassemble the binary so we can read it.

First let’s log into the machine we deployed, using ssh.

ssh elfmceager@10.10.25.242

We will use the password of adventofcyber

We can use Radare2 to open a program in debug mode and then analyze the binary using the aa command.

We can use ? to list more options, or a? to get help on a specific command, in this case a.

Once the analysis is complete we can use the afl command to list the functions.

We can use the Print Disassembly Function command to view the assembly code for a function.  The function name needs a prefix of @, so the command to disassemble main would be

pdf @main

We can set breakpoints using db followed by the memory address.  When you run the program using pdf @main, it will halt at the memory address you gave as the breakpoint.  You can set multiple breakpoints as you analyze a program.

Let’s do an ls and we can see there are 2 files, challenge1 and file1.  We will be using the challenge1 file.

First let’s analyze the binary using Radare2 by opening the file in debugging mode.

r2 -d ./challenge1

Now let’s analyze it using the aa command.

I got a few errors about the block size exceeding the max block size, so we can make it bigger using

e anal.bb.maxsize = 80000

You can check that it changed by running

e anal.bb.maxsize

Now let’s run aa again and look at the functions using afl.

There are a lot of functions in here.  Let’s pipe the result into grep “main”.  Now we can see the main function, called sym.main.

Now we can disassemble that function using pdf @main.

In the disassembly we can see that eax is loaded with the value of the local variable local_8h, which is set to 6.

Now we need the value of local_4h before eax is set to 0.  Find the instruction where you see mov eax, 0 and go one line above it.

We can see that local_4h is assigned the value of eax.  On the line above that, eax was set to the value of local_8h, so local_4h is equal to 6.
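The reasoning above, reading each mov and tracking what ends up in eax and in the stack slots, is exactly the kind of data-flow bookkeeping that is easy to get wrong by eye in a longer function. The following is an added example (my own code, not part of the TryHackMe task or of Radare2) that automates it: a tiny interpreter for the handful of instructions involved (mov, add, sub, imul). The instruction listing is constructed to mirror what the post describes (local_8h set to 6, copied into eax, stored into local_4h, then eax zeroed); it is not the real disassembly of challenge1, and the local_Nh names are simply treated as named memory slots.

```python
import re

# Constructed listing modelled on the page's description of main; this is
# NOT the actual pdf output of challenge1. radare2 labels stack variables
# local_Nh (rbp - N); here they are just keys in a dictionary.
LISTING = [
    "mov dword [local_8h], 6",
    "mov eax, dword [local_8h]",
    "mov dword [local_4h], eax",
    "mov eax, 0",
]

_INSTR_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*,\s*(.+?)\s*$")
_IMM_RE = re.compile(r"-?(0x[0-9a-fA-F]+|\d+)")
_MASK32 = 0xFFFFFFFF  # results are truncated to 32 bits like a real eax


def _parse(line):
    """Split 'mnemonic dst, src' and drop size prefixes such as 'dword'."""
    m = _INSTR_RE.match(line)
    if not m:
        raise ValueError(f"unsupported instruction: {line!r}")
    op, dst, src = m.groups()

    def strip_size(operand):
        return re.sub(r"^(byte|word|dword|qword)\s+", "", operand).strip()

    return op.lower(), strip_size(dst), strip_size(src)


def _read(state, operand):
    """Resolve an immediate, a register name, or a [stack slot] to a value."""
    if _IMM_RE.fullmatch(operand):
        return int(operand, 0)
    key = operand.strip("[]")
    if key not in state:
        # Reading an uninitialised slot means our listing is incomplete,
        # so fail loudly rather than silently assuming zero.
        raise KeyError(f"{key} read before it was written")
    return state[key]


def trace(listing):
    """Execute the listing; return (instruction, state_before, state_after) per step.

    Registers and stack slots are tracked by exact name (eax and rax are
    treated as distinct), which is enough for this style of question.
    """
    state = {}
    steps = []
    for line in listing:
        op, dst, src = _parse(line)
        before = dict(state)
        key = dst.strip("[]")
        if op == "mov":
            state[key] = _read(state, src)
        elif op == "add":
            state[key] = (_read(state, dst) + _read(state, src)) & _MASK32
        elif op == "sub":
            state[key] = (_read(state, dst) - _read(state, src)) & _MASK32
        elif op == "imul":
            state[key] = (_read(state, dst) * _read(state, src)) & _MASK32
        else:
            raise ValueError(f"unsupported mnemonic: {op}")
        steps.append((line, before, dict(state)))
    return steps


def value_before(listing, instruction, name):
    """Value of `name` just before the first instruction equal to `instruction`."""
    for line, before, _after in trace(listing):
        if line.strip() == instruction:
            return before.get(name)
    raise LookupError(f"{instruction!r} not found in listing")


if __name__ == "__main__":
    for line, _before, after in trace(LISTING):
        print(f"{line:30} -> {after}")
    # The question from the task: what is local_4h right before eax is zeroed?
    print("local_4h before 'mov eax, 0':", value_before(LISTING, "mov eax, 0", "local_4h"))
```

Running it prints the machine state after every instruction, which makes it obvious where each value came from; the value_before helper answers the "before eax is set to 0" style of question directly. Because the interpreter also handles add, sub and imul, the same script can be pointed at a longer hand-copied listing to check your own reading of a function.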

That completes today’s task of analyzing a binary using Radare2!  I had a lot of fun using this new program!