SlideShare a Scribd company logo

Reverse-engineering: Using GDB on Linux

Download as PPTX, PDF
R
Rick Harris

The document discusses a reverse-engineering project at Holberton School involving cracking an executable password using tools like gdb and ltrace. It details the process of analyzing assembly code, employing breakpoints, and interpreting register data to identify the password hidden in the executable. The author outlines their experience with debugging and highlights the tools they find most useful for reverse engineering.

Software
Related topics:
Insights on Software Development
1 of 24
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Reverse-engineering Using GDB on Linux
Reverse-engineering: Using GDB on Linux At Holberton School, we have had a couple rounds of a ‘#forfun’ project called crackme. For these projects, we are given an executable that accepts a password. Our assignment is to crack the program through reverse engineering. For round one we were given four Linux tools to use, and we had to demonstrate how to find the answer with each tool. It was quickly apparent that using a standard library string comparison is a bad idea as was hardcoding passwords into the executable in plain text. Another round demonstrated that the ltrace tool could gather not only the password from string comparisons, but the encryption method (MD5 in that case) to decrypt the password.
Reverse-engineering: Using GDB on Linux This week we were given another crack at hacking. I went to my go-to tool for reverse-engineering, the GNU Project Debugger (aka GDB), to find the password. If you would like to take a shot at cracking the executable, you can find it at Holberton School’s Github. The file relevant to this post is crackme3.
Program Checks Before I dig too deep into the exec file, I check what information I can get from it. First, I do a test run of the file to see what error information is provided. $ ./crackme3 Usage: ./crackme3 password For this executable the password is expected to be provided on the command line.
Program Checks The next check I run is ltrace just to see if the password will appear. In addition, it can provide some other useful information about how the program works. $ ltrace ./crackme3 password __libc_start_main(0x40068c, 2, 0x7ffcdd754bd8, 0x400710 <unfinished …> strlen(“password”) = 8 puts(“ko”ko ) = 3 +++ exited (status 1) +++ The return shows that the program is checking the length of the string, but there is no clear indication that this is a roadblock. Time to break down the program.
The GNU Project Debugger GDB is a tool developed for Linux systems with the goal of helping developers identify sources of bugs in their programs. In their own words, from the gnu.org website: GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes—or what another program was doing at the moment it crashed.
The GNU Project Debugger When reverse engineering a program, the tool is used to review the compiled Assembly code in either the AT&T or Intel flavors to see step-by-step what is happening. Breakpoints are added to stop the program midstream and review data in the memory registers to identify how it is being manipulated. I will cover these steps in more detail below.
The Anatomy of Assembly To get started, I entered the command to launch the crackme3 file with GDB followed by the disass command and the function name. The output is a list of Assembly instructions that direct each action of the executable. $ gdb ./crackme3 (gdb) disass main
The Anatomy of Assembly
The Anatomy of Assembly In the previous slide, the AT&T and Intel syntaxes are displayed side-by-side. However, the output will actually display only one of the two. I prefer to use the AT&T format because the flow makes more sense to me. The first column provides the address of the command. The next column is the command itself followed by the data source and the destination. Jumps and function calls have the jump location or function name following those lines. Intel syntax reverses the data source and destination in its display. There are additional differences in the command names and data syntaxes, but this is common when comparing scripts of two different languages that perform the same function. If I were writing Assembly, my syntax preference might be different and would be based on more than just flow of information.
The Logic Flow Every script depends highly on logic flow. Depending on the compiler and options selected when compiled, the flow of the Assembly code could be straightforward or very complex. Some options intentionally obfuscate the flow to disrupt attempts to reverse engineer the executable. Below is the output of the disass main command in AT&T syntax.
The Logic Flow
The Logic Flow The portions of the command not highlighted are jumps and closing processes before exit. There are four types of jumps in the output of main and check_password; je, jmp, jne, and jbe. The jmp command performs the described jump regardless of condition. The other three are conditional jumps. The first two, je and jne, are straightforward. They mean jump if equal and jump if not equal. The last command, jbe, is a jump used in a loop that means jump if less than or equal.
The Heart of the Question Ultimately we are looking for the password. Based on the information from the main output, it is primarily depending on the check_password function to determine whether to exit or provide access. To analyze the process happening in that function, I entered disass check_password.
The Heart of the Question
The Heart of the Question The first thing I confirm is that the length of the password entered is important. The program looks for a password that is four characters long. The instruction at 0x400632 actually shows the password in integer form, but I did not recognize it immediately. That value is stored in memory four bytes before the memory address stored in the RBP register. I use x/h * $RBP - 0x04 to print the value. The ‘h’ stands for hexadecimal and it is the easiest format to to see how the password is stored. From the instruction set, a comparison of two registers, rax and rdx, occurs at 0x40066a. This is where the next step of my investigation leads.
Registered and Certified (gdb) b *0x40066a (gdb) run test Starting program: /home/vagrant/reverse_engineering/crackme3/crackme3 test Breakpoint 1, 0x000000000040066a in check_password () (gdb) info registers
Registered and Certified I set a breakpoint to analyze the data in process. Breakpoints do exactly what they say, they interrupt the process at the given instruction address. Once the breakpoint is set, I initialize the executable with the command run test. The value ‘test’ is the four character password I used to get past length test and into the password comparison. Once the breakpoint is triggered I enter info registers to view the data in the registers at the point the program was interrupted.
Registered and Certified Register Data On Each Loop 1: RDX—0x41 = A 2: RDX—0x42 = B 3: RDX—0x43 = C 4: RDX—0x4 = ^D or EOF Blue — User input | Green — Stored Password
Registered and Certified From the register information, I find two integers are stored; 0x74 and 0x41. The ASCII value of the letter ‘t’ is 0x74. The printable letter for 0x41 is ‘A’. I also noticed that in RCX is an integer value of 0x4434241. If read in reverse, it is 41, 42, 43 and 4. Converted to the character values it is A, B, C, ^D or EOF.
Registered and Certified Inputting the password is tricky. Bash interprets the EOF file command so it isn’t passed to the executable. In fact, it is used to exit executables. I tried to store it in a file, but emacs reads ^D (Ctrl + D) as an end of buffer command. My workaround is to use an online ASCII to text converter and paste into a file through Atom. It adds a new line character which I remove with emacs.
Registered and Certified To get the password past Bash and into the executable, I use the command line below. This keeps Bash busy with passing the values to the executable so it does not interpret the EOF, end of file or transmission. $ ./crackme3 $(< 0-password) Congratulations!
Conclusion Gdb is a powerful tool that is useful for much more than I have covered in this post. Take the time to read the documentation from GNU to learn more. I am confident there are many other tools that can be used as well. Share your go-to tool for reverse-engineering or debugging in the comments below.
About Rick Harris Student at Holberton School, a project-based, peer-learning school developing full-stack software engineers in San Francisco. Involved in the IT industry for 6+ years most recently as a part of the Office of Information Technologies at the University of Notre Dame. Keep in Touch Twitter: @rickharris_dev LinkedIn: rickharrisdev

More Related Content

PDF
The impact of jitter on the HEVC video streaming with Multiple Coding
HakimSahour
 
PDF
[IGC2018] 넷마블 이상철 - 모바일 게임 보안 AR(Android Republic) 변조앱 내부를 파헤치다
강 민우
 
PDF
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
Cory Forsyth
 
PDF
Virtualization Architecture & KVM
Pradeep Kumar
 
PPTX
Devops ppt
Sulekha IT Training
 
PDF
Microservicios - RabbitMQ
Mariano German Egui
 
PPTX
IBM Cloud Integration Platform High Availability - Integration Tech Conference
Robert Nicholson
 
PPTX
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
AWSKRUG - AWS한국사용자모임
 
The impact of jitter on the HEVC video streaming with Multiple Coding
HakimSahour
 
[IGC2018] 넷마블 이상철 - 모바일 게임 보안 AR(Android Republic) 변조앱 내부를 파헤치다
강 민우
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
Cory Forsyth
 
Virtualization Architecture & KVM
Pradeep Kumar
 
Devops ppt
Sulekha IT Training
 
Microservicios - RabbitMQ
Mariano German Egui
 
IBM Cloud Integration Platform High Availability - Integration Tech Conference
Robert Nicholson
 
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
AWSKRUG - AWS한국사용자모임
 

Viewers also liked (20)

PPTX
GDB: A Lot More Than You Knew
Undo
 
PDF
Give me 15 minutes and i'll change your view of gdb
gregthelaw
 
PPS
/Users/teacher/desktop/going up reading.ppt
m_garrido
 
PPSX
CyberLab CCEH Session - 5 System Hacking
CyberLab
 
PPT
Virtualized Platform Migration On A Validated System
gazdagf
 
PPT
Net App At Egis English
gazdagf
 
PDF
Hunting segfaults (for beginners)
uwevoelker
 
ODP
Tools used for debugging
Marian Marinov
 
PDF
Gdb cheat sheet
Piyush Mittal
 
DOCX
Төгсөлтийн сургалтыг зохицуулах журам
naranbatn
 
PPT
Introduction to gdb
Owen Hsu
 
PPTX
How STP works?
NetProtocol Xpert
 
PPTX
Route Redistribution between OSPF and EIGRP
NetProtocol Xpert
 
PPTX
оутт 5
Khaliuna Khina
 
PDF
Gdb remote debugger
shanghai jiaotong university
 
PDF
GDB Rocks!
Kent Chen
 
PDF
AWS Certified Solution Architect - Associate Level
Yabin Meng
 
PDF
Gdb tutorial-handout
Suraj Kumar
 
KEY
淺入淺出 GDB
Jim Chang
 
PDF
Python + GDB = Javaデバッガ
Kenji Kazumura
 
GDB: A Lot More Than You Knew
Undo
 
Give me 15 minutes and i'll change your view of gdb
gregthelaw
 
/Users/teacher/desktop/going up reading.ppt
m_garrido
 
CyberLab CCEH Session - 5 System Hacking
CyberLab
 
Virtualized Platform Migration On A Validated System
gazdagf
 
Net App At Egis English
gazdagf
 
Hunting segfaults (for beginners)
uwevoelker
 
Tools used for debugging
Marian Marinov
 
Gdb cheat sheet
Piyush Mittal
 
Төгсөлтийн сургалтыг зохицуулах журам
naranbatn
 
Introduction to gdb
Owen Hsu
 
How STP works?
NetProtocol Xpert
 
Route Redistribution between OSPF and EIGRP
NetProtocol Xpert
 
оутт 5
Khaliuna Khina
 
Gdb remote debugger
shanghai jiaotong university
 
GDB Rocks!
Kent Chen
 
AWS Certified Solution Architect - Associate Level
Yabin Meng
 
Gdb tutorial-handout
Suraj Kumar
 
淺入淺出 GDB
Jim Chang
 
Python + GDB = Javaデバッガ
Kenji Kazumura
 
Ad

Similar to Reverse-engineering: Using GDB on Linux (20)

PDF
My solution to malware.lu HackGyver's challenges.
Aodrulez
 
PDF
Usage of GDB
Jongseok Choi
 
PPT
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
PPTX
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
PDF
Linux binary Exploitation
Arcangelo Saracino
 
PPTX
Reverse Engineering: Protecting and Breaking the Software (Workshop)
Satria Ady Pradana
 
PPTX
Reversing with gdb
Mihir Shah
 
PPTX
(Workshop) Reverse Engineering - Protecting and Breaking the Software
Satria Ady Pradana
 
PDF
Shellcode Disassembling - Reverse Engineering
Sumutiu Marius
 
PDF
The walking 0xDEAD
Carlos Garcia Prado
 
PPTX
Gnu debugger
Gizem Çetin
 
PPTX
GNU Debugger
Gizem Çetin
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
PPTX
Advanced Debugging with GDB
David Khosid
 
PPT
Debug(1).ppt
HebaEng
 
PPT
Gccgdb
selva raj
 
PDF
CNIT 127: Ch 4: Introduction to format string bugs
Sam Bowne
 
PDF
How To Beat An Advanced CrackMe
Souhail Hammou
 
PDF
Linux Shellcode disassembling
Harsh Daftary
 
PDF
x64 Assembly Language Step-by-Step: Programming with Linux (Tech Today), 4th ...
nasonjijue
 
My solution to malware.lu HackGyver's challenges.
Aodrulez
 
Usage of GDB
Jongseok Choi
 
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Linux binary Exploitation
Arcangelo Saracino
 
Reverse Engineering: Protecting and Breaking the Software (Workshop)
Satria Ady Pradana
 
Reversing with gdb
Mihir Shah
 
(Workshop) Reverse Engineering - Protecting and Breaking the Software
Satria Ady Pradana
 
Shellcode Disassembling - Reverse Engineering
Sumutiu Marius
 
The walking 0xDEAD
Carlos Garcia Prado
 
Gnu debugger
Gizem Çetin
 
GNU Debugger
Gizem Çetin
 
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
Advanced Debugging with GDB
David Khosid
 
Debug(1).ppt
HebaEng
 
Gccgdb
selva raj
 
CNIT 127: Ch 4: Introduction to format string bugs
Sam Bowne
 
How To Beat An Advanced CrackMe
Souhail Hammou
 
Linux Shellcode disassembling
Harsh Daftary
 
x64 Assembly Language Step-by-Step: Programming with Linux (Tech Today), 4th ...
nasonjijue
 
Ad

Recently uploaded (20)

PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Introduction Database Management System for Course Database
ReinertYosua
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
System and Network Administraation Chapter 3
jaramharo
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 

Reverse-engineering: Using GDB on Linux

  • 2. Reverse-engineering: Using GDB on Linux At Holberton School, we have had a couple rounds of a ‘#forfun’ project called crackme. For these projects, we are given an executable that accepts a password. Our assignment is to crack the program through reverse engineering. For round one we were given four Linux tools to use, and we had to demonstrate how to find the answer with each tool. It was quickly apparent that using a standard library string comparison is a bad idea as was hardcoding passwords into the executable in plain text. Another round demonstrated that the ltrace tool could gather not only the password from string comparisons, but the encryption method (MD5 in that case) to decrypt the password.
  • 3. Reverse-engineering: Using GDB on Linux This week we were given another crack at hacking. I went to my go-to tool for reverse-engineering, the GNU Project Debugger (aka GDB), to find the password. If you would like to take a shot at cracking the executable, you can find it at Holberton School’s Github. The file relevant to this post is crackme3.
  • 4. Program Checks Before I dig too deep into the exec file, I check what information I can get from it. First, I do a test run of the file to see what error information is provided. $ ./crackme3 Usage: ./crackme3 password For this executable the password is expected to be provided on the command line.
  • 5. Program Checks The next check I run is ltrace just to see if the password will appear. In addition, it can provide some other useful information about how the program works. $ ltrace ./crackme3 password __libc_start_main(0x40068c, 2, 0x7ffcdd754bd8, 0x400710 <unfinished …> strlen(“password”) = 8 puts(“ko”ko ) = 3 +++ exited (status 1) +++ The return shows that the program is checking the length of the string, but there is no clear indication that this is a roadblock. Time to break down the program.
  • 6. The GNU Project Debugger GDB is a tool developed for Linux systems with the goal of helping developers identify sources of bugs in their programs. In their own words, from the gnu.org website: GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes—or what another program was doing at the moment it crashed.
  • 7. The GNU Project Debugger When reverse engineering a program, the tool is used to review the compiled Assembly code in either the AT&T or Intel flavors to see step-by-step what is happening. Breakpoints are added to stop the program midstream and review data in the memory registers to identify how it is being manipulated. I will cover these steps in more detail below.
  • 8. The Anatomy of Assembly To get started, I entered the command to launch the crackme3 file with GDB followed by the disass command and the function name. The output is a list of Assembly instructions that direct each action of the executable. $ gdb ./crackme3 (gdb) disass main
  • 9. The Anatomy of Assembly
  • 10. The Anatomy of Assembly In the previous slide, the AT&T and Intel syntaxes are displayed side-by-side. However, the output will actually display only one of the two. I prefer to use the AT&T format because the flow makes more sense to me. The first column provides the address of the command. The next column is the command itself followed by the data source and the destination. Jumps and function calls have the jump location or function name following those lines. Intel syntax reverses the data source and destination in its display. There are additional differences in the command names and data syntaxes, but this is common when comparing scripts of two different languages that perform the same function. If I were writing Assembly, my syntax preference might be different and would be based on more than just flow of information.
  • 11. The Logic Flow Every script depends highly on logic flow. Depending on the compiler and options selected when compiled, the flow of the Assembly code could be straightforward or very complex. Some options intentionally obfuscate the flow to disrupt attempts to reverse engineer the executable. Below is the output of the disass main command in AT&T syntax.
  • 13. The Logic Flow The portions of the command not highlighted are jumps and closing processes before exit. There are four types of jumps in the output of main and check_password; je, jmp, jne, and jbe. The jmp command performs the described jump regardless of condition. The other three are conditional jumps. The first two, je and jne, are straightforward. They mean jump if equal and jump if not equal. The last command, jbe, is a jump used in a loop that means jump if less than or equal.
  • 14. The Heart of the Question Ultimately we are looking for the password. Based on the information from the main output, it is primarily depending on the check_password function to determine whether to exit or provide access. To analyze the process happening in that function, I entered disass check_password.
  • 15. The Heart of the Question
  • 16. The Heart of the Question The first thing I confirm is that the length of the password entered is important. The program looks for a password that is four characters long. The instruction at 0x400632 actually shows the password in integer form, but I did not recognize it immediately. That value is stored in memory four bytes before the memory address stored in the RBP register. I use x/h * $RBP - 0x04 to print the value. The ‘h’ stands for hexadecimal and it is the easiest format to to see how the password is stored. From the instruction set, a comparison of two registers, rax and rdx, occurs at 0x40066a. This is where the next step of my investigation leads.
  • 17. Registered and Certified (gdb) b *0x40066a (gdb) run test Starting program: /home/vagrant/reverse_engineering/crackme3/crackme3 test Breakpoint 1, 0x000000000040066a in check_password () (gdb) info registers
  • 18. Registered and Certified I set a breakpoint to analyze the data in process. Breakpoints do exactly what they say, they interrupt the process at the given instruction address. Once the breakpoint is set, I initialize the executable with the command run test. The value ‘test’ is the four character password I used to get past length test and into the password comparison. Once the breakpoint is triggered I enter info registers to view the data in the registers at the point the program was interrupted.
  • 19. Registered and Certified Register Data On Each Loop 1: RDX—0x41 = A 2: RDX—0x42 = B 3: RDX—0x43 = C 4: RDX—0x4 = ^D or EOF Blue — User input | Green — Stored Password
  • 20. Registered and Certified From the register information, I find two integers are stored; 0x74 and 0x41. The ASCII value of the letter ‘t’ is 0x74. The printable letter for 0x41 is ‘A’. I also noticed that in RCX is an integer value of 0x4434241. If read in reverse, it is 41, 42, 43 and 4. Converted to the character values it is A, B, C, ^D or EOF.
  • 21. Registered and Certified Inputting the password is tricky. Bash interprets the EOF file command so it isn’t passed to the executable. In fact, it is used to exit executables. I tried to store it in a file, but emacs reads ^D (Ctrl + D) as an end of buffer command. My workaround is to use an online ASCII to text converter and paste into a file through Atom. It adds a new line character which I remove with emacs.
  • 22. Registered and Certified To get the password past Bash and into the executable, I use the command line below. This keeps Bash busy with passing the values to the executable so it does not interpret the EOF, end of file or transmission. $ ./crackme3 $(< 0-password) Congratulations!
  • 23. Conclusion Gdb is a powerful tool that is useful for much more than I have covered in this post. Take the time to read the documentation from GNU to learn more. I am confident there are many other tools that can be used as well. Share your go-to tool for reverse-engineering or debugging in the comments below.
  • 24. About Rick Harris Student at Holberton School, a project-based, peer-learning school developing full-stack software engineers in San Francisco. Involved in the IT industry for 6+ years most recently as a part of the Office of Information Technologies at the University of Notre Dame. Keep in Touch Twitter: @rickharris_dev LinkedIn: rickharrisdev