2025-01-16 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 report
How do you work through a CTF REVERSE challenge in practice? Many beginners are unsure, so this article walks through one challenge in detail; anyone who needs it can follow along, and I hope you get something out of it.
Reverse engineering is the analysis of a program's compiled binary code, using tools such as disassemblers and debuggers, to recover its algorithms and implementation details. Reverse skills matter in day-to-day security work: malware analysis, vulnerability discovery, mobile security and software cracking all depend on them.
We previously walked through a real CTF web challenge; today we pick a REVERSE challenge and explain it.
First of all, REVERSE is a common challenge category in CTF competitions and tests the contestant's reverse engineering knowledge. The task is to analyse a binary program (an exe, dll or elf, for example) and understand how it works internally; the goal may be to recover a password, or to write a keygen that computes the registration code for a given user name.
So how do we reverse a program, and how do we get at the code of a finished binary?
Others have faced the same question, and several tools exist to help.
1. PEiD is a well-known packer detection tool. It identifies most common packers and the compiler that produced a program, supports external plug-ins, and accepts user-defined packer signatures. Its verdict is signature-based, so a packer it does not know, or one whose stub has been modified, can go unrecognized; treat the result as a hint rather than proof.
2. OllyDbg, usually called OD, is a user-mode debugger with a graphical interface that runs on all mainstream Windows versions. It combines dynamic debugging with static analysis, is easy to use, handles exceptions flexibly, and has a large ecosystem of community-written plug-ins, which together make it the first choice for user-mode dynamic debugging on Windows. Its disassembly engine recognizes thousands of commonly used C runtime and Windows API functions and annotates their parameters automatically. The most commonly used OD shortcut keys:
F2 set a breakpoint (pressing it again on an existing breakpoint removes it)
F4 run to the cursor line (execution breaks when it reaches the line under the cursor)
F7 step into (if a call is encountered, the trace enters it)
F8 step over (if a call is encountered, the whole call is executed in one step)
F9 run (continues until the process exits or the next breakpoint is hit)
3. IDA is an interactive disassembler, and a very powerful one. It disassembles binaries for many operating systems and processor architectures, and lets the analyst interact with the analysis to improve its results. IDA supports plug-ins and IDC scripts. The Hex-Rays Decompiler plug-in converts disassembly directly into C-like pseudocode, which greatly improves an analyst's efficiency. The IDA shortcut keys below help us analyse more efficiently.
Space switches the disassembly view between graph mode and text (list) mode
F5 decompiles the current function into pseudocode (requires the Hex-Rays plug-in)
X shows cross-references to the selected name
N renames a variable or function
D interprets the bytes at the cursor as data (byte, word, double word, quad word; repeated presses cycle the size)
C interprets the bytes at the cursor as code
A interprets the bytes at the cursor as a string
Experimental procedure
All right, let's start the experiment by opening the lab page, "Reverse exploration of CTF-REVERSE exercises".
Challenge description:
There is a CrackMe1.exe program in the C:\Reverse\1 directory on the host. When you run it, it prompts for a password; entering the correct password pops up a message box announcing success. Reverse-engineer and debug CrackMe1.exe to find the correct password.
Whatever the scenario, the first step is external behaviour analysis. When you first encounter something new you observe its outward characteristics carefully, and a CTF challenge is no different: after receiving the challenge, run the program and note where it accepts input, how each button reacts when clicked, what prompts appear while it runs, and so on.
Observing CrackMe1.exe, we learn that the program asks for a password. Clicking the button without entering anything produces the prompt shown in the figure:
Entering a test string produces this prompt:
There is a pop-up box and a prompt. Can we just go looking for that prompt string? Before reverse-engineering a program, besides observing its dynamic behaviour, it is essential to check whether it is packed (and with what packer) and which compiler built it. That is what PEiD, introduced above, is for: right-click the program, choose "Scan with PEiD" from the context menu, and the packer information is displayed. Here we see "Microsoft Visual C++ 6.0", meaning CrackMe1.exe is not packed and was compiled with VC6. Keep in mind that PEiD matches byte signatures at the entry point, so an unknown packer, or a stub written to imitate a compiler, produces a misleading verdict; a binary whose string list is nearly empty or whose sections have close to 8 bits of entropy per byte should be treated as packed regardless of what PEiD reports.
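The signature scan above is not the only evidence worth collecting. As an added example, not code from the article or the lab, the following Python script reads the PE section table with the standard library and flags packing by three indicators: section entropy, well-known packer section names, and how many readable strings each section holds (a packed binary is exactly the one whose string window comes up empty). The two PE images it scans are constructed in memory by the script itself (they are not CrackMe1.exe); the packer-name list, the 7.0-bit threshold and the minimal PE builder are assumptions chosen for illustration.

```python
import math
import re
import struct
from collections import Counter
from random import Random

FILE_ALIGN = 0x200
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted sections sit near 8.0
# Section names left behind by common packers (assumed list, extend as needed)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".themida"}


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, bytes) pairs. Constructed for
    this example: the headers are valid enough to parse, not to execute."""
    opt_size, nt_off = 224, 64
    raw_ptr = _align(nt_off + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, nt_off)  # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers, body, va = b"", b"", 0x1000
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PtrReloc, PtrLinenum, NumReloc, NumLinenum, Characteristics
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), va, raw_size, raw_ptr + len(body),
                               0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        va += _align(max(len(data), 1), 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_ptr, b"\0") + body


def parse_sections(data):
    """Return [(section name, raw section bytes)] from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, nt_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt_off + 20)[0]
    table = nt_off + 24 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]))
    return out


def shannon_entropy(buf):
    """Bits of entropy per byte; 0.0 for a constant buffer, ~8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def ascii_strings(buf, min_len=5):
    """Printable ASCII runs, the same thing the OD/IDA string windows list."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def assess(data):
    """Per-section report: entropy, readable string count, and why it looks packed."""
    findings = []
    for name, blob in parse_sections(data):
        ent = shannon_entropy(blob)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        if ent > HIGH_ENTROPY:
            reasons.append(f"entropy {ent:.2f} > {HIGH_ENTROPY}")
        findings.append({"section": name, "entropy": round(ent, 2),
                         "strings": len(ascii_strings(blob)), "reasons": reasons})
    return findings


def looks_packed(data):
    return any(f["reasons"] for f in assess(data))


def sample_clean_pe():
    # Repeated VC6-style prologue/epilogue and compare bytes plus the prompt
    # strings (constructed: low entropy, readable strings present).
    code = (b"\x55\x8b\xec\x83\xec\x40\x53\x56\x57\x8b\x45\x08"
            b"\x3a\x07\x75\x0a\x5f\x5e\x5b\xc9\xc3") * 150
    rdata = b"HeeTianLab\0password error\0Congratulations, you passed\0"
    return build_pe([(".text", code), (".rdata", rdata), (".data", b"\0" * 512)])


def sample_packed_pe():
    # UPX-like layout: an empty UPX0 and a UPX1 filled with deterministic
    # pseudo-random bytes standing in for compressed code (constructed).
    rng = Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([("UPX0", b""), ("UPX1", blob), (".rsrc", b"\0" * 64)])


if __name__ == "__main__":
    for label, image in (("clean", sample_clean_pe()), ("packed", sample_packed_pe())):
        print(label, "packed" if looks_packed(image) else "not packed")
        for f in assess(image):
            print("  ", f)
```

To use it on a real file, replace the constructed images with `open(path, "rb").read()`. A VC6 binary like the one in this lab shows a .text section around 5 to 6.5 bits of entropy and a .rdata full of strings; a section near 8 bits with no strings is the signature of a packer or a custom encryption layer, whatever PEiD says about the entry point.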
We switch to OD for dynamic debugging.
Dynamic debugging reveals many details of a program's internal execution logic; much of that information only becomes visible while the program is running and is hard to obtain from static analysis alone. On Windows, OD is our first-choice dynamic debugger.
Select CrackMe1.exe, right-click, and choose "Use OllyICE" from the context menu to open it in the OD main window. Right-click in the disassembly window and choose "Ultra String Reference" and then "Find ASCII" (this is a plug-in bundled with the Chinese OllyICE build; stock OllyDbg offers the equivalent under "Search for" > "All referenced text strings"), as shown in the figure:
A string list window then opens, listing the strings referenced by the loaded module, and we can look for anything of interest. Since the program showed "password error" earlier, press Ctrl+F, type "password error" in the dialog and click OK to find it:
Right above it is the success string, "Congratulations, you passed". Is this the key? Let's double-click it and see.
Double-clicking the found string jumps to OD's disassembly window at the instruction that references it, as shown in the following figure:
In this code snippet we also see a jnz instruction that decides whether the success or the failure prompt is shown; this is called the key jump. The code just above the key jump is usually the password-checking logic itself, so that is where to focus. Above the key jump, set a breakpoint at the following location (click the line to select it, then press F2):
00401456  55  push ebp
With the breakpoint set, press F9 to run the program, enter an arbitrary password (for example test) and click the button; the program breaks at our breakpoint. Then press F8 to step over instruction by instruction. When the trace reaches 00401490 we see both the password we typed, test, and the string HeeTianLab, as shown in the figure:
A closer look at the code shows that it takes characters from the two strings and compares them one at a time; as soon as a single character differs it eventually jumps to the failure prompt. So we can guess that HeeTianLab is the correct password. Launch another CrackMe1 process, enter HeeTianLab, and the success prompt appears:
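The method just used, failure string to its reference, reference to the conditional jump that reaches it, and then the compare just above that jump, is mechanical enough to script. As an added example, not code from the article or the lab, the Python below parses an OllyDbg-style listing (address, opcode bytes and instruction separated by two or more spaces, with OD's "; ASCII" comments) and reports the key jump and the compare that feeds it. The listing is constructed: only the line "00401456  55  PUSH EBP" comes from the article, and every other address, byte sequence and comment is invented to model the byte-by-byte compare loop described above.

```python
import re
from dataclasses import dataclass

# Constructed OllyDbg-style listing, not the real CrackMe1.exe disassembly.
# Only "00401456  55  PUSH EBP" appears in the article; the rest is a made-up
# VC6-style loop comparing the input against "HeeTianLab" one byte at a time.
LISTING = """\
00401456  55            PUSH EBP
00401457  8BEC          MOV EBP,ESP
00401459  8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]        ; user input (assumed)
0040145C  BF 30504000   MOV EDI,CrackMe1.00405030           ; ASCII "HeeTianLab"
00401461  8A06          MOV AL,BYTE PTR DS:[ESI]
00401463  3A07          CMP AL,BYTE PTR DS:[EDI]
00401465  75 0A         JNZ SHORT CrackMe1.00401471
00401467  84C0          TEST AL,AL
00401469  74 12         JE SHORT CrackMe1.0040147D
0040146B  46            INC ESI
0040146C  47            INC EDI
0040146D  EB F2         JMP SHORT CrackMe1.00401461
00401471  68 40504000   PUSH CrackMe1.00405040              ; ASCII "password error"
00401476  E8 85FBFFFF   CALL CrackMe1.00401000
0040147B  EB 0A         JMP SHORT CrackMe1.00401487
0040147D  68 50504000   PUSH CrackMe1.00405050              ; ASCII "Congratulations, you passed"
00401482  E8 79FBFFFF   CALL CrackMe1.00401000
00401487  5D            POP EBP
00401488  C3            RETN
"""

COND_JUMPS = {"JE", "JZ", "JNE", "JNZ", "JA", "JAE", "JB", "JBE", "JG", "JGE",
              "JL", "JLE", "JS", "JNS", "JO", "JNO", "JP", "JNP", "JCXZ", "JECXZ"}


@dataclass
class Insn:
    addr: int
    opcodes: str
    mnemonic: str
    operands: str
    comment: str


def parse_listing(text):
    """Parse 'address  opcodes  instruction ; comment' lines, columns separated
    by two or more spaces as in a listing copied from the OD disassembly window."""
    insns = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3 or not re.fullmatch(r"[0-9A-Fa-f]{8}", parts[0]):
            continue
        addr, opcodes, rest = parts
        code, _, comment = rest.partition(";")
        mnemonic, _, operands = code.strip().partition(" ")
        insns.append(Insn(int(addr, 16), opcodes, mnemonic.upper(),
                          operands.strip(), comment.strip()))
    return insns


def jump_target(insn):
    """Target of a jump written like 'SHORT CrackMe1.00401471' (trailing 8 hex digits)."""
    m = re.search(r"([0-9A-Fa-f]{8})\s*$", insn.operands)
    return int(m.group(1), 16) if m else None


def find_string_ref(insns, needle):
    """Index of the first instruction whose OD comment mentions the string."""
    return next((i for i, insn in enumerate(insns) if needle in insn.comment), None)


def find_key_jump(insns, fail_idx):
    """Walk backwards from the failure-string reference. Prefer a conditional
    jump whose target is that reference; otherwise take the nearest one above."""
    fail_addr = insns[fail_idx].addr
    nearest = None
    for i in range(fail_idx - 1, -1, -1):
        if insns[i].mnemonic in COND_JUMPS:
            if jump_target(insns[i]) == fail_addr:
                return i
            if nearest is None:
                nearest = i
    return nearest


def find_compare(insns, jump_idx, window=6):
    """The CMP/TEST that sets the flags for the key jump, a few lines above it."""
    for i in range(jump_idx - 1, max(jump_idx - window, 0) - 1, -1):
        if insns[i].mnemonic in ("CMP", "TEST"):
            return i
    return None


def locate_key_jump(listing, fail_needle="password error"):
    insns = parse_listing(listing)
    fail_idx = find_string_ref(insns, fail_needle)
    if fail_idx is None:
        raise ValueError(f"no reference to {fail_needle!r} in the listing")
    jump_idx = find_key_jump(insns, fail_idx)
    if jump_idx is None:
        raise ValueError("no conditional jump above the failure-string reference")
    cmp_idx = find_compare(insns, jump_idx)

    def fmt(i):
        return f"{insns[i].addr:08X}  {insns[i].mnemonic} {insns[i].operands}".rstrip()

    return {
        "fail_ref": fmt(fail_idx),
        "key_jump": fmt(jump_idx),
        "compare": fmt(cmp_idx) if cmp_idx is not None else None,
        # Strings OD annotated above the key jump: candidates for the real password
        "strings_above": [insn.comment for insn in insns[:jump_idx] if "ASCII" in insn.comment],
    }


if __name__ == "__main__":
    for key, value in locate_key_jump(LISTING).items():
        print(f"{key:14} {value}")
```

The "strings_above" entry is the scripted version of what the F8 trace revealed: the constant the input is compared against is loaded right before the compare loop, so once the key jump is located, the candidate password is usually the annotated string a few instructions above it.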
That's the challenge solved. Next I'll do it again with another powerful tool, IDA: where there is a dynamic tool there must also be a static one.
Besides dynamic debugging, static analysis is an essential skill. It lets us quickly understand the program's code logic, especially when IDA's Hex-Rays plug-in generates pseudocode from the assembly, which greatly improves our efficiency.
Open CrackMe1.exe in IDA. IDA asks you to confirm the file type, processor type and so on; usually these defaults need no change, so just click OK. IDA then analyses the program, which takes a while; when it finishes it prints "The initial autoanalysis has been finished." in the Output window at the bottom, as shown in the figure:
Select "View"-"Open subviews"-"Strings" from the IDA menu to open the string list, as shown in the figure:
The Strings window in this IDA version has no Ctrl+F search, so we scroll through the list looking for strings of interest (Alt+T, Search > Text, does work in this window, and newer IDA versions add a quick filter). Scrolling down, we find the relevant prompt:
Double-click the "password error" string to jump to its definition, click the string's name, then press X to look up its cross-references; the dialog that pops up is shown in the following figure:
Click OK to jump to the instruction that references the string. We now see the disassembly, which we could analyse directly; if you would rather not read assembly, press F5 to generate pseudocode for the function. In the pseudocode the entered password is compared with HeeTianLab:
Obviously, HeeTianLab is the password we want.
Learning reverse engineering requires a deep understanding of computer science and programming, and it is a skill built up in stages. To do it well you need a broad base of programming languages, security knowledge, and a solid grasp of computer architecture and fundamentals, and those are only the foundation of reverse engineering!
© 2024 shulou.com SLNews company. All rights reserved.