Set up the environment
Before we begin, it is necessary to get the tools. For this tutorial, the main tool will be Ghidra. To download the Software Reverse Engineering tool at: https://github.com/NationalSecurityAgency/ghidra/releases Next extract the binary. If you are on Linux, you can unzip ghidra*.zip
Start the project and import the binary
Now that you have Ghidra opened and ready you need to start a new project.
This can be done by going to File then New Project or ctr + n.
The first screen asks whether the project is shared or not.
If you do not know what to do, just choose non-shared.
The next question asks where the files should go and where should the files go.
Using the ellipsis, three dots opens a file browser.
The best solution to keep all the files for a project together would be to make a project folder.
After the folder is created, then make a name for the project.
In this example, the project will be called “my-first-reverse-engineer”.
Once there is a project-specific folder and a project name, the next step is to click finish to start the project.
The next part will be to import the needed binaries and to set up the workspace Next will be to import the binary to do this either click “File” then “Import File” or just tap “i”.
Getting to know the work space
Solving this challenge
First jump to the main function.
Start by reading through the code some since this is a small binary in this small binary there is a simple comparison that changes whether it returns “good job” or “Try again”.
Looking at the if statement, it looks as if a variable must be zero.
What would make this happen?
The line above has strcmp that compares strings.
When googling or looking in the manual pages, this function returns zero if both strings are the same.
This compares correct and a local string to check that they are equal.
The line above the string comparison has a getline function.
As the name suggests, this function gets a line from a file.
The file that this reads from would be stdin.
This means that it reads one line from the imputed text.
Now, this means the user inputted text and the correct variable must be the same.
Double-clicking on the correct variable changes the listing to another point in memory.
Double-clicking the s_KEY… text reveals the key.
From what was discovered earlier, this key can be entered into the program to get “Good job” returned.
Now that a solution has been found, it’s time to enter the string into the program.
This would have been easier if the binary accepted newline characters at the end of the line.
Since the program does not accept new lines at the end of the key, it is needed to send the program the key without a new line.
This can be done by piping the user input into the program without a newline.
One solution would be to run a command like this: echo -n KEY-e8f5ba78-4511-4d17-ab73-ecf77f2574f3-KEY | ./challenge6.
Another solution would be to write the key to a file, then run a command to read the input from a file to send it to the program.
This is the command that reads the key from the file: ./challenge6 < key with the key being the name of the file containing the key without any extra newline chars.
The real fun
From a distance
The first step to understanding what the binary does is to look at it from a distance. There are a few methods to go about doing this. One method is to look at a graph of the control flow. Another method is to look at the function calls. Both methods have good results to get a general idea of what’s going on.
The strategy to look at a graph might seem a bit crazy at first, but it can be helpful. The idea for this is to look at the control flow and what goes to where. The place to start would be to find the desired end location. Then work your way back to the start, trying to figure out how to get there. The control flow is what will get you from the start to the end, therefor knowing what it checks will be helpful to get to the end.