Note: Most of the below information is summarized from Dr. Yan Shoshitaishvili’s pwn.college lectures from the “Binary Reverse Engineering” module. Much credit goes to Yan’s expertise! Please check out the pwn.college resources and challenges in the sources
Functions and Frames
Control Flow Graphs: a way of visually representing a function
- graph: word used to describe the entire function map
- block: set on instructions that will execute one after the other
- edges: represent conditional/unconditional jumps
- Blue (Unconditional Jump): a jump that will always be taken
- Green (Conditional Jump): the condition is met (true)
- Red (Conditional Jump): the condition is not met (false)
- prologue: sets up the stack frame
- save off the caller’s base pointer
- set current stack pointer as the base pointer
- “allocate” space on the stack (subtract from the stack pointer)
- epilogue: tears down the stack frame
- “deallocate” the stack
mov rsp, rbp
- Note: data is NOT destroyed by default
- restore the old base pointer
- “deallocate” the stack
- stack frame: reserved place in memory for the stack to operate
- stack pointer (rsp): points to the leftmost side of the stack frame
- base pointer (rbp): points to the rightmost side of the stack frame
What is the stack:
- a memory region used to store local variables
- when you
push
to the stack,rsp
is decreased by 8 - when you
pop
from the stack,rsp
is increased by 8
- when you
- the stack starts out storing the environment variables and the program arguments (among other things)
Data Access
Locations for Data:
- .data: used for pre-initialized global writable data (such as global arrays with initial values)
- .rodata: used for global read-only data (such as string constants)
- .bss: used for uninitialized global writable data (such as global arrays without initial values)
- stack: used for statically-allocated local variables
- heap: used for dynamically-allocated (malloc()ed) variables
Static Tools
Static Tools: tools used to reverse engineer a program at rest
Simple Tools:
- kaitai struct: file format parser and explorer
- nm: lists symbols used/provided by ELF files
- strings: dumps ASCII (and other format) strings found in a file
- objdump: simple disassembler
- checksec: analyzes security features used by an executable
Advanced Tools (Disassemblers):
- Commercial:
- IDA Pro: the “gold standard” of disassemblers
- Binary Ninja: IDA’s main commercial competitor
- Free:
- Binary Ninja Cloud: a version of Binary Ninja that runs in your browser!
- Open source:
- angr management: an academic binary analysis framework!
- ghidra: a reversing tool created by the National Security Agency
- cutter: a reversing tool created by the radare2 open source project
Dynamic Tools
Dynamic Tools: tools used to reverse engineer a program at runtime
Tools:
- ltrace: traces library calls
- strace: traces system calls
- gdb: used to walk through a program as it is running
- gdb has its own scripting language, here’s an example of it:
disp/5i $rip
break *0x401025
commands
x/s $rsp
c
end
- this will display the first five instructions of the code, then break right after the instruction located at *0x401025 is executed, and finally will display what is stored in the rsp register
Please share using the links if you enjoyed!