:::success
# SD Lab 5: Reverse Engineering
### Name: Daniil Sinelnik
:::

## Task 1: Theory

:::info
a. What kind of file did you receive (which architecture 32bit or 64bit, stripped or non-stripped, etc)?
b. What is stripped binaries and how does it affect reversing?
c. What are GOT and PLT?
d. What are binary symbols in reverse engineering? How does it help?
:::

:::info
a. What kind of file did you receive (which architecture 32bit or 64bit, stripped or non-stripped, etc)?
:::

![image](https://hackmd.io/_uploads/ryAx17c3a.png)

As the screenshot shows, the first four files are not stripped, while the last two are stripped. Only the last file is statically linked, and it reports a different GNU/Linux version than the others.

:::info
b. What is stripped binaries and how does it affect reversing?
:::

A non-stripped binary still carries its symbol table and, if it was compiled with the `gcc -g` flag, the debugging information as well. A stripped binary has had this information removed (for example with `strip`), because it is not needed at run time and only increases the size of the executable. For reversing this matters a lot: without the symbol table, function and variable names are gone, so a disassembler can only show generated names such as `sub_401000` and the analyst has to recover the purpose of each function from its code. Only the dynamic symbols that the loader needs (imported library functions such as `printf`) survive stripping.

:::info
c. What are GOT and PLT?
:::

`GOT` is the `Global Offset Table`, while `PLT` is the `Procedure Linkage Table`.

* The Global Offset Table is a data structure that contains the addresses of global variables and functions that the program accesses. In the context of function calls, the GOT stores the addresses of external functions that are dynamically linked at runtime. When the program calls a function from an external library, the dynamic linker/loader resolves the function's address into its GOT entry, and control flow is then redirected to the real function. Calling the `PLT` address of a function is therefore equivalent to calling the function itself, while the `GOT` entry holds the address of that function inside libc; the `GOT` itself lives in the binary's data segment.
* The Procedure Linkage Table is another data structure that works together with the GOT to make dynamic function calls possible.
  The PLT contains small code stubs that act as intermediaries between the program and external functions. Every call to an external function goes through its PLT stub, which jumps to the address stored in the corresponding GOT entry. On the first call that entry still points back into the PLT, so the stub invokes the dynamic linker/loader to resolve the real address and writes it into the GOT. Subsequent calls still pass through the same stub, but the jump through the GOT entry now lands directly on the resolved function without involving the linker again.

:::info
d. What are binary symbols in reverse engineering? How does it help?
:::

In reverse engineering, binary symbols are the names or identifiers present in compiled binary code that stand for elements such as functions, variables, classes and other program constructs. These symbols are crucial for understanding the functionality and structure of a binary executable. Binary symbols include:

* Function names
* Variable names
* Symbol tables
* Debugging info
* Import/export tables

All of this helps to understand the functionality, reconstruct the source code, identify vulnerabilities and navigate the code. To summarize: binary symbols play a crucial role in reverse engineering by providing valuable information about the structure and functionality of a binary executable, helping reverse engineers analyze, understand and modify software without access to the original source code.

## Task 2: Reversing

:::info
a. Inside the ZIP file, you will have multiple binaries, what does each binary do?
b. Is there any form of security protection in the code? If yes, what is the protection mechanism and which of the binaries is it applicable to?
c. Try to reverse the binaries by recreating them using any programming language of your choice (C is more preferred).
:::

:::info
a. Inside the ZIP file, you will have multiple binaries, what does each binary do?
:::

From the first inspection I found that `bin2` and `bin3` are exactly the same, as `diff bin2 bin3` confirms:

<center>

![image](https://hackmd.io/_uploads/Hy1p4Uq3T.png)

</center>

1. `bin1` shows the date and time, but in a modified form.
2. `bin2` and `bin3` are exactly the same: they return an array whose elements are twice their index (`index*2`).
3. `bin4` asks for an input number and tells whether it is `even` or `odd`.
4. `bin5` prints output in the form `%d = %llu`.
5. `bin6` prints the sum of two numbers.

:::info
b. Is there any form of security protection in the code? If yes, what is the protection mechanism and which of the binaries is it applicable to?
:::

I analyzed the binaries in `IDA`. All of them use Relocation Read-Only (RELRO), but not to the same degree: `bin1`-`bin5` use full RELRO, whereas in `bin6` the `.got` section is not made read-only, i.e. it has only partial RELRO. `bin1`-`bin5` also have stack canaries: they call `__stack_chk_fail`.

<center>

![image](https://hackmd.io/_uploads/rkOxaCa2p.png)

</center>

I also ran `checksec`, which shows that all of the files have the `NX` bit set (no-execute protection for the stack).
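To make the answers to Task 1a/b (stripped or not) and Task 2b (RELRO, canaries, NX) concrete, below is a small checksec-style inspector written from scratch for this report. It is an added example, not part of the lab, of `checksec`, or of any of the `bin*` files. Using only Python's `struct` module it parses the ELF64 file header, program headers and section headers and reports the facts discussed above: stripped (no `.symtab` section), NX (`PT_GNU_STACK` without the execute flag), partial versus full RELRO (`PT_GNU_RELRO` plus a `DT_BIND_NOW`/`DF_BIND_NOW`/`DF_1_NOW` entry in `.dynamic`), stack canaries (`__stack_chk_fail` present in `.dynstr`) and PIE (`ET_DYN`). Because the lab binaries are not reproduced here, the block also hand-assembles a constructed ELF64 image to run against; pass the path of a real binary as the first argument to inspect one of the `bin*` files instead. The example assumes little-endian ELF64 and locates `.dynamic`/`.dynstr` through section headers, so a binary whose section headers were removed would need the `PT_DYNAMIC` segment instead.

```python
import struct
import sys

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1                                   # segment flag: executable
SHT_SYMTAB, SHT_STRTAB, SHT_DYNAMIC = 2, 3, 6
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1
ET_DYN, EM_X86_64 = 3, 62

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # type, flags, offset, vaddr, paddr, filesz, memsz, align
SHDR = struct.Struct("<IIQQQQIIQQ")        # name, type, flags, addr, offset, size, link, info, align, entsize
DYN = struct.Struct("<qQ")                 # d_tag, d_val


def analyze(data: bytes) -> dict:
    """Derive stripped/NX/RELRO/canary/PIE facts from raw ELF64 bytes."""
    (ident, e_type, _, _, _, phoff, shoff, _, _,
     phentsize, phnum, shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")

    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]

    # Section names are NUL-terminated strings inside the .shstrtab section.
    shstr_off, shstr_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    shstrtab = data[shstr_off:shstr_off + shstr_size]
    sections = {}
    for sh in shdrs[1:]:                   # index 0 is the mandatory null section
        sections[shstrtab[sh[0]:shstrtab.index(b"\0", sh[0])].decode()] = sh

    # NX: the stack is non-executable when PT_GNU_STACK is present without PF_X.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO marks the range remapped read-only after relocation.
    # It only protects the whole GOT when BIND_NOW forces every import to be
    # resolved at load time; with lazy binding .got.plt has to stay writable.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    if ".dynamic" in sections:
        off, size = sections[".dynamic"][4], sections[".dynamic"][5]
        for i in range(size // DYN.size):
            tag, val = DYN.unpack_from(data, off + i * DYN.size)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"

    # Canary: code built with -fstack-protector imports __stack_chk_fail. The
    # name sits in .dynstr, which `strip` keeps because the loader needs it.
    canary = False
    if ".dynstr" in sections:
        off, size = sections[".dynstr"][4], sections[".dynstr"][5]
        canary = b"__stack_chk_fail" in data[off:off + size].split(b"\0")

    return {"bits": 64, "pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": canary, "stripped": not any(sh[1] == SHT_SYMTAB for sh in shdrs)}


def build_sample_elf(strip_symtab: bool = False, bind_now: bool = True) -> bytes:
    """Hand-assemble a tiny ELF64 image (constructed input, not a real binary):
    NX stack, a RELRO segment, optional BIND_NOW and an imported __stack_chk_fail."""
    dynamic = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
    dynstr = b"\0__stack_chk_fail\0puts\0"
    shstrtab = b"\0.dynamic\0.dynstr\0.symtab\0.shstrtab\0"
    name = {n: shstrtab.index(n.encode() + b"\0")
            for n in (".dynamic", ".dynstr", ".symtab", ".shstrtab")}
    phdrs = (PHDR.pack(PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16) +   # flags RW, no X
             PHDR.pack(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn_off = EHDR.size + len(phdrs)
    dynstr_off = dyn_off + len(dynamic)
    shstr_off = dynstr_off + len(dynstr)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7             # 8-byte align the table
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             SHDR.pack(name[".dynamic"], SHT_DYNAMIC, 0, 0, dyn_off, len(dynamic), 2, 0, 8, DYN.size),
             SHDR.pack(name[".dynstr"], SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
             SHDR.pack(name[".shstrtab"], SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)]
    if not strip_symtab:                                      # this is what `strip` removes
        shdrs.append(SHDR.pack(name[".symtab"], SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 8, 24))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9                # 64-bit, little-endian, version 1
    header = EHDR.pack(ident, ET_DYN, EM_X86_64, 1, 0, EHDR.size, shoff, 0, EHDR.size,
                       PHDR.size, 2, SHDR.size, len(shdrs), 3)
    image = header + phdrs + dynamic + dynstr + shstrtab
    return image + b"\0" * (shoff - len(image)) + b"".join(shdrs)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in analyze(blob).items():
        print(f"{key:>9}: {value}")
```

Run without arguments it reports the constructed image as PIE, NX, full RELRO, canary present and not stripped; `build_sample_elf(strip_symtab=True, bind_now=False)` flips that to stripped and partial RELRO, which is the difference the `file`/`checksec` screenshots above show between `bin1`-`bin5` and `bin6`.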