Homework 3-A1 ASM REV

# Homework 3-A1 ASM REV ## Introduction We are given a binary file. Our task is to reverse the assembly code and obtain the flag. https://training.firebird.sh/challenges?id=15 ## Solutions ### Obtaining the assembly We first obtain the assembly code from the binary file by executing the command below. (The -d flag for objdump means disassemble.) ``` objdump -d asm_rev ``` I have also tried the following commands below to see if i can obtain .bss, .data and .text sections seperately but it doesn't seem to be useful. (The -s flag stands for showing full contents while the -j flag stands for extracting sections) ``` objdump -s -j .bss asm_rev objdump -s -j .data asm_rev objdump -s -j .text asm_rev ``` ### Understanding the code Observing the assembly code, we may notice the following - The program starts with sys_close, closing a file. (seems weird ?) - The register %rax stores a random integer, which is actually an address. - The register %rbx stores an address close to %rax throughout the 10 loops. - Throughout the loops, the address in %rbx has been dereferenced and modified many times. ### Debugging the code To begin with, I execute the code with the gdb command ``` gdb asm_rev ```. Below shows some useful commands with gdb ``` b: adding a breakpoint d: delete all breakpoints i r / info registers: shows all information stored in registers p: print r / run: run the program s: step until the next breakpoint x: extract bytes from memory ``` I first add a breakpoint at _start and run the program. The program automatically adds all labels as breakpoints afterwards so we dont have to add one by one for the loops. ``` b _start run ``` Then, I tried to extract stuff by dereferencing %rax. Reference: https://stackoverflow.com/questions/23476898/dereferencing-a-register-gdb ``` x /64b $rax # Extract 8 bytes starting from the address in %rax p *((char**) $rax) # Also tried this to print strings but it does not work p *((char*) $rax) # Only prints one bit, so useless ``` I continued debugging and observing information stored in memory address %rax loop after loop but nothing useful appears. This is because the program terminates immediately after loop_a since there isn't any breakpoints afterwards. Finally, i add a breakpoint on line 0x401193 ```b *0x401193``` and run it again. This time, i observe the program right before it terminates and something useful appears. The numbers 102 108 97 103 appeared and i immediately realize that was the decimal representation for the characters flag. ## Edits - We should actually check whether the file is a 32-bit or 64-bit executable before we start. They have different syscall numbers and operate in different ways. (```file asm_rev```). This time, it's a 64-bit one. - It was discovered afterwards that the flag can be obtained immediately simply using ```strace ./asm_rev```.