---
title: 'Project'
tags: enee459b-fall23
---
## Project 1: Algorithms
You are working at a company called ‘**OurCompany**.’ Your supervisor has come to you because he heard you took a class on Reverse Engineering.
Apparently, they found some **anomalous outbound traffic on the network** late at night. They ran **Wireshark** to capture the traffic and found **TCP connections carrying binary blobs to an IP address** in an Eastern European country. When they examined the machine the traffic was coming from, they found a binary running. They have provided you with:
* A copy of the binary
* The payloads of a few of the binary blobs they saw
  * By payload, I mean the contents of the socket connection with all the TCP/IP headers stripped (in other words, the bytes passed to socket APIs such as `send()` and `recv()`).
“TheBoss” wants to know what is going on. What was this program doing? What information is in these binary blobs that appear to be random data with no patterns/signatures?
### Resources
* [Full Description of the project](https://yonghwi-kwon.github.io/class/enee459b/data/Project1.pdf)
* [Download the project 1's binaries](https://yonghwi-kwon.github.io/class/enee459b/data/project1.zip)
* You have been provided with the files ‘**binary**’, ‘**bin1**’, ‘**bin2**’, and ‘**bin3**.’ The ‘**binary**’ file is the **executable**. The **other bin files** were pulled from **Wireshark** and are the payloads of the communication that was viewed.
* Obtain the binary on the class VM server
```=csh
$ mkdir project1
$ cd project1
$ cp /class/project1/* ./
```
* FAQ
  * Q1. Please provide both the library file name and the library's project name. For example, for libc.so.6, provide `libc.so.6` and `Standard C libraries` (from https://man7.org/linux/man-pages/man7/libc.7.html).
  * Q2. There are two forms of Internet address: a domain name and an IP address. A domain name is a string (e.g., google.com), while an IPv4 address is four integers in the range 0-255 separated by `.` characters. For example, the domain name `localhost` means the current machine (itself), and the corresponding IP address is `127.0.0.1`.
    * Please provide all the addresses that you found, along with their port numbers.
  * Q3. What are the inputs used in the identified algorithm?
    * In this sub-question, the inputs essentially mean the configuration of the algorithm (i.e., the arguments passed to the algorithm's functions).
  * Q5. Are there any signatures you can look for to detect this on other hosts on your network?
    * Assume there is a malicious-activity detector. It can monitor (1) the API calls (or system calls) of all programs and (2) file operations (e.g., creation/deletion of files at particular paths). This is the typical system-monitoring agent that most anti-virus products have.
    * What information would you give such a system so that it can detect whether this program is actively executing?
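In practice Q2 and Q5 go together: once Ghidra shows the `connect()` call, the address and port are hard-coded constants stored in network byte order (so they look byte-swapped in an x86 listing), and that endpoint is the first signature you would hand to a monitoring agent. The Python below is an added example, not part of the project materials and not derived from the project binary: `decode_sin_addr`/`decode_sin_port` decode such immediates, `parse_sockaddr_in` parses a raw `struct sockaddr_in` as laid out in memory, and `scan_log` runs an endpoint/file-path signature over API-call log lines. The immediates, the `203.0.113.10:4444` endpoint, the `/tmp/.cache.bin` path and the log format are all constructed for the example.

```python
"""Added example for FAQ Q2/Q5.  All constants, paths and log lines are
constructed for illustration; none come from the project binary."""
import ipaddress
import re
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


def decode_sin_addr(imm32: int) -> str:
    """Decode a 32-bit immediate written into sockaddr_in.sin_addr.

    sin_addr is kept in network byte order.  When the listing shows
    MOV dword [rsp+4], 0x0100007F the bytes in memory are 7F 00 00 01,
    i.e. 127.0.0.1.  struct.pack('<I') reproduces that memory layout.
    """
    return str(ipaddress.IPv4Address(struct.pack("<I", imm32)))


def decode_sin_port(imm16: int) -> int:
    """Decode a 16-bit immediate written into sockaddr_in.sin_port.

    The value was produced by htons(): 0x5C11 in the listing is bytes
    11 5C in memory, i.e. port 0x115C = 4444.  Using struct instead of
    socket.ntohs() keeps the result independent of the analyst's host.
    """
    return struct.unpack("!H", struct.pack("<H", imm16))[0]


def parse_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Parse the first 8 bytes of struct sockaddr_in on x86/x86-64 Linux:
    sin_family (host order), sin_port and sin_addr (network order)."""
    if len(raw) < 8:
        raise ValueError("need at least 8 bytes of sockaddr_in")
    family = struct.unpack("<H", raw[0:2])[0]
    if family != 2:  # AF_INET
        raise ValueError(f"not AF_INET (sin_family={family})")
    port = struct.unpack("!H", raw[2:4])[0]
    return str(ipaddress.IPv4Address(raw[4:8])), port


@dataclass
class Signature:
    """What to hand the monitoring agent: endpoints the sample connects
    to and file paths it touches (Q5 lists both kinds of monitoring)."""
    endpoints: Set[Tuple[str, int]] = field(default_factory=set)
    file_paths: Set[str] = field(default_factory=set)


# Constructed log format (one API call per line), not a real agent's output:
#   <ts> pid=<n> comm=<name> call=<api>(<args>) ret=<value>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) "
    r"call=(?P<api>\w+)\((?P<args>.*)\) ret=(?P<ret>-?\w+)$"
)
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def scan_log(lines: Iterable[str], sig: Signature) -> List[Tuple[int, str, str]]:
    """Return (pid, comm, reason) for each line matching the signature.
    connect() is matched on destination ip:port, file calls on the path."""
    hits: List[Tuple[int, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        pid, comm, api, args = int(m["pid"]), m["comm"], m["api"], m["args"]
        if api == "connect":
            e = ENDPOINT_RE.search(args)
            if e and (e.group(1), int(e.group(2))) in sig.endpoints:
                hits.append((pid, comm, f"connect to {e.group(1)}:{e.group(2)}"))
        elif api in ("open", "openat", "unlink", "rename"):
            for path in sig.file_paths:
                if f'"{path}"' in args:
                    hits.append((pid, comm, f"{api} on {path}"))
    return hits


# Constructed sample log: one suspicious process plus benign noise.
SAMPLE_LOG = """\
1699000000.101 pid=4242 comm=binary call=socket(AF_INET, SOCK_STREAM, 0) ret=3
1699000000.102 pid=4242 comm=binary call=connect(3, 203.0.113.10:4444) ret=0
1699000000.150 pid=4242 comm=binary call=send(3, 512) ret=512
1699000000.900 pid=4242 comm=binary call=openat(AT_FDCWD, "/tmp/.cache.bin", O_RDONLY) ret=4
1699000001.000 pid=1337 comm=curl call=connect(5, 198.51.100.7:443) ret=0
1699000001.200 pid=2001 comm=sshd call=openat(AT_FDCWD, "/etc/passwd", O_RDONLY) ret=6
""".splitlines()


def demo() -> List[Tuple[int, str, str]]:
    """Decode constructed immediates as they would read in a listing, build
    the signature from them and run it over the sample log."""
    ip = decode_sin_addr(0x0A7100CB)   # constructed: 203.0.113.10
    port = decode_sin_port(0x5C11)     # constructed: 4444
    sig = Signature(endpoints={(ip, port)}, file_paths={"/tmp/.cache.bin"})
    return scan_log(SAMPLE_LOG, sig)


if __name__ == "__main__":
    for pid, comm, reason in demo():
        print(f"pid {pid} ({comm}): {reason}")
```

An endpoint-only signature is brittle: if the operator moves the server, the rule goes quiet. The API-call sequence the binary performs (socket, connect, repeated sends of blobs) together with any file paths it creates or reads survives an address change, which is why Q5 asks about both API calls and file operations.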
## Project 2: Binary Formats
Your boss has come to you with a new problem. He says there was a very **old program** that was used to **track emails for the help desk.** They would store them in **some kind of password-protected database** that was written by an intern many years ago.
The problem is they need to **retrieve data from the database**, and the original source code is gone. To make matters worse, **the passwords used to access the database are gone** as well. All that is known is that some kind of **JSON-based input is used to fill the database**.
“TheBoss” provides you with:
* A copy of the binary (program)
* Their existing database (bin.db)
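Describing a binary format (as the Q5 example format does for bitmaps) and extracting its records are the same job: a parser that checks every header field against the bytes that follow it is the quickest test of a format description, and it also produces the dump of extracted records. The Python below is an added example with an invented layout (magic `EMDB`, a fixed little-endian header, length-prefixed JSON records); it is not the layout of `bin.db`, which you must recover from the binary yourself, and the sample emails are constructed. It shows the shape a parser and field table take once the real layout is known.

```python
"""Added example for Project 2.  The record layout below is INVENTED for
illustration and is not the layout of bin.db; the emails are constructed.

Constructed layout (all integers little-endian):
  header: magic "EMDB" | u16 version | u16 record_count | u32 data_size
  record: u32 length | JSON payload of exactly `length` bytes
"""
import json
import struct
from typing import Any, Dict, List, Tuple

MAGIC = b"EMDB"
HEADER = struct.Struct("<4sHHI")   # magic, version, record_count, data_size
REC_HDR = struct.Struct("<I")      # payload length


def build_sample_db(records: List[Dict[str, Any]]) -> bytes:
    """Serialise records in the constructed layout (only so the example is
    self-contained; the real database was written by the intern's program)."""
    payloads = [json.dumps(r, separators=(",", ":")).encode() for r in records]
    body = b"".join(REC_HDR.pack(len(p)) + p for p in payloads)
    return HEADER.pack(MAGIC, 1, len(records), len(body)) + body


def parse_db(blob: bytes) -> Tuple[Dict[str, int], List[Dict[str, Any]]]:
    """Parse the constructed layout, cross-checking each field against the
    data it describes.  Each check is one you can also state in the format
    description so a reader can confirm it on the real file."""
    if len(blob) < HEADER.size:
        raise ValueError("file shorter than header")
    magic, version, count, data_size = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    if HEADER.size + data_size != len(blob):
        raise ValueError("data_size does not match file length")
    off = HEADER.size
    records: List[Dict[str, Any]] = []
    for i in range(count):
        if off + REC_HDR.size > len(blob):
            raise ValueError(f"record {i}: truncated length field")
        (length,) = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        payload = blob[off:off + length]
        if len(payload) != length:
            raise ValueError(f"record {i}: payload runs past end of file")
        records.append(json.loads(payload))
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    header = {"version": version, "record_count": count, "data_size": data_size}
    return header, records


def describe_header(blob: bytes) -> List[Tuple[int, int, str, str]]:
    """Field table (offset, size, name, value) in the style of the bitmap
    format description linked from the Resources section."""
    magic, version, count, data_size = HEADER.unpack_from(blob, 0)
    return [
        (0, 4, "magic", magic.decode("ascii", "replace")),
        (4, 2, "version", str(version)),
        (6, 2, "record_count", str(count)),
        (8, 4, "data_size", str(data_size)),
    ]


def dump_emails(blob: bytes) -> List[str]:
    """One line per record: the form a dump of extracted emails might take."""
    _, records = parse_db(blob)
    return [f'{r["from"]}: {r["subject"]}' for r in records]


# Constructed sample content, not from the real database.
SAMPLE_EMAILS = [
    {"from": "alice@ourcompany.example", "subject": "VPN down",
     "body": "Cannot connect since 9am."},
    {"from": "bob@ourcompany.example", "subject": "Printer",
     "body": "2nd floor printer jams."},
]


if __name__ == "__main__":
    db = build_sample_db(SAMPLE_EMAILS)
    for row in describe_header(db):
        print("%4d %4d %-13s %s" % row)
    print("\n".join(dump_emails(db)))
```

The value of the cross-checks is that they fail loudly when the description is wrong: a misread length field or a missing padding byte shows up as a truncation or trailing-bytes error on the real file rather than as silently garbled emails.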
### Turn in
* A **written report** detailing all findings. Be as complete as possible.
  * Please use screenshots to describe important code sections. The code should have variables and functions properly renamed and labeled.
* A copy of your annotated **Ghidra database**.
  * [How to obtain the Ghidra Database?](https://yongkwon.notion.site/Ghidra-Export-Binary-Database-02bc6b5e771a45cd8ad222a6a3182bb1?pvs=4)
* A dump of the database provided with **some of the emails extracted**.
### Resources
* [Full Description of the project](https://yonghwi-kwon.github.io/class/enee459b/data/Project2.pdf)
* [Example of Q5's answer format](https://yongkwon.notion.site/Describing-Bitmap-File-Format-645a0b4cfef54dc1bbf9c9bf219313ed)
* [Download the project 2's binaries](https://yonghwi-kwon.github.io/class/enee459b/data/project2.zip)
* Obtain the binary on the class VM server
```=csh
$ mkdir project2
$ cd project2
$ cp /class/project2/* ./
```