CTF Notes

Reversing

Last updated 3 years ago
Here are some tools for general evaluation of targets:

  • file --keep-going
  • Detect it Easy
  • TrID
  • Polyfile
  • binwalk
  • Decodify auto-decodes strings using various methods

Anti-debugging

Several techniques exist to prevent dynamic analysis. This section needs more info on that. Tell me more (see article 19:04).

/proc/self/status

Does strace appear to show a different execution than the normal one? If the program reads /proc/self/status, that's probably why. The TracerPid field in there is non-zero whenever a ptrace-based tracer (a debugger, or strace itself) is attached:

$ grep TracerPid /proc/self/status
TracerPid:      0

$ strace grep TracerPid /proc/self/status
TracerPid:      6553

Code mangling

Instruction encodings may have some undefined/reserved bits. If these are garbled, the program may still be valid, but your disassembler might choke.

Custom tooling

It can pay off, during bigger challenges, to write robust tools. pwnlib has excellent i/o facilities, on top of all the exploit development goodies. pwndbg makes GDB a lot friendlier.

Custom GDB scripts

It's surprisingly easy to implement your own GDB commands using the python API:

import gdb

class MyCMD(gdb.Command):
  """Implements the run_my_stuff command, which will be available at the gdb prompt"""

  def __init__(self):
    super(MyCMD, self).__init__("run_my_stuff", gdb.COMMAND_USER)

  def invoke(self, arg, from_tty):
    # Run any GDB command exactly as if it had been typed at the prompt
    gdb.execute("info breakpoints")
    # Evaluate an expression in the debuggee's context; the result is a gdb.Value
    rax = gdb.parse_and_eval("$rax")
    print("rax = 0x%x" % int(rax))

# Instantiating the class registers the command; load the file with `source myscript.py`
MyCMD()

See also: Snippets.

If you know what a binary is up to, you can set breakpoints at well-chosen locations and use a GDB script to pretty-print program state.

Custom Ghidra scripts

See the API of the ghidra-python reference.

Fat binaries

Macintosh apps can be both Intel and PPC (and presumably ARM now).

Hidden code

There are a few mechanisms to run code before main() gets invoked. Look for _init_array (called by __libc_start_main) and the even sneakier _preinit_array (invoked by the loader). Try LD_DEBUG=all to see what ld is up to.
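The array sections mentioned above are easy to enumerate statically. The following is an added example, not code from the original page: a minimal ELF64 section-header walk that lists every .preinit_array, .init_array and .fini_array entry, matching sections by their type rather than their name so a renamed section is still caught. It runs against a constructed in-memory ELF image (no code, made-up addresses) so it works offline; pass a path on the command line to run it on a real binary.

```python
import struct
import sys

# Section header types from the ELF specification. The loader follows the
# DT_*_ARRAY dynamic tags, which point at the same data these sections hold.
SHT_STRTAB = 3
SHT_INIT_ARRAY = 14
SHT_FINI_ARRAY = 15
SHT_PREINIT_ARRAY = 16
ARRAY_TYPES = {SHT_PREINIT_ARRAY, SHT_INIT_ARRAY, SHT_FINI_ARRAY}

EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian (64 bytes)
SHDR = "<IIQQQQIIQQ"         # ELF64 section header (64 bytes)

def init_arrays(data):
    """Map section name -> list of function pointers for every .preinit_array,
    .init_array and .fini_array section in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]          # sh_offset of the section-name string table

    def sec_name(idx):
        end = data.index(b"\0", strtab + idx)
        return data[strtab + idx:end].decode("ascii", "replace")

    found = {}
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_rest in shdrs:
        if sh_type in ARRAY_TYPES:          # by type, so a renamed section is still caught
            ptrs = struct.unpack_from("<%dQ" % (sh_size // 8), data, sh_off)
            found[sec_name(sh_name)] = list(ptrs)
    return found

def build_sample_elf():
    """Constructed sample image: a .preinit_array with one pointer and an
    .init_array with two. The addresses are made up and there is no code."""
    preinit = struct.pack("<Q", 0x401000)
    init = struct.pack("<2Q", 0x401100, 0x401200)
    shstrtab = b"\0.preinit_array\0.init_array\0.shstrtab\0"
    # Layout: ELF header | preinit | init | shstrtab | (8-byte aligned) section headers
    off_preinit = 64
    off_init = off_preinit + len(preinit)
    off_str = off_init + len(init)
    off_sh = (off_str + len(shstrtab) + 7) & ~7
    pad = off_sh - (off_str + len(shstrtab))

    def shdr(name_idx, sh_type, off, size, entsize):
        return struct.pack(SHDR, name_idx, sh_type, 0, 0, off, size, 0, 0, 8, entsize)

    shdrs = (
        bytes(64)                           # index 0 is always the null section header
        + shdr(shstrtab.index(b".preinit_array"), SHT_PREINIT_ARRAY, off_preinit, len(preinit), 8)
        + shdr(shstrtab.index(b".init_array"), SHT_INIT_ARRAY, off_init, len(init), 8)
        + shdr(shstrtab.index(b".shstrtab"), SHT_STRTAB, off_str, len(shstrtab), 0)
    )
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    # e_type=ET_EXEC, e_machine=x86-64, no program headers, 4 section headers, shstrndx=3
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, 0, 0, off_sh, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + preinit + init + shstrtab + bytes(pad) + shdrs

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, ptrs in init_arrays(blob).items():
        print(name, [hex(p) for p in ptrs])
```

On a real PIE binary the on-disk values may be zero or unrelocated, with the real targets carried by relocations in .rela.dyn, so treat the printed addresses as a starting point and confirm them in the debugger (a breakpoint on each one fires before main).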

Polyglots

JAR is zip and zip can be combined with all kinds of stuff.

Windows PE can have a Windows portion and a DOS portion in the same .exe. Usually the DOS part just prints a helpful message, but nothing prevents a Narnia door to another world... Rusty from justCTF2020 is an example of this in the wild (Tell me more).

Polyfile can help map out files like this. Beware zip bombs, PDF bombs and the like, they can make output explode.

Mitra can generate 2-polyglots between a large number of formats (Tell me more).
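Why "JAR is zip and zip can be combined with all kinds of stuff" works: the zip reader locates the end-of-central-directory record from the tail of the file, so anything can sit in front of it. The following is an added example, not code from the original page or from Polyfile: a small signature scanner that, unlike a single `file` verdict, reports every known magic at every offset, plus a check that a zip glued behind a constructed (non-runnable) DOS-stub-like prefix still opens. The prefix and the archive contents are made up for the example.

```python
import io
import zipfile

# Magic bytes worth flagging when a file may be more than one thing at once.
SIGNATURES = {
    b"MZ": "DOS/PE executable header",
    b"\x7fELF": "ELF header",
    b"%PDF-": "PDF header",
    b"PK\x03\x04": "zip local file header",
    b"PK\x05\x06": "zip end-of-central-directory",
    b"\x89PNG\r\n\x1a\n": "PNG header",
    b"\xca\xfe\xba\xbe": "Java class / Mach-O fat header",
}

def find_signatures(data):
    """Return every (offset, description) where a known magic appears, in file order.
    A signature inside another container is reported too; that is the point."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def embedded_zip_names(data):
    """Member names of a zip archive even when it is appended to another file.
    zipfile finds the end-of-central-directory record from the end of the data
    and corrects for the prepended bytes, exactly as the JVM does for a JAR."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample_polyglot():
    """Constructed sample: a fake DOS stub (just the MZ magic and a message, not
    a runnable program) followed by a real, stored zip archive with JAR-like names."""
    stub = b"MZ" + bytes(62) + b"This program cannot be run in DOS mode.\r\n$"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Stored (uncompressed), so the class-file magic stays visible to the scanner
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + bytes(12))
    return stub + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_polyglot()
    for off, desc in find_signatures(sample):
        print("0x%06x  %s" % (off, desc))
    print("zip members:", embedded_zip_names(sample))
```

The scanner is deliberately naive (no structure validation), which is also why tools in this space need care with zip bombs and PDF bombs: following every container it finds is what makes the output explode.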

Python interpreter with modifications

Apparently it's pretty common to mess with the byte-to-opcode mapping of Python and then embed your custom interpreter (Writeup).

Self-modifying code

EXE packing

Detect it Easy shows all kinds of info about binaries. xvolkolak emulates the processor to safely let the binary unpack itself. file can identify UPX packing, and the tool can also unpack. Helpful list of DOS/Windows packers. PEiD can identify several DOS/Windows packers.
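Packers and crypters leave a fingerprint the signature tools above do not need: compressed or encrypted sections have near-uniform byte distributions. The following is an added example, not code from the original page or any of the tools it names: a sliding-window Shannon entropy scan that coalesces high-entropy windows into byte ranges. The sample image is constructed (a repeating fake instruction pattern plus zero padding, then seeded pseudo-random bytes standing in for a packed payload); the 7.0 bits/byte threshold and 1 KiB window are the example's own choices.

```python
import math
import random

def shannon_entropy(chunk):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a perfectly uniform 256-symbol distribution."""
    if not chunk:
        return 0.0
    n = len(chunk)
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def entropy_map(data, window=1024, threshold=7.0):
    """Per-window (offset, entropy, flagged) triples. Compressed or encrypted
    payloads sit close to 8; ordinary machine code usually lands around 5 to 6.5."""
    out = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        out.append((off, round(h, 2), h >= threshold))
    return out

def packed_regions(data, window=1024, threshold=7.0):
    """Coalesce consecutive flagged windows into (start, end) byte ranges."""
    regions = []
    for off, _h, hot in entropy_map(data, window, threshold):
        end = min(len(data), off + window)
        if hot and regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)      # extend the current region
        elif hot:
            regions.append((off, end))               # start a new region
    return regions

def build_sample_image():
    """Constructed sample: 2 KiB of low-entropy 'code-like' bytes (a repeating
    8-byte pattern plus zero padding) followed by 2 KiB of seeded pseudo-random
    bytes that stand in for a packed payload. Seeded so the result is reproducible."""
    clear = b"\x55\x48\x89\xe5\x48\x83\xec\x20" * 224 + bytes(256)
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(2048))
    return clear + packed

if __name__ == "__main__":
    image = build_sample_image()
    for off, h, hot in entropy_map(image):
        print("0x%06x  %.2f bits/byte  %s" % (off, h, "PACKED?" if hot else ""))
    print("suspected packed regions:", packed_regions(image))
```

Entropy alone cannot tell compression from encryption from a legitimate embedded resource such as a PNG, so treat a flagged range as a place to point the PE/ELF section table at, then let one of the unpackers named above do the rest.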

Windows Tools

bytepointer has a bunch of small utilities.
