A Reverse Engineering Puzzle

There are quite a few times when I’m discussing my work with friends and they ask “what do you even do?”

Well, there are a lot of answers to that. Information security is a pretty broad field, but the most enjoyable part of my job, and the one I get to do the least, is finding faults in code and exploiting them. To show how that works, I threw together a little puzzle in C. The code is available here for you to download and follow along, BUT if you want to try the challenge without seeing the source, on a macOS or Linux machine type the following to download and compile it:

curl https://gist.githubusercontent.com/moezsayani/9f69eed2ee0ff2541196db3d4ea12d8e/raw/d0887598e6c7886cc23867903f1173dc462477fb/ReverseCode.c > reverse.c

gcc -m32 reverse.c -o reverse -fno-stack-protector -w

(-m32 builds a 32-bit binary, -fno-stack-protector leaves out the stack canary that would otherwise abort the program when the overflow in solution 1 is detected at function return, and -w silences the compiler warnings that would give the bug away. Recent Xcode toolchains no longer build 32-bit binaries, so on a current Mac use Linux or a virtual machine.)

Instructions:

Either figure out the password, or bypass the login code.

Solutions:

  1. Buffer Overflow: This is the easiest way to bypass the login. The program reads the password into a 16-character buffer, so just to be safe I fed it 32 characters. The characters themselves don’t matter. The input is copied onto the stack without a length check, so everything past the sixteenth byte runs over whatever sits next to the buffer in the stack frame. Here that is the integer the program tests to decide whether the login succeeded; the overflow sets it to a nonzero value, and any nonzero value lets you in.
  2. Disassembly: This method is a little more involved, since it means looking at memory addresses and assembly code. First run objdump on the binary to disassemble it and save the output to a dump file. In the dump we can skip the ‘_text‘ section and go straight to the ‘_main‘ function. BUT WAIT! There is a function called ‘_secret‘ that the program never calls. What does it do? There are a couple of ways to find out, the easiest of which is to open the binary in a disassembler like Hopper or IDA. Opening the executable in Hopper shows that the function’s purpose is to print the password. Like I said, I made this code deliberately vulnerable. Looks like the password is “sciencemoez.com”. The GNU Debugger (GDB) can also print the password from its memory location as a string, or force the program to run the secret function by setting a breakpoint and jumping to it, but if you have access to IDA (free version, paid extra features) or Hopper ($100), there is little reason to.
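The mechanism behind solution 1, as an added example that is not the puzzle's own source: a 16-byte password buffer modelled with the login flag sitting directly after it, the unbounded copy that the puzzle relies on, and a bounded variant that refuses over-long input instead. The struct layout, the slack region, the password constant and the function names are assumptions made for this demo, not taken from reverse.c.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define PASSWORD "sciencemoez.com"   /* 15 characters: exactly fills a 16-byte buffer with its NUL */

/* Modelled stack frame (an assumption about the puzzle's layout, not taken from reverse.c):
 * the 16-byte password buffer sits directly below the flag the login check tests.
 * The slack region only keeps this demo's overflow inside the struct, so the caller's
 * return address is never touched; the real binary has no such cushion. */
struct login_frame {
    char buf[BUF_SIZE];
    volatile int authenticated;   /* volatile: the final check must re-read memory, not a cached 0 */
    char slack[64];
};

/* Unbounded copy, equivalent to strcpy(). Written out by hand so the copy is not
 * replaced by a fortified libc wrapper that would abort instead of overflowing. */
static void unbounded_copy(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0') { }
}

/* Vulnerable login: returns the flag's raw value after the check.
 * 0 = rejected, 1 = correct password, anything else = flag clobbered by the overflow. */
int vulnerable_login(const char *input) {
    struct login_frame f;
    f.authenticated = 0;
    memset(f.slack, 0, sizeof f.slack);
    unbounded_copy(f.buf, input);              /* writes past buf once input is 16 chars or longer */
    if (strcmp(f.buf, PASSWORD) == 0)
        f.authenticated = 1;
    return f.authenticated;
}

/* Hardened login: reject anything that cannot fit, then copy with a known bound. */
int safe_login(const char *input) {
    char buf[BUF_SIZE];
    int authenticated = 0;
    if (strlen(input) >= sizeof buf)           /* too long to be the password: refuse, don't truncate */
        return 0;
    memcpy(buf, input, strlen(input) + 1);     /* known to fit, NUL included */
    if (strcmp(buf, PASSWORD) == 0)
        authenticated = 1;
    return authenticated;
}

int main(void) {
    const char *junk = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 x 'A', as in the write-up */
    printf("vulnerable, correct password : %d\n", vulnerable_login(PASSWORD));
    printf("vulnerable, 32 x 'A'         : 0x%x\n", (unsigned)vulnerable_login(junk));
    printf("hardened,   32 x 'A'         : %d\n", safe_login(junk));
    return 0;
}
```

Compile with plain gcc; -m32 is not needed here because the overflow stays inside the struct. The second line of output shows the clobbered flag as 0x41414141, the four 'A's that landed on it, which is exactly the "nonzero" the login check accepts. In the real binary the bytes beyond the flag keep going up the frame, which is why the puzzle has to be built with -fno-stack-protector: a canary there would abort the process at function return.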

 

Can you guys find another way to break into the application?
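One answer to that question, and the reason solution 2 works at all: the password is a plain string in the binary's data whether or not _secret is ever called, so it can be pulled out without a disassembler. Below is a minimal strings(1)-style scanner in C, added here as an example and not part of the original puzzle. The byte blob it scans is constructed for the demo to look like a slice of .rodata; it is not a dump of the compiled reverse.c, and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed stand-in for a slice of the binary's read-only data: a 4-byte constant,
 * the prompt strings, the password that only the uncalled _secret() references, and
 * some noise. Made up for this demo; not taken from the compiled reverse.c. */
static const unsigned char rodata[] =
    "\x01\x00\x00\x00"              /* a 4-byte constant, nothing printable */
    "Enter password: \0"
    "\x7f" "ELF\0"                  /* 3 printable bytes: shorter than strings' default cut-off */
    "Access denied\0"
    "sciencemoez.com\0"             /* referenced only by the function main() never calls */
    "\x89\xe5\x83\xec\x10"          /* instruction-like bytes */
    "Welcome\0";

#define MIN_LEN 4   /* same default minimum run length as GNU strings(1) */
#define MAX_STR 64

/* Scan a byte range for runs of at least MIN_LEN printable ASCII bytes.
 * Each run is copied NUL-terminated into out[]; returns how many were stored. */
size_t find_strings(const unsigned char *data, size_t len,
                    char out[][MAX_STR], size_t max_out) {
    size_t found = 0, run = 0;
    char cur[MAX_STR];
    for (size_t i = 0; i <= len; i++) {
        int c = (i < len) ? data[i] : 0;          /* end of data counts as a terminator */
        if (i < len && isprint(c)) {
            if (run < sizeof cur - 1)             /* longer runs are truncated, not lost */
                cur[run] = (char)c;
            run++;
            continue;
        }
        if (run >= MIN_LEN && found < max_out) {  /* a non-printable byte ends the run */
            cur[run < sizeof cur - 1 ? run : sizeof cur - 1] = '\0';
            strcpy(out[found++], cur);
        }
        run = 0;
    }
    return found;
}

/* Convenience wrappers over the constructed blob so callers need no buffers of their own. */
static char found[16][MAX_STR];

size_t count_embedded_strings(void) {
    return find_strings(rodata, sizeof rodata, found, 16);
}

const char *embedded_string(size_t n) {
    size_t total = count_embedded_strings();
    return n < total ? found[n] : NULL;
}

int main(void) {
    size_t n = count_embedded_strings();
    for (size_t i = 0; i < n; i++)
        printf("%s\n", embedded_string(i));   /* the third line is the password */
    return 0;
}
```

Running `strings reverse | less` against the real binary applies the same rule to the whole file: any four or more consecutive printable bytes are reported, so the ELF magic and the instruction bytes are skipped while the password is not. Hiding a password in an uncalled function only hides the call, not the data.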
