Explain the term Reverse Engineering for binary files.
Reverse engineering of binary files involves analyzing compiled executable programs (e.g., .exe, .elf) to uncover their design, implementation, or vulnerabilities without access to the original source code. Attackers use this to understand how a program works, find weaknesses (e.g., hardcoded passwords), or bypass security checks.
Describe the differences between static and dynamic analysis of binaries.
static analysis:
Used to collect information about the design and implementation of the software without executing it. Of particular interest are the control flows of the software.
dynamic analysis:
Explores the software during runtime. The focus is on its interactions with the environment and on data flows.
Describe the following static analysis tools and explain how they work:
file, strings, Ghidra
file
Purpose: Identifies the type of binary (e.g., ELF, PE), target platform (e.g., x86-64), and whether debug symbols are present.
Example:
$ file secret
secret: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, not stripped
This shows the binary is a 64-bit Linux executable whose symbols have not been stripped (debug symbols present).
strings
Purpose: Extracts human-readable strings (≥4 characters) from the binary.
$ strings secret
Invalid password!
ACD0-84F1-9A56-47BC
This might reveal error messages or hidden secrets.
Ghidra
Purpose: Decompiles machine code into readable pseudocode and generates control flow graphs.
Example: Ghidra might decompile a binary to show a main function that checks a password and prints a secret if correct.
Describe the following dynamic analysis tools and explain how they work:
ltrace, strace, gdb
ltrace
Purpose: Traces library calls (e.g., strcmp, printf) during execution.
$ ltrace ./secret test
strcmp("6LJ53vc6kFtwY_", "test") = -66
puts("Invalid password!")
Shows the program compared "test" with a hardcoded password.
strace
Purpose: Monitors system calls (e.g., file operations, network calls), i.e., the interaction of the software with the kernel.
$ strace ./secret
open("/etc/passwd", O_RDONLY) = -1
Reveals attempts to access system files.
gdb
Purpose: Debugger for setting breakpoints, inspecting memory, and modifying registers.
$ gdb ./secret
(gdb) break main
(gdb) run
Pauses execution at the main function to analyze variables.
Describe countermeasures against static analysis of binaries.
Remove debug symbols: Compile without -g and use strip to remove symbol information from the binary.
Avoid hardcoding secrets: Never store passwords/keys in the binary.
Optimize code: Use compiler flags like -O to make decompiled code harder to read.
Describe countermeasures against dynamic analysis of binaries.
Block ptrace(): Prevent tools like gdb from attaching to the process (anti-debugging).
Strip symbols: Remove function/variable names to complicate debugging.
Hinder static analysis first: Since dynamic analysis relies on static insights, making static analysis harder indirectly protects against dynamic analysis.