Password Extraction: Advanced Binaries

Following up on the previous, guided exercise, you will be given here a series of binaries, each of which checks a password whose correct value is hardcoded within the program in some form. Your goal is again to reverse-engineer the program's behaviour and extract the correct password. The binaries are crackme02 to crackme06.

⚠️ Once again, these binaries are generated on a per-student basis: do not work on binaries downloaded by another student.

These binaries differ from the guided example we have seen previously in various ways:

  • The correct password may no longer be stored in the binary as a plain string, so tools such as strings or objdump -s will not simply reveal it.
  • Metadata that helps disassembly, notably the symbol table that lets objdump split the machine code into named functions, may have been stripped from the binary.
  • The correct password may be computed at runtime rather than being present in static memory, so it can only be observed in memory or registers while the program executes (e.g. under GDB).
  • The password check may be performed outside of the program's main function.

Use objdump and GDB to investigate the machine code and runtime behaviour of each program, and extract the correct passwords. For some binaries you may find this challenging: read on to learn about a tool that can help.
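The following script is an added example and not part of the course material or its binaries. It builds a small constructed crackme whose password is never stored as a string and only exists in memory at runtime, strips its symbol table the way the course binaries are stripped, and then recovers the password with objdump and GDB. It assumes an x86-64 Linux machine with gcc, strip, objdump and gdb installed; the sample C source, its password and the helper names (show_entry, recover_password, verify_password) are all my own.

```shell
#!/bin/sh
# Added example, not part of the course material: build a constructed crackme
# whose key is computed at runtime, strip it, and recover the key with
# objdump + gdb. Assumes gcc, strip, objdump and gdb on x86-64 Linux.
set -eu

for tool in gcc strip objdump gdb; do
    command -v "$tool" >/dev/null 2>&1 \
        || { echo "skipping: $tool is not installed" >&2; exit 0; }
done

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the key is never stored as a string. It is rebuilt from
# an int array at runtime (each element is the character code plus 7).
cat > "$WORK/crackme.c" <<'EOF'
#include <stdio.h>
#include <string.h>
static const int seed[] = {0x7a, 0x6c, 0x6a, 0x79, 0x6c, 0x7b, 0};
static int check(const char *guess)
{
    char key[16];
    int i;
    for (i = 0; seed[i] != 0; i++)
        key[i] = (char)(seed[i] - 7);
    key[i] = '\0';
    return strcmp(guess, key) == 0;
}
int main(void)
{
    char buf[64];
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    buf[strcspn(buf, "\n")] = '\0';
    puts(check(buf) ? "Correct!" : "Wrong password");
    return 0;
}
EOF
# -fno-builtin keeps strcmp as a real library call. strip removes .symtab
# (local function names) but not .dynsym, so imported libc functions such as
# strcmp keep their names in the PLT: that is what both tools below rely on.
gcc -O0 -fno-builtin -o "$WORK/crackme" "$WORK/crackme.c"
strip "$WORK/crackme"

printf 'not-the-password\n' > "$WORK/input"
# A sandbox that forbids ptrace cannot run anything under GDB; bail out early.
gdb -q -batch -ex "run < $WORK/input" "$WORK/crackme" >/dev/null 2>&1 \
    || { echo "skipping: this environment does not allow ptrace" >&2; exit 0; }

# Static view. Without symbols objdump cannot label main, but on x86-64 _start
# still loads main's address into %rdi just before calling __libc_start_main,
# so these lines are the place to start reading the disassembly.
show_entry() {
    objdump -d --no-show-raw-insn "$1" | grep -B6 '__libc_start_main' || true
}

# Dynamic view. strcmp@plt survives stripping, so a breakpoint on strcmp fires
# on the program's own comparison; at that moment %rdi is our guess and %rsi
# the key the program just built, whatever transformation produced it.
recover_password() {
    cat > "$WORK/trace.gdb" <<'EOF'
set pagination off
set breakpoint pending on
break strcmp
commands
  silent
  printf "strcmp(\"%s\", \"%s\")\n", (char *)$rdi, (char *)$rsi
  continue
end
EOF
    gdb -q -batch -x "$WORK/trace.gdb" -ex "run < $WORK/input" "$1" 2>/dev/null \
        | grep '^strcmp("not-the-password", ' \
        | sed 's/^strcmp("not-the-password", "\(.*\)")$/\1/' \
        | tail -n 1
}

# Confirm the recovered value is really accepted by the binary.
verify_password() {
    printf '%s\n' "$2" | "$1"
}

show_entry "$WORK/crackme"
PASSWORD=$(recover_password "$WORK/crackme")
echo "recovered password: $PASSWORD"
verify_password "$WORK/crackme" "$PASSWORD"
```

The GDB script logs every strcmp call rather than stopping at the first one, and the shell side filters for the line containing our dummy guess: libc may call strcmp internally before the program does, and filtering on the guess we control makes the recovery robust to that. Always feed the recovered value back to the binary, as verify_password does, before submitting it.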

Decompiling with RetDec

RetDec is a decompiler: it disassembles a binary, much as objdump does, and then attempts to recover the C source code from which the binary was compiled. The decompiled C code will not look exactly like the original, for several reasons:

  • Much source-level information is lost at compile time: variable and function names, comments, code formatting and type information; the compiler may also have inlined functions and removed dead code. On a stripped binary, functions without symbols are given generic names derived from their address.
  • Decompiling is not an exact science, and certain steps (such as recovering the program's control-flow graph from the machine code) rely on heuristics that may produce incorrect results.

Still, a source-level view of the program, even an incomplete one, can be invaluable for reverse-engineering its behaviour.

Downloading and Installing RetDec

Let's first create a folder in the VM to install RetDec in:

mkdir -p ~/Software/RetDec
cd ~/Software/RetDec

We can then download a release from RetDec's GitHub repository, extract the archive, and delete it as it is no longer needed:

wget https://github.com/avast/retdec/releases/download/v5.0/RetDec-v5.0-Linux-Release.tar.xz
tar xf RetDec-v5.0-Linux-Release.tar.xz
rm RetDec-v5.0-Linux-Release.tar.xz

Decompiling a Binary

RetDec's decompilation tool is bin/retdec-decompiler. To use it, simply pass the binary to analyse as a parameter:

~/Software/RetDec/bin/retdec-decompiler crackme02

Once the analysis completes, a C source file (crackme02.c in this example) is created in the current folder. This is the output of the decompilation process: open it in an editor and explore the recovered source code to attempt to extract the password. Where the password is computed at runtime, the recovered routine that builds it can be re-implemented or stepped through under GDB to obtain the value. Proceed similarly for crackme03-06.

Submission

Enter the extracted passwords on the corresponding lines of the CSV file in the submission git repository, i.e.:

crackme02,password-for-crackme02-here
crackme03,password-for-crackme03-here
crackme04,password-for-crackme04-here
crackme05,password-for-crackme05-here
crackme06,password-for-crackme06-here