CobolStone Profile picture
The place for hackers and builders. #web3 #security #ai #software

Aug 10, 2021, 13 tweets

You are starting #ReverseEngineering and don't really know what to do with your binary ? Let's see how you can use @cutter_re to approach a reverse challenge in a CTF competition. Thread ⬇️

First of all, let's install cutter AppImage: cutter.re/download/ and then give it execution rights. This tool is a GUI built on top of @rizinorg, a radare2 fork with a better focus on stability and code quality.

Then open cutter, select your binary and run it with aaa for basic analysis. Note that you can also select the "Load in write mode" if you want to edit the binary (i.e. change its behavior).

When cutter opens a new binary, you can see the Dashboard tool. Here you can see various information that will be very useful for your analysis: the binary format, the targeted OS, the programming language used, protections like stripping and used libraries.

Then you can head to the Strings tool to see all strings present in the binary and their address. Try to search for strings like "GG here is your flag" to see where you shoud look in the next steps.

Before heading to the core of our analysis, let's check the Imports tool which can give us some hints on where to look, especially for pwn challenges: we can see which external functions are used and if they are safe or not! Here the binary is pretty simple but has a warning

Quick note: a fun way to use this feature is on old games challenges with CD-ROM licence checks. Just head to Imports and look for functions like GetLogicalDrives or GetDriveTypeA, then go where they are used in the binary to patch the licence check!

Now that we have a good overview of the binary, let's understand what the binary is doing. To do so you have two easy to use and really convenient tools: the Graph View and the Decompiler. In those tools, you can focus a function by selecting it on the left-side widget.

For the decompiler, you should select the Ghidra engine, which often has better result than the others. In this view there are a lot of ugly things, try to focus on:
1. Variable initialization (not declaration)
2. Conditions
3. Prints (look for success print for a ctf chall)

Also, don't hesitate to rename variables and function parameters, it can make the analysis easier, especially on big binaries.

For crackmes, the best tool is the Graph view. To use it we recommend
1. Zoom out as much a possible to simply see the logical branching, usually what you want is to look for loops and error management
2. Zoom in the boxes that seem interesting, like where the loop condition is

If you want to run the binary to study its behavior, you can use the debugger (in beta). Once you've specified the program parameters, you can start executing instructions, looking at the stack and the registers. You can also edit their value during the run!

@cutter_re is a great tool to start #ReverseEngineering ctf challenges. If you want to learn more, check out their documentation (cutter.re/docs/) and their featured articles here cutter.re/blog/

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling