CobolStone Profile picture
Aug 10, 2021 13 tweets 6 min read Read on X
You are starting #ReverseEngineering and don't really know what to do with your binary? Let's see how you can use @cutter_re to approach a reverse challenge in a CTF competition. Thread ⬇️
First of all, let's install cutter AppImage: cutter.re/download/ and then give it execution rights. This tool is a GUI built on top of @rizinorg, a radare2 fork with a better focus on stability and code quality.
Then open cutter, select your binary and run it with aaa for basic analysis. Note that you can also select the "Load in write mode" if you want to edit the binary (i.e. change its behavior).
When cutter opens a new binary, you land on the Dashboard tool. It shows various information that will be very useful for your analysis: the binary format, the targeted OS, the programming language used, protections (e.g. whether symbols are stripped) and the libraries used.
Then you can head to the Strings tool to see all strings present in the binary and their addresses. Try to search for strings like "GG here is your flag" to see where you should look in the next steps.
Before heading to the core of our analysis, let's check the Imports tool, which can give us some hints on where to look, especially for pwn challenges: we can see which external functions are used and whether they are safe or not! Here the binary is pretty simple but has a warning.
Quick note: a fun way to use this feature is on old games challenges with CD-ROM licence checks. Just head to Imports and look for functions like GetLogicalDrives or GetDriveTypeA, then go where they are used in the binary to patch the licence check!
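To show what the Dashboard and Imports tools compute from the file, here is an added example (not part of the thread, not cutter or rizin code) that reads an ELF64 image with only the Python standard library: it reports the architecture, whether `.symtab` is present (stripped or not), the functions imported through `.dynsym`, and which of them fall in an assumed list of imports worth a closer look. The sample binary is constructed inline and carries only the tables the triage reads.

```python
import struct

# Constructed watch list: classic unsafe C calls plus the license-check APIs mentioned in the thread.
RISKY_IMPORTS = {"gets", "strcpy", "strcat", "sprintf", "scanf", "system",
                 "GetLogicalDrives", "GetDriveTypeA"}
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}  # e_machine values

def parse_elf64(data):
    """Return arch, stripped flag and imported functions of an ELF64 image (ELF32 not handled)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    e = "<" if data[5] == 1 else ">"              # EI_DATA: little or big endian
    machine, = struct.unpack_from(e + "H", data, 18)
    shoff, = struct.unpack_from(e + "Q", data, 40)
    shnum, shstrndx = struct.unpack_from(e + "HH", data, 60)
    # section header tuple: index 4 = sh_offset, 5 = sh_size, 6 = sh_link
    secs = [struct.unpack_from(e + "IIQQQQIIQQ", data, shoff + 64 * i) for i in range(shnum)]
    cstr = lambda off: data[off:data.index(b"\0", off)].decode()
    names = {cstr(secs[shstrndx][4] + s[0]): s for s in secs}
    imports = []
    if ".dynsym" in names:                         # undefined STT_FUNC symbol = imported function
        dsym, dstr = names[".dynsym"], secs[names[".dynsym"][6]]
        for i in range(1, dsym[5] // 24):
            st_name, st_info, _, shndx = struct.unpack_from(e + "IBBH", data, dsym[4] + 24 * i)
            if shndx == 0 and st_info & 0xF == 2:
                imports.append(cstr(dstr[4] + st_name))
    return {"arch": MACHINES.get(machine, hex(machine)), "stripped": ".symtab" not in names,
            "imports": imports, "risky": sorted(set(imports) & RISKY_IMPORTS)}

def build_sample_elf(import_names, with_symtab):
    """Constructed minimal ELF64/x86-64 holding only .dynsym/.dynstr/.shstrtab (not loadable)."""
    dynstr, name_off = bytearray(b"\0"), []
    for n in import_names:
        name_off.append(len(dynstr)); dynstr += n.encode() + b"\0"
    dynsym = bytes(24) + b"".join(struct.pack("<IBBHQQ", o, 0x12, 0, 0, 0, 0) for o in name_off)
    shstr = b"\0.dynsym\0.dynstr\0.shstrtab\0.symtab\0"
    blobs = [(b".dynsym", 11, dynsym), (b".dynstr", 3, dynstr), (b".shstrtab", 3, shstr)]
    if with_symtab:
        blobs.append((b".symtab", 2, bytes(24)))  # an unstripped binary keeps .symtab
    off, shdrs, body = 64, [bytes(64)], b""
    for name, typ, blob in blobs:
        shdrs.append(struct.pack("<IIQQQQIIQQ", shstr.index(name), typ, 0, 0, off, len(blob),
                                 2 if name == b".dynsym" else 0, 0, 1, 24 if typ in (2, 11) else 0))
        body, off = body + blob, off + len(blob)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, off, 0, 64, 0, 0, 64, len(shdrs), 3)
    return ehdr + body + b"".join(shdrs)

if __name__ == "__main__":
    print(parse_elf64(build_sample_elf(["puts", "gets", "strcpy"], with_symtab=False)))
```

Run it on a real binary with `parse_elf64(open(path, "rb").read())`; the same fields are what cutter's Dashboard and Imports widgets summarise for you.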
Now that we have a good overview of the binary, let's understand what it is doing. To do so you have two easy-to-use and really convenient tools: the Graph View and the Decompiler. In both tools, you can focus on a function by selecting it in the left-side widget.
For the decompiler, you should select the Ghidra engine, which often gives better results than the others. This view contains a lot of noise; try to focus on:
1. Variable initialization (not declaration)
2. Conditions
3. Prints (look for the success message in a CTF challenge)
Also, don't hesitate to rename variables and function parameters, it can make the analysis easier, especially on big binaries.
For crackmes, the best tool is the Graph view. To use it, we recommend:
1. Zoom out as much as possible to see just the logical branching; usually what you want is to look for loops and error handling
2. Zoom in on the boxes that seem interesting, like where the loop condition is
If you want to run the binary to study its behavior, you can use the debugger (in beta). Once you've specified the program parameters, you can start executing instructions, looking at the stack and the registers. You can also edit their value during the run!
@cutter_re is a great tool to start #ReverseEngineering ctf challenges. If you want to learn more, check out their documentation (cutter.re/docs/) and their featured articles here cutter.re/blog/