Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Friday, April 03 2020 @ 05:48 AM CEST

Reversing A Simple Linux App with OBJDUMP

   

TutorialsLevel : beginner

Basic disassembly on linux platform using only Objdump.
Target is the small linux starter crackme.


Reversing A Simple Linux App with OBJDUMP
TARGET = here
DIFF = Tomato ketchup its just Diff
TOOLS USED = OBJDUMP
Requirements
1) I assume that you have some flavour of linux installed in your computer
2) by prompt i mean prompt on your commandline like you@someserver:~>
3) you have the standard binutils avl in this installation

Let's Start

First we will investigate this linux binary with some tools that are included in almost every distribution (binutils package). For easier reversing we will use some customized tools. Find them here.

Ofcourse we could use IDA Pro or another commercial disassembler, but for this tuts we stick with tools that are freely available.

The process of investigating a linux / unix binary is not that different from windows binaries. We start by doing a quick scan to see if the binary is packed/stripped, the we check its header (ELF header, not PE this time ;) ), look for interesting strings, and finally we dig in the disassembly.

Let's start our deadlisting...

Binary details
First off all we use the file command to know the details about the file we are examining

On the prompt > type without quotes
"file small"
And press enter

You will get an output in this format

small: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped

We come to know that this app is not stripped So most of the function calls will look like
call &ltlibc.cout&gt
Instead of call $0x80485634

If it has been stripped we need to look for symbol table and Our task becomes a little more difficult

Strings
Ok we now look for strings inside that file

On the prompt > type without quotes
"strings small"
And press enter

You see lot of strings along with these strings in side this app


-> Small crackme for stingduk 
Disassembling with objdump

Ok we will look at the headers inside this file
On the prompt > type without quotes
" objdump -h small"
And press enter

The output is as follows
small: file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  


 12 .fini         0000001a  08048a94  08048a94  00000a94  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .rodata       000000d0  08048ac0  08048ac0  00000ac0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .eh_frame_hdr 0000002c  08048b90  08048b90  00000b90  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 15 .data         0000000c  08049bbc  08049bbc  00000bbc  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .eh_frame     000000a0  08049bc8  08049bc8  00000bc8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 17 .dynamic      000000e0  08049c68  08049c68  00000c68  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .ctors        0000000c  08049d48  08049d48  00000d48  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .dtors        00000008  08049d54  08049d54  00000d54  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 20 .jcr          00000004  08049d5c  08049d5c  00000d5c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 21 .got          00000038  08049d60  08049d60  00000d60  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 22 .bss          00000128  08049d98  08049d98  00000d98  2**3
                  ALLOC
 23 .comment      000000d9  00000000  00000000  00000d98  2**0
 


We need to dissemble the file now
On the prompt > type without quotes
" objdump -d small > dump "
And press enter

Open this file with cat dump | more

If you scroll through the dump you will see the main function like I pasted below

Though it is absolutely ok it would be better to look at the disassembly
If we dont have those hex bytes displayed it would also be better to look at
Disassembly if we see0xffffffff(%ebx) as -0x01(%ebx)
Also some xrefs to data section and jump xrefs on the disassembly would also be fine
For analyzing the disassembly easily




 804884a:       c7 85 34 ff ff ff 00    movl   $0x0,0xffffff34(%ebp)
 8048851:       00 00 00
 8048854:       8d 45 b8                lea    0xffffffb8(%ebp),%eax
 8048857:       03 85 34 ff ff ff       add    0xffffff34(%ebp),%eax
 804885d:       80 38 00                cmpb   $0x0,(%eax)
 8048860:       75 02                   jne    8048864 
 8048862:       eb 42                   jmp    80488a6 
 8048864:       8d 85 38 ff ff ff       lea    0xffffff38(%ebp),%eax
 804886a:       89 c1                   mov    %eax,%ecx
 804886c:       03 8d 34 ff ff ff       add    0xffffff34(%ebp),%ecx
 8048872:       8d 45 b8                lea    0xffffffb8(%ebp),%eax
 8048875:       03 85 34 ff ff ff       add    0xffffff34(%ebp),%eax
 804887b:       8a 00                   mov    (%eax),%al
 804887d:       66 0f be d0             movsbw %al,%dx
 8048881:       66 c7 85 26 ff ff ff    movw   $0xa,0xffffff26(%ebp)
 8048888:       0a 00
 804888a:       89 d0                   mov    %edx,%eax
 804888c:       66 99                   cwtd
 804888e:       66 f7 bd 26 ff ff ff    idivw  0xffffff26(%ebp)
 8048895:       88 d0                   mov    %dl,%al
 8048897:       83 c0 30                add    $0x30,%eax
 804889a:       88 01                   mov    %al,(%ecx)
 804889c:       8d 85 34 ff ff ff       lea    0xffffff34(%ebp),%eax
 80488a2:       ff 00                   incl   (%eax)
 80488a4:       eb ae                   jmp    8048854 
 80488a6:       8d 85 38 ff ff ff       lea    0xffffff38(%ebp),%eax
 

Tools of the trade
we use an utility called gendump that was coded by Dion Mendel
for his prize winning honeynet reverse-engineering entry it basically uses objdump but gives a little more visually attractive display along with routines

on the prompt > type without quotes
"./gendump small > dump1"
and press enter

you will have a file called dump1 in the directory

you can look at this file by using this command type on prompt
cat dump1 | more

this will output the file page by page
I am showing here only the user code, which is denoted, by main



# 080487bc :



0804884a: movl   $0x0,0xffffff34(%ebp)
08048854: lea    0xffffffb8(%ebp),%eax
08048857: add    0xffffff34(%ebp),%eax
0804885d: cmpb   $0x0,(%eax)
08048860: jne    0x08048864 
08048862: jmp    0x080488a6 
08048864: lea    0xffffff38(%ebp),%eax
0804886a: mov    %eax,%ecx
0804886c: add    0xffffff34(%ebp),%ecx
08048872: lea    0xffffffb8(%ebp),%eax
08048875: add    0xffffff34(%ebp),%eax
0804887b: mov    (%eax),%al
0804887d: movsbw %al,%dx
08048881: movw   $0xa,0xffffff26(%ebp)
0804888a: mov    %edx,%eax
0804888c: cwtd
0804888e: idivw  0xffffff26(%ebp)
08048895: mov    %dl,%al
08048897: add    $0x30,%eax
0804889a: mov    %al,(%ecx)
0804889c: lea    0xffffff34(%ebp),%eax
080488a2: incl   (%eax)
080488a4: jmp    0x08048854 
080488a6: lea    0xffffff38(%ebp),%eax


we also use other utility coded by Don Mendel those are
decomp_fixup_signs
decomp_xref_data
decomp_xref_jumps
the first utility will fix unwieldy 0xffffffff(%ebp)
entries to a more readable form like -1(%ebp)
the second utility will point the data that is being used
like push $0x807654 will now look as
possible reference to string "small crackme for stingduk"
the third will show the jump references it looks easier for visualization

on the prompt > type without quotes
"./decomp_fixup_signs dump2"
and press enter

on the prompt > type without quotes
"./decomp_xref_data small dump3 "
and press enter

on the prompt > type without quotes
"./decomp_fixup_jumps dump4"
and press enter

after performing these you will have dump1,dump2,dump3,and dump4 files in your directory
if you want to explore you can use cat "filename" | more to go through the contents
I am pasting here the final content of dump4 main function



# 080487bc :
080487bc: push   %ebp
080487bd: mov    %esp,%ebp
080487bf: sub    $0xe8,%esp
080487c5: and    $-0x10,%esp
080487c8: mov    $0x0,%eax
080487cd: sub    %eax,%esp
080487cf: sub    $0x8,%esp
080487d2: push   $0x80486d8
080487d7: sub    $0xc,%esp

# Possible reference to rodata '-> Small crackme for stingduk 
080487e9: add    $0x14,%esp
080487ec: push   %eax
080487ed: call   0x08048658 
080487f2: add    $0x10,%esp
080487f5: sub    $0x8,%esp

# Possible reference to rodata 'Give me your name (max 50 chars): '
080487f8: push   $0x8048b00

# Possible reference to data in bss
080487fd: push   $0x8049d98
08048802: call   0x08048698 
08048807: add    $0x10,%esp
0804880a: sub    $0x8,%esp
0804880d: lea    -0x48(%ebp),%eax
08048810: push   %eax

# Possible reference to data in bss
08048811: push   $0x8049e28
08048816: call   0x080486c8 
0804881b: add    $0x10,%esp
0804881e: sub    $0x8,%esp

# Possible reference to rodata 'Pass me the serial (max 50 chars): '
08048821: push   $0x8048b40

# Possible reference to data in bss
08048826: push   $0x8049d98
0804882b: call   0x08048698 
08048830: add    $0x10,%esp
08048833: sub    $0x8,%esp
08048836: lea    -0x88(%ebp),%eax
0804883c: push   %eax

# Possible reference to data in bss
0804883d: push   $0x8049e28
08048842: call   0x080486c8 
08048847: add    $0x10,%esp
0804884a: movl   $0x0,-0xcc(%ebp)
08048854: lea    -0x48(%ebp),%eax              *
08048857: add    -0xcc(%ebp),%eax              |
0804885d: cmpb   $0x0,(%eax)                   |
08048860: jne    0x08048864                  * |
08048862: jmp    0x080488a6                  |*|
08048864: lea    -0xc8(%ebp),%eax            *||
0804886a: mov    %eax,%ecx                    ||
0804886c: add    -0xcc(%ebp),%ecx             ||
08048872: lea    -0x48(%ebp),%eax             ||
08048875: add    -0xcc(%ebp),%eax             ||
0804887b: mov    (%eax),%al                   ||
0804887d: movsbw %al,%dx                      ||
08048881: movw   $0xa,-0xda(%ebp)             ||
0804888a: mov    %edx,%eax                    ||
0804888c: cwtd                                ||
0804888e: idivw  -0xda(%ebp)                  ||
08048895: mov    %dl,%al                      ||
08048897: add    $0x30,%eax                   ||
0804889a: mov    %al,(%ecx)                   ||
0804889c: lea    -0xcc(%ebp),%eax             ||
080488a2: incl   (%eax)                       ||
080488a4: jmp    0x08048854                   |*
080488a6: lea    -0xc8(%ebp),%eax             *
080488ac: add    -0xcc(%ebp),%eax
080488b2: movb   $0x0,(%eax)
080488b5: lea    -0x88(%ebp),%eax
080488bb: lea    -0xc8(%ebp),%edx
080488c1: sub    $0x8,%esp
080488c4: push   %eax
080488c5: push   %edx
080488c6: call   0x08048668 
080488cb: add    $0x10,%esp
080488ce: test   %eax,%eax
080488d0: jne    0x080488fa                   *
080488d2: sub    $0x8,%esp                    |
080488d5: push   $0x80486d8                   |
080488da: sub    $0xc,%esp                    |

# Possible reference to rodata 'Great work!'
080488dd: push   $0x8048b64                   |

# Possible reference to data in bss
080488e2: push   $0x8049d98                   |
080488e7: call   0x08048698       |
080488ec: add    $0x14,%esp                   |
080488ef: push   %eax                         |
080488f0: call   0x08048658       |
080488f5: add    $0x10,%esp                   |
080488f8: jmp    0x08048920                  *|
080488fa: sub    $0x8,%esp                   |*
080488fd: push   $0x80486d8                  |
08048902: sub    $0xc,%esp                   |

# Possible reference to rodata 'No luck here mate :('
08048905: push   $0x8048b70                  |

# Possible reference to data in bss
0804890a: push   $0x8049d98                  |
0804890f: call   0x08048698      |
08048914: add    $0x14,%esp                  |
08048917: push   %eax                        |
08048918: call   0x08048658      |
0804891d: add    $0x10,%esp                  |
08048920: mov    $0x0,%eax                   *
08048925: leave
08048926: ret
08048927: nop



Analysis

well we can now analyze the executable and see how it works we notice init is called after every push of a string so we can safely assume this to be a printf or cout function this takes a format parameter and input parameter and prints to stderr

yes we see there are two pushes to each of the call one is a string and other is from bss section which would be the format like %X,%c,%s etc

ok we leave it at it now and go down to a place where it we have entered our serial we see a loop starting from 8048854




0804884a: movl   $0x0,-0xcc(%ebp)		  ;moves 0 in [ebp-0xcc]	
08048854: lea    -0x48(%ebp),%eax              *  ;loads address of name string :)
08048857: add    -0xcc(%ebp),%eax              |  ;well effectively adds 0 [ebp-0xcc] to eax 
0804885d: cmpb   $0x0,(%eax)                   |  ;tests if eax contains 0 
08048860: jne    0x08048864                  * |  ;if not 0 jumps to 64 else go down
08048862: jmp    0x080488a6                  |*|  ;basically jumps to end of loop
08048864: lea    -0xc8(%ebp),%eax            *||  ;loads address in [ebp-0xc8] strlength :)
0804886a: mov    %eax,%ecx                    ||  ;moves the content of eax to ecx
0804886c: add    -0xcc(%ebp),%ecx             ||  ;adds 0 to ecx in first round [ebp-0xcc] = 0
08048872: lea    -0x48(%ebp),%eax             ||  ;loads address in [ebp-0x48] to eax  
08048875: add    -0xcc(%ebp),%eax             ||  ;adds 0 to eax in first round [ebp-0xcc] = 0
0804887b: mov    (%eax),%al                   ||  ;eax will become equal to al 
0804887d: movsbw %al,%dx                      ||  ;moves the content of al to dx
08048881: movw   $0xa,-0xda(%ebp)             ||  ;moves 0xa to [ebp-0xda]
0804888a: mov    %edx,%eax                    ||  ;moves contents of edx to eax
0804888c: cwtd                                ||  ; preparing for division
0804888e: idivw  -0xda(%ebp)                  ||  ;divides eax by [ebp-0xda] == eax/0xa(10 dec) 
08048895: mov    %dl,%al                      ||  ;moves remainder of the above division to al
08048897: add    $0x30,%eax                   ||  ;adds 0x30 to remainder of division
0804889a: mov    %al,(%ecx)                   ||  ;moves the (remainder+0x30) to ecx
0804889c: lea    -0xcc(%ebp),%eax             ||  ;well effectively adds 0 [ebp-0xcc] to eax 
080488a2: incl   (%eax)                       ||  ;adds 1 to [eax] == [ebp-0xcc]
080488a4: jmp    0x08048854                   |*  ;jumps back to start of loop
080488a6: lea    -0xc8(%ebp),%eax             *



so we can safely assume the serial calculation routine is
== ((chars in name string % 0xa)+0x30)
and when all chars are done it jumps to 080488a6: lea -0xc8(%ebp),%eax *
here is the comparison routine



080488a6: lea    -0xc8(%ebp),%eax             ;loads eax with [ebp_0xc8]
080488ac: add    -0xcc(%ebp),%eax             ;adds eax with [ebp_0xc8]
080488b2: movb   $0x0,(%eax)                  ;appends null terminator to calculated hash
080488b5: lea    -0x88(%ebp),%eax             ;loads eax with [ebp-0x88]
080488bb: lea    -0xc8(%ebp),%edx             ;loads edx with [ebp-0xc8]
080488c1: sub    $0x8,%esp                        
080488c4: push   %eax
080488c5: push   %edx
080488c6: call   0x08048668       ;must be strcmp
080488cb: add    $0x10,%esp
080488ce: test   %eax,%eax                    ;test 
080488d0: jne    0x080488fa       ;good guy bad guy jump


Outtro
Till now this was all about deadlisting and analyzing the executable without running it
now we will run the gnu debugger gdb and do a live debugging on the executable in the second part
of this tutorial :) keep looking

Greetings to BiW-Reversing, and to Detten for this small crackme and the usage of his server.

StingDuk




What's Related

Story Options

Reversing A Simple Linux App with OBJDUMP | 0 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
 Copyright © 2020 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.82 seconds