Challenge 4: Linux Reverse Engineering

Introduction


Reverse engineering is the process of taking something (a device, an electrical component, a software program, etc.) apart and analyzing its workings in detail. The idea is to gain a deeper understanding about the design and functionality of the analyzed object.

For software programs, reverse engineering often has the purpose of interoperability, for example, in order to support undocumented file formats or hardware peripherals. Other purposes include security auditing, removal of copy protection (cracking), and circumvention of access restrictions often present in consumer electronics.

Reverse engineering of software can be accomplished by various methods. The two main groups of techniques are static analysis (in particular, disassembling the binary) and dynamic analysis (in particular, running the program under a debugger). This challenge aims to give you some hands-on experience in application reverse engineering and to show why it is so difficult to create binaries that cannot be reverse engineered.

Detailed Description


The task of this challenge is to reverse engineer two binary programs. Both programs feature simple authentication routines. The first program, installed under /usr/local/bin/prog5, takes only a serial number, while the second program /usr/local/bin/prog6 expects both a user name and a serial number. Both programs print out a secret message when the correct authentication tokens are provided and exit with an error message otherwise.

The task for the first program is to bypass the authentication routine such that the secret message is displayed no matter what serial number is provided. To this end, you have to modify the binary code of the program appropriately. We have installed hexedit as a hex editor to perform the necessary modifications. When you have successfully altered the program, you have to create a binary patch that eventually needs to be submitted. To create the required binary patch, use the bsdiff (man bsdiff) tool that is installed on bandit. We will apply the patch to the original program and check whether the resulting program accepts an arbitrary serial number. The name of the patch has to be pass.patch.

The task for the second program is more elaborate. In this case, your task is to understand the authentication routine and develop a serial string generator. That is, you have to write a C program that, given an arbitrary user name as input, outputs the corresponding serial string that is accepted by the second program.

Your program is supposed to take exactly one argument. When an incorrect number of arguments is provided, the program should return with exit code 1. Otherwise, the program should write to stdout the correct serial string that corresponds to the user name that was passed as the first argument. We will take our user name and your output as input parameters to the second program. So, please make sure that you only output the serial string and nothing else to stdout. The name of your serial string generator has to be serial.c.
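The skeleton below shows the command-line contract described above (exactly one argument, exit code 1 otherwise, only the serial on stdout, diagnostics on stderr). It is an added illustration, not part of the challenge material: the derivation function `derive_serial` is a placeholder (an assumed FNV-1a hash rendered as hex) that stands in for whatever prog6 actually computes, which you have to recover from the binary yourself and substitute here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Length of the serial string including the terminating NUL. The real
   length depends on prog6's algorithm; 8 hex digits is an ASSUMPTION. */
#define SERIAL_LEN 9

/* PLACEHOLDER derivation (ASSUMPTION, not prog6's real routine):
   32-bit FNV-1a over the user name, printed as 8 uppercase hex digits.
   Replace the body with the algorithm recovered from the binary. */
static uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Writes the serial for `user` into `out`. Returns 0 on success, -1 on
   bad arguments (NULL pointers or a buffer too small for the serial). */
int derive_serial(const char *user, char *out, size_t outlen)
{
    if (user == NULL || out == NULL || outlen < SERIAL_LEN)
        return -1;
    snprintf(out, outlen, "%08X", fnv1a32(user));
    return 0;
}

/* Program logic separated from main() so it can be exercised with an
   arbitrary argv and output stream. Returns the process exit code:
   1 for a wrong argument count (as the challenge requires), 0 otherwise. */
int serial_main(int argc, char **argv, FILE *out)
{
    char serial[SERIAL_LEN];

    if (argc != 2) {
        /* Usage text goes to stderr so stdout carries nothing but the serial. */
        fprintf(stderr, "usage: %s <user name>\n", argc > 0 ? argv[0] : "serial");
        return 1;
    }
    if (derive_serial(argv[1], serial, sizeof serial) != 0)
        return 1;

    /* No trailing newline: the grader passes this output verbatim to prog6. */
    fputs(serial, out);
    fflush(out);
    return 0;
}

int main(int argc, char **argv)
{
    return serial_main(argc, argv, stdout);
}
```

Build with `gcc -Wall -o serial serial.c`, then test the contract the same way the grader will use it, for example `/usr/local/bin/prog6 "$USER" "$(./serial "$USER")"`; running `./serial` with no argument or with two arguments must yield exit status 1 and nothing on stdout.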

Hints


  • Both programs employ (mild) anti-reverse-engineering techniques. A mix of static (disassembler) and dynamic (debugger) analysis is recommended.
  • You can use objdump -d (man objdump) as a simple disassembler and gdb for debugging.

Deliverables


To submit your challenge solution to us, you need to follow these steps:

  1. Copy your pass.patch file and the serial.c source file to your lab account.
  2. In the directory where your files are located, call /usr/local/bin/submit4.
  3. Read any error or success messages. Then, wait a couple of minutes and read your e-mails on bandit to view the results of the automatic grading program.

Administrative Information and Deadline


This is an individual project. The project is due on Tuesday, 10.05.2011, 23:59:59 PST.