Reverse Engineering for CTFs


Reverse Engineering for CTFs Unit 3:

Overview: homework questions? Then Java RE, pwntools, stack basics, and GDB.

JAD Java Decompiler. Jad is a command-line utility for decompiling Java class files. Why can we decompile Java but not C/C++? Java is compiled into Java bytecode, which is then executed by the JVM. The bytecode is closer to Java source than assembly is to C source code, and Java class files contain metadata, whereas C files do not. To install: download http://www.javadecompilers.com/jad/Jad%201.5.8e%20for%20Linux%20(statically%20linked).zip and run unzip "Jad1.5.8eforLinux(statically linked).zip". Run: ./jad file.class

Sample Java Code

Java Bytecode
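To make the "class files contain metadata" point concrete, here is an added Python example (not from the slides or from jad) that parses the class-file header and constant pool and recovers the class and method names stored there; the input bytes are a hand-constructed minimal class-file prefix, not javac output.

```python
import struct

# Constructed minimal class-file prefix (not produced by javac): the
# header plus a three-entry constant pool built by hand for this example.
#   #1 CONSTANT_Utf8  "Simple"
#   #2 CONSTANT_Class -> #1
#   #3 CONSTANT_Utf8  "main"
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe"                  # magic 0xCAFEBABE
    + struct.pack(">HH", 0, 52)          # minor, major (52 = Java 8)
    + struct.pack(">H", 4)               # constant_pool_count = entries + 1
    + b"\x01" + struct.pack(">H", 6) + b"Simple"
    + b"\x07" + struct.pack(">H", 1)
    + b"\x01" + struct.pack(">H", 4) + b"main"
)

# Fixed-size constant pool entries: tag -> payload length in bytes
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 18: 4}

def parse_constant_pool(data):
    """Return (major_version, pool) where pool maps index -> decoded entry.
    Utf8 entries decode to str; Class entries resolve to 'class <name>'."""
    magic, minor, major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, raw = 10, 1, {}
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                     # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            # real class files use "modified UTF-8"; plain UTF-8 is fine for ASCII names
            raw[idx] = ("Utf8", data[pos + 2:pos + 2 + length].decode("utf-8"))
            pos += 2 + length
        else:
            raw[idx] = (tag, data[pos:pos + FIXED[tag]])
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1 # long/double occupy two slots
    pool = {}
    for i, (tag, val) in raw.items():
        if tag == "Utf8":
            pool[i] = val
        elif tag == 7:                   # CONSTANT_Class -> name_index
            (name_index,) = struct.unpack(">H", val)
            pool[i] = "class " + raw[name_index][1]
        else:
            pool[i] = (tag, val.hex())
    return major, pool

if __name__ == "__main__":
    print(parse_constant_pool(SAMPLE_CLASS))
```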

pwntools. pwntools is a CTF framework and exploit development library, written in Python. It is designed for rapid prototyping and development and is intended to make exploit writing as simple as possible. Follow the instructions at https://docs.pwntools.com/en/stable/install.html to install. Documentation is at https://docs.pwntools.com/en/stable/.

pwntools

32 Bit Stack Example

32 Bit Stack Example. Each stack entry is 4 bytes (32 bits). Function arguments are pushed onto the stack from right to left. The return address is pushed after the arguments. The function prologue of foo then saves EBP and adjusts ESP to allow room for local variables. EBP minus a value = local variable; EBP plus a value = argument.

64 Bit Stack Example

64 Bit Stack Example

64 Bit Stack Example. Each stack entry is 8 bytes (64 bits). Arguments are passed right to left using registers, until the RDI, RSI, RDX, RCX, R8, and R9 registers are used. Once all 6 of the mentioned registers have been used, any remaining arguments are passed left to right by pushing them on the stack. The function prologue saves RBP and adjusts RSP to create room for local variables.

GDB: print value at [ebp-0xff]. x/xw (int*)($ebp +/- 0xHexValue). x = examine memory; /xw = examine in hex, one word (4 bytes); (int*) = cast the expression to an int pointer; ($ebp +/- 0xHexValue) = the address to examine. Note: this could also be ($esp +/- 0xHexValue) or any address on the stack.
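The 32-bit and 64-bit stack slides and the x/xw command above, as an added Python model (not from the slides and not pwntools code): it lays out a cdecl frame for foo(a, b, c) the way the 32-bit slide describes, reads words back at EBP-relative offsets the way x/xw does, and shows which x86-64 arguments land in registers. STACK_TOP and all addresses and values are constructed for the example.

```python
import struct

STACK_TOP = 0xFFFFD000          # constructed starting ESP for the model
ARG_REGS_64 = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]

def call_frame_32(args, ret_addr, caller_ebp, local_vals):
    """Model a 32-bit cdecl call foo(*args) plus foo's prologue.
    Returns (ebp, esp, mem) where mem maps address -> 4-byte word."""
    mem, esp = {}, STACK_TOP

    def push(word):
        nonlocal esp
        esp -= 4                         # stack grows toward lower addresses
        mem[esp] = word & 0xFFFFFFFF

    for a in reversed(args):             # caller pushes args right to left
        push(a)
    push(ret_addr)                       # 'call foo' pushes the return address
    push(caller_ebp)                     # prologue: push ebp
    ebp = esp                            #           mov ebp, esp
    esp -= 4 * len(local_vals)           #           sub esp, <size of locals>
    for i, v in enumerate(local_vals):   # locals live below ebp
        mem[ebp - 4 * (i + 1)] = v & 0xFFFFFFFF
    return ebp, esp, mem

def x_xw(mem, addr):
    """Emulate  x/xw (int*)ADDR : one 4-byte word at addr, shown in hex."""
    return "0x%08x" % mem[addr]

def p32(word):
    """Little-endian packing of one 32-bit stack word (what pwntools' p32 does)."""
    return struct.pack("<I", word)

def place_args_64(args):
    """SysV x86-64: the first six integer args go in registers, the rest on
    the stack with the seventh argument nearest RSP."""
    regs = dict(zip(ARG_REGS_64, args))
    return regs, list(args[6:])

if __name__ == "__main__":
    ebp, esp, mem = call_frame_32([0x11, 0x22, 0x33], 0x08048500,
                                  0xFFFFD100, [0xDEAD, 0xBEEF])
    for off in (16, 12, 8, 4, 0, -4, -8):   # args above ebp, locals below
        print("ebp%+d: %s" % (off, x_xw(mem, ebp + off)))
    print(p32(ebp).hex(), place_args_64(list(range(1, 9))))
```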

GDB: print string at an address. x/100s ADDRESS. x = examine memory; /100 = count (number of strings to examine); s = examine as strings; ADDRESS = hex address to examine.

GDB: context Use the ‘context’ command to reopen pwndbg’s or peda’s context display.