Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reverse Engineering for CTFs

Published byNiina Maija-Leena Karjalainen Modified over 5 years ago

Similar presentations

Presentation on theme: "Reverse Engineering for CTFs"— Presentation transcript:

1 Reverse Engineering for CTFs
Unit 3:

2 Overview Homework questions? Java RE Pwntools Stack basics GDB

3 JAD Java Decompiler Jad is a command line utility for decompiling Java class files. Why can we decompile Java but not C/C++? Java is compiled into Java-bytecode which is then executed by the JVM. The byte code is closer to Java source than assembly is to C source code. Java class files contain metadata, whereas C files do not. To install ed).zip unzip Jad1.5.8eforLinux(statically linked).zip Run: ./jad file.class

4 Sample Java Code

5 Java Bytecode

6 pwntools pwntools is a CTF framework and exploit development library.
Written in Python. Designed for rapid prototyping and development intended to make exploit writing as simple as possible Follow the instructions at to install. Documentation at

7 pwntools

8 32 Bit Stack Example

9 32 Bit Stack Example Each stack entry is 4 bytes (32 bits)
Function arguments are pushed on the stack from right to left. The return address is pushed after the arguments. The function prologue of foo then saves the ebp and adjusts esp to allow room for local variables. EBP minus a value = local variable EBP plus a value = arguments

10 64 Bit Stack Example

11 64 Bit Stack Example

12 64 Bit Stack Example Each stack entry is 8 bytes (64 bits)
Arguments are passed right to left using registers, until the RDI, RSI, RDX, RCX, R*, and R9 registers are used. Once all 6 of the mentioned registers have been used, any remaining arguments are passed left to right by pushing them on the stack. Function prologue saves rbp and adjusts rsp to create room for local variables.

13 GDB: print value at [ebp-0xff]
x/xw (int*)($ebp +/- 0xHexValue) x = Examine memory /xw = Examine hex value of 1 word size (4 bytes) (int*) Cast value to an integer ($ebp +/- 0xHexValue) = The address to examine Note: this could also be ($esp +/- 0xHexValue) or any address on the stack.

14 GDP: Print string at an address
x/100s ADDRESS X = Examine memory /100 = Length to be examined s = Examine string ADDRESS = Hex address to be examined

15 GDB: context Use the ‘context’ command to reopen pwndbg’s or peda’s context display.

Download ppt "Reverse Engineering for CTFs"

Similar presentations

Calling sequence ESP.

Calling sequence ESP.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Object Code.

Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Object Code.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
1 Memory Model of A Program, Methods Overview l Memory Model of JVM »Method Area »Heap »Stack.

1 Memory Model of A Program, Methods Overview l Memory Model of JVM »Method Area »Heap »Stack.
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Memory & Storage Architecture Seoul National University GDB commands Hyeon-gyu School of Computer Science and Engineering.

Memory & Storage Architecture Seoul National University GDB commands Hyeon-gyu School of Computer Science and Engineering.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,

Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Carnegie Mellon 15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton D’Souza.

Carnegie Mellon Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton D’Souza.
Derived from x86 Assembly Registers and the Stack by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009.

Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009.
Carnegie Mellon 1 Odds and Ends Intro to x86-64 Memory Layout.

Carnegie Mellon 1 Odds and Ends Intro to x86-64 Memory Layout.
Assembly and Bomb Lab 15-213: Introduction to Computer Systems Recitation 4: Monday, Sept. 16, 2013 Marjorie Carlson Section A.

Assembly and Bomb Lab : Introduction to Computer Systems Recitation 4: Monday, Sept. 16, 2013 Marjorie Carlson Section A.
AMD64/EM64T – Dyninst & ParadynMarch 17, 2005 The AMD64/EM64T Port of Dyninst and Paradyn Greg Quinn Ray Chen

AMD64/EM64T – Dyninst & ParadynMarch 17, 2005 The AMD64/EM64T Port of Dyninst and Paradyn Greg Quinn Ray Chen

Similar presentations

Ads by Google