Project 5: Reverse-engineering


Tutor: Guillaume Didier guillaume.didier AT irisa.fr

Context

Understanding what a binary program does is essential for security researchers, as often you only have the compiled version of a piece of malware. Analysing and debugging binaries is thus a significant part of the work of people who study malware, who are trying to understand a bug in compiled code (e.g., for security purposes), or who want to understand what their program is being compiled into and why it is not behaving as expected.

This project, conceived as a series of challenges, will expose you to x86 assembly and to various tools used to analyze binaries.

Aim

The Evil Dr. Boom has planted a binary bomb in the computer system of the ENS. You are tasked with defusing the bomb by finding the correct passphrases for its various stages.

Once this is done you will then work on analyzing further malware samples.

This project will expose you to Intel assembly and to how common programming structures are translated into machine language.

ENS needs you; you are our only hope!

Logistics

You will be provided with a virtual machine on which the bomb is present, along with the other malware samples.

Please do NOT copy the malware out of the virtual machine. Please only run the bomb in the virtual machine.

You can find more details on how to defuse the bomb here: [PDF]

The two papers we provide describe automated tools. Compare what the tools can achieve with what manual analysis can achieve. What are the benefits and drawbacks of each approach?

Progression

You should first focus on the bomb, which is designed to be progressive and to teach you how the different C control flow structures are translated into assembly.

In order to do this you shall use gdb. We expect you to describe this part in the report. Better analysis tools will be introduced once you have e-mailed us your bomb lab solutions along with a description of how you analyzed the bomb.

Make a text file with the solution for your bomb, with each phase on a separate line.

Once you have fully solved it, send us the file and you will receive further instructions.

We’re bored

Once the bomb is defused, send Clémentine and Guillaume an email with the solutions, and further instructions will be provided for malware analysis using more advanced tools.

Bibliography

During the final presentation, you should summarize these two papers:

Here are other resources for more background information: