Reverse Analysis under Linux - A First Look
Dive into the intricacies of reverse analysis on Linux with fairycn, mastering tools like gcc, edb-debugger, and ghidra in UOS Home Edition 21.3, while delving into command parsing, debugging, and decompilation techniques.
Environment Information
System information: UOS Home Edition 21.3
Tools involved: gcc, edb-debugger, ghidra, radare2
Note: This is an English translation of an article I wrote earlier; if the meaning does not come through, I will provide a better translation in this article.
edb-debugger installation
# Install the build dependencies (enable developer mode first so that root privileges are available)
apt-get install git pkg-config cmake build-essential libboost-dev \
    libqt5xmlpatterns5-dev qtbase5-dev qt5-default libgraphviz-dev \
    libqt5svg5-dev libcapstone-dev
# Build and run (when you only intend to run edb-debugger from the build directory)
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir -p build
cd build
cmake ..
make
./edb
# Alternative: install system-wide for all users (run from the edb-debugger source directory, not from inside build/)
mkdir -p build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/ ..
make
make install
edb
Test code test.c
C:
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>   /* included by the original test program; not used by this code */

/* Build (assumed, the article does not show the command): gcc test.c -o hello
 * The string "test" ends up in the binary's read-only data; it is the target of the edits below. */
int main(void) {
    puts("test");
    return 0;
}
Basic information
You can use r2 -A ./hello to open the file to be analyzed. Command explanation: -A runs the "aaa" command, which analyzes all referenced code.
it // command explanation: compute the file's hash information
iI // command explanation: display the binary's header information
ii // command explanation: display the file's imports
iz // command explanation: list the strings in the data section
iE // command explanation: list exports (global symbols)
afl // command explanation: list functions
s main // seek to the address of main. Command explanation: to move around the file under analysis, change the current offset with the s command.
px // hex view at the current offset
pdf // disassemble the function at the current offset
pdf@main // @ runs the command at the named function instead of the current offset
agf // show the basic-block graph of the current function
View hex information for crucial addresses
Note: If a command cannot be entered, enter the v command to switch to the visual (graphical) interface.
Debugging
- Run after loading
Open the generated hello file in edb; it detects the program entry point and pauses there automatically.
Locate the address of the crucial data: 0x402004
- Jump to the corresponding address
Right-click in the disassembly area, select Goto Expression..., and enter the address.
Right-click to edit
In the hex view this location holds te, and the next line holds st.
Use the binary editor to change te to fe.
Return and see that the data has changed // right-click Goto RIP to return to the current instruction
Output Verification
Decompile check
Load the hello file in Ghidra, find the main function in the Functions folder of the Symbol Tree window, and click it.
Compared with the actual source, the decompiled pseudo-code is error-free and readable at the crucial locations.
Modify file
Note: It is recommended to make a backup of the original files involved before modifying
Write mode for analysis
Address of the crucial data: 0x402004
Check the references to this address
Original
Modification
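The edit made interactively in edb (te to fe at 0x402004) and the file modification in this section come down to the same operation: translate the virtual address to a file offset through the ELF program headers, confirm the expected bytes are there, and overwrite them in place. The script below is an added example, not code from the article; it builds a constructed minimal ELF64 image (not a real build of test.c) whose read-only segment holds "test" at 0x402004, so it runs offline.

```python
import struct

ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
ELF64_PHDR = "<IIQQQQQQ"           # Elf64_Phdr
PT_LOAD = 1

def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to its file offset via the PT_LOAD program headers."""
    ident, *f = struct.unpack_from(ELF64_EHDR, elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not a 64-bit ELF")
    e_phoff, e_phentsize, e_phnum = f[4], f[8], f[9]
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = \
            struct.unpack_from(ELF64_PHDR, elf, e_phoff + i * e_phentsize)
        # only addresses backed by file bytes can be patched on disk (not .bss)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"vaddr {vaddr:#x} is not backed by file data")

def patch_bytes(elf: bytes, vaddr: int, old: bytes, new: bytes) -> bytes:
    """In-place patch: same length only, and only if the old bytes are really there."""
    if len(old) != len(new):
        raise ValueError("in-place patch must keep the length")
    off = vaddr_to_offset(elf, vaddr)
    if elf[off:off + len(old)] != old:
        raise ValueError(f"bytes at {vaddr:#x} are not {old!r}")
    return elf[:off] + new + elf[off + len(old):]

def build_sample_elf() -> bytes:
    """Constructed image: headers at 0x400000, read-only segment at 0x402000 (file offset 0x2000)."""
    ehdr = struct.pack(ELF64_EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 0x3e, 1, 0x401000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    rodata = b"\0" * 4 + b"test\0"          # "test" lands at 0x402004
    ph_hdr = struct.pack(ELF64_PHDR, PT_LOAD, 4, 0, 0x400000, 0x400000, 176, 176, 0x1000)
    ph_ro = struct.pack(ELF64_PHDR, PT_LOAD, 4, 0x2000, 0x402000, 0x402000,
                        len(rodata), len(rodata), 0x1000)
    image = ehdr + ph_hdr + ph_ro
    return image + b"\0" * (0x2000 - len(image)) + rodata

if __name__ == "__main__":
    img = build_sample_elf()
    patched = patch_bytes(img, 0x402004, b"te", b"fe")
    print(patched[0x2004:0x2009])           # b'fest\x00'
```

Against a real hello binary, read the file into `elf`, keep a backup as the note above advises, and write the returned bytes to a new file.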
Testing
This is the end of the preliminary exploration section, we will meet again if we have the chance