Lab 6
Download the binary lab6-1 and copy it to your virtual machine.
Using IDA, reverse engineer the binary to determine the password.
This binary requires you to enter non-printable characters. To test this in IDA
Download the binary lab6-2 and copy it to your virtual machine.
Using IDA, reverse engineer the binary to determine the password.
You will need to write a Python function that serves as a 'decrypt' for the binary's 'encrypt' function.
Questions
What is the expected password for lab6-1? Explain how you were able to determine this.
What is the expected password for lab6-2? Explain how you were able to determine this.
Create a decrypt function in python for lab6-2.
Lab 7
For both of these binaries, you need to pass a crafted string as the command line argument to the binary. In these cases, you need to pass unprintable values (values that don't correspond to characters on the ASCII table). To do this, you need to leverage another binary or scripting language to print these characters. You can use any language of your choice (within reason) but I would recommend Python. Ultimately, you should be able to run your program like ./lab7-1 $(python2 lab7-1.py)
NOTE: You must disable address randomization in order for you to complete this lab. You can do this using the following command: sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space' - you will have to repeat this command every time you restart your virtual machine.
Part 1: lab7-1
Download the binary lab7-1 and copy it to your virtual machine.
Using IDA and/or gdb-peda, reverse engineer the binary to determine the argument that causes the 'correct' statement to be printed to screen.
[lab7-1.py] Write a script or source file that when run, prints the argument to standard out so that it can be passed as input to lab7-1.
Part 2: lab7-2
Download the binary lab7-2 and copy it to your virtual machine.
Using IDA and/or gdb-peda, reverse engineer the binary to determine the argument that causes the 'correct' statement to be printed to screen.
[lab7-2.py] Write a script or source file that when run, prints the argument to standard out so that it can be passed as input to lab7-2.
Questions
For lab7-1, describe how your input alters the execution path of the program.
For lab7-2, draw a diagram of the stack frame for the 'unsafe' function after the call to strcpy(). Highlight how your input alters the execution path of the program.
Lab 8
Setup
You will need to install some of the utilities included in radare2 (namely rasm2). Since we don't need the most 'up-to-date' version of Radare2 we can easily install with apt. Run the command: sudo apt-get install radare2
To check that you have the tools required run: rasm2
If everything is set up properly, you should see output like:
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
[-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-
Helper C Code
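/* example_runner.c: test harness for assembled shellcode */
int main(int argc, char **argv)
{
    /* Paste the byte string printed by rasm2 -C between the quotes. */
    char shellcode[] = "";
    /* Treat the buffer as a function and call it. */
    int (*func)();
    func = (int (*)()) shellcode;
    (int)(*func)();
    return 0;
}
// Assemble: rasm2 -a x86 -b 32 -f hello.asm -C
// Build:    gcc -m32 -z execstack example_runner.c -o shellcode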
Part 1: Hello World!
[lab8-1.asm] Write an assembly listing of shellcode that will write the string "System Calls are Cool!" to the file "/tmp/syscall.txt" using whatever means you deem necessary. (Good system call resource: System Calls Table w/ Arguments.)
Assemble your shellcode and test it in C to validate it works.
Part 2: No Nulls Allowed.
[lab8-2.asm] Write an assembly listing of shellcode that will spawn a shell (/bin/sh).
Modify your assembly listing to ensure that it would be injected properly if injected via the strcpy function.
Recall which bytes are not allowed for strcpy.
Questions
Which bytes are not acceptable?
Deliverables
Code files: lab8-1.asm, lab8-2.asm
Lab 11
Installation
This lab utilizes the Ghidra reverse engineering tool. To install the tool, we need to install both a Java runtime and Ghidra.
Please run the following commands:
sudo apt install default-jdk
wget
unzip ghidra_10.0.4_PUBLIC_20210928.zip
To run Ghidra, enter the unzipped ghidra directory and run the ghidraRun file:
cd ghidra_10.0.4_PUBLIC
./ghidraRun
Lab 11-1
Download lab11-1 and determine the necessary input to get the 'Correct' output. You will likely want to use a Python file for your input.
Lab 11-2
Download lab11-2 and determine the necessary input to get the 'Correct' output. This lab is almost certainly the hardest of the class. I recommend that you examine the different functions and flow of the program. Start at the end. What makes 'Correct' appear? What data is being compared against? How is user input manipulated and checked? Determine the operations that manipulate the input and write a Python program to reverse them (similar to the decrypt step in Lab 6).
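Added example (not part of the original lab sheet and not the routine in lab6-2 or lab11-2): the "work backwards" approach described here and in the Lab 6 decrypt step, shown on a hypothetical three-step byte transform. KEY, ROT, EXPECTED and all function names are constructed for illustration; the point is that decrypt applies the inverse of each step in the opposite order and is then checked by running the forward transform again.

```python
# Added illustration: a hypothetical transform, NOT the routine in lab6-2 or lab11-2.
import sys

KEY = b"\x5a\x13\xc7"   # constructed key bytes
ROT = 3                 # constructed rotate count

def rol8(b, n):
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b, n):
    """Rotate an 8-bit value right by n bits (inverse of rol8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def encrypt(plain):
    """Forward transform, as it might be read out of a disassembly."""
    out = bytearray()
    for i, b in enumerate(plain):
        b ^= KEY[i % len(KEY)]   # step 1: XOR with a repeating key
        b = (b + i) & 0xFF       # step 2: add the byte index, modulo 256
        b = rol8(b, ROT)         # step 3: rotate left
        out.append(b)
    return bytes(out)

def decrypt(cipher):
    """Inverse transform: undo step 3, then step 2, then step 1."""
    out = bytearray()
    for i, b in enumerate(cipher):
        b = ror8(b, ROT)         # undo step 3
        b = (b - i) & 0xFF       # undo step 2
        b ^= KEY[i % len(KEY)]   # undo step 1 (XOR is its own inverse)
        out.append(b)
    return bytes(out)

# Constructed stand-in for the table a program compares the transformed input to.
EXPECTED = encrypt(b"constructed-sample\x01\xff")

def recover_input(expected):
    """Derive the input from the comparison data and confirm it round-trips."""
    candidate = decrypt(expected)
    if encrypt(candidate) != expected:
        raise ValueError("inverse does not round-trip; a step was reversed wrongly")
    return candidate

if __name__ == "__main__":
    # Write raw bytes; print() would re-encode values above 0x7f in Python 3.
    sys.stdout.buffer.write(recover_input(EXPECTED))
```

If a step is not a bijection on bytes (for example an AND mask or a lossy shift), it has no single inverse, and each position has to be searched over the 256 candidate values instead.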
Questions
1. How does lab11-1 manipulate the data in the program? How did you determine the correct answer?
2. What operations are occurring in lab11-2? Describe the steps you took to arrive at your solution.
Deliverables
[lab11-1.py]: A Python file that, when run with lab11-1, will result in the correct output.
[lab11-2.py]: A Python file that, when run with lab11-2, will result in the correct output. This file should essentially work backwards from the provided data within the program. It is not acceptable to just print out the answer.