This website collects my attempts at reverse-engineering binaries – mostly crackmes and keygens – in an effort to learn more about a discipline I was interested in many years ago but gradually abandoned. Posts are listed in order of increasing complexity (kind of) as I find more difficult challenges to solve. To follow these posts with an RSS reader, use this feed.
The tools and techniques presented here are for educational purposes only; no commercial software is reversed, attacked, or disassembled in any way.
Please exercise caution when running unknown binaries, especially if they were made by people who are interested in bypassing software protections.
Docker image
I usually run unknown binaries in a Docker container with no network access, based on an image with a few different tools pre-installed.
The image is built from a short Dockerfile and includes the GDB dashboard tool, which is packaged as a standalone .gdbinit file and provides a great user interface for GDB. Download the GDB dashboard .gdbinit file from their GitHub project, and save the custom settings as gdbinit-re.local (the file the Dockerfile copies into /root/.gdbinit.d/):
FROM debian:stable
RUN apt-get update
RUN apt-get install -y libc6-i386 lib32stdc++6 binutils less man manpages-dev strace gdb \
    gdbserver gcc ltrace curl wget unzip xxd python3 vim-nox procps python3-pip \
    silversearcher-ag upx-ucl
RUN pip3 install pygments
# Dashboard
COPY .gdbinit /root/.gdbinit
# Custom settings
RUN mkdir /root/.gdbinit.d
COPY gdbinit-re.local /root/.gdbinit.d/
# Add non-root user
RUN mkdir -p /home/re && useradd -N -d /home/re -u 1001 -s /bin/bash re && chown re /home/re
CMD ["/bin/bash"]
To build the image and tag it as re-tools:
$ docker build -t re-tools .
I run it with SYS_PTRACE enabled and networking disabled, and with a local directory mounted to /re:
$ docker run --rm --network none --cap-add=SYS_PTRACE --privileged \
    --security-opt seccomp:unconfined -ti -v ~/reverse-engineering:/re re-tools
A command that's not included in the Dockerfile but that I have found useful is this echo to disable address space layout randomization (ASLR) inside the container:
# echo 0 > /proc/sys/kernel/randomize_va_space
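As an added example that is not part of the original page, the script below reports the current randomize_va_space setting, shows ASLR at work by comparing the stack base of two freshly started processes, and then disables ASLR for a single process with setarch -R rather than through the host-wide sysctl. It assumes a Linux /proc and the util-linux setarch command, which debian:stable provides.

```sh
#!/bin/sh
# Added example, not code from the original page. Assumes a Linux /proc and the
# util-linux `setarch` command (present in debian:stable).

# Current kernel.randomize_va_space value:
#   0 = ASLR off, 1 = stack/mmap/vDSO randomized, 2 = heap (brk) randomized too.
aslr_mode() { cat /proc/sys/kernel/randomize_va_space; }

# Read /proc/<pid>/maps text on stdin, print the start address of the [stack] mapping.
stack_base() { awk '/\[stack\]/ { split($1, a, "-"); print a[1]; exit }'; }

# Stack base of a brand-new process: `cat` is forked on every call, so while ASLR is
# on, two calls return two different addresses.
fresh_stack_base() { cat /proc/self/maps | stack_base; }

# Run one command with ASLR disabled for that process tree only (the ADDR_NO_RANDOMIZE
# personality flag), leaving the sysctl alone. kernel.randomize_va_space is not
# namespaced: `echo 0 > ...` inside a --privileged container turns ASLR off for every
# process on the host until it is reset.
run_no_aslr() {
    command -v setarch >/dev/null 2>&1 || { echo "setarch not found" >&2; return 1; }
    setarch "$(uname -m)" -R "$@"
}

# Exit status 0 when the two addresses match, 1 otherwise.
same_addr() { [ "$1" = "$2" ]; }

demo() {
    echo "kernel.randomize_va_space = $(aslr_mode)"
    a=$(fresh_stack_base)
    b=$(fresh_stack_base)
    if same_addr "$a" "$b"; then
        echo "two fresh processes share stack base $a: ASLR is off"
    else
        echo "stack bases $a and $b differ: ASLR is on"
    fi
    command -v setarch >/dev/null 2>&1 || return 0
    c=$(run_no_aslr cat /proc/self/maps | stack_base)
    d=$(run_no_aslr cat /proc/self/maps | stack_base)
    if same_addr "$c" "$d"; then
        echo "under setarch -R both runs got $c: fixed layout for this process only"
    fi
}

demo
```

setarch -R and GDB's default "set disable-randomization on" both rely on the personality() system call, which Docker's default seccomp profile rejects for this flag; the --security-opt seccomp:unconfined in the run command above is what lets them work inside the container.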
- Hopper Disassembler
- Binary Ninja
- Rizin, a fork of Radare2 (see also the Cutter UI which uses Rizin as its back end)
- Hex Fiend
Reference documents
- Table of system calls for x86_64 (and for x86)
- Intel® 64 and IA-32 Architecture Manual, volume II: Instruction Set
- AMD64 Architecture Manual, volume 3: general-purpose and system instructions
- ELF header format (Wikipedia)
This work is © Nicolas Favre-Felix, licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
You can reach me on Twitter, by email at firstname.lastname@example.org, or via Keybase.