About
This website collects my attempts at reverse engineering binaries – mostly crackmes and keygens – and the notes I took in the process, in an effort to learn more about a discipline I was interested in many years ago but gradually abandoned. Posts are listed in order of increasing complexity (kind of) as I find more difficult challenges to solve. To follow these posts with an RSS reader, use this feed.
The tools and techniques presented here are for educational purposes only. No commercial software is reversed, attacked, or disassembled in any way.
Please exercise caution when running unknown binaries, especially if they were made by people who are interested in bypassing software protections.
Disclaimer: challenge websites
Some of the binaries presented here come from challenge websites, which sometimes have leaderboards to track progress. Please respect the integrity of these challenges and use these resources responsibly for your own learning, not to undermine the spirit of these competitions. Cheating would not get you anywhere near the top of these leaderboards, since there are not enough solutions here for that, and it would entirely miss the point of these challenges. The goal is to practice and learn, not to score meaningless points.
Docker image
I usually run unknown binaries in a Docker container with no network access, based on an image with a few different tools pre-installed.
The image is built from a short Dockerfile and includes the GDB dashboard tool, which is packaged as a standalone .gdbinit file and provides a great user interface for GDB. Download the GDB dashboard .gdbinit file from their GitHub project, and the custom settings to save as gdbinit-re.local here.
FROM debian:11
RUN apt-get update
RUN apt-get install -y libc6-i386 lib32stdc++6 binutils less man manpages-dev strace gdb \
gdbserver gcc ltrace curl wget unzip xxd python3 vim-nox procps python3-pip \
silversearcher-ag upx-ucl
RUN pip3 install pygments
# Dashboard
COPY .gdbinit /root/.gdbinit
# Custom settings
RUN mkdir /root/.gdbinit.d
COPY gdbinit-re.local /root/.gdbinit.d/
# Add non-root user
RUN mkdir -p /home/re && useradd -N -d /home/re -u 1001 -s /bin/bash re && chown re /home/re
CMD ["/bin/bash"]
To build the image and tag it as re-tools:
$ docker build -t re-tools .
I run it with SYS_PTRACE enabled and networking disabled, and with a local directory mounted to /re:
$ docker run --rm --network none --cap-add=SYS_PTRACE --privileged \
--security-opt seccomp:unconfined -ti -v ~/reverse-engineering:/re re-tools
Note that --privileged already grants every capability and disables the default seccomp profile, so the two flags before it are redundant; it also removes much of the isolation between the container and the host, leaving --network none as the main barrier around the unknown binary. For gdb alone, --cap-add=SYS_PTRACE together with an unconfined (or ptrace-permitting) seccomp profile is sufficient.
In some cases I have also found it useful to disable address space layout randomization (ASLR) inside the container (see also this page explaining the feature):
# echo 0 > /proc/sys/kernel/randomize_va_space
This sysctl is not namespaced: writing to it (which the --privileged flag above makes possible, as /proc/sys is read-only in an unprivileged container) disables ASLR for every process on the host, not just inside the container, until it is set back to 2. For a single debuggee, gdb already disables randomization by default (set disable-randomization on), and setarch $(uname -m) -R ./binary does the same for a program started outside gdb.
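As an added check, not part of the original page, here is a short script to run inside the container that verifies the effects of the flags above by reading the kernel's own view (capability mask, ASLR sysctl, network interfaces); it assumes a Linux kernel exposing /proc and /sys, and the constructed CapEff values in the comments follow Docker's default capability layout.

```shell
#!/bin/sh
# Sanity checks for the re-tools sandbox: each function takes its input as an
# argument so it can be exercised with constructed values; sandbox_report
# feeds them the live values from /proc and /sys.

# CAP_SYS_PTRACE is capability bit 19 of the CapEff mask in /proc/self/status,
# i.e. the value-8 bit of the fifth hex digit from the right. Returns 0 (true)
# when the capability is present, e.g. for 00000000a80c25fb but not for the
# Docker default 00000000a80425fb (both constructed examples).
cap_has_ptrace() {
    mask=$1
    [ ${#mask} -ge 5 ] || return 1
    pos=$(( ${#mask} - 4 ))
    nibble=$(printf '%s' "$mask" | cut -c "$pos")
    [ $(( 0x$nibble & 8 )) -ne 0 ]
}

# Map the value of /proc/sys/kernel/randomize_va_space to a readable label.
aslr_label() {
    case $1 in
        0) echo disabled ;;
        1) echo "stack/mmap/vdso only" ;;
        2) echo full ;;
        *) echo unknown ;;
    esac
}

# Count network interfaces other than loopback under a sysfs-style directory;
# with --network none the live count under /sys/class/net is 0.
non_loopback_ifaces() {
    n=0
    for dev in "$1"/*; do
        [ -e "$dev" ] || continue
        [ "$(basename "$dev")" = lo ] || n=$((n + 1))
    done
    echo "$n"
}

sandbox_report() {
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if cap_has_ptrace "$capeff"; then echo "ptrace:  allowed"
    else echo "ptrace:  missing (gdb will not be able to attach)"; fi
    echo "ASLR:    $(aslr_label "$(cat /proc/sys/kernel/randomize_va_space)")"
    echo "network: $(non_loopback_ifaces /sys/class/net) non-loopback interface(s)"
}

# Run the report only when invoked as "sh sandbox-check.sh report".
if [ "${1:-}" = report ]; then sandbox_report; fi
```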
Reverse engineering software
I use the following software for reverse engineering. Some need a license, but if you are looking for a free option I would highly recommend Ghidra.
- Ghidra (Free software, multi-platform)
- Hopper Disassembler (Commercial with free trial, macOS and Linux)
- Binary Ninja (Commercial with free trial, multi-platform)
- Radare2 (Free software, multi-platform)
- Hex Fiend (Free software, macOS only)
Reference documents
- Table of system calls for x86_64 (and for x86)
- Intel® 64 and IA-32 Architecture Manual, volume II: Instruction Set (see also the full list of Intel manuals)
- AMD64 Architecture Manual, volume 3: general-purpose and system instructions
- ELF header format (Wikipedia)
This work is © Nicolas Favre-Felix, licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
You can reach me on Twitter, Mastodon, or by email at n.favrefelix@gmail.com.