This writeup covers an approach to solving the TryHackMe challenge –
There is a binary that needs to be reversed and understood: why and how it works, and how to get around it.
What is Reverse Engineering?
Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accomplishes a task with very little (if any) insight into exactly how it does so. It is essentially the process of opening up or dissecting a system to see how it works, in order to duplicate or enhance it. Depending on the system under consideration and the technologies employed, the knowledge gained during reverse engineering can help with repurposing obsolete objects, doing security analysis, or learning how something works.
Wikipedia
Downloading the file and doing some simple reconnaissance, we get the following –
Running the file gives us the following –
We can see that the file type is reported as “MSB unknown arch 0x3e00 (SYSV)“. This suggests that the binary has been obfuscated (the architecture field is being read in the wrong byte order). Now, how can we de-obfuscate this?
The obfuscation plays with the Linux ELF format. Some bytes in the ELF file header can be changed without changing how the program normally runs. For example, you can make it seem like your executable is 32 bits even though it’s really 64 bits. You can also say that your binary is made for a big-endian platform, even if that’s not true. [Reference]
Now, what can we do? The relevant bytes of the ELF identification header are:
- The 5th byte defines the format: 32 bits (1) or 64 bits (2)
- The 6th byte defines the endianness: LSB (1) or MSB (2)
Now, opening the file in hexedit to view the raw bytes –
We can see that the 5th byte is 0x02, denoting that it is a 64-bit file. But the 6th byte appears to have been altered to 0x02 (MSB), which does not match an x86-64 binary. Changing the 6th byte from 0x02 to 0x01 and saving it.
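As an added illustration (not part of the original writeup and not the challenge binary), the script below builds a constructed 64-byte ELF64 header whose 6th byte falsely claims big-endian, shows why `file` then reads the x86-64 machine code 0x3e as 0x3e00, and applies the same one-byte fix that the hexedit step performs. The `patch_file` helper is a hypothetical convenience for doing the fix on a real file path.

```python
import struct

# Offsets into the ELF identification block (e_ident), per the ELF specification.
ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4   # 5th byte: 1 = ELFCLASS32 (32-bit), 2 = ELFCLASS64 (64-bit)
EI_DATA = 5    # 6th byte: 1 = ELFDATA2LSB (little-endian), 2 = ELFDATA2MSB (big-endian)
E_MACHINE_OFFSET = 18  # e_machine is the 2-byte field right after e_type
EM_X86_64 = 0x3E


def build_sample_header(ei_data: int) -> bytes:
    """Construct a minimal ELF64 header (sample data, NOT the challenge binary).

    Every multi-byte field is written little-endian, as in a genuine x86-64
    executable, no matter what the EI_DATA byte claims.
    """
    e_ident = ELF_MAGIC + bytes([2, ei_data, 1, 0, 0]) + b"\x00" * 7
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIQQQIHHHHHH",
                       2, EM_X86_64, 1, 0x401000, 64, 0, 0,
                       64, 56, 1, 64, 0, 0)
    return e_ident + rest


def describe(header: bytes) -> dict:
    """Interpret the header the way `file` does: trust EI_DATA for byte order."""
    if header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls = {1: "32-bit", 2: "64-bit"}.get(header[EI_CLASS], "invalid")
    data = {1: "LSB", 2: "MSB"}.get(header[EI_DATA], "invalid")
    endian = ">" if header[EI_DATA] == 2 else "<"
    (e_machine,) = struct.unpack_from(endian + "H", header, E_MACHINE_OFFSET)
    return {"class": cls, "data": data, "e_machine": e_machine}


def fix_endianness(header: bytes) -> bytes:
    """Return a copy with the 6th byte forced to LSB (0x01): the hexedit step."""
    patched = bytearray(header)
    patched[EI_DATA] = 1
    return bytes(patched)


def patch_file(src: str, dst: str) -> dict:
    """Hypothetical helper: read an ELF, fix EI_DATA, write the result, report it."""
    with open(src, "rb") as f:
        blob = f.read()
    fixed = fix_endianness(blob)
    with open(dst, "wb") as f:
        f.write(fixed)
    return describe(fixed[:64])


if __name__ == "__main__":
    obfuscated = build_sample_header(ei_data=2)
    print("before:", describe(obfuscated))   # e_machine reads as 0x3e00 -> "unknown arch"
    print("after: ", describe(fix_endianness(obfuscated)))  # e_machine 0x3e -> x86-64
```

The "before" line reproduces the `unknown arch 0x3e00` symptom: the bytes `3e 00` are correct for x86-64, but because the header claims big-endian they are decoded as 0x3e00. Flipping the single EI_DATA byte makes every other field decode correctly again, which is why the program itself ran fine all along.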
We have clearly de-obfuscated the file. Now, let us spin up Ghidra and see what the program actually does.
We can see that FUN_00101165 is the function responsible for the output the program showed us.
We can see 3 variables are declared –
These are hex strings as well. Now, decoding them gives us –