
CylabAcademy (picoCTF challenge) | Reverse Engineering
RAMESH
0 followers

In this challenge I experience Debugging without Ghidra, Whenever before that I tries to solve reverse engineering puzzle my mostly used tools are GDB (GNU Debugger) and Ghidra. I did always use Ghidra to get pseudo code from machine language, then try to explore runtime activities inside that using GDB.
But In this challenge I feel helpless without GDB and Ghidra. I have to reverse engineer binary file bypassme.bin within from server itself using tool LLDB (Low Level Debugger). So first I start from reading about LLDB and how does it different from GDB.
As I previously know commands for GDB while debugging, now I want to know commands used for LLDB and below are list of those commands:
lldb bypassme.binimage lookup -r -n .disassemble --name <main>di --pc --count <N>s # step one code linen # step one code line, but not goes inside function calledsi # single instruction stepni # single instruction step, without goinh inside function called
In machine language, when a function is called it's argument are passed into specific registers. $RDI always hold first argument value for function, same as $RSI second argument value and third value are stored at $RDX register. If we are calling any syscall then $RAX register will hold syscall number (e.g. 0 for read).
Now as we can see in out disassemble code of main function it's first called function are decodepassword, which seams suspicious to me. Also we can see that $RAX register moves it's value to $RDI register just before function call, that means $RDI are used as buffer to store some value. To find that what value are stored inside $RDI after function called we use step commands to came control flow of execution to main+55 then read register using these commands:
memory read $rdi
As we can see that $rdi address value are SuperSecure, this seams like a password, then I try this and access granted!!

Some other commands I used while analyzing binary:
settings set target.x86-disassembly-flavor inteltarget stop-hook adddi -p -c 10register readThank You!!!