
Reverse Engineering and Malware Analysis are now becoming fields of growing research. Here’s a jump start for all of you interested in Reverse Engineering.

I’ll be using the GNU Debugger (GDB) for this tutorial. There are other tools out there (which might make the task easier) like IDA, radare2 etc that can be used too!

In this tutorial, we will be reversing a C program that uses the strcmp function to validate user input.

Here’s the snapshot of the code:

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char flag[] = "catchmeifyoucan";   /* the string the input is checked against */

    /* guard against running with no argument, otherwise argv[1] is NULL and strcmp crashes */
    if (argc < 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }

    if (strcmp(argv[1], flag) == 0) {
        printf("Correct!\n");
    }
    else {
        printf("Try Again xP\n");
    }
    return 0;
}

Compile the code using gcc -o stringcmp stringcmp.c

Let’s now fire up GDB using: gdb stringcmp

Before starting, we switch the disassembly syntax to Intel for better readability:

set disassembly-flavor intel

Next, we list all the functions present in this binary:

info functions

Among all the functions, main is the only one we need to concentrate on:

disassemble main

The assembly code for the main function will be dumped. We can see the strcmp function call at address 0x40063c (the address might be different in your case):

0x000000000040063c <+79>: call   0x4004e0 <strcmp@plt>

To examine the state of the program at that address, we set a breakpoint on the strcmp call instruction: b *0x40063c

Now we run the program with some sample input, run helloworld, and once the breakpoint is hit we check the state of the registers with info registers.

From the assembly, it can be noted that the user input (from the command line arguments) is stored in the rax register, and that strcmp compares the rax register with the rdx register, which means the rdx register must contain the required string. On examining both registers (rax and rdx), we get the required input!

After deleting the breakpoint and running the program again from GDB with that string as the argument, we see the Correct! response.
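The break-and-inspect steps above can be scripted so they do not depend on the hard-coded 0x40063c address. This is an added example, not from the original post; it assumes the stringcmp binary was compiled as shown and sits in the current directory, breaks on the PLT symbol strcmp@plt, and reads the arguments from rdi and rsi (where the x86-64 System V calling convention passes the first two arguments), alongside the rax and rdx registers the post inspects.

```gdb
# strcmp_break.gdb  (added example, not part of the original post)
# Run with:  gdb -q -batch -x strcmp_break.gdb
set disassembly-flavor intel
set pagination off

# assumption: the binary from the post, compiled with gcc -o stringcmp stringcmp.c
file ./stringcmp

# break on the PLT stub instead of a fixed address so the script survives relinking/PIE
break strcmp@plt
commands
    silent
    # x86-64 System V ABI: first argument in rdi, second in rsi
    printf "strcmp() first argument  (rdi): "
    x/s $rdi
    printf "strcmp() second argument (rsi): "
    x/s $rsi
    # at -O0 gcc loads the operands into rax/rdx first and copies them into rdi/rsi,
    # which is why the post reads the strings from these two registers
    printf "rax: "
    x/s $rax
    printf "rdx: "
    x/s $rdx
    continue
end

# same sample input as the post; the program itself still prints "Try Again xP"
run helloworld
quit
```

The second line of output is the string the program expects, so a second run with that value as the argument prints Correct!.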

Hope you learnt something out of this!
