
VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY

UNIVERSITY OF INFORMATION TECHNOLOGY

SYSTEMS PROGRAMMING LAB


LAB 3: REVERSE ENGINEERING BASICS
REQUIREMENT 1: OBJECTIVES OF THE LAB

1 Introduction
This lab familiarises students with Intel x86 assembly language and with
simple reverse engineering (RE) techniques.
Lab requirements:
This lab is adapted from the Bomb Lab assignment of CMU (USA). It is
relatively difficult and will take real effort from students. The knowledge
needed to solve it includes:
- All of the x86 assembly material in chapter 3 of Computer Systems: A
Programmer's Perspective (CSAPP).
- How to use a disassembler/debugger: GDB, OllyDbg, Immunity Debugger or
IDA. IDA is recommended.
- Remote debugging from a desktop machine with IDA.
During the lab session the instructor gives a brief walkthrough of installing
and getting started with the IDA disassembler and of remote debugging from the
desktop. Students will still need to study further on their own to finish the
lab.
Students follow the instructions and record their answers in a file named
MSSV_LTHTLab3.docx (MSSV = student ID).

2 Lab content
2.1 Bomb defusing game
CMU built this game from the material in chapter 3 of CSAPP. A pre-built
program behaves like a computer "bomb". The bomb has 6 phases, and each phase
needs its own specific input to be defused. If the input is wrong, the bomb
explodes and the game is over.
To match the level of UIT students, the compiler of this lab regrouped the
phases as follows:
Basic phases: phases 1, 2 and 3
Moderately hard phases: phases 4 and 5
Very hard phase: phase 6
The difficulty of each phase is rated with asterisks (*):
Phase 1: *
Phase 2: **
Phase 3: ***
Phase 4: *****
Phase 5: ****
Phase 6: ******
In this lab students solve each phase of the bomb by running the bomb
executable and record the answers in a text file.
2.2 Running the file and solving the phases
Attached to this lab is a Linux ELF executable named bomb.
Use the file command on Linux to view the ELF information of the file.
Use chmod to make the file executable (the handout grants r, w and x to
everyone with chmod 777; chmod +x bomb is sufficient).
Use strings to skim the readable content of the file; the format strings and
phase strings it contains are the first hints about the expected inputs.
Downloading IDA and setting up remote debugging:
Download IDA Pro 6.6 from the following link:
https://www.dropbox.com/s/klhyb93a1wmk26y/IDAPro6.6full.7z?dl=0
Extract it and copy the IDAPro6.6full folder to C:\Program Files\
Open the IDAPro folder, go to the dbgsrv subfolder and copy the files
linux_server and linux_serverx64 into the directory that holds the bomb file on
the Linux machine.
On the Linux machine, cd into the directory containing those 3 files and run:
chmod 777 *
./linux_server
Copy the bomb file to the Windows machine running IDA. On the Windows machine,
start the 32-bit IDA (the bomb is a 32-bit ELF, and linux_server is the 32-bit
debug server). In the IDA Quick Start window choose New and pick the bomb file.
On the menu bar choose Debugger / Select debugger and pick Remote Linux
Debugger.
Press Start process (the green arrow). A dialog asks for the Linux debugger
connection details; fill it in as shown in the figure.
In Hostname enter the IP address of the Linux machine. The Password field is
the password the debug server was started with (linux_server -P <password>);
if linux_server was started without one, as above, leave it blank. It is not
the Linux login password. Then press OK. IDA now connects to linux_server on
the Linux machine and debugs the bomb through it.
From this point on students must study IDA and assembly language further on
their own to complete the lab. The lab is graded as follows:
Phase 1: 2 points
Phase 2: 2 points
Phase 3: 3 points
Phase 4: 1 point
Phase 5: 1 point
Phase 6: 1 point

Related information:

Remote debugging guide by Dang Minh Tri, class ANTN2012:
https://www.youtube.com/watch?v=Lh2TXlyrSIM
IDA usage guides:
The following two books are recommended:
Basic level: the IDA chapter in Practical Malware Analysis
Advanced level: The IDA Pro Book

For assembly language, see the book Practical Reverse Engineering.
REQUIREMENT 2: EXECUTION

1. Preparation
- IDA 6.6
- The Bomb Lab files: the bomb executable (no source code is provided; the
binary itself is what is analysed)
- A Windows machine running IDA, used for debugging
- A Linux virtual machine holding the bomb executable.

2. Execution
2.1 Setting up the environment

- Copy the bomb executable into a chosen directory on the Linux virtual
machine.
- In the IDA installation directory on Windows (usually C:\Program Files\ or
C:\Program Files (x86)), open the dbgsrv folder and copy the two files
linux_server and linux_serverx64 into the same directory as the copied bomb
file.
- In the directory holding the bomb and the IDA server files, run:
chmod 777 *
./linux_server
- Start the 32-bit IDA and open the bomb file. Select Remote Linux Debugger as
the debugger, with the address of the Linux virtual machine as the host; if
linux_server was started with a password (-P), enter it in the Password field,
otherwise leave it blank.

2.2 Solving the phases

First run the bomb on Linux: running it shows that it expects an input. Since
we do not yet know what the input must look like, the program reports a wrong
answer and exits.
After opening the bomb in IDA, open View -> Open subviews -> Functions to show
the window listing the functions in the file. Programs usually start from a
function named start or main, so we look at those first.

The Flow Chart of the function (View -> Graphs -> Flow chart) makes it easier
to follow. We then debug to understand how the function works.
On the Linux virtual machine used for debugging, run linux_server so that it
starts listening for a connection:

In the assembly of main, click the first instruction of the function, at
address 0x080489B0, and set a breakpoint there.
The Ubuntu virtual machine then receives the connection and the bomb is
executed:

In IDA, use the step icon on the debugger toolbar to step through main line by
line. We run up to the line that printed the banner seen in the earlier test
run: Welcome to my fiendish little bomb. You ...
Here main calls read_line to read one line of input from the user and places
its address in %eax before calling phase_1. So main reads an input from the
user and passes it as the argument to phase 1. In the same way main reads
another line for each of the other phases and passes it on. If a phase returns
normally, main calls phase_defused(), the function that is called when a phase
has been solved. The task, therefore, is to find inputs that make each phase
return normally instead of reaching explode_bomb.
Phase 1
There is a function named phase_1; this is the code of phase 1. Double-click
the function name to show its assembly.

From the analysis of main above, the argument passed to phase_1 is the address
of a character array (the input line). From the assembly we get the following:
- The address of the user's input is loaded into %eax.
- The address of the input and the address of the program string
aPublicSpeaking are pushed onto the stack before calling strings_not_equal;
they are the arguments of that function.
- The behaviour of strings_not_equal can be read as pseudocode by selecting
the function and pressing F5: it returns 1 if the two strings differ and 0
otherwise.

The entered string is compared with "Public speaking is very easy.". If the
strings differ the bomb explodes; otherwise the function returns and the next
phase runs.

Since the assembly is fairly hard to follow, press F5 again to view the
pseudocode of phase_1:

So the input for phase 1 is: Public speaking is very easy.

Check the result:
Phase 2
As for phase 1, find phase_2 and view its assembly:

Its Flow Chart is as follows (the task is to avoid every branch that leads to
explode_bomb):
Looking at the assembly, after the input string is passed to the phase,
phase_2 first calls read_six_numbers() with the input string in %eax. Looking
at the code of that function (double-click its name) we see:
Using sscanf, read_six_numbers reads 6 integers from the input string (format
"%d %d %d %d %d %d") and stores them at consecutive addresses from edx to
edx + 0x14, where edx is the address of the array that receives the numbers
(6 ints of 4 bytes each).
So an array of 6 integers must be entered, and we need to find their values.
Before read_six_numbers is called, the two values in %eax and %edx are pushed
onto the stack; they are the function's arguments (the input string and the
destination array). The destination array is at ebp+var_18.

Next, a cmp compares the first number with 1; if it differs the bomb
explodes, so the first number must be 1. We therefore debug again with 1 as
the first number to see what happens next:

Debugging this part of the code shows the following for i from 1 while i <= 5:
- compute (i + 1) * a[i - 1] into eax
- compare eax with a[i]
- if they differ, jump to explode_bomb; if equal, continue the loop
This gives the rule: a[k] = a[k-1] * (k+1) for k from 1 to 5, with a[0] = 1,
so the elements are:
- a[0] = 1
- a[1] = a[0] * (1 + 1) = 1 * 2 = 2
- a[2] = a[1] * (2 + 1) = 2 * 3 = 6
- a[3] = a[2] * (3 + 1) = 6 * 4 = 24
- a[4] = a[3] * (4 + 1) = 24 * 5 = 120
- a[5] = a[4] * (5 + 1) = 120 * 6 = 720
So the sequence to enter is: 1 2 6 24 120 720 (the factorials 1! to 6!)
Check the result:

Phase 3
The method used for the two previous phases does not work here: IDA cannot
produce pseudocode for phase_3 (a likely reason is given at the end of this
phase).

Instead we debug the assembly of this phase line by line. Select phase_3
(double-click) to get its assembly:
Note the instruction at address 0x08048BB1, which loads a format string of the
form "%d %c %d" before calling sscanf(); from this we can guess that the input
of phase_3 is a triple: an integer, a character and an integer. Set a
breakpoint at the start of phase 3 and start debugging:

The Linux virtual machine reports a connection from the Windows machine
debugging the bomb. We enter the answers found for phases 1 and 2, and for
phase 3 we try an arbitrary triple of the form: integer n1, character c,
integer n2.
Back in IDA the debugging session starts and we trace the assembly line by
line to see what it does with the input we entered.
Note the part that loads the addresses of several stack slots into %eax and
pushes them onto the stack of phase_3: these are the addresses of the
variables that sscanf() fills from the input, pushed in this order:
- n2 is stored at ebp+var_4
- c is stored at ebp+var_5
- n1 is stored at ebp+var_C
These locations are useful in the analysis that follows.

Continuing after the input has been read: a cmp compares the value at
ebp+var_C, that is n1, with 7, and if it is greater execution jumps to another
address. We entered n1 = 5, so execution continues: n1 is loaded into %eax and
used in an indirect jump involving off_80497E8.
To understand this operand, double-click it: it is a jump table holding the
case addresses of a switch statement on n1. There are 9 cases in all for the
first number, one of which is the default case that always explodes.

From this we can guess that the outcome of the phase depends on the first
number entered. Continuing to debug with n1 = 5 we reach this code:

The value 0x74 is moved into bl, the low byte of %ebx. Then the value at
ebp+var_4, that is n2, is compared with 0x1CA = 458; jz jumps if the cmp set
ZF = 1, i.e. if the difference is 0, i.e. if n2 = 458. In this test run we
entered n2 = 1, so the comparison fails and the bomb explodes.
We debug again with the values found so far as the phase 3 input: n1 = 5,
n2 = 458.

Debugging up to the same code, this time jz is taken and we reach the
following code:
Here the value at ebp+var_5, that is the character c, is compared with bl, the
low byte of %ebx. From the previous run we know that value is 0x74, the
character 't' in ASCII. jz is taken if they are equal; otherwise the bomb
explodes, so 't' is the character to enter.
So the triple to enter is: 5 t 458.
This phase has several switch cases depending on the first integer entered, so
there are several correct answers; the switch compiled to an indirect jump
through the table off_80497E8 may also be why IDA 6.6 cannot produce
pseudocode for phase_3.
Check the result:

In the same way the other valid cases can be found:
- 0 q 777
- 1 b 214
- 2 b 755
- 3 k 251
- 4 o 160
- 5 t 458
- 6 v 780
- 7 b 524
Phase 4
Select phase_4 in the function list to view the assembly of this phase.
With the format "%d" passed to sscanf(), the input is a single integer.
The number read is then compared with 0; if it is less than or equal to 0,
explode_bomb is called.

So the first condition on the input is that it is a positive integer. The
phase then calls another function, func4(), with the entered number as its
argument, and requires the return value to be 55 (0x37).
Double-click to view the code of func4().

func4() is a recursive function whose result depends on its integer argument
a1:
- if a1 <= 1 the result is 1;
- if a1 > 1 the result is func4(a1 - 1) + func4(a1 - 2) (a Fibonacci sequence).
To find the a1 with result 55, compute func4 for increasing a1, for example:
- a1 = 1 -> 1, a1 = 2 -> 2, a1 = 3 -> 3
- a1 = 4 -> 5, a1 = 5 -> 8, a1 = 6 -> 13
- a1 = 7 -> 21, a1 = 8 -> 34, a1 = 9 -> 55
So the required a1 is 9; this is the input for this phase. The search for a1
can also be automated as follows:
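The following script is an added example and is not the lab's own automation
script or code from the bomb: it re-implements func4 from the recursion
described above (assumed to be exactly as the pseudocode states), replays the
positive-integer check of phase_4, and searches for the input that returns 55.
Because func4 is non-decreasing for a1 >= 1, the search stops as soon as the
value passes the target, so an unreachable target is reported instead of
looping forever.

```python
from functools import lru_cache


@lru_cache(maxsize=None)
def func4(a1: int) -> int:
    """Recursion recovered from the func4 disassembly (assumed exact):
    1 for a1 <= 1, otherwise func4(a1 - 1) + func4(a1 - 2)."""
    if a1 <= 1:
        return 1
    return func4(a1 - 1) + func4(a1 - 2)


def phase4_check(n: int) -> bool:
    """Mirror phase_4: the input must be positive (cmp with 0 / jle
    explode_bomb) and func4(n) must equal 55 (0x37)."""
    if n <= 0:
        return False
    return func4(n) == 55


def find_phase4_input(target: int = 55, limit: int = 64):
    """Try positive inputs in increasing order. func4 never decreases for
    a1 >= 1, so the first value reaching the target is the answer, and once
    the sequence passes the target no larger input can match."""
    for a1 in range(1, limit):
        value = func4(a1)
        if value == target:
            return a1
        if value > target:
            break
    return None


if __name__ == "__main__":
    print("func4 table:", [(a1, func4(a1)) for a1 in range(1, 10)])
    print("phase 4 answer:", find_phase4_input())
```

Run it with python3; the table it prints is the one worked out by hand above,
and the answer is 9.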
Check the result:

Phase 5
Select phase_5 and press F5 to view its pseudocode:
The input is the address of a character array, and the comparison against
string_length shows that this array a1 must contain exactly 6 characters. The
phase uses an array named array_123; double-click the name to view its data:

Decoding the bytes as ASCII gives array_123 = "isrveawhobpnutfg".

Analysing the while loop, with a1 the address of the input array:
- (v1 + a1), with v1 an integer index, points to a1[v1]; the value of that
element is ANDed with 0xF, which keeps only its lowest 4 bits.
- The result, a 4-bit integer (0 to 15), is used as an index into array_123.
- The characters fetched from array_123 are stored one by one into the array
v3.
The phase requires v3 to equal "giants".
To obtain "giants", the indices of the characters to fetch from array_123 are,
in order: 15 (0xF) 'g', 0 (0x0) 'i', 5 (0x5) 'a', 11 (0xB) 'n', 13 (0xD) 't',
1 (0x1) 's'. Because of the AND with 0xF these are also the low 4 bits that the
six input characters must have. Since the code uses only the low 4 of the 8
bits of each character, many strings satisfy the requirement, for example
O@EKMA (0x4F 0x40 0x45 0x4B 0x4D 0x41) or the lowercase opekma (0x6F 0x70 0x65
0x6B 0x6D 0x61).
The search for a 6-character string that passes the check can be automated as
follows (characters from decimal value 32 upwards are printable); a string made
by picking any one character from each row of the output satisfies the check.
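The script below is an added example, not the lab's own automation script and
not code from the bomb. It simulates the lookup loop of phase_5 on the table
array_123 read above, derives the low nibble each input byte must have, and
enumerates the printable candidates per position. Space (32) is deliberately
left out of the candidate range so that every generated answer is a single
token; the check itself accepts it.

```python
from itertools import product

ARRAY_123 = "isrveawhobpnutfg"   # 16-byte table recovered from the binary
TARGET = "giants"


def phase5_transform(s: str) -> str:
    """Mirror the while loop in phase_5: keep the low nibble (& 0xF) of each
    input byte and use it as an index into ARRAY_123."""
    return "".join(ARRAY_123[ord(ch) & 0xF] for ch in s)


def phase5_check(s: str) -> bool:
    """string_length must be 6 and the transformed string must equal TARGET."""
    return len(s) == 6 and phase5_transform(s) == TARGET


def required_nibbles(target: str = TARGET) -> list:
    """Index of each target character in ARRAY_123, i.e. the low nibble that
    the corresponding input byte must carry."""
    return [ARRAY_123.index(ch) for ch in target]


def candidates_per_position(target: str = TARGET, lo: int = 33, hi: int = 126):
    """For each position, every printable character (space excluded) whose
    low nibble equals the required index."""
    return [
        [chr(c) for c in range(lo, hi + 1) if (c & 0xF) == nib]
        for nib in required_nibbles(target)
    ]


def all_solutions(target: str = TARGET):
    """Every string obtained by picking one candidate per position."""
    return ["".join(p) for p in product(*candidates_per_position(target))]


if __name__ == "__main__":
    for pos, row in enumerate(candidates_per_position()):
        print(pos, "".join(row))
    print(len(all_solutions()), "printable solutions, e.g.", all_solutions()[0])
```

Each printed row lists the characters allowed at that position; the
well-known answers O@EKMA and opekma both appear in the enumeration.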
Check the result:

Phase 6
Select phase_6 and view the pseudocode of phase 6:
Via read_six_numbers(), analysed in phase 2, the input consists of 6 integers,
stored in the array v14.
The first do-while loop does the following:
- checks whether (number - 1) is greater than 5, i.e. whether the number lies
outside 1..6; if so, the bomb explodes;
- compares each number with all the numbers after it; if any two are equal,
the bomb explodes.
So the input is 6 distinct integers between 1 and 6, i.e. a permutation of
1..6.
The next part of the code uses an operand &node1; double-click this name to
view its data. It is a global variable of the program, and next to it are
similar variables named node2, node3, node4, ...

Since the following code is fairly complex, we debug it to see what the
program actually does. Set a breakpoint on the first instruction of phase_6
(remove the breakpoints set earlier). On the Linux virtual machine enter, as
this phase's input, the integers 1 to 6 in any order.
Since the input was derived from the first part of the code, that part will
certainly not explode the bomb; we only step through the later code (from line
32 on).

That do-while loop does the following:
- loads the address of node1 into the variable v4;
- in the i-th iteration of the do-while, runs a for loop that replaces v4 with
the dword stored at v4 + 8 (v4 = *(v4 + 8)) until the n-th node is reached,
where n is the i-th number of the input (n - 1 hops starting from node1);
- stores v4 into the array v13.
We can guess that v4 holds memory addresses (IDA can jump to them and show the
data there), so v13 will end up holding 6 specific addresses. With the test
input we get:
- n=3 -> v4 = 0x0804B254 (node3)
- n=2 -> v4 = 0x0804B260 (node2)
- n=1 -> v4 = 0x0804B26C (node1)
- n=4 -> v4 = 0x0804B248 (node4)
- n=5 -> v4 = 0x0804B23C (node5)
- n=6 -> v4 = 0x0804B230 (node6)
So v13 holds the addresses of the node variables in the order given by the
input: the number i in the input produces the address of node i. In other
words the nodes form a linked list whose next pointer is the dword at offset
8, and the loop walks that list.
Viewing the values in v13 as pointers to the nodes' memory, the next do-while
loop does this: it stores the address of the (i + 1)-th node of v13 into the
memory 8 bytes above the address of the i-th node, i.e. it rewrites each
node's next pointer so that the list follows the input order. The last node's
next pointer (at offset 8) is set to 0. For the test input above this gives:
- t1 = 0x0804B26C (node1, input position 3): *(t1 + 8) <- &node4
- t2 = 0x0804B260 (node2, input position 2): *(t2 + 8) <- &node1
- t3 = 0x0804B254 (node3, input position 1): *(t3 + 8) <- &node2
- t4 = 0x0804B248 (node4, input position 4): *(t4 + 8) <- &node5
- t5 = 0x0804B23C (node5, input position 5): *(t5 + 8) <- &node6
- t6 = 0x0804B230 (node6, input position 6): *(t6 + 8) <- 0

Likewise, in the code with the next do-while loop, with the addresses arranged
and stored as in the table above, the work done is: take the value of the i-th
node and compare it with the value of the node whose address is stored 8 bytes
above it, in other words compare the value of the i-th node with the value of
the (i + 1)-th node in v13. For the bomb not to explode during these
comparisons, the value of node i must be >= the value of node i + 1.
So what we must do is enter the node numbers in an order that makes the node
values decrease; for that we need the value stored in each node.
From the memory dumps above, the value of each node (the first DWORD, 4 bytes)
is:
- node1: 0x000000FD = 253
- node2: 0x000002D5 = 725
- node3: 0x0000012D = 301
- node4: 0x000003E5 = 997
- node5: 0x000000D4 = 212
- node6: 0x000001B0 = 432
Sorted by decreasing value: node4 > node2 > node6 > node3 > node1 > node5.
So the sequence to enter is: 4 2 6 3 1 5.
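The script below is an added example, not code from the bomb or from the lab
report. It models the six nodes with the values dumped above, replays each of
the four loops of phase_6 on a candidate input (range and uniqueness check,
walking the list to fetch node n, relinking in input order, and the pairwise
value comparison), and derives the answer by sorting. The initial chain
node1 -> node2 -> ... -> node6 -> NULL is an assumption inferred from the
debugging output, where input number n always yielded node n.

```python
# value field (dword at offset 0) of each node, from the memory dump above
NODE_VALUES = {1: 0x0FD, 2: 0x2D5, 3: 0x12D, 4: 0x3E5, 5: 0x0D4, 6: 0x1B0}

# next pointer (dword at offset 8) before phase_6 rewires the list; assumed
# from the observation that walking n-1 hops from node1 lands on node n
INITIAL_NEXT = {1: 2, 2: 3, 3: 4, 4: 5, 5: 6, 6: None}


def fetch_node(n: int) -> int:
    """Second loop: start at node1 and follow the next pointer n-1 times."""
    node = 1
    for _ in range(n - 1):
        node = INITIAL_NEXT[node]
    return node


def phase6_check(nums) -> bool:
    """Replay phase_6 on a list of six integers; True means no explosion."""
    if len(nums) != 6:
        return False
    # first loop: (n - 1) must not exceed 5 (an unsigned compare in the
    # binary, so n < 1 also fails), and no number may repeat
    for i, n in enumerate(nums):
        if not 1 <= n <= 6:
            return False
        if n in nums[i + 1:]:
            return False
    # second loop: v13[i] = address of node nums[i]
    v13 = [fetch_node(n) for n in nums]
    # third loop: relink so that v13[i].next = v13[i+1]; last next = NULL
    rewired_next = {v13[i]: (v13[i + 1] if i + 1 < 6 else None) for i in range(6)}
    # fourth loop: walk the relinked list; each value must be >= its successor
    node = v13[0]
    while rewired_next[node] is not None:
        if NODE_VALUES[node] < NODE_VALUES[rewired_next[node]]:
            return False
        node = rewired_next[node]
    return True


def solve_phase6():
    """Node numbers ordered by decreasing value, the only passing input."""
    return sorted(NODE_VALUES, key=NODE_VALUES.get, reverse=True)


if __name__ == "__main__":
    answer = solve_phase6()
    print("phase 6 answer:", " ".join(map(str, answer)), phase6_check(answer))
```

Since the node values are distinct, exactly one permutation passes the final
comparison loop; phase6_check rejects out-of-range numbers, repeated numbers
and any other ordering, which is what the bomb's explode_bomb branches do.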
Check the result:
