Hacker News new | past | comments | ask | show | jobs | submit login
Linux Reverse Engineering CTFs for Beginners (osandamalith.com)
286 points by 1nvalid on Feb 13, 2019 | hide | past | favorite | 31 comments

For some great fun and learning I recommend Googles beginner CTF. https://capturetheflag.withgoogle.com/#beginners/

The last thing that glued me to my seat like this was maybe 10 years ago. Good to have had that feeling again. Hope they make a 2019 version! :)

As someone who is not very knowledgeable about the field, I find reverse engineering fascinating. One thing I've been curious about is the economics of the security industry and the role reverse engineering plays in it.

To my novice eyes it seems that reverse engineering is more of an academic exercise and I don't see any direct ways to commercialize that skillset. How do you make a living doing this? Are you essentially paid a stipend to conduct fundamental research (finding zero days) that is inherently risky (no exploits = no return on investment)?

I see the reverse engineering skillset as not essentially different from low level systems programming, and as such it's very valuable even outside of "pure" security research.

I work as a Python programmer building scientific apps (so not security-related or systems programming at all), but at work every so often we're confronted with legacy code in binary form, or particularly nasty segfaults, etc. The thing with abstractions is that every so often the lower levels bleed through. At times like these, if you know your way around gdb, the ELF format, linking conventions, and can reason in assembly, you'll find yourself highly sought-after.

It gets even more fun when things work nicely on Linux and go haywire on Windows. Often there are no docs on Windows, so you need something who is ready to crack their knuckles, fire up IDA pro, and descend into the 7 circles of hell.

Vulnerability research & exploit dev. To break a system you must first know how it works.

There are also things like anti-cheat which requires reversing the cheats that are used and reversing the os to figure out methods you can use for detection.

Somewhat related to that, there's antimalware which is based upon the same principles.

Competitive analysis, reversing someone else's product so you can determine how they do stuff compares to how you do stuff. Some companies will even analyze a competitors product and then reimplement parts of it, you just have to be careful with copyrights and patents.

Fixing compatibility issues is also a thing. For example, GOG hires reverse engineers to get old games running on modern versions of windows.

Reverse engineers are also sometimes hired to make two pieces of software interoperate. Take for example, an oscilloscope that saves traces in a proprietary format, and a data visualization tool that uses a different proprietary format. A reverse engineer could reverse the details of the two formats and make a tool that converts in-between.

There are plenty of money to be made, just not in the way you typically do with other kinds of software. For example, a company named Bossland reversed many popular games and made bots for those. Their most recent effort was Pokémon Go. Nobody has reversed the newest versions of Pokémon Go and I believed you can make millions off it if you play your cards right.

Not really ethical though.

Some companies have security departments that analyze malware that targets their employees or the users of their services. Penetration testers might also use reverse engineering because people who hired them don't have the source code of some relevant thing, or because they want to see what an attacker who didn't have it could do, or because for some kinds of attacks looking at the actual binary might be more informative than looking at source code.

There are also antivirus developers who reverse engineer malware that doesn't necessarily target a particular class or group of users.

I've also met a reverse engineer who works with cases where proprietary software publishers have lost their old source code (this is really a thing!).

Reverse engineering can be as simple as, hey this code is supposed to be fast but it's slow, and I wonder what the compiler is doing to my code. So you compile the code, reverse engineer it and see what the compiler is emitting. That way you can steer the compiler into the right path. This is very useful for micro optimizations.

Just save the intermediate assembly files, with all helpful annotations, and analyze those. Much easier!

Once you are used to reading assembly, there's not much difference between reading the output of objdump -d and gcc -S.

> Up to how many characters does it loop? Here’s how I found it. Basically, our password must be of 7 characters in length.

One way to see this without running the program is look for where $ebp-0x24 is set:

  1210: c7 45 dc 07 00 00 00  mov    DWORD PTR [ebp-0x24],0x7

I recommend anyone who is attempting to do a ctf reversing challenge to checkout r2.


It's a free and open source set of tools specifically for reverse engineering.

There are some commercial options as well such as HexRays IDA Pro (probably the defacto standard tool) and binary ninja.

IDA also has a freeware version (that has some restrictions) https://www.hex-rays.com/products/ida/support/download_freew...

Or wait for the RSA conference in March and go crazy with Ghidra.

Do you use Cutter or the CLI?

I use the CLI when I use it (mind you; it's largely for CTF style questions most of the time).

I'd definitely recommend trying the flare-on RE challenges - they do a new compo every year, and the previous compos, with helpful hints / solutions, are available.


Can anyone recommend a guide for network security CTFs, ideally including how they are typically set up and common tools? It would be great to know what is typically allowed to be done in such contests and what is explicitly against the rules.

For Beginners, I'd begin with defining "CTF".

I don't see that defined anywhere in the article.

From some googling, I guess it's a "Capture the Flag" challenge? It's worth stepping back and explaining that general concept.

It's about obtaining some hidden information (the "flag") in a computer security context, where you're either trying to penetrate a hardened (computer) target, or reverse-engineer an obfuscated binary.

It's a constructed exercise, as opposed to a "live" situation.

"CTFs are computer security/hacking competitions which generally consist of participants breaking, investigating, reverse engineering and doing anything they can to reach the end goal, a 'flag' which is usually found as a string of text." https://ctfs.github.io/resources/

Are you trolling, joking or just misinformed? CTF in the context of the OP absolutely means Capture the Flag.


> From some googling, I guess it's a "Capture the Flag" challenge?

Yes, the goal of these is to obtain a flag.

In short, replace "CTF" with "exercise". They are basically challenges that go by the name Capture The Flag: https://trailofbits.github.io/ctf/

this is now an hn trope (complaining about some jargon in the title). newsflash the meaning of the title isn't "Linux reverse engineering for beginning humans that don't know anything about the universe, language, or electricity" because then you'd need to define Linux and engineering as well. the meaning of the title is always "____ thing for people that know a little about ____ thing but not everything". i think it's a very reasonable assumption on the part of the author that the only people he/she is accountable to for the intelligibility of such a title is someone who searches out the article, since after all this isn't about regattas nor is it assigned reading in some kind of primary education course. this kind of bad faith reading of these articles is beyond worthless (and certainly doesn't merit a comment). what I can't for the life of me understand is why hn is like the epicenter of this kind of pseudo-critical engagement with media - neither Reddit not Facebook has these kinds of comments nearly as often (nor the closely related "... didn't read after ___" where ___ is a word in the first sentence). my hypothesis is that it has something to do "intelligence signaling" because people wrongly believe that being critical is an indicator of intelligence.

While some people might post such comments for the sake of "intelligence signaling", the GP seemed to not know what "CTF" meant. I think he offered a fair and simple criticism, and I found your comment needlessly harsh and presumptuous.

Even if some people post comments like that as a trope, some - if not many - post them sincerely. I think the original criticism makes perfect sense: an article for beginners might better benefit its readers if it offers just a simple sentence or even link that briefly explains what the topic is before delving into its details. I personally have read a number of articles where I've encountered this problem, despite my familiarity with the given topic.

Also, I think it benefits the HN community at large if we try our best to read people's comments in a positive light, within reasonable, and encourage giving and receiving constructive criticism from one another.

> this kind of bad faith reading of these articles

Speaking of bad faith, how about some benefit of the doubt? My comment was not meant to be critical, but helpful for others who might have that same nagging question in the back of their mind while they read the article: "But what are CTFs"? It might be obvious to you, but I couldn't tell if CTFs were some RE tool, a part or category of ELFs, or some other binary format (and I do indeed know a thing or two about Linux/Engineering/Electricity) Probably a better comment could have been "Great overview, very helpful, but I had to google CTFs: Capture the Flag". Let me know if that would have set off any other "hn trope" triggers for you....Sheesh

This is often true, but if the article is "for Beginners" (it is even in the title), one would expect the article to explain what the acronym CTF is, somewhere near the beginning.

Capture the File.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact