Reverse Me - 42 Cybersecurity Piscine

A comprehensive reverse engineering project featuring three progressively challenging binary cracking exercises. This project demonstrates practical application of reverse engineering techniques, assembly analysis, and binary exploitation.

📋 Table of Contents

• Project Overview
• Tools Used
• Project Structure
• Level 1: Basic String Comparison
• Level 2: Character Encoding
• Level 3: Advanced Validation
• Binary Patching
• Key Takeaways

---

🎯 Project Overview

The Reverse Me project consists of three crackme challenges of increasing difficulty. Each level requires:

• Understanding binary program behavior without source code
• Reverse engineering using GDB and disassembly tools
• Writing a C program that replicates the binary's functionality
• Finding the correct password to validate each level

Objectives

• Master GDB debugging techniques
• Understand x86/x64 assembly language
• Analyze program flow and logic
• Implement binary patching techniques

---

🛠️ Tools Used

Tool	Purpose
GDB	Dynamic analysis and debugging
strings	Extract printable strings from binaries
WSL	Linux environment for binary execution

---

📁 Project Structure

reverse/
├── level1/
│   ├── level1          # 32-bit ELF binary
│   ├── password        # Correct password
│   └── source.c        # Reconstructed C source
├── level2/
│   ├── level2          # 32-bit ELF binary
│   ├── password        # Correct password
│   └── source.c  		# Reconstructed C source
└── level3/
    ├── level3          # 64-bit ELF binary
    ├── password        # Correct password
    └── source.c        # Reconstructed C source

---

🔓 Level 1: Basic String Comparison

Binary Analysis

Architecture: ELF 32-bit LSB executable (Intel 80386)

GDB Analysis Process

# Start GDB
gdb level1

# Disassemble main function
(gdb) disassemble main

# Set breakpoint at main
(gdb) break main

# Run the program
(gdb) run

# Step through instructions
(gdb) stepi

# Examine registers
(gdb) info registers

# Examine memory/strings
(gdb) x/s $address

Key Findings

The program performs a simple strcmp() between user input and a hardcoded string:

# Key assembly snippet
call   <scanf@plt>
mov    $secret_string, %eax    # Load secret
call   <strcmp@plt>            # Compare with input
test   %eax, %eax              # Check result
je     success                 # Jump if equal

Discovery Method:

1. Used strings level1 to find potential passwords
2. Found string: __stack_check
3. Verified by running: echo "__stack_check" | ./level1

Password

__stack_check

Source Code Recreation

The reconstructed C program implements simple scanf + strcmp logic with hardcoded password validation.

---

🔐 Level 2: Character Encoding

Binary Analysis

Architecture: ELF 32-bit LSB executable (Intel 80386)

GDB Deep Dive

gdb level2

# Disassemble main
(gdb) disassemble main

# Key breakpoints
(gdb) break *0x0000132c    # After first '0' check
(gdb) break *0x00001345    # After second '0' check
(gdb) break *0x00001465    # Before strcmp

# Run with test input
(gdb) run
Please enter key: 00101108097098101114101

# Examine the constructed string
(gdb) x/s $ebp-0x1d
0xbffff7e3: "delabere"

# Check comparison
(gdb) x/s $ebx-0x42cd
0x0804a337: "delabere"

Critical Assembly Analysis

# Check first character must be '0'
0x1345: movsbl -0x35(%ebp),%ecx
0x1349: mov    $0x30,%eax          # ASCII '0' = 0x30
0x134e: cmp    %ecx,%eax
0x1350: je     0x135e              # Jump if equal

# Check second character must be '0'
0x132c: movsbl -0x34(%ebp),%ecx
0x1330: mov    $0x30,%eax
0x1335: cmp    %eax,%ecx
0x1337: je     0x1345

# Build string from triplets
0x13fe: mov    -0x14(%ebp),%eax    # Load index
0x1404: mov    -0x35(%ebp,%eax,1),%al   # Get 3 chars
0x1425: call   <atoi@plt>         # Convert to int
0x142f: mov    %cl,-0x1d(%ebp,%eax,1)   # Store as char

Password Algorithm

The program:

1. Validates input starts with "00"
2. Processes remaining characters in triplets (3 digits at a time)
3. Converts each triplet to ASCII value using atoi()
4. Builds target string: "delabere"
5. First character 'd' (100) is hardcoded

Password Construction:

00 + 101 + 108 + 097 + 098 + 101 + 114 + 101
│    │     │     │     │     │     │     └── 'e' (101)
│    │     │     │     │     │     └──────── 'r' (114)
│    │     │     │     │     └────────────── 'e' (101)
│    │     │     │     └──────────────────── 'b' (98)
│    │     │     └────────────────────────── 'a' (97)
│    │     └──────────────────────────────── 'l' (108)
│    └────────────────────────────────────── 'e' (101)
└─────────────────────────────────────────── Required prefix

Password

00101108097098101114101

GDB Commands Used

# Trace execution flow
(gdb) display/i $pc               # Show current instruction
(gdb) display/x $ebp-0x35         # Monitor input buffer
(gdb) display/s $ebp-0x1d         # Monitor result string

# Step through loop
(gdb) break *0x13ad               # Loop start
(gdb) commands
> x/s $ebp-0x1d
> continue
> end

---

🛡️ Level 3: Advanced Validation

Binary Analysis

Architecture: ELF 64-bit LSB executable (x86-64)

GDB Analysis (64-bit)

gdb level3

# Disassemble with AT&T syntax
(gdb) disassemble main

# Switch to Intel syntax (easier to read)
(gdb) set disassembly-flavor intel
(gdb) disassemble main

# Key breakpoints
(gdb) break *0x0000000000001365   # After scanf check
(gdb) break *0x000000000000137b   # After first char check
(gdb) break *0x0000000000001391   # After second char check
(gdb) break *0x000000000000147a   # Before switch statement

# Run and inspect
(gdb) run
Please enter key: 42042042042042042042042

# Examine 64-bit registers
(gdb) info registers rax rbx rcx rdx rsi rdi rbp rsp

# Check constructed string
(gdb) x/s $rbp-0x21
0x7fffffffd9df: "********"

# Examine switch jump table
(gdb) x/20i 0x147d

Critical 64-bit Assembly

# Check first character must be '4' (0x34)
0x137b: movsbl -0x40(%rbp),%ecx
0x137f: mov    $0x34,%eax
0x1384: cmp    %ecx,%eax
0x1386: je     0x1391

# Check second character must be '2' (0x32)
0x1365: movsbl -0x3f(%rbp),%ecx
0x1369: mov    $0x32,%eax
0x136e: cmp    %eax,%ecx
0x1370: je     0x137b

# Build string (64-bit addressing)
0x13b0: movb   $0x2a,-0x21(%rbp)  # Set first char to '*' (0x2a = 42)

# Loop processing triplets
0x1413: mov    -0x18(%rbp),%rax
0x1417: mov    -0x40(%rbp,%rax,1),%al
0x1438: call   <atoi@plt>
0x1443: mov    %cl,-0x21(%rbp,%rax,1)

# strcmp and switch
0x1475: call   <strcmp@plt>
0x147a: mov    %eax,-0x10(%rbp)   # Store result
# Switch on comparison result (only 0 = success)

Password Algorithm

The program:

1. Validates input starts with "42"
2. Processes triplets to build string
3. First character '*' (ASCII 42 = 0x2a) is hardcoded
4. Target string: "********" (8 asterisks)
5. Uses switch statement on strcmp result (only 0 succeeds)

Password Construction:

42 + 042 + 042 + 042 + 042 + 042 + 042 + 042
│    └──────────────────────────────────────── Seven '*' characters (042 = ASCII 42)
└───────────────────────────────────────────── Required prefix

Password

42042042042042042042042

Advanced GDB Techniques

# Monitor memory changes during loop
(gdb) watch *(char*)($rbp-0x21)

# Conditional breakpoint
(gdb) break *0x1413 if $rax == 7

# Examine strcmp parameters
(gdb) break strcmp
(gdb) commands
> x/s $rdi
> x/s $rsi
> continue
> end

# Trace all function calls
(gdb) catch syscall

🎓 Key Takeaways

Technical Skills Developed

1. Static Analysis

   • Reading and understanding x86/x64 assembly
   • Using objdump, strings, and file utilities
   • Identifying key functions and control flow

2. Dynamic Analysis

   • GDB debugging (32-bit and 64-bit)
   • Setting breakpoints and watchpoints
   • Memory inspection and register manipulation

3. Reverse Engineering Techniques

   • Pattern recognition in assembly code
   • Identifying encryption/encoding schemes
   • Understanding comparison and validation logic

Assembly Patterns Learned

# String comparison pattern
lea    rax, [string1]
lea    rbx, [string2]
call   strcmp
test   eax, eax          # Check if equal (0)
je     success           # Jump if strings match

# Character validation pattern
movzx  eax, byte [input]
cmp    eax, 0x30         # Compare with '0'
jne    fail              # Jump if not equal

# Loop processing pattern
mov    rcx, [counter]
cmp    rcx, [limit]
jae    done              # Jump if above/equal
# ... process ...
add    rcx, 3            # Increment by 3
jmp    loop_start

Best Practices

• ✅ Always start with static analysis (strings, objdump)
• ✅ Use GDB to verify hypotheses dynamically
• ✅ Document findings and assembly patterns
• ✅ Test patches in controlled environment
• ✅ Recreate source code to verify understanding

---

🚀 Running the Project

Prerequisites

# Install required tools
sudo apt-get update
sudo apt-get install gdb binutils

# For 32-bit binaries on 64-bit system
sudo dpkg --add-architecture i386
sudo apt-get install libc6:i386

Testing Solutions

# Level 1
echo "__stack_check" | ./level1/level1

# Level 2
echo "00101108097098101114101" | ./level2/level2

# Level 3
echo "42042042042042042042042" | ./level3/level3

Compiling Recreated Sources

# Compile the C sources
gcc level1/source.c -o level1_recreated
gcc level2/source.c -o level2_recreated
gcc level3/source.c -o level3_recreated

# Test them
echo "__stack_check" | ./level1_recreated

---

📚 References

• GDB Documentation
• x86 Assembly Guide
• Intel x64 Manual
• Reverse Engineering for Beginners

---

👨‍💻 Author

42 Beirut - Cybersecurity Piscine

This project demonstrates practical reverse engineering skills for educational purposes only.

---

⚖️ License

This project is part of the 42 Cybersecurity Piscine curriculum and is intended for educational purposes only.

---

Project Completion Date: November 2025