The “What” and “Why” of Reverse Engineering

The “What” of Reverse Engineering

Reverse engineering in software is usually described as the process of analyzing a binary and understanding its working, to either audit its goals or to replicate them. This usually involves using several tools and techniques to translate machine code into a high level programming language. But don’t be fooled, even in CTFs this might not be enough as it’s scope and applications are limitless.

Reverse engineering by the authors of Practical Reverse Engineering is defined as the process of understanding a system, i. e. a problem solving process. This is the definition that has made the most sense to me in the practical situations I have encountered reverse engineering in. It can be said that the process has a broad meaning and it encompasses a lot of things even in software. Hence I find the term “Problem Solving” to be closer to the real thing.

The “Why” of Reverse Engineering

Learning to reverse engineer and doing so will help you to gain a deeper and more thorough understanding of the applications and operating systems you use. The understanding of how a particular set of data can make a computer do all kinds of things opens new doors of opportunity for further learning and application. You are also likely to encounter several situations where, reverse engineering is going to be an helpful skill to possess.

A practical and real life example of reverse engineering that you will most probably come across is having to work with someone else’s undocumented, badly written code. This can be a painful and troublesome experience for an average coder but having worked with all kinds of poorly decompiled code as a reverse engineer, these situations can turn out to be a walk in the park and even a fun little challenge.
A similar case can be of when you have lost the source code and all you have is the compiled binary or when you receive suspicious software and you are doubtful of its intentions.
In such commonplace situations, having mastery over the skill of reverse engineering is going to be of great advantage.

Professionally in the field of cybersecurity, reverse engineering is used by Malware Analysts to analyze and develop signatures that help in detecting malicious software and viruses.
It is used to detect vulnerabilities in a system which can be then used to exploit the said system, for example – cracking a game/software. This knowledge can then be used to prevent misuse or unauthorized use of systems. In several cases, analysis/reverse engineering of malicious software like ransomware will actually help us beat the bad guys and save the day!

 

Write-up: Little Doggy Tables, Square CTF 2017

This is a write-up for the challenge Little Doggy Tables from Square CTF 2017.

The challenge can be found here: https://squarectf.com/challenges/little-doggy-tables

The challenge requires us to use SQL injection to extract the flag from a table in the database.

On running this command:

I got the following output:

Which means I can run SQL queries through this command.

Furthermore, the challenge details also include the source code , which looks like this:

From checking out the source code it is obvious that SQL injection is possible and that SQLite3 was used in the database.

To check if it was working, I ran:

Which gave this Output:

Internal Server Error

unrecognized token: “‘\”;”

WEBrick/1.3.1 (Ruby/2.3.4/2017-03-30) at little-doggy-tables.capturethesquare.com:443
 

Now that I knew SQL injection was working, I had to access the meta data. Unfortunately, the information_schema table does not exist here since it is SQLite and not MySQL. I searched for an equivalent table in SQLite and came across this question on Stack Overflow:

Which gave me enough to realize that sqlite_master is the information_schema alternative in sqlite. I changed commands mentioned in the answer to the to suit my search.

All meta data in sqlite can be accessed simple by using the command:

So I modified my payload to:

Which gave the output:

Now we know both the name of the table and the name of the required column which is  obviously secret. The SQL query now required to be executed is:

The corresponding payload would be:

The resulting output:

On refining the above output we get that the flag is :