Reverse engineering & Linux

Question 1

What type of architecture is x86-64 (amd64, i64)?

Answer 1

64-bit CISC

Question 2

What are some properties of CISC?

Answer 2

A single instruction can do multiple things at once (mem access, register read, etc.)

Variable length instruction set

Question 3

What is the x86-64 architecture?

Answer 3

CISC

The registers used extend an extra 32-bit on the Intel’s x86 architecture

Question 4

What is a property of x86-64?

Answer 4

The architecture allows for a multi-sized register access, meaning you can access certain parts of a register which are different sizes.

Question 5

How can multi-sized access be done?

Answer 5

The RAX register can have it’s lower 32-bits accessed using EAX.

The lower 16 bits can be accessed using AX.

The lower 8-bits can be accessed using AL.

Question 6

How is the x86-64 registers structured?

Question 7

What is the RAX register in x86-64?

Answer 7

64-bit “long” register

Question 8

What is the EAX register in x86-64?

Answer 8

32-bit “int” register

Question 9

Name 3 special registers in x86

Answer 9

RIP: Instruction pointer

RSP: Stack pointer

RBP: Base pointer

Question 10

How are instructions executed in x86?

Answer 10

Fetch instruction at address in RIP

decode it

run it

Question 11

Explain the following instruction:
mov rax, 0xdeadbeef

Answer 11

Mov the immediate “0xdeadbeef” into register rax

Question 12

Explain the following instruction:
mov rax, [0xdeadbeef + rbx * 4]

Answer 12

Move the data at address “0xdeadbeef + rbx * 4” into rax

Question 13

How are conditionals used in x86?

Answer 13

Use jumps and jump if the provided conditional is true:
- jnz <address>
- je <address>
- jge <address>
- jle <address>
- etc.

Question 14

What does the conditional jump-flags check?

Answer 14

Checking EFLAGS

Question 15

What are EFLAGS?

Answer 15

Special registers that stores flags on certain instructions.

Question 16

Give an example of flags that EFLAGS store

Answer 16

The instruction “add rax, rbx” sets the o flag (overflow) if the sum is greater than what the 64-bit register can hold, and wraps around.

This flag is used to jump by the jo instruction

Question 17

What instruction is often used in combination with jumps?

Answer 17

cmp

Example:
cmp rax, rbx
jle error

Question 18

Name 4 vulnerable C-functions

Answer 18

gets
strcpy
strcat
strcmp

Question 19

What C-functions can cause buffer overflows?

Answer 19

gets
strcpy
strcat

Question 20

What C-function can cause timing attacks?

Answer 20

strcmp

Question 21

What is a disassembler?

Answer 21

A tool that breaks down a compiled program into machine code

Question 22

What is IDA?

Answer 22

Industry standard for binary disassembly

Question 23

What is IDA’s Hex Rays decompiler?

Answer 23

A feature in IDA which can convert assembly code back into a pseudo code like format

Question 24

What is pwndb?

Answer 24

A GDB plug-in that solves a lot of problems with vanilla GDB obscuring a lot of information and being unintuitive.

Question 25

How can you get the dissassembly of a program using gdb?

Answer 25

gdb program

Display disassembly of frame/function:
(gdb) disassemble [address/symbol]

Display disassembly of main:
(gdb) disas main

Question 26

What is the gdb command:

display/[# of instructions]i $pc [± offset]

Answer 26

Display: shows data with each step

/[#]i: shows how much data in the format i for instruction

$pc: means the pc register

Question 27

What does the DGB command “display/10i $pc - 0x5” do?

Answer 27

Displays the 10 instructions on screen with an offset from the next instruction of 5

Question 28

When listing processes using ps -o stat, what does the different stats mean?

Answer 28

T: suspended
S: sleeping while waiting for input
R: Running
+: Process is in the foreground

Question 29

What does it mean that a process is running in the foreground?

Question 30

What does it mean that a process is running in the background?

Question 31

What does a file type “c” mean?

Answer 31

The file is a “character device” meaning interacting with it results in changes to the display output rather than changes to disk storage (as for a normal file)

Question 32

What does rwx permissions allow for directories?

Answer 32

r: List the directory
w: Create/delete files in directory
x: Enter the directory using cd

Question 33

What is the shell variable PATH?

Answer 33

Stores directory paths in which the shell will search for programs corresponding to commands.