11. Reverse Engineering with Debuggers

Exercise 11: Performing Reverse Engineering with Debuggers

In this lab, we will explore reverse engineering techniques using the x32dbg debugger to analyze and understand the functionality of a binary application.

Lab Tasks

  1. Now that we have successfully reverse engineered the crackme binary, let's look at another debugger, x64dbg (we will use its 32-bit build, x32dbg, since the target is a 32-bit binary).

  2. On the Windows 11 machine, navigate to the x32 folder inside the Tools folder and double-click x32dbg.exe to start the debugger, then open the crackme0x00 file in it.

  3. Now we want a breakpoint at our main function. Click Breakpoints and verify that there is a breakpoint on the PUSH EBP instruction and that it is set in main.

  4. Once you have verified the breakpoint, click the Run (-->) button. Execution should stop at the start of the main function.

  5. You can see that the address of the start of main is 00401260.

  6. This address will not match Ghidra exactly: from the previous steps we know that Ghidra shows the start address of main as 00401310.

  7. As the image shows, right-click in the disassembly, choose Go To --> Expression, and enter the address 00401310.

  8. Now we have the view that we want. Set a breakpoint (Toggle) at the start of this function, then run the program.

  9. Now that we are at the breakpoint, we want to step into the code twice.

  10. Once we reach the sub instruction, we can see that EBP and ESP hold the same value.

  11. The next instruction subtracts 0x38 from ESP; when you step into it you will see the value of ESP change.

  12. We can keep stepping through the instructions and watch the changes in memory and in the registers.

  13. As we step through the code, you can see the second call, the one the compiler added to main.

  14. It is a good idea to add a comment there so you remember that the compiler added this: right-click the instruction and select Comment.

  15. As you continue to step into the code, you will see the strings that we identified earlier.

  16. Once you reach the point where the password is prompted for, you can continue to step into the code and analyze it.

  17. Make sure you enter the wrong string so that you continue to run through the code.

  18. We have accomplished what we wanted to in this lab and will conclude here.
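The register changes observed in steps 9 to 11 are the standard x86 function prologue: PUSH EBP saves the caller's frame pointer, MOV EBP, ESP makes the two registers equal, and SUB ESP, 0x38 reserves 0x38 bytes for local variables. The following Python script is an added example, not part of the original lab or of x32dbg: it replays that prologue against a constructed register state so the EBP == ESP moment and the 0x38-byte frame can be checked without the debugger. The 0x38 frame size comes from the lab; the initial ESP and EBP values are constructed assumptions (in the lab they are whatever x32dbg shows when the breakpoint at main is hit).

```python
"""Tiny 32-bit x86 prologue emulator (added example, not part of the lab).

Supports only the handful of instruction forms a prologue/epilogue uses:
push reg, mov reg, reg/imm, sub reg, imm, add reg, imm.
"""
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF

# The prologue as it appears in the x32dbg disassembly of main (spacing normalised).
PROLOGUE = [
    "push ebp",
    "mov ebp, esp",
    "sub esp, 0x38",
]


def _value(token: str, regs: Dict[str, int]) -> int:
    """Resolve an operand: a register name or an immediate (hex or decimal)."""
    token = token.strip().lower()
    if token in regs:
        return regs[token]
    return int(token, 0)  # int(..., 0) accepts "0x38" as well as "56"


def step(regs: Dict[str, int], stack: Dict[int, int], insn: str) -> None:
    """Execute one instruction, updating registers and the stack in place."""
    mnemonic, _, operands = insn.strip().partition(" ")
    mnemonic = mnemonic.lower()
    ops = [o.strip() for o in operands.split(",")] if operands else []

    if mnemonic == "push":
        # ESP is decremented by 4 first; the pushed value lands at the new ESP.
        regs["esp"] = (regs["esp"] - 4) & MASK32
        stack[regs["esp"]] = _value(ops[0], regs)
    elif mnemonic == "mov":
        regs[ops[0].lower()] = _value(ops[1], regs)
    elif mnemonic == "sub":
        dst = ops[0].lower()
        regs[dst] = (regs[dst] - _value(ops[1], regs)) & MASK32
    elif mnemonic == "add":
        dst = ops[0].lower()
        regs[dst] = (regs[dst] + _value(ops[1], regs)) & MASK32
    else:
        raise ValueError(f"unsupported instruction: {insn}")


def run_prologue(initial_esp: int = 0x0019FF7C,
                 caller_ebp: int = 0x0019FF88,
                 insns: List[str] = PROLOGUE
                 ) -> Tuple[List[Tuple[str, int, int]], Dict[int, int]]:
    """Replay the prologue; return (instruction, EBP, ESP) after each step plus the stack.

    initial_esp / caller_ebp are constructed values for the example, standing in
    for whatever the registers hold when x32dbg stops at the breakpoint in main.
    """
    regs = {"ebp": caller_ebp, "esp": initial_esp}
    stack: Dict[int, int] = {}
    trace: List[Tuple[str, int, int]] = []
    for insn in insns:
        step(regs, stack, insn)
        trace.append((insn, regs["ebp"], regs["esp"]))
    return trace, stack


def frame_size(trace: List[Tuple[str, int, int]]) -> int:
    """Bytes reserved for locals by the prologue: EBP - ESP once it has run."""
    _, ebp, esp = trace[-1]
    return (ebp - esp) & MASK32


if __name__ == "__main__":
    trace, stack = run_prologue()
    for insn, ebp, esp in trace:
        print(f"{insn:<16} EBP={ebp:08X} ESP={esp:08X}")
    print(f"saved caller EBP at [EBP] = {stack[trace[-1][1]]:08X}")
    print(f"frame size: 0x{frame_size(trace):X} bytes")
```

After the MOV, the trace shows EBP and ESP equal, which is what step 10 observes; after the SUB, ESP sits 0x38 bytes below EBP, so the locals live at [EBP-0x38] through [EBP-1], the saved caller EBP at [EBP], and the return address at [EBP+4]. Stepping through the real binary and comparing the x32dbg register pane with this trace is a quick way to confirm you are reading the prologue correctly.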
