1 of 25

Cyber Academy S23

Binary Analysis Tools


Announcements

Week 5: Break!

Week 6:

  • Psi Beta Rho Practice: defund (DiceGang and Alum)
    • Tuesday 6-8 pm
    • Ackerman 3517
  • Cyber Academy: Binary Exploitation Tools
    • Wednesday 6-8 pm
    • MATH SCI 5200
  • Cyber DEFCON 31 Trip Interest Form
    • bit.ly/cyber-defcon-31-trip
  • CS Town Hall
    • The UCLA Computer Science Department wants to hear from any student that has taken a Computer Science class at UCLA. Fill out our Town Hall survey to share your thoughts on your experience in classes, teaching practices, and more. The survey is completely anonymous, and you can fill it out here by Friday, May 5 at 11:59 pm: https://forms.gle/L2Z1hE1CNeNcWTfe6.


✨Social Engineering Time ✨

  • Introduce Yourself!
    • Name
    • Year
    • Major
    • Your hottest food take


What is Binary Analysis?


Binary Analysis

  • A subset of reverse engineering!
  • Our focus is understanding programs that have been compiled down to machine code, usually without access to the source.

01100011 01100001 01101110 00100000 01111001 01101111 01110101 00100000 01110010 01100101 01100001 01100100 00100000 01110100 01101000 01101001 01110011 00111111?


Assembly review

  • One level above raw machine code, but not quite a higher-level programming language (like C++ or Python)
  • Two notations - AT&T syntax and Intel syntax
    • Same instructions, just different syntax (AT&T writes src, dest and prefixes registers with %; Intel writes dest, src with no prefixes)
    • CS33 teaches AT&T, and so do these slides
  • Data lives in registers (%eax, %rdi, etc.) and at memory addresses
  • Instruction src, dest
    • $values (immediates), %registers, (%reg) = the memory at the address held in the register
    • D(base, index, scale) = the address D + base + index*scale, e.g. 0x8(%rbp,%rax,4); scale must be 1, 2, 4 or 8
  • Cheat sheet


Common Assembly Instructions

  • Basics
    • mov src, dest (e.g. movl $1, %eax)
    • lea src, dest (e.g. lea 0x2(%r14),%r8d - computes the address, does not read memory)
    • push src (e.g. push %rax - in 64-bit code this stores 8 bytes and decrements %rsp by 8; push %eax is not valid in 64-bit mode)
    • ret (retq - pops the return address off the stack into %rip)
    • callq address (e.g. callq 0x400590 <cool_function> - pushes the return address, then jumps)
  • Jumps - go to a specific part of the code, either unconditionally (jmp) or when the flags set by the preceding cmp/test satisfy the condition
    • jmp, je, jne, jg, jle, etc. (e.g. jmp .L4)
  • Conditional move - copies src to dest if the condition holds, with no branch
    • cmovg, cmovle, etc.
      • cmpq %rsi, %rdi // computes %rdi - %rsi and sets the flags
      • cmovle %rdx, %rax // move if %rdi <= %rsi (signed comparison; note the AT&T operand order)


Common Registers

  • These follow the System V AMD64 calling convention (what Linux uses)
  • %rax - return value
  • Arguments, in order
    • %rdi
    • %rsi
    • %rdx
    • %rcx
    • %r8
    • %r9
  • %rip - instruction pointer (address of the next instruction to execute)
  • %rsp - stack pointer (address of the top of the stack; the stack grows toward lower addresses)
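The cmp/cmov pair from the Common Assembly Instructions slide, together with the argument and return registers just listed, as an added example that is not part of the original slides. The inline assembly pins a to %rdi, b to %rsi and the result to %rax, so the cmpq/cmovle lines read exactly as they would in a disassembly, and a plain-C reference checks the semantics on sign-bit inputs where signed (cmovle) and unsigned (cmovbe) conditions give different answers. The inline asm is assumed to be compiled by GCC or Clang on x86-64; on any other target the pure-C fallback is built instead. The function names are my own.

```c
/* Added example (not from the slides): the cmp/cmov pair from the
 * "Common Assembly Instructions" slide, written as inline assembly and
 * checked against plain C. Inline asm is used only on x86-64 GCC/Clang;
 * elsewhere the pure-C fallback is compiled so the file still builds. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Reference implementations in C. */
long c_signed_min(long a, long b) { return a <= b ? a : b; }
unsigned long c_unsigned_min(unsigned long a, unsigned long b) { return a <= b ? a : b; }

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
/* Constraints pin a to %rdi ("D"), b to %rsi ("S"), result to %rax ("a"),
 * matching the System V argument registers on the "Common Registers" slide.
 * AT&T syntax: "cmpq %rsi, %rdi" computes %rdi - %rsi and sets the flags;
 * cmovle then moves only when %rdi <= %rsi as SIGNED values. */
long asm_signed_min(long a, long b)
{
    long result;
    __asm__(
        "movq   %%rsi, %%rax\n\t"   /* result = b                   */
        "cmpq   %%rsi, %%rdi\n\t"   /* flags := %rdi - %rsi         */
        "cmovle %%rdi, %%rax\n\t"   /* if (%rdi <= %rsi) result = a */
        : "=&a"(result)
        : "D"(a), "S"(b)
        : "cc");
    return result;
}

/* Same cmp, different condition code: cmovbe is the UNSIGNED "below or
 * equal", so inputs with the top bit set give a different answer. */
unsigned long asm_unsigned_min(unsigned long a, unsigned long b)
{
    unsigned long result;
    __asm__(
        "movq   %%rsi, %%rax\n\t"
        "cmpq   %%rsi, %%rdi\n\t"
        "cmovbe %%rdi, %%rax\n\t"   /* if (%rdi <= %rsi, unsigned) result = a */
        : "=&a"(result)
        : "D"(a), "S"(b)
        : "cc");
    return result;
}
#else
long asm_signed_min(long a, long b) { return c_signed_min(a, b); }
unsigned long asm_unsigned_min(unsigned long a, unsigned long b) { return c_unsigned_min(a, b); }
#endif

/* Compare the assembly and C versions on constructed inputs, including the
 * sign-bit cases where signed and unsigned comparisons disagree.
 * Returns the number of mismatches (0 means the semantics above are right). */
int count_min_mismatches(void)
{
    static const long cases[][2] = {
        {3, 5}, {5, 3}, {7, 7}, {-1, 1}, {1, -1}, {-7, -3},
        {LONG_MIN, LONG_MAX}, {LONG_MAX, LONG_MIN}, {0, LONG_MIN},
    };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long a = cases[i][0], b = cases[i][1];
        if (asm_signed_min(a, b) != c_signed_min(a, b)) mismatches++;
        if (asm_unsigned_min((unsigned long)a, (unsigned long)b) !=
            c_unsigned_min((unsigned long)a, (unsigned long)b)) mismatches++;
    }
    return mismatches;
}

int main(void)
{
    printf("signed   min(-1, 1) = %ld\n", asm_signed_min(-1, 1));                   /* -1 */
    printf("unsigned min(-1, 1) = %lu\n", asm_unsigned_min((unsigned long)-1, 1));  /* 1 */
    printf("mismatches: %d\n", count_min_mismatches());                               /* 0 */
    return count_min_mismatches() != 0;
}
```

Compile with gcc -O2 and run objdump -d on the result to see the same three instructions the slide shows (the compiler may pick %rdx or another register as the cmov source, as in the slide's cmovle %rdx, %rax). The slide's original comment has the comparison the wrong way round: after cmpq %rsi, %rdi the move happens when %rdi <= %rsi.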


Why does this matter?

  • Binary Analysis helps you understand the fundamentals of how programs work
  • Debugging
  • Helps import legacy code into new projects
  • Reverse engineer software (ACM Cyber does not condone illegal activities)
  • Crucial for working on vulnerability research
  • Very transferable skill


Tools


GDB

  • GNU DeBugger
  • Runs an executable under your control: set breakpoints, step one instruction at a time, and inspect registers, memory and the disassembly as you go
  • Any OS:
    • Use lnxsrv15 or Google Cloud Shell
  • Linux:
    • Use your system package manager
  • Windows:
    • Install WSL then follow the Linux instructions
  • MacOS
    • GDB has no working port for Apple Silicon (M1/arm64); use seasnet or cloud shell above (lldb is the native alternative)
    • On Intel Macs GDB can be installed via https://brew.sh, but macOS will not let it attach to a process until the gdb binary has been code-signed


GEF

  • Gdb Enhanced Features
    • Download
  • Makes GDB easier to use while adding new features: a context view of registers, stack and disassembly on every stop, plus helpers such as checksec and heap inspection
  • Simple to install (a single Python script that GDB loads from your ~/.gdbinit) and well-documented


Beta GDB 😔

Sigma GEF 😎


Review: GDB's x Command

Syntax: x/[count][format][unit] address, e.g. x/8xg $rsp (8 giant words in hex starting at the stack pointer), x/s $rdi (the C string %rdi points to), x/5i $rip (the next 5 instructions).

Unit sizes: b = byte = 1 byte, h = halfword = 2 bytes, w = word = 4 bytes, g = giant = 8 bytes. Formats: x = hex, d = signed decimal, u = unsigned decimal, c = char, s = string, i = instruction (these are generally the most useful).


Control Flow Graphs

  • Show the flow of an executable as a graph: nodes are basic blocks (straight-line runs of instructions), edges are the jumps between them
  • Much faster to read than a flat disassembly
  • Paths code can take depending on the circumstances (both sides of every conditional jump are visible at once)
  • Cutter (free GUI built on Rizin)
  • Binary Ninja (Binja)
    • Binja Cloud runs in the browser, but shows Intel syntax only


While Loop


Recursion


Patching Binaries

  • These tools can also "patch" binaries (rewriting the bytes of the instructions in the executable file, so the change is permanent and survives restarts)
  • You can remove functionality by replacing instructions with nops (0x90 on x86), or change the logic entirely (e.g. turn a jne into a je)!
  • Caveats: keep the patch the same size as what it replaces, since inserting or deleting bytes shifts every address after it; and the address a disassembler shows is a virtual address, not the offset of those bytes in the file
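The NOP patch described above, as an added example that is not from the slides or from Cutter/Binja: it translates a virtual address to a file offset through the ELF program headers, then overwrites a 5-byte call with 0x90s, refusing any patch that would run past the end of a file-backed segment. The ELF image, its addresses (vaddr 0x401000 at file offset 0x1000), the placeholder call instruction and all function names are constructed for the demo; the image is not a runnable program.

```c
/* Added example (not from the slides): NOP-patching a call in an ELF64 image
 * held in memory. The point it demonstrates is that the address you see in
 * GDB or a disassembler is a virtual address; the bytes live at a file offset,
 * and the PT_LOAD program headers give the mapping. The ELF used here is
 * constructed inline for the demo and is not a real, runnable program. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 header layouts (same as <elf.h>, defined here so this builds anywhere). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ElfHdr64;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} ProgHdr64;

enum { PT_LOAD_TYPE = 1, X86_NOP = 0x90 };

/* Map a virtual address to a file offset via the PT_LOAD segments.
 * Returns -1 when the address is not backed by bytes in the file. */
long elf_vaddr_to_offset(const uint8_t *img, size_t len, uint64_t vaddr)
{
    ElfHdr64 eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                     /* memcpy avoids unaligned reads */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -1;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        ProgHdr64 ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        /* Only the file-backed part (p_filesz) has an offset; .bss lives in the
         * p_memsz tail and cannot be patched in the file. */
        if (ph.p_type == PT_LOAD_TYPE && vaddr >= ph.p_vaddr &&
            vaddr < ph.p_vaddr + ph.p_filesz)
            return (long)(ph.p_offset + (vaddr - ph.p_vaddr));
    }
    return -1;
}

/* Overwrite n bytes at vaddr with single-byte NOPs. Refuses the patch unless
 * the whole range [vaddr, vaddr+n) is contiguous file-backed bytes, so a patch
 * can never spill past the end of a segment. Returns n, or -1 on failure. */
long elf_nop_patch(uint8_t *img, size_t len, uint64_t vaddr, size_t n)
{
    if (n == 0) return 0;
    long first = elf_vaddr_to_offset(img, len, vaddr);
    long last  = elf_vaddr_to_offset(img, len, vaddr + n - 1);
    if (first < 0 || last < 0 || last - first != (long)(n - 1)) return -1;
    if ((size_t)first + n > len) return -1;
    memset(img + first, X86_NOP, n);
    return (long)n;
}

/* Build the constructed sample: one R+X PT_LOAD mapping file offset 0x1000 to
 * vaddr 0x401000 for 0x30 bytes, with a 5-byte "call rel32" (e8 xx xx xx xx,
 * placeholder displacement) at vaddr 0x401020. Returns the image size. */
size_t build_sample_elf(uint8_t *buf, size_t cap)
{
    const size_t total = 0x1030;
    ElfHdr64 eh = {{0}};
    ProgHdr64 ph = {0};
    static const uint8_t call_insn[5] = {0xe8, 0x10, 0x00, 0x00, 0x00};
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;  eh.e_ident[5] = 1;    /* ELFCLASS64, little-endian */
    eh.e_type = 2;  eh.e_machine = 0x3e;      /* ET_EXEC, EM_X86_64 */
    eh.e_phoff = sizeof eh;  eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;  eh.e_phnum = 1;
    ph.p_type = PT_LOAD_TYPE;  ph.p_flags = 5;   /* PF_R | PF_X */
    ph.p_offset = 0x1000;  ph.p_vaddr = ph.p_paddr = 0x401000;
    ph.p_filesz = ph.p_memsz = 0x30;  ph.p_align = 0x1000;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    memcpy(buf + 0x1020, call_insn, sizeof call_insn);
    return total;
}

/* Translate an address in a freshly built sample (handy for spot checks). */
long sample_vaddr_to_offset(uint64_t vaddr)
{
    static uint8_t img[0x1030];
    return elf_vaddr_to_offset(img, build_sample_elf(img, sizeof img), vaddr);
}

/* End-to-end run on the sample. Returns 0 if every step behaves as expected,
 * otherwise the number of the first failing step. */
int run_patch_demo(void)
{
    static uint8_t img[0x1030];
    size_t len = build_sample_elf(img, sizeof img);
    if (len == 0) return 1;
    if (elf_vaddr_to_offset(img, len, 0x401020) != 0x1020) return 2; /* vaddr -> offset */
    if (elf_vaddr_to_offset(img, len, 0x500000) != -1) return 3;     /* unmapped address */
    if (img[0x1020] != 0xe8) return 4;                                /* the call is there */
    if (elf_nop_patch(img, len, 0x401020, 5) != 5) return 5;          /* patch it out */
    for (int i = 0; i < 5; i++) if (img[0x1020 + i] != X86_NOP) return 6;
    if (elf_nop_patch(img, len, 0x40102e, 5) != -1) return 7;         /* would run past the segment end */
    return 0;
}

int main(void)
{
    int rc = run_patch_demo();
    printf("patch demo: %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

On a real binary you would read the file into the buffer, take the address from the disassembler, and write the buffer back; the five NOPs keep the function the same length, so every later address and jump target stays valid. Binja and Cutter do this offset translation for you, but a hex editor does not.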


Demo! Cyber Academy - Minibomb


Any Questions?


Challenge Time!

  • Go to platform.acmcyber.com
  • Feel free to ask for help :)
  • Have fun!


Check out our linktree:

linktr.ee/uclacyber