Reversing using qemu
You won't find the solution to the challenge here. That is against root-me.org rules. We are simply looking at setting up qemu to analyze the executable.
A very useful thing is qemu's ability to run executables made for processor A on a system with processor B. I want to give a quick overview of how to do set this up for an ELF ARM executable challenge from root-me.org
The executable is a 32-bit ARM binary that looks for an interpreter at /lib/ld-linux.so.3
$ file ch23.bin ch23.bin: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.26, BuildID[sha1]=e1b71a8437277ebc3eb417be2bf877b5dfff85c8, strippedAnd at this point, we don't know what this executable does. qemu is capable of letting us execute (and debug!) this program on the x86 host system.
I like to set up an environment that hosts a complete Linux system for the target architecture using chroot. This way, all the required files are in one subdirectory, and can be cleaned up easily at the end. For this, we need to have a static build of qemu installed on the system. This links all the required libraries into the qemu executable, and it does not have to hunt for native libraries in the chrooted environment.
On a clean Ubuntu 18.10 system here is what is needed, using
- http://logan.tw/posts/2018/02/18/build-qemu-user-static-from-source-code/
- http://logan.tw/posts/2017/01/21/introduction-to-qemu-debootstrap/
as a guide:
$ apt-get install python gcc git build-essential zlib1g-dev pkg-config libglib2.0-dev binutils-dev libboost-all-dev autoconf libtool libssl-dev libpixman-1-dev libpython-dev python-pip python-capstone virtualenv bison flex debootstrap schroot qemu-user-static$ git clone git://git.qemu.org/qemu.git$ cd qemu/$ git submodule update --init --recursive$ ./configure --prefix=$(cd ..; pwd)/qemu-user-static --static --disable-system --enable-linux-user$ make -j4$ make install$ cd ../qemu-user-static/bin/$ for i in *; do cp $i $i-static; done$ sudo debootstrap --arch=armhf cosmic arm32-ubuntu$ echo "[arm32-ubuntu]description=Ubuntu Cosmic (arm32)directory=$(pwd)/arm32-ubunturoot-users=$(whoami)users=$(whoami)type=directory" | sudo tee /etc/schroot/chroot.d/arm32-ubuntu$ schroot -c arm32-ubuntuThis produces a 32 bit arm environment. We get an error message when we try to run our executable on it
./ch23.bin /lib/ld-linux.so.3: No such file or directoryTo fix the missing dependency
$ cd /lib$ sudo -S ln -s ld-linux-armhf.so.3 ld-linux.so.3$ cd$ ./ch23.bin Please input password$ ./ch23.bin testpassChecking testpass for password...Loser...$ Ok, we now have the executable we want to exploit running on the PC. And we know it expects a password which we have to reverse. At this point we can just install gdb
$ sudo -S apt install gdb$ gdb ./ch23.bin GNU gdb (Ubuntu 8.2-0ubuntu1) 8.2Copyright (C) 2018 Free Software Foundation, Inc.License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Type "show copying" and "show warranty" for details.This GDB was configured as "arm-linux-gnueabihf".Type "show configuration" for configuration details.For bug reporting instructions, please see:<http://www.gnu.org/software/gdb/bugs/>.Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>.For help, type "help".Type "apropos word" to search for commands related to "word"...Reading symbols from ./ch23.bin...(no debugging symbols found)...done.(gdb) and trace the execution in the usual way....