Assembly Language Programming projects from the Fall 2021 semester at UAF.
Purpose: Disassemble a binary and add relevant comments under each line.
This project started with an EC2 instance on AWS running Amazon Linux. I practiced running class examples of x86 assembly, shifting towards two Capture The Flag (CTF) events that dealt with reverse engineering binary files. Some early attempts at running code are in the practice directory.
Reverse engineering binary and executable files is a crucial skill for several reasons. Functional analysis and understanding the behavior allow for a better notion of the intentions behind its construction and purpose – both vitally important for cyber defense and malware deconstruction.
Upon becoming more accustomed to MetaCTF's Baffling Buffer 1 and Google CTF's rev-cpp challenges, I focused on annotating unknown assembly and source code. Initial feedback followed with the recommendation of the Binary Bomb Challenge – a unique problem set to hone skills in both reverse engineering and understanding of the underlying assembly language.
Ghidra is a free and open-source tool developed by the National Security Agency, which provides insight into a loaded binary through its automatic analysis. As shown below, this allows us to use the imported results summary to understand how the binary was compiled, and to use auto analysis to determine the flow of the program and best-guess C code from its respective assembly language.
One example process includes the annotation of unrecognized assembly. With hosting support from the UAF Cyber Security Club, I used a Kali Linux virtual machine to run the challenge’s executables and static binaries through Ghidra for the initial project scope.
Finalized and commented code can be found in the annotation.asm file in the src directory, along with additional notes from the Binary Bomb Challenge in the NOTES.md and STRINGS.md files.
Some of the most common instructions inside the binary's function main included: PUSH, MOV, SUB, CMP, JNZ, JMP, CALL, TEST, and XOR. As shown below, Ghidra greatly assisted in best guessing the flow of control of C code based on the assembly language.
Lessons learned with this project included code comment consistency and the organization of a project across multiple operating systems (Linux, macOS, & virtual machine). My favorite aspect would be exploring different binary files and comprehending the data structures and control flow from various diffusion tasks.
In the future, I hope to experiment more with tracking my progress of code translation into other high-level languages and trying out other disassemblers, such as IDA Pro. I look forward to taking what I have learned from the Binary Bomb Challenge and applying it to future CTF events and projects – all while weaving in an improved understanding of the underlying assembly language.