Reverse engineering is an exercise in breaking a problem down into bite sized pieces and doing a little bit of deduction. The following is a challenge that has been edited by yours truly but MAY resemble challenges seen before in the NCL *coughCyberSkylinepleasedontkillmecough*. This one is an easy challenge, but can get us to try out the reverse engineering process.
The first thing we should do is make observations about the code we’re looking at.
- Right off the bat, we know this code is checking some kind of user input against a correct value.
- The input value must be the flag since no other output (print statements) is generated except a yes or no to confirm we put the correct answer in.
- There is a variable (specifically an array) called vals that seems to have some important numbers.
- This program was written in python.
The second thing we should do it take a look at each of these parts individually and see what they’re doing. In python, sections of code prefaced with def are functions, so we can take a look at the verify function (the only available function in this example):
(1) The function passes in the user’s input and (2) for each character in the input (3) the loop passes the character into the ord() function and (4) verifies whether or not the value is equal to the corresponding number in the “vals” array.
If you don’t know off the bat what the ord() function does, a google to find the python documentation will help us out:
So, if this function is comparing each of the character of our input to the values in the “vals” array, the vals array must be the flag encoded with the ord() function. Now you could look at a unicode table to decode the characters in “vals”, or you could write a little program using ord()’s inverse function chr().
Of course, this is not the only way to come to this conclusion either.
If you know that the input is the flag value and the numbers in “vals” are important, you might also notice that there are 13 characters in a standard NCL flag (SKY-XXXX-1111) and there are 13 values stored in “vals”:
You might notice that all the numbers in “vals” are in the number and letter range of an ASCII/Unicode table and decode it straight from there.
You might have seen this challenge before, and knew how to solve it before opening the file.
The important part is understanding the individual pieces and where/how they’re being used within the program. Use any context clues you’re given to help your understanding, and keep asking questions until you’re able to tease apart the knot of code you’re looking at. The following are some good questions to start with:
- What language is it written in?
- What is the code supposed to do?
- How does the program know I am correct/incorrect?
- Is there important information hard coded?
- What terms/functions do I know? What do I not know? What can I google?
This is obviously not the most complicated reverse engineering problem, but keeping the above questions in mind should work as a good foothold as you start to tackle tougher and tougher ones.