Assignment: RE2

Changelog:

  • 27 Jan 2025: explicitly mention the Window menu in Ghidra, and double-clicking on cross-references.
  • 28 Jan 2025: fix sqlite source link
  • 29 Jan 2025: more explicitly mention using debugger to examine how interesting function for Part B is called
  • 29 Jan 2025: add that Ghidra tracks cross-references for functions and variables to the hints
  • 29 Jan 2025: restate in Part B that the example way to run should be by providing appropriate input
  • 31 Jan 2025: in hints: add “Symbol References” to list of particularly helpful views; mention show references to context menu option
  • 31 Jan 2025: in hints: mention explicitly using cross-references and/or matching to C code for part B

Your Task

  1. This homework is intended to be done using Ghidra or some similar tool and/or with a debugger like gdb or lldb. My goal is to give you some experience using such tools (both because you might use them later in the semester and to give you an idea of what these tools are good and bad at).

    For this homework, please submit a writeup in PDF format. Your writeup needs to include the items described below. We do not need complete sentences or similar.

Part A

  1. Download this mystery executable.

  2. Analyze the executable, probably in a tool like Ghidra. Figure out and include in your writeup:

    • A short description (likely not more than one sentence) of what kind(s) of functionality the program appears to implement.

    • Two examples of interesting inputs to the program that use the functionality you identified.

    • A description of a way to cause the program to either:

      • access out-of-bounds memory
      • perform another illegal operation that will likely crash it

      and a brief explanation of why it does so, supported by your analysis of the program.

Part B

  1. Download this modified copy of the sqlite3 command-line utility.

  2. There is a function that prints out “YOUR TASK — FIND HOW TO REACH THIS CODE”. Figure out how to make the executable run it by providing input to the executable.

    Hint: running the usage example below will reach one of the functions that contains a conditional call to that function. You can use a debugger to figure out how that function is called.

    For reference, there is an example of normal usage of this utility below. Also, you might refer to the original, unmodified code (see the src/ subdirectory of this zip archive).

  3. Include in your writeup:

    • An example way to run the program to cause the function to be run (by providing appropriate input).

    • A description, including relevant output from tools and/or screenshots, of how you determined how to run the function.

      (If you cannot figure out how to cause the function to be run, you may include what information you did determine for partial credit.)

Submission

Hints

Debugging generally

  1. Here is a “cheat sheet” of GDB commands.

Debugging without symbols

  1. To load an executable and immediately pause the debugger (before executing any code), you can use starti (GDB) or process launch --stop-at-entry (LLDB).

  2. You can set a breakpoint at the instruction with a particular (virtual) memory address with break *0x12345678 (GDB) or break set --address 0x12345678 (LLDB).

Selected Ghidra usage notes

  1. For finding specific Ghidra functionality, the “Window” menu is helpful.

    The “Listing”, “Function Graph”, “Decompiler”, “Defined Strings”, and “Symbol References” views are particularly helpful.

  2. You can double-click on cross-references in the Listing view to jump to them.

  3. Ghidra tracks cross-reference information for functions and variables.

  4. For looking at a function of interest, I think the decompile and function graph views are probably most useful.

  5. You can rename functions and globals that Ghidra names automatically (from the right-click context menu or with the “L” hot key).

  6. For viewing disassembly of functions, there is both a “Listing” and a “Function Graph” window available (Window menu). Sometimes you might find one more useful than the other.

  7. In the listing disassembly view, there are arrows on the left-hand side indicating where instructions jump to.

  8. You can tell Ghidra that a global variable is an array, and help it refine its decompilation accordingly, by right-clicking (from the Listing view) and choosing “Data > Create array”.

  9. The “Function Call Tree” window can help you track down how functions are used.

  10. You can also view cross-references by right-clicking something and selecting “References > Show References to …” from the context menu.

Part B

SQLite Usage

SQLite is a file-based database implementation. By default the command line tool uses an in-memory database and supports SQL queries.

So, the following is an example of a normal session with this utility:

SQLite version 3.47.2 2024-12-07 20:39:59
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> select pow(0.9, 3), format('%.09f', pow(0.9, 3));
0.729|0.729000000
sqlite> select substr('abcdefghijklmnopq', 3, 7);
cdefghi
sqlite> select random(), random(), random(), random();
4094928279487347533|4549742813197521190|-909555064641621291|-147216299745909800
sqlite> create table some_numbers (x real, y real, z real);
sqlite> insert into some_numbers values (random(), random(), 1.0);
sqlite> insert into some_numbers values (random(), random(), 2.0);
sqlite> select * from some_numbers;
-3.69399745157505e+18|-1.43077975928745e+18|1.0
2.19928476700877e+18|7.67820678924125e+18|2.0
sqlite> update some_numbers where z > 1 set x = 4.0;
Parse error: near "where": syntax error
  update some_numbers where z > 1 set x = 4.0;
                      ^--- error here
sqlite> update some_numbers set x = 4.0 where z > 1;
sqlite> select * from some_numbers;
-3.69399745157505e+18|-1.43077975928745e+18|1.0
4.0|7.67820678924125e+18|2.0
sqlite> select datetime();
2025-01-18 03:34:26
sqlite> select timediff(datetime('2025-01-01 00:00:00+00:00'), datetime('2020-02-05 00:00:00+00:00'));
+0004-10-27 00:00:00.000
sqlite> .quit

Possible plan

  1. Searching for the string and references to it would be a good first step.

    To search for a string you might use:

    • the strings utility;
    • Ghidra’s search memory tool (under the Search menu);
    • Ghidra’s defined strings or defined data window;
    • GDB’s find command or LLDB’s memory find command.

  2. Some code close to the “backdoor” code is run in normal usage of SQLite. You can set a breakpoint there and examine what the functions, local variables, arguments, etc. contain.

  3. You can search the decompiled view and/or use Ghidra’s cross-references tool to see how values/functions are used. You might also be able to find ways to match code to the C sources.
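    As an added worked example (not part of the assignment materials), here is a Ghidra script in Java that automates steps 1 and 3 of this plan: it searches memory for the marker string, lists the cross-references to it, and prints the chain of callers of the referencing function, which is the same information the Function Call Tree window shows. It assumes auto-analysis has already run so that references exist; the script name, the "YOUR TASK" search prefix, and the depth cap are my own choices.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import java.util.HashSet;
import java.util.Set;

// Finds the marker string, lists every code location that references it, and
// walks the caller chain upward so you can see which functions must be passed.
public class FindMarkerStringCallers extends GhidraScript {

    // Search for the ASCII prefix only: the full message contains a
    // non-ASCII dash whose byte encoding is compiler-dependent.
    private static final String NEEDLE = "YOUR TASK";
    private static final int MAX_DEPTH = 4; // assumed cap on caller-chain depth

    @Override
    public void run() throws Exception {
        Address hit = findBytes(currentProgram.getMinAddress(), NEEDLE);
        if (hit == null) {
            println("string not found; try the Defined Strings window instead");
            return;
        }
        println("string at " + hit);
        // Each reference is an instruction that loads the string's address,
        // typically while setting up the argument to the printing call.
        for (Reference ref : getReferencesTo(hit)) {
            Function f = getFunctionContaining(ref.getFromAddress());
            println("  referenced from " + ref.getFromAddress() + " ("
                    + ref.getReferenceType() + ") in "
                    + (f == null ? "<no function>" : f.getName()));
            if (f != null) {
                walkCallers(f, 1, new HashSet<Function>());
            }
        }
    }

    // Print callers recursively, indented by depth; the visited set stops
    // loops through recursive or mutually recursive functions.
    private void walkCallers(Function f, int depth, Set<Function> visited) {
        if (depth > MAX_DEPTH || !visited.add(f)) {
            return;
        }
        for (Function caller : f.getCallingFunctions(monitor)) {
            println("    ".repeat(depth) + caller.getName() + " @ "
                    + caller.getEntryPoint() + " calls " + f.getName());
            walkCallers(caller, depth + 1, visited);
        }
    }
}
```

    Run it from the Script Manager (Window > Script Manager) after placing it in a script directory; each printed caller is a function whose conditional logic you can then inspect in the Decompiler or at a debugger breakpoint.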

On installing Ghidra

  1. You can install Ghidra on your own machine (but see the next item re: using it on department machines). Ghidra comes with an installation guide (in the “docs” subdirectory of the zip archive available for download), which you may need to refer to, especially if you want to get its debugger functionality working.

Ghidra on department machines

  1. You can use Ghidra on department machines through NoMachine.

    After logging in run:

    source /etc/profile.d/modules.sh
    module load apptainer
    module load ghidra
    apptainer run $CONTAINERDIR/ghidra-11.2.1.sif
    

    Then you should get an Apptainer> prompt. In this prompt, you can run

    ghidraRun