├── README.md
├── docker
    ├── Dockerfile
    └── README.md
├── session-four
    ├── README.md
    ├── exercises
    │   ├── crackmes.one
    │   │   ├── README.md
    │   │   ├── auth
    │   │   ├── half-twins
    │   │   ├── mbtu
    │   │   └── noprelo
    │   ├── script-exercises
    │   │   ├── README.md
    │   │   ├── pcode-ex-arm
    │   │   ├── pcode-ex-ppc
    │   │   └── pcode-ex-x86_64
    │   └── source
    │   │   └── pcode.c
    └── slides
    │   └── session-4.pdf
├── session-one
    ├── assembly
    │   ├── c1
    │   ├── c1.0
    │   ├── c1.s
    │   └── x86-ex.S
    ├── elf-exercises
    │   ├── README.md
    │   ├── dobby
    │   └── legolas
    ├── exercises
    │   ├── SimpleKeyGen
    │   ├── c1
    │   ├── c2
    │   ├── c3
    │   ├── c4
    │   ├── nasm_crack
    │   ├── skele
    │   └── source
    │   │   ├── Makefile
    │   │   ├── c1.c
    │   │   ├── c2.c
    │   │   ├── c3.c
    │   │   ├── c4.c
    │   │   └── skelexor.c
    ├── slides
    │   └── session-1.pdf
    └── test
├── session-three
    ├── README.md
    ├── exercises
    │   ├── files
    │   ├── pointers
    │   ├── source
    │   │   ├── Makefile
    │   │   ├── enums.c
    │   │   ├── file.c
    │   │   ├── pointer-struct.c
    │   │   └── structs.c
    │   ├── structs
    │   └── syscall
    └── slides
    │   └── session-3.pdf
└── session-two
    ├── README.md
    ├── exercises
        ├── array-example
        ├── control-flow-1
        ├── func-example-1
        ├── heap-example-1
        ├── loop-example-1
        ├── source
        │   ├── Makefile
        │   ├── array-example.c
        │   ├── control-flow-1.c
        │   ├── func-example-1.c
        │   ├── loop-example-for.c
        │   └── variables-example.c
        └── variables-example
    └── slides
        └── session-2.pdf

/README.md:
--------------------------------------------------------------------------------
# Hackaday U - Introduction to Reverse Engineering with Ghidra

This repository contains the exercises and resource materials for the Hackaday-U Course: Introduction to Reverse Engineering with Ghidra.

The purpose of this course is to provide an overview of how to use Ghidra and how to reverse engineer x86_64 ELF binaries for Linux.

Links to the course materials, slides and video sessions can be found [here](https://hackaday.io/project/172292-introduction-to-reverse-engineering-with-ghidra)

## Contents

* ```docker```: Dockerfile for running the exercises for this course
* ```session-one```: This folder contains all of the relevant exercises for session one
* ```session-two```: This folder contains all of the relevant exercises for session two
* ```session-three```: This folder contains all of the relevant exercises for session three
* ```session-four```: This folder contains all of the relevant exercises for session four

Each folder contains exercises and examples for the topics that were covered in class. The slides are also included as a PDF in the slides directory for each session.

## Solutions to challenges

The source for the challenges will be released; however, if you have a writeup that you would like included in this repository, reach out or submit a pull request and we will review it to be added to the repo!

### List of Solution Walkthroughs

* [Session one exercises c1-c4](https://medium.com/@Haddock22/start-your-career-in-cybersecurity-hackaday-ghidra-exercises-walkthrough-part-1a-b552f3fdc67c)
* [Session one exercises nasm crack, skele, simplegenkey](https://medium.com/@Haddock22/start-your-career-in-ethical-hacking-hackaday-ghidra-exercises-walkthrough-part-1b-7b6e43ccecb5)
* [Session two exercises](https://medium.com/@Haddock22/start-your-career-in-cybersecurity-hackaday-ghidra-exercises-walkthrough-part-2-7cc2692054be)
* [Session three exercises](https://medium.com/@Haddock22/start-your-career-in-ethical-hacking-hackaday-ghidra-exercises-walkthrough-part-3-531519cb4093)

## Contributing

Did I miss something or make a mistake (almost certainly!)? Let me know and submit a PR!

--------------------------------------------------------------------------------
/docker/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
# Grab our dependencies, there aren't many for this
RUN DEBIAN_FRONTEND="noninteractive" apt-get update
RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install build-essential binwalk git vim tmux elfutils emacs make python python3
# Install 32bit libraries
RUN DEBIAN_FRONTEND="noninteractive" dpkg --add-architecture i386
RUN DEBIAN_FRONTEND="noninteractive" apt-get update && apt-get -y install libc6:i386 libncurses5:i386 libstdc++6:i386 multiarch-support

RUN mkdir /home/hackaday/
WORKDIR /home/hackaday
RUN git clone https://github.com/wrongbaud/hackaday-u.git

--------------------------------------------------------------------------------
/docker/README.md:
--------------------------------------------------------------------------------
# Dockerfile Instructions

This Docker container can be used to run all of the exercises included in the hackaday-u course.

* [Install Docker](https://docs.docker.com/get-docker/)

* Build the container:
    * ```docker build . -t hackaday-u```

* Run the container:
    * ```docker run --rm -it hackaday-u /bin/bash```

--------------------------------------------------------------------------------
/session-four/README.md:
--------------------------------------------------------------------------------
# Session Four Exercises

These exercises are designed to illustrate the principles that are covered in the course materials. For session four we have the following exercises:

* ```crackmes.one``` - This folder contains 4 additional challenges for you to solve, in ascending difficulty
* ```script-exercises``` - This contains 3 different programs, with script exercises for you to perform and run on the various binaries

--------------------------------------------------------------------------------
/session-four/exercises/crackmes.one/README.md:
--------------------------------------------------------------------------------
# CrackMes

Within this folder you will find four crackmes, all sourced from crackmes.one. The original authors are credited below:

1. kellek's noprelo: https://crackmes.one/crackme/5b9d312233c5d45fc286ae03
2. m3hd1's half-twins: https://crackmes.one/crackme/5dce805c33c5d419aa0131ae
3. crackmes.de's moreboredthanyou by stefanie: https://crackmes.one/crackme/5ab77f5a33c5d40ad448c504
4. BitFriends's auth: https://crackmes.one/crackme/5e8349b033c5d4439bb2e040

--------------------------------------------------------------------------------
/session-four/exercises/crackmes.one/auth:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/crackmes.one/auth

--------------------------------------------------------------------------------
/session-four/exercises/crackmes.one/half-twins:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/crackmes.one/half-twins

--------------------------------------------------------------------------------
/session-four/exercises/crackmes.one/mbtu:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/crackmes.one/mbtu

--------------------------------------------------------------------------------
/session-four/exercises/crackmes.one/noprelo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/crackmes.one/noprelo

--------------------------------------------------------------------------------
/session-four/exercises/script-exercises/README.md:
--------------------------------------------------------------------------------
# Scripting / API Review

In this folder you will find three examples of the same code compiled for different architectures. For each of these, see if you can do the following:

1. Write a Java script that calculates instruction frequency for all of the instructions used in the main function
2. Write a Python script to examine and write the PCode out to a file using the API calls covered in class
3. Write a Java or Python script that counts the number of branches taken during the main function

--------------------------------------------------------------------------------
/session-four/exercises/script-exercises/pcode-ex-arm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/script-exercises/pcode-ex-arm

--------------------------------------------------------------------------------
/session-four/exercises/script-exercises/pcode-ex-ppc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/script-exercises/pcode-ex-ppc

--------------------------------------------------------------------------------
/session-four/exercises/script-exercises/pcode-ex-x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/script-exercises/pcode-ex-x86_64

--------------------------------------------------------------------------------
/session-four/exercises/source/pcode.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/exercises/source/pcode.c

--------------------------------------------------------------------------------
/session-four/slides/session-4.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-four/slides/session-4.pdf

--------------------------------------------------------------------------------
/session-one/assembly/c1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/assembly/c1

--------------------------------------------------------------------------------
/session-one/assembly/c1.0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/assembly/c1.0

--------------------------------------------------------------------------------
/session-one/assembly/c1.s:
--------------------------------------------------------------------------------
section .rodata
    msg: db 'hackaday-u',10;


section .text
    global _start
_start:
    ; write(1, msg, 10): syscall number 1 on x86_64 Linux
    mov rdi, 1
    mov rsi, msg
    mov rdx, 10
    mov rax, 1
    syscall
    ; exit(0): syscall number 60
    mov rdi, 0
    mov rax, 60
    syscall

--------------------------------------------------------------------------------
/session-one/assembly/x86-ex.S:
--------------------------------------------------------------------------------
section .text
    global _start
_start:
    mov rax, 0x2FFF
    mov rbx, 0x3000
    or rax,rbx          ; rax = 0x2FFF | 0x3000 = 0x3FFF
    mov rcx, 0x10000
    sub rcx, rax        ; rcx = 0x10000 - 0x3FFF = 0xC001
    add rcx, rbx        ; rcx = 0xC001 + 0x3000 = 0xF001
    cmp rax,rbx
    jg _greater         ; signed compare: taken when rax > rbx
    mov rax, 0x2
_greater:
    mov rax, 0x1
    ret

--------------------------------------------------------------------------------
/session-one/elf-exercises/README.md:
--------------------------------------------------------------------------------
# Elf Exercises

In this folder we have two ELF files. Can you tell the differences between them?

1. What are the main differences between these two files?
2. How are these two files related?
3. Can they both be executed in the docker container? Why or why not?

--------------------------------------------------------------------------------
/session-one/elf-exercises/dobby:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/elf-exercises/dobby

--------------------------------------------------------------------------------
/session-one/elf-exercises/legolas:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/elf-exercises/legolas

--------------------------------------------------------------------------------
/session-one/exercises/SimpleKeyGen:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/SimpleKeyGen

--------------------------------------------------------------------------------
/session-one/exercises/c1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/c1

--------------------------------------------------------------------------------
/session-one/exercises/c2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/c2

--------------------------------------------------------------------------------
/session-one/exercises/c3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/c3

--------------------------------------------------------------------------------
/session-one/exercises/c4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/c4

--------------------------------------------------------------------------------
/session-one/exercises/nasm_crack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/nasm_crack

--------------------------------------------------------------------------------
/session-one/exercises/skele:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/exercises/skele

--------------------------------------------------------------------------------
/session-one/exercises/source/Makefile:
--------------------------------------------------------------------------------
SRCS=$(wildcard *.c)

OBJS=$(SRCS:.c=)

ASM=$(SRCS:.c=.S)

bins: $(OBJS)

asm:
	$(foreach var,$(OBJS),objdump -d -M intel $(var) > $(var).S;)

--------------------------------------------------------------------------------
/session-one/exercises/source/c1.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    if(argc !=2) {
        printf("Please supply the password!\r\n");
        return -1;
    }

    /* The password is stored as a plain string literal in the binary */
    char* pword = "hackadayu";
    if(strncmp(argv[1],pword,strlen(pword))){
        printf("Wrong answer, we'd never use %s as the password!\r\n",argv[1]);
        return -1;
    }else {
        printf("Correct! The password was %s this whole time!\r\n",argv[1]);
        return 0;
    }
}

--------------------------------------------------------------------------------
/session-one/exercises/source/c2.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    if(argc !=2) {
        printf("Please supply the password!\r\n");
        return -1;
    }

    if(strlen(argv[1]) < 5){
        printf("We'd never use a password that short!\n");
        return -1;
    }
    /* Only the characters at index 0 and index 4 are checked */
    if(argv[1][0] == 'h' && argv[1][4] == 'u'){
        printf("Correct -- maybe we should pay attention to more characters...\n");
        return 0;
    }else{
        printf("Wrong answer! Try again\n");
        return -1;
    }
}

--------------------------------------------------------------------------------
/session-one/exercises/source/c3.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[])
{
    if(argc != 2 ){
        printf("Please provide the secret pasSword!\n");
        return -1;
    }

    if(strlen(argv[1]) < 5){
        printf("Come on now ... you should expect betTer from us!\n");
        return -1;
    }

    /* The difference between the characters at index 2 and index 3 must equal 97-65 */
    unsigned char target_val = 97-65;
    unsigned char first = argv[1][2];
    unsigned char second = argv[1][3];
    if((first - second) == target_val){
        printf("Correct! You figured it out ... looks like we have to upgrade our security...\n");
        return 0;
    }else {
        printf("IncorRect pasSword!\n");
        return -1;
    }
}

--------------------------------------------------------------------------------
/session-one/exercises/source/c4.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[])
{
    char * pword = "hackaday-u";
    if(argc != 2 ){
        printf("Please provide the secret password!\n");
        return -1;
    }

    if(strlen(argv[1]) < 10){
        printf("Come on now ... you should expect better from us!\n");
        return -1;
    }


    /* Each input character must equal the matching pword character plus 2 */
    int x = 0;
    int len = strlen(argv[1]);
    for(x = 0; x < len; x++){
        if((pword[x] + 2) != argv[1][x]){
            printf("Wrong Password!\n");
            return -1;
        }
    }
    printf("Correct! You've entered the right password ... you're getting better at this!\n");
    return 0;

}

--------------------------------------------------------------------------------
/session-one/exercises/source/skelexor.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    const char * skelekey = "skeletor";
    char key[8]= {8,9,10,11,12,13,14,15};
    int x = 0;

    if(argc != 2){
        printf("Please provide the password to enter castle greyskull!\r\n");
        return 0;
    }

    if(strlen(argv[1]) < strlen(skelekey)){
        printf("Wrong length, better luck next time!\r\n");
        return -1;
    }

    /* Input byte x must equal skelekey[x] XOR key[x] */
    for(x=0;x<8; x++){
        if((skelekey[x] ^ key[x]) != argv[1][x]){
            printf("Wrong answer\r\n");
            return -1;
        }
    }
    printf("Correct! You have the power!\r\n");

    return 0;
}

--------------------------------------------------------------------------------
/session-one/slides/session-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/slides/session-1.pdf

--------------------------------------------------------------------------------
/session-one/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-one/test

--------------------------------------------------------------------------------
/session-three/README.md:
--------------------------------------------------------------------------------
# Session Three Exercises

These exercises are designed to illustrate the principles that are covered in the course materials. For session three we have the following exercises:

* structs
* pointers
* syscall
* files

**Note** You will need to mark these binaries as executable before trying to run them, ex: ```chmod u+x structs```

Each of these exercises is designed to accept user input from the command line - when the proper input is provided you will get a Success or Congratulatory message.

**Remember** you can provide non-ASCII input as follows:

```./pointers `python -c 'print "\xDE\xAD\xBE\xEF"'` ```

This example will provide the value 0xDEADBEEF into argv[1]

**Hint**: For the files exercise, you may need to edit binary files. To do this you can use any standard hex editor; below are some recommendations:
* 010Editor
* HxD
* xxd

It is up to you to determine the format and number of these arguments for each exercise by reverse engineering them - if you get stuck please feel free to reach out on the [hackaday.io](https://hackaday.io/project/172292-introduction-to-reverse-engineering-with-ghidra) page, or reach out to me on [twitter](https://twitter.com/wrongbaud/).

--------------------------------------------------------------------------------
/session-three/exercises/files:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-three/exercises/files

--------------------------------------------------------------------------------
/session-three/exercises/pointers:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-three/exercises/pointers

--------------------------------------------------------------------------------
/session-three/exercises/source/Makefile:
--------------------------------------------------------------------------------
SRCS=$(wildcard *.c)

OBJS=$(SRCS:.c=)

ASM=$(SRCS:.c=.S)

bins: $(OBJS)

asm:
	$(foreach var,$(OBJS),objdump -d -M intel $(var) > $(var).S;)

--------------------------------------------------------------------------------
/session-three/exercises/source/enums.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum months{jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec};

struct userinfo {
    int key;
    char dontUse;
    char *username;
    char *password;
    int realKey;
    int (*calc)(int a, int b);
};

void swapNames(char **a, char **b){
    char *tmp;
    tmp = *a;
    *a = *b;
    *b = tmp;
}
int keyCalc(int a, int b){
    return ((a+b) << 3);
}

int gen_password(struct userinfo* info){
    int count = strlen(info->username);
    int x = 0;
    /* count bytes are allocated and filled; the buffer is not NUL-terminated */
    char * pass = malloc(count);
    for(x = 0; x < count; x++){
        pass[x] = ((char)info->username[x] + (char)info->key)^ (char)info->realKey;
        pass[x] = pass[x] - 0x13;
    }
    info->password = pass;
    return 0;
}

int main(int argc, char * argv[])
{
    struct userinfo info;
    int key = 0;
    char *username;
    char *password;

    if(argc != 4){
        printf("Please provide your key, username and password!\r\nExample: 12738 wrongbaud P@55W0rd1\r\n");
        return -1;
    }

    key = atoi(argv[1]);
    if(!key){
        printf("Improper key provided, please provide and integer key!\r\n");
        return -1;
    }
    username = argv[2];
    if((strlen(username) > 0x255) || (strlen(username) < 8)){
        printf("Improper username provided, please check the length!\r\n");
        return -1;
    }
    password = argv[3];
    if((strlen(password) > 0x255) || (strlen(password) < 8)){
        printf("Improper password provided, please check the length!\r\n");
        return -1;
    }

    info.key = key;
    info.calc = &keyCalc;
    /* realKey is computed through the function pointer stored in the struct */
    info.realKey = info.calc(info.key,info.key + 0xBEEF);
    info.username = username;
    info.password = password;
    /* After the swap, info.username points at argv[3] and info.password at argv[2] */
    swapNames(&info.username,&info.password);
    printf("Username: %s, Password: %s\r\n",info.username,info.password);
    gen_password(&info);
    if(strcmp(password,info.password)!=0){
        printf("Invalid password provided, try again!\r\n");
        free(info.password);
        return -1;
    }
    printf("Correct! Access granted!\r\n");
    free(info.password);
    return 0;
}

--------------------------------------------------------------------------------
/session-three/exercises/source/file.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

struct userinfo {
    int key;
    char dontUse;
    char *username;
    int nameLen;
    char *password;
    int realKey;
    int (*calc)(int a, int b);
};

int keyCalc(int a, int b){
    return ((a+b) << 3);
}

int gen_password(struct userinfo* info){
    int x = 0;
    char * pass = malloc(info->nameLen);
    for(x = 0; x < info->nameLen; x++){
        pass[x] = ((char)info->username[x] + (char)info->key)^ (char)info->realKey;
        pass[x] = pass[x] - 0x13;
    }
    info->password = pass;
    return 0;
}
char * unameFile = "uname.x";
char * keyFile = "key.y";
char * pwordFile = "pword.z";

int main(int argc, char * argv[])
{
    struct userinfo info;
    int key = 0;
    char *username;
    char *password;
    int bytesRead;
    int nameLen = 0;

    /* The key is read as 4 raw bytes from key.y, not as ASCII text */
    int keyFd = open(keyFile,O_RDONLY);
    if(keyFd == -1){
        printf("Could not find key file, please try again!\r\n");
        return -1;
    }else{
        bytesRead = read(keyFd,&key,4);
        if(bytesRead < 4){
            printf("Not enough values in keyfile, please try again!\r\n");
            return -1;
        }
    }
    info.key = key;


    int unameFd = open(unameFile,O_RDONLY);
    if(unameFd == -1){
        printf("Could not find username file, please try again!\r\n");
        return -1;
    }else{
        username = malloc(0x255);
        bytesRead = read(unameFd,username,0x255);
        if(bytesRead < 8){
            printf("Not enough values in username file, please try again!\r\n");
            return -1;
        }
        nameLen = bytesRead-1;
    }
    info.nameLen = nameLen;

    int pwordFd = open(pwordFile,O_RDONLY);
    if(pwordFd == -1){
        printf("Could not find password file, please try again!\r\n");
        return -1;
    }else{
        password = malloc(0x255);
        bytesRead = read(pwordFd,password,0x255);
        if(bytesRead < 8){
            printf("Not enough values in password file, please try again!\r\n");
            return -1;
        }
    }


    info.calc = &keyCalc;
    info.realKey = info.calc(info.key,info.key + 0xBEEF);
    info.username = username;
    info.password = password;
    gen_password(&info);
    /* Compare the file's password bytes with the generated ones, nameLen bytes in total */
    int pwordLen = 0;
    for(pwordLen = 0; pwordLen < info.nameLen;pwordLen++ ){
        if(password[pwordLen] != info.password[pwordLen]){
            printf("Invalid character in password detected, exiting now!\r\n");
            return -1;
        }
    }
    printf("Correct! Access granted!\r\n");
    free(info.password);
    return 0;
}

--------------------------------------------------------------------------------
/session-three/exercises/source/pointer-struct.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct userinfo {
    int key;
    char dontUse;
    char *username;
    char *password;
    int realKey;
    int (*calc)(int a, int b);
};

void swapNames(char **a, char**b){
    char *tmp;
    tmp = *a;
    *a = *b;
    *b = tmp;
}
int keyCalc(int a, int b){
    return ((a+b) << 3);
}

int gen_password(struct userinfo* info){
    int count = strlen(info->username);
    int x = 0;
    /* count bytes are allocated and filled; the buffer is not NUL-terminated */
    char * pass = malloc(count);
    for(x = 0; x < count; x++){
        pass[x] = ((char)info->username[x] + (char)info->key)^ (char)info->realKey;
        pass[x] = pass[x] - 0x13;
    }
    info->password = pass;
    return 0;
}

int main(int argc, char * argv[])
{
    struct userinfo info;
    int key = 0;
    char *username;
    char *password;

    if(argc != 4){
        printf("Please provide your key, username and password!\r\nExample: 12738 wrongbaud P@55W0rd1\r\n");
        return -1;
    }

    key = atoi(argv[1]);
    if(!key){
        printf("Improper key provided, please provide and integer key!\r\n");
        return -1;
    }
    username = argv[2];
    if((strlen(username) > 0x255) || (strlen(username) < 8)){
        printf("Improper username provided, please check the length!\r\n");
        return -1;
    }
    password = argv[3];
    if((strlen(password) > 0x255) || (strlen(password) < 8)){
        printf("Improper password provided, please check the length!\r\n");
        return -1;
    }

    info.key = key;
    info.calc = &keyCalc;
    info.realKey = info.calc(info.key,info.key + 0xBEEF);
    info.username = username;
    info.password = password;
    /* After the swap, info.username points at argv[3] and info.password at argv[2] */
    swapNames(&info.username,&info.password);
    gen_password(&info);
    int pwordLen = 0;
    for(pwordLen = 0; pwordLen < strlen(info.password);pwordLen++ ){
        if(username[pwordLen] != info.password[pwordLen]){
            printf("Invalid character in password detected, exiting now!\r\n");
            free(info.password);
            return -1;
        }
    }

    printf("Correct! Access granted!\r\n");
    free(info.password);
    return 0;
}

--------------------------------------------------------------------------------
/session-three/exercises/source/structs.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>



struct userinfo {
    int key;
    char dontUse;
    char* username;
    char *password;
    int realKey;
};

int add(int a, int b){
    return a+b;
}

int gen_password(struct userinfo* info){
    int count = strlen(info->username);
    int x = 0;
    /* count bytes are allocated and filled; the buffer is not NUL-terminated */
    char * pass = malloc(count);
    for(x = 0; x < count; x++){
        pass[x] = (char)info->username[x] ^ (char)info->key;
        pass[x] = pass[x] - 0x13;
    }
    info->password = pass;
    return 0;
}

int main(int argc, char * argv[])
{
    struct userinfo info;
    int key = 0;
    char *username;
    char *password;

    if(argc != 4){
        printf("Please provide your key, username and password!\r\nExample: 12738 wrongbaud P@55W0rd1\r\n");
        return -1;
    }

    key = atoi(argv[1]);
    if(!key){
        printf("Improper key provided, please provide and integer key!\r\n");
        return -1;
    }
    username = argv[2];
    if((strlen(username) > 0x255) || (strlen(username) < 8)){
        printf("Improper username provided, please check the length!\r\n");
        return -1;
    }
    password = argv[3];
    if((strlen(password) > 0x255) || (strlen(password) < 8)){
        printf("Improper password provided, please check the length!\r\n");
        return -1;
    }
    info.key = key;
    info.realKey = add(info.key,info.key);
    info.username = username;
    gen_password(&info);
    int pwordLen = 0;
    for(pwordLen = 0; pwordLen < strlen(info.password);pwordLen++ ){
        if(password[pwordLen] != info.password[pwordLen]){
            printf("Invalid character in password detected, exiting now!\r\n");
            return -1;
} 68 | } 69 | printf("Correct! Access granted!\r\n"); 70 | free(info.password); 71 | return 0; 72 | } 73 | -------------------------------------------------------------------------------- /session-three/exercises/structs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-three/exercises/structs -------------------------------------------------------------------------------- /session-three/exercises/syscall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-three/exercises/syscall -------------------------------------------------------------------------------- /session-three/slides/session-3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-three/slides/session-3.pdf -------------------------------------------------------------------------------- /session-two/README.md: -------------------------------------------------------------------------------- 1 | # Session Two Exercises 2 | 3 | These exercises are designed to illusrate the principals that are covered in the course materials, for session two we have the following exercises: 4 | 5 | * control-flow-1 6 | * loop-example-1 7 | * variables-example 8 | * func-example-1 9 | * array-example 10 | 11 | **Note** You will need to mark these binaries as executable before trying to run them, ex: ```chmod u+x control-flow-1``` 12 | 13 | Each of these exercises are designed to accept user input from the command line - when the proper input is provided you will get a Success or Congratulatory message. 

For example, ```control-flow-1``` takes two values as an input, so you would run it as: ```./control-flow-1 value1 value2```

It is up to you to determine the format and number of these arguments for each exercise by reverse engineering them - if you get stuck please feel free to reach out on the [hackaday.io](https://hackaday.io/project/172292-introduction-to-reverse-engineering-with-ghidra) page, or reach out to me on [twitter](https://twitter.com/wrongbaud/).


--------------------------------------------------------------------------------
/session-two/exercises/array-example:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/exercises/array-example
--------------------------------------------------------------------------------
/session-two/exercises/control-flow-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/exercises/control-flow-1
--------------------------------------------------------------------------------
/session-two/exercises/func-example-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/exercises/func-example-1
--------------------------------------------------------------------------------
/session-two/exercises/heap-example-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/exercises/heap-example-1
--------------------------------------------------------------------------------
/session-two/exercises/loop-example-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/exercises/loop-example-1
--------------------------------------------------------------------------------
/session-two/exercises/source/Makefile:
--------------------------------------------------------------------------------
SRCS=$(wildcard *.c)

OBJS=$(SRCS:.c=)

ASM=$(SRCS:.c=.S)

bins: $(OBJS)

asm:
	$(foreach var,$(OBJS),objdump -d -M intel $(var) > $(var).S;)

--------------------------------------------------------------------------------
/session-two/exercises/source/array-example.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char * keywords[] = {"hackadayu","software","reverse","engineering","ghidra"};
unsigned char bytecodes[] = {0xC6,0x44,0xC5,0xe3,0xe6};

int main(int argc, char *argv[]){

    if(argc != 3){
        printf("Please provide a password index and keycode, ex: 1 p@55w0rd!\r\n");
        return -1;
    }
    int index = atoi(argv[1])+1;
    /* Reject anything outside 1..5; a negative index would read before the arrays */
    if(index < 1 || index > 5){
        printf("Improper index provided, try again!\r\n");
        return -1;
    }
    unsigned char keycode = bytecodes[index-1];
    int pwdLen = strlen(keywords[index-1]);
    int count = 0;
    for(count;count nxtChar){
            targetVal = ((curChar - nxtChar) + 0x60);
        }else{
            targetVal = ((nxtChar-curChar) +0x60);
        }
        if((char)targetVal != (char)(argv[2][count])){
            printf("Wrong value detected at character %x!\r\n",count);
            return -1;
        }
    }
    printf("Congratulations, you've unlocked the code for value %x, can you get them all?\r\n",index);
}

--------------------------------------------------------------------------------
/session-two/exercises/source/control-flow-1.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>


int main(int argc, char *argv[]){

    if(argc != 3){
        printf("Please provide two values to generate a code!\r\nExample: ./control-flow-1 100 4300\r\n");
        return -1;
    }
    int a = atoi(argv[1]);
    int b = atoi(argv[2]);
    int c = a+b;
    /* Check 1: the first value must be larger than the second */
    if(!(a > b)){
        printf("First check failed, try again!\r\n");
        return -1;
    }
    /* Check 2: twice the second value must be at least the first */
    b += b;
    if( b < a){
        printf("Second check failed, try again!\r\n");
        return -1;
    }
    /* Check 3: c - a is the original second value, which must be at least 100 */
    if((c-a) < 100){
        printf("Third check failed, try again!\r\n");
        return -1;
    }
    printf("Proper values provided! Great work!\r\n");

    return 0;
}

--------------------------------------------------------------------------------
/session-two/exercises/source/func-example-1.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASCII_CAP_START 0x41
#define ASCII_CAP_END 0x5A

#define ASCII_LOW_START 0x61
#define ASCII_LOW_END 0x7A

/* Return a newly allocated string holding only the uppercase letters of argString */
char* getUpperCase(char *argString,char* uppercase){
    int argLength = strlen(argString);
    /* +1 keeps a terminating NUL even when every character is copied */
    uppercase = calloc(argLength + 1,sizeof(char));
    int counter = 0;
    int capIndex = 0;
    for(counter=0; counter < argLength; counter++){
        if((argString[counter] >= ASCII_CAP_START) && (argString[counter] <= ASCII_CAP_END)){
            uppercase[capIndex] = argString[counter];
            capIndex += 1;
        }
    }
    return uppercase;
}

/* Return a newly allocated string holding only the lowercase letters of argString */
char* getLowerCase(char *argString,char* uppercase){
    int argLength = strlen(argString);
    /* +1 keeps a terminating NUL even when every character is copied */
    uppercase = calloc(argLength + 1,sizeof(char));
    int counter = 0;
    int capIndex = 0;
    for(counter=0; counter < argLength; counter++){
        if((argString[counter] >= ASCII_LOW_START) && (argString[counter] <= ASCII_LOW_END)){
            uppercase[capIndex] = argString[counter];
            capIndex += 1;
        }
    }
    return uppercase;
}


int main(int argc, char *argv[]){

    if(argc != 2){
        printf("Please generate a passcode for system usage!\r\n");
        return -1;
    }
    char *uppercase = NULL;
    char *lowercase = NULL;
    uppercase = getUpperCase(argv[1],uppercase);
    lowercase = getLowerCase(argv[1],uppercase);
    /* The passcode passes when it has as many uppercase as lowercase letters */
    if(strlen(uppercase) != strlen(lowercase)){
        printf("Passcode doesn't have enough variety! Please try again\r\n");
        free(uppercase);
        free(lowercase);
        return -1;
    }else{
        printf("Passcode generator passed, good job!\r\n");
        free(uppercase);
        free(lowercase);
    }
    return 0;
}

--------------------------------------------------------------------------------
/session-two/exercises/source/loop-example-for.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASCII_CAP_START 0x41
#define ASCII_CAP_END 0x5A

int main(int argc, char *argv[]){

    if(argc != 2){
        printf("Please provide a string!\r\n");
        return -1;
    }
    int argLength = strlen(argv[1]);
    if(argLength != 15){
        printf("Wrong length! Try again!\r\n");
        return -1;
    }
    /* Count the uppercase ASCII letters in the argument */
    int counter = 0;
    int capIndex = 0;
    for(counter=0; counter < argLength; counter++){
        if((argv[1][counter] >= ASCII_CAP_START) && (argv[1][counter] <= ASCII_CAP_END)){
            capIndex += 1;
        }
    }
    if(capIndex != 8){
        printf("Not quite what we're looking for ... maybe try again?\r\n");
    }else{
        printf("Congratulations, access granted!\r\n");
    }
    return 0;
}

--------------------------------------------------------------------------------
/session-two/exercises/source/variables-example.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

char *globalVar = "KeYpress";
int64_t XorMe = 0xDEADBEEFFACECAFE;


int main(int argc, char *argv[]){
    if(argc != 2){
        printf("Please prvide the 8 character keycode");
        return -1;
    }
    if(strlen(argv[1])<8){
        printf("Too short, try again!\r\n");
        /* Stop here so the loop below never reads past the end of a short argument */
        return -1;
    }
    char *pass = argv[1];
    int index = 0;
    for(index = 0;index<8;index++){
        /* Byte `index` of XorMe, least significant byte first */
        unsigned char cmpByte = (XorMe >> (index*8)) & (int64_t)0xFF;
        unsigned char targetVal = cmpByte - (~globalVar[index]);
        if((unsigned char)pass[index] != targetVal){
            printf("Improper character in keycode detected, try again!\r\n");
            return -1;
        }
    }
    printf("Proper keycode supplied, well done!\r\n");
    return 0;
}

--------------------------------------------------------------------------------
/session-two/exercises/variables-example:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/exercises/variables-example
--------------------------------------------------------------------------------
/session-two/slides/session-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wrongbaud/hackaday-u/64c5549c5006f1b1525c4101c025091558ab78d6/session-two/slides/session-2.pdf
--------------------------------------------------------------------------------
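A keygen for `session-three/exercises/source/structs.c`, added here as an example and not part of the repository: it mirrors the `gen_password()` transform and searches for a key whose derived password can actually be typed on a command line. The function names `derive_password`, `is_typable` and `find_typable_key` are hypothetical; the username is the one from the program's own usage message.

```c
#include <stdio.h>
#include <string.h>

/* Same transform as gen_password() in structs.c. Only the low byte of the
 * key takes part, because the source casts the key to char before the XOR. */
void derive_password(int key, const char *user, char *out)
{
    size_t n = strlen(user);
    for (size_t i = 0; i < n; i++) {
        unsigned char mixed = (unsigned char)(user[i] ^ (char)key);
        out[i] = (char)(unsigned char)(mixed - 0x13);
    }
    out[n] = '\0';
}

/* argv cannot carry NUL bytes, and control or high-bit bytes are awkward to
 * type, so accept only printable, non-space ASCII (0x21..0x7e) in all n bytes. */
int is_typable(const char *pw, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c < 0x21 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Try keys 1..255 (structs.c rejects a key of 0) and return the first one
 * whose derived password is typable, or -1 if this username has none. */
int find_typable_key(const char *user, char *out)
{
    for (int key = 1; key < 256; key++) {
        derive_password(key, user, out);
        if (is_typable(out, strlen(user)))
            return key;
    }
    return -1;
}

int main(void)
{
    char pw[64];
    const char *user = "wrongbaud"; /* username from the usage message */
    int key = find_typable_key(user, pw);
    if (key < 0) { puts("no typable key for this username"); return 1; }
    printf("key=%d username=%s password=%s\n", key, user, pw);
    return 0;
}
```

With the usage message's own key, 12738, the first derived byte for `wrongbaud` is 0xA2, which is why the search for a printable key is needed.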