This exercise looks at reverse engineering and cracking


This exercise looks at reverse engineering and "cracking" applications. For this exercise you should log into the VM as user: dan, password: dan!dan. In Dan's home directory you will find two jar files, two ELF executables, the tool JD-GUI and the evaluation version of IDA Pro.
For this exercise you need to use JD-GUI and IDA to analyse the applications and gain a complete understanding of what they do.

Part 1: Java Byte Code

The jar files employ two of the most common methods of protecting code: encryption and obfuscation. As you will see, neither of these methods will stop a determined analyst.

The first jar file encrypts some of its code. However, the decryption key must be embedded in the application, so an analyst can still read the code. This is an example of "packing", a protection method often used by malware. It is done mainly to avoid signature-based detection by malware scanners: the malware re-encrypts itself with a different key each time it infects a computer, making it look different each time it spreads.
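The effect described above, seen from the analyst's side, as an added example that is not part of the original exercise or of exercise1.jar. The `PKD1` container layout, the XOR cipher and the sample payload are constructed assumptions chosen to keep the sketch small.

```python
import hashlib
import os

MAGIC = b"PKD1"  # hypothetical container tag, constructed for this example


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (toy cipher standing in for real encryption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Build a constructed sample: magic | key length | key | encrypted payload."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    return MAGIC + bytes([len(key)]) + key + xor_stream(payload, key)


def unpack(blob: bytes) -> bytes:
    """Analyst side: read the embedded key from the header and decrypt the body."""
    if len(blob) < 5 or blob[:4] != MAGIC:
        raise ValueError("not a PKD1 container")
    key_len = blob[4]
    if key_len == 0 or len(blob) < 5 + key_len:
        raise ValueError("truncated or malformed header")
    key = blob[5:5 + key_len]
    return xor_stream(blob[5 + key_len:], key)


def digest(data: bytes) -> str:
    """SHA-256 hex digest, standing in for a scanner's file signature."""
    return hashlib.sha256(data).hexdigest()


def compare(payload: bytes, key_a: bytes, key_b: bytes) -> dict:
    """Pack one payload under two keys; compare hashes before and after unpacking."""
    a, b = pack(payload, key_a), pack(payload, key_b)
    return {
        "packed_hashes_match": digest(a) == digest(b),
        "unpacked_hashes_match": digest(unpack(a)) == digest(unpack(b)),
    }


if __name__ == "__main__":
    sample = b"placeholder bytes standing in for the protected code"  # constructed
    print(compare(sample, os.urandom(16), os.urandom(16)))
```

The packed copies hash differently while the unpacked content hashes the same, which is why a signature is only reliable once it is computed over the unpacked code.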

The second jar file has been obfuscated, i.e., made deliberately hard to understand. This method of protection is often used by drive-by-download attack code that has been injected into a website. The point is to make it difficult for a casual observer to tell what the code is doing, which delays the moment at which anyone realises that the code is malicious.

Question 1: exercise1.jar

The first Java application is a simple password check (you can run the password check jar file by typing java -jar exercise1.jar at the command line). Use JD-GUI to find the password for this program. Describe in detail how the jar file tries to protect the password and how you found the password, explaining each of the steps you took. Another version of this application (with the same password) is also running on one of the ports of the VM. Use nmap to find out which ports are open and netcat (nc) to connect to them and find the application. The version of the application listening on the port will give you a token in response to the correct password.

Question 2: exercise2.jar

The second Java application opens a dialog box that asks for a registration key. Find a registration key that this application will accept. Describe in detail how the jar file tries to protect the password and how you found the password (there is no token for this application).

Part 2: ELF Binaries

Executable and Linkable Format (ELF) is the standard format for Linux executables. The two ELF executables in Dan's home directory can be run from the command line by typing ./exercise-03 and ./exercise-04. The first is a simple password check program and the second is a more complex application for viewing GPG keys.

Question 3: exercise-03

The application exercise-03 asks you to enter a password in order to be given a message. Open this application in IDA by typing ./idaq exercise-03, examine the assembly code and run it in the IDA debugger. Work out how the password is being checked and what the message is. Describe in detail how the application checks the password and how you discovered this. In particular, describe the steps you went through and why. Another version of this application (with the same password) is also running on one of the ports of the VM. Use nmap to find out which ports are open and netcat (nc) to connect to them and find the application. The version of the application listening on the port will give you a token in response to the correct password. Submit this token on the website.

Question 4: exercise-04

The application exercise-04 is a larger program to display information about public keys. This application contains a back door that can be used to get a shell. Open this application in IDA, examine it, and find the back door. This application is also running and listening on one of the ports of the VM as root. Use nmap to find out which port it is running on, connect to it using netcat and exploit the backdoor to get root access to the VM. Describe in detail how the backdoor works and how you discovered it. In particular, describe the steps you went through and why. Once you have root access to the VM you will find a final token in the Ex5rootToken file; submit this to the token submission website.
