Introduction to Linux Reverse Engineering – The tools showcase
Written by : Levis Nickaster ([Link]
Introduction
Hello all mates,
At the time of writing this paper I am still a newbie in reverse engineering. However, I have always
wanted to share my knowledge and my passion with other people; that work makes me happy, that's all.
Maybe some of you will find it interesting and some will not, but feel free to read my tutorials. Once
you have read it, that's enough for me. Thanks for reading :).
The idea for this article came from some of my friends. They asked me about the things in Linux that
help with reverse engineering on this platform. I assume you have read some of my Linux reversing
tutorials somewhere (my blog, some well-known forums where I posted them). I moved to Linux at least a
couple of years ago, and started reversing on Linux in... oh, I don't remember, haha, but not so long
ago. The first time was a bit hard, for two reasons:
1. Tutorials are hard to find. I could not find tutorials as easily as I did for Windows. Most of the
reversing forums I have joined have a dedicated section for Linux reversing, but only a few tutorials
are available there. OK, that is not a big deal; I started to learn from scratch. A hard way, but
somehow I like hard things. If I were scared, I would never have learned reversing, and neither would
you, right?
2. Tools and utilities are unfamiliar and hard to use at first. On Windows I had well-established
concepts and extremely useful (and far from powerless) tools: OllyDbg, LordPE, ImpREC, ... tons of tools,
and they are GUI-based (that means user-friendly). When I changed to Linux I had to spend a lot of time
dealing with CLI-based tools and Bash shell scripts. A whole new system, a whole new set of tools, a
whole new way to RE. Sounds hard, right? But once you get familiar with these things, you will find
they are very fun and powerful, and sometimes more comfortable than the Windows tools (the CLI rocks!).
But remember, this is for fun. Look at them with fun in your eyes, and then you rock too :).
So I made this tutorial as a brief description of the things you need to start reversing on Linux. I will
show you some useful commands and utilities that you will find available in most popular Linux distros.
Just grab them and start learning to use them. Once you solve (2), you will easily solve (1) (the issues
I described above).
Now, let's get started and dive into the Linux world!
CATEGORY #1> EXAMINING TOOLS
Well, I would like to explain a bit. "Examining tools", in my words, are tools that help you do some
quick analysis and get information about a program. This information is very important, because it
determines which step we have to take next. In Windows we have a lot of tools: scanners and detectors
(PEiD, ExeinfoPE, DiE, ...) and they are very easy to use. So, what do we have in Linux?
1. Detect It Easy (DiE): Yeah, an excellent one. Actively developed, multiplatform, fast and flexible,
GUI-based, open source, with a high detection ratio (based on a large number of signatures) and a lot
of features. What more do you want? This is a very, very awesome tool (for Windows, Linux, and even
Mac OS). That's why I listed it first in this category. Because it has a GUI, and several languages
are available, just grab it and start exploring. Keep in mind that its verdicts are signature-based:
a custom packer, or a binary whose usual compiler/packer markers have been removed, can come up empty or
mislabeled, so treat the result as a hint to confirm with the tools below rather than as a fact.
Detect It Easy running in Linux
2. Grep
Grep is short for "global regular expression print", a command-line utility that comes with every Linux
distro, so you don't need to install it. It is very useful, flexible and easy to use for searching and
querying whatever you need. The only thing you have to do is decide what you want to find and give it
the correct regex, and the result is yours. A few switches matter when the input is a binary rather
than text: -a treats the file as text instead of just printing "binary file matches", -o prints only the
matching part, -b prefixes each match with its byte offset (so grep -abo 'Enter serial' target gives
you the offset to look up in a hex editor), -i ignores case and -E enables extended regexes, e.g.
strings target | grep -iE 'serial|licen[cs]e|trial'. For more information about grep, use the "man grep"
command to read the manual, or Google "grep in Linux".
Grep in Linux
3. File Command
Like grep, file is a standard command-line utility on Linux (not a shell built-in, but installed
everywhere). The tool is pretty simple: it prints the type of the file you are examining, and if you are
lucky you get some more information. In Linux everything is a file, so one day you will get a strange
file you have never seen before; then you can use the file command and it will tell you what type of
file it is. Simple, but not useless, right? For an ELF binary a typical answer looks like "ELF 64-bit LSB
pie executable, x86-64, ... dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, ... stripped",
which already tells you the architecture, whether the binary is position-independent and whether its
symbols were stripped. file decides by magic bytes, so a renamed or extension-less file is no problem,
but a forged header fools it just as easily. Maybe while reading this tutorial you don't think it is a
good tool, but believe me, one day you will need it.
File command in Linux
4. binutils Toolkit
binutils (Binary Utilities) is the name of a package that contains tools for creating and managing
binary programs, object files, libraries, profile data and assembly source code. For more information,
read here: [Link] or Google "binutils in Linux". Below I describe the commands
I think are necessary when examining files; if you want more information about them, simply use the
"man" command with each:
strings: scans the file and prints every run of printable characters found in it. It works like
right-clicking in Olly and choosing Search for → All referenced text strings, so you get a first clear
look at the file you are dealing with. One difference: strings does not know which code references a
string; it just dumps everything, including unreferenced text. Useful options: -n N sets the minimum
length (default 4), -t x prints the offset of each string in hex (to feed into objdump or a hex editor),
-e l scans for 16-bit little-endian (UTF-16) strings, which the default scan skips, and -a forces a
scan of the whole file instead of only the loadable sections. This is a very handy tool and you MUST
know how to use it to fit your needs.
Some strings after running command: strings /usr/bin/ls
readelf: shows you all the information about an ELF (Executable and Linkable Format) file, i.e. magic
number, target OS, version, entry point address, and everything about the headers and sections. readelf -h
prints the ELF header, -l the program headers (segments), -S the sections, -s the symbol table, -d the
dynamic section (needed libraries, RPATH) and --debug-dump the DWARF debug information, if any is left.
Note that for a PIE binary (type DYN) the entry point and every other address in the file are relative
to the load base, so they will not match what you see in a debugger until you add that base.
A part of result displayed when using readelf
objdump:
Where readelf only works with ELF files, objdump (built on the BFD library) can handle several other
kinds of binary file, and it can disassemble, showing the opcode bytes next to the assembly. objdump -d
disassembles the code sections, -D everything, -s dumps raw section contents and -M intel switches the
output from the default AT&T syntax to the Intel syntax you know from Olly. Its linear-sweep
disassembly is easily thrown off by data or junk bytes placed inside code, so double-check any region
that looks odd with a debugger or an interactive disassembler.
Part of result displayed when using objdump -d /usr/bin/ls to display disassembly code.
nm: lists the symbols in a file (functions and variables, with their addresses and types). It is not
that useful on stripped binaries (most release builds have the symbol table removed), but sometimes you
will need it. Even on a stripped, dynamically linked binary, nm -D still lists the dynamic symbols, i.e.
the imported and exported functions, which is the closest thing Linux has to an import table.
Using nm with an unstripped program
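As an added example (my code for this page, not part of the original tutorial and not the binutils
source), here is a small Python re-implementation of what strings does under the hood, so you can see
exactly what "-n", "-t" and "-e l" change, with a "grep" step on top. The input blob is constructed
inline for the demo and is not a real program; the function names find_strings and grep_strings are
my own.

```python
import re
from typing import List, Tuple

# Constructed sample blob (not a real program): an ELF-like identification
# block, an interpreter path, some opcode-looking junk, a short ASCII string
# below the default minimum length, and a UTF-16LE message of the kind that
# a plain `strings` run misses.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x90\x90\xcc\xe8\x12"
    + b"Enter serial:\x00"
    + b"ab\x00\x90"
    + "Wrong key!".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\x80"
    + b"strcmp\x00"
)


def find_strings(data: bytes, min_len: int = 4, encoding: str = "s") -> List[Tuple[int, str]]:
    """Return (offset, text) pairs, the way `strings -a -n MIN_LEN -t d` would.

    encoding "s": runs of single-byte printable ASCII (the binutils default).
    encoding "l": runs of 16-bit little-endian characters (`strings -e l`),
    which is how wide-string messages in Windows-style code show up.
    """
    if min_len < 1:
        raise ValueError("min_len must be >= 1")
    if encoding == "s":
        pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
        return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]
    if encoding == "l":
        pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
        return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]
    raise ValueError("encoding must be 's' (ASCII) or 'l' (UTF-16LE)")


def grep_strings(data: bytes, regex: str, **kw) -> List[Tuple[int, str]]:
    """`strings ... | grep -i -E REGEX`, but keeping the offsets for later patching."""
    needle = re.compile(regex, re.IGNORECASE)
    return [(off, s) for off, s in find_strings(data, **kw) if needle.search(s)]


if __name__ == "__main__":
    for off, text in find_strings(SAMPLE):                 # like: strings -a -t x FILE
        print(f"{off:7x} {text}")
    for off, text in find_strings(SAMPLE, encoding="l"):   # like: strings -a -t x -e l FILE
        print(f"{off:7x} {text}   (UTF-16LE)")
    print(grep_strings(SAMPLE, r"serial|licen[cs]e|key"))
```

Lowering min_len pulls in the three-letter "ELF" and the two-letter "ab" fragments, which is exactly why
the default of 4 exists, and only the UTF-16 scan finds "Wrong key!": when a suspicious binary seems to
have no strings at all, try the other encoding before concluding it is packed.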
OK, so these are the tools I use most often. They are separate tools, but they can be combined to work
together, which makes them very effective. You can take a look at my Linux Patching Helper, which is a
wrapper around file, strings and objdump with a GUI interface. Using it, I was able to patch some
shareware programs and use them without restrictions, haha.
If you have any other utilities, please share them with me too. And now we move on to the next category.
CATEGORY #2> MANIPULATION TOOLS
"Manipulation tools" means the tools used to decompile, disassemble and edit ELF files. They are:
1. IDA: Well, I will not say much about this one. It is so famous and well-known that I don't need to
re-introduce it. The most powerful disassembler in the world, and it is available for Linux users. To
use IDA on Linux you have two options: run it via Wine, or use a native copy of IDA (built for Linux).
Both work flawlessly; the only remaining issue is the money to buy it, lol.
Native IDA running in Linux
2. RecStudio ([Link]
REC Studio is the Reverse Engineering Compiler Studio. It reads a Windows, Linux, Mac OS X or raw
executable file, and attempts to produce a C-like representation of the code and data used to build the
executable file. It has been designed to read files produced for many different targets, and it has been
compiled on several host systems.
REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis
techniques such as partial Static Single Assignment (SSA), allows loading Mac OS X files and supports
32- and 64-bit binaries.
The reason I chose this one is that it is lightweight (compared to IDA) and has some good features (the
most interesting being that it can decompile code to pseudo-C). Although it still has some bugs, for me
it is enough to play with on Linux. Read its output as a guide, not as the source: a decompiler
reconstructs control flow from the machine code, and the types, variable boundaries and anything the
compiler optimised away are guesses that you should verify against the disassembly before patching.
Main window
Decompile to C P-code
3. HT Editor ([Link]
Well, what can I say about this tool? Generally it is a combination of hex editor, disassembler and
analyzer for ELF files. As a hex editor, it can view the content of any file, in both hex and text mode,
and edit it. As a disassembler, it decodes opcodes into assembly code so we can read it. As an ELF
analyzer, it shows the information about an ELF file (like what we get from objdump/readelf). So it is a
multi-purpose tool for analysis. Maybe you have used HIEW on Windows; you will be familiar with this one
soon, because they look much the same. The reason I like it over other hex editors is that it is
CLI-based and depends only on ncurses, which makes it lightweight and stable; no need to install tons of
additional packages to be able to run it. Just go straight forward. One rule when you patch a binary in
place: keep a copy of the original, and only overwrite bytes, never insert or delete them. Inserting or
removing bytes shifts everything after the edit and breaks every offset in the file, so a conditional jump
is killed by overwriting it with NOPs (0x90 on x86) or by flipping its opcode, not by removing it.
HT in disassembly mode
And if you would like to use a GUI-based hex editor, I have some names for you: Okteta (part of KDE,
uses Qt), GHex (mostly found on the GNOME desktop, uses GTK+), wxHexEditor (this one is cool, but it
requires wxWidgets to be installed, and on my Arch machine it crashed several times; still, give it a
try), 010 Editor (this has a lot of features, but it is not free), or even Vim (xxd mode). So, for me,
HT is perfect when I want both things: performance and features.
OK, now on to the next category, and this is the last category that I think you have to know.
CATEGORY #3> DEBUGGING TOOLS
In this section, note that IDA can also perform debugging (via remote debugging, or native debugging
with IDA for Linux). I want to show you some more debuggers.
1. gdb
GDB (the GNU Debugger). This is the standard debugger on *nix, and also the most powerful one. It has
been ported to many other platforms. If you want a GUI like Olly's, gdb is not for you: it is entirely
CLI, there are no windows to play with, so at first it will be very hard to use. Once you are familiar
with it, it's time to rock. A session usually starts with gdb -q ./target, then break main (or, on a
stripped binary, break *0x401050 with an address taken from objdump or readelf -h), run, and from there
stepi/nexti, info registers, x/16xb $rsp and disassemble; set disassembly-flavor intel gives you the
syntax you know from Olly. For a PIE binary the addresses in the file are only valid once the load base
is added; info proc mappings shows that base after the process has started. This is the tool you MUST
learn how to use.
Debugging with gdb
There are also some GUI front-ends for gdb with a visual interface, but I don't care much about them.
The command line still rocks, haha.
2. edb ([Link]
Edb (Evan's Debugger) is a newcomer. Evan Teran (a kind guy) has brought this Olly-like debugger to
Linux. The debugger is based on Qt, and if you are familiar with Olly you will be familiar with edb too.
At the time of writing, edb is still under development, but the current release is stable and ready to
use.
Edb running
3. ltrace and strace
ltrace and strace are two tracing utilities for Linux. Their main purpose is to log the calls an
application makes, displaying the parameters and the return value of each call. ltrace handles the calls
into user-mode shared libraries (libc functions such as strcmp, fopen or getenv), while strace monitors
the system calls the process makes and the signals the Linux kernel delivers to it, along with the state
of the process. Useful switches on both: -f follows forked children, -o FILE writes the trace to a file
instead of stderr, -p PID attaches to a running process, and -e restricts what is traced (strace -e
trace=openat,connect; ltrace -e 'strcmp+strncmp'). Keep in mind that ltrace works by breaking on the
PLT entries, so it sees nothing in a statically linked binary or for calls that bypass the PLT (e.g.
resolved by the program itself with dlsym), and that both tools use ptrace, so a program that checks for
a debugger may behave differently under them. They produce a lot of output, which should be filtered
before reading and analysing it.
Ltrace showing result
strace showing result
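As an added example (my own code for this page, not part of the original tutorial and not from the
strace or ltrace projects), here is how I filter a trace instead of reading it top to bottom: parse each
line into a record, then ask the questions that matter for a crackme, such as which files it looked for
and did not find, and which calls failed. The two logs below are hand-written in the shape strace and
ltrace print, not captured from a real program; the names parse_trace, paths_touched, missing_files,
failed_calls and call_histogram are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed strace-style output (written by hand for this example).
STRACE_LOG = """\
execve("./crackme", ["./crackme"], 0x7ffd1c3e5a40 /* 23 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.crackme.lic", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] openat(AT_FDCWD, "/tmp/.crackme.lic", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/proc/self/status", R_OK) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
write(1, "Wrong key!\\n", 11) = 11
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
exit_group(1) = ?
+++ exited with 1 +++
"""

# Constructed ltrace-style output (same program, library calls instead of syscalls).
LTRACE_LOG = """\
getenv("CRACKME_KEY") = nil
fopen("/home/user/.crackme.lic", "r") = 0
strcmp("ABCD-1234", "XYZ9-0000") = -23
puts("Wrong key!") = 11
+++ exited (status 1) +++
"""

# One trace line: optional "[pid N]" (from -f), the call, its argument list,
# "= return value", and for strace an optional "ERRNO (message)" suffix; an
# optional "<seconds>" timing from strace -T may follow. Signal lines
# ("--- SIGCHLD ... ---") and exit lines ("+++ exited ... +++") do not match.
LINE_RE = re.compile(
    r"""^(?:\[pid\s+(?P<pid>\d+)\]\s+)?
        (?P<name>[A-Za-z_][A-Za-z0-9_]*)\((?P<args>.*)\)
        \s+=\s+(?P<ret>0x[0-9a-fA-F]+|-?\d+|\?|nil)
        (?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<errmsg>[^)]*)\))?
        \s*(?:<[\d.]+>)?\s*$""",
    re.VERBOSE,
)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # first "..." argument, escapes allowed

# Calls whose first quoted argument is a path (syscalls and their libc wrappers).
FILE_CALLS = {"open", "openat", "creat", "stat", "lstat", "newfstatat", "access",
              "faccessat", "readlink", "execve", "fopen", "fopen64"}


@dataclass
class Call:
    name: str
    args: str
    ret: str
    errno: Optional[str]          # strace only; ltrace prints no errno
    pid: Optional[int] = None


def parse_trace(text: str) -> List[Call]:
    """Turn strace/ltrace output into Call records, dropping lines that are not calls."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # signal/exit lines, "<unfinished ...>" fragments, etc.
        calls.append(Call(m["name"], m["args"], m["ret"], m["errno"],
                          int(m["pid"]) if m["pid"] else None))
    return calls


def paths_touched(calls: List[Call]) -> List[Tuple[str, str, Optional[str]]]:
    """(call, path, errno) for every file-access call in the trace."""
    out = []
    for c in calls:
        if c.name in FILE_CALLS:
            q = QUOTED.search(c.args)
            if q:
                out.append((c.name, q.group(1), c.errno))
    return out


def missing_files(calls: List[Call]) -> List[str]:
    """Files the program looked for and did not find: license files, configs, plugins."""
    return [path for _, path, err in paths_touched(calls) if err == "ENOENT"]


def failed_calls(calls: List[Call]) -> List[Call]:
    return [c for c in calls if c.errno is not None]


def call_histogram(calls: List[Call]) -> Counter:
    """A quick overview before reading thousands of lines."""
    return Counter(c.name for c in calls)


if __name__ == "__main__":
    calls = parse_trace(STRACE_LOG)
    print("calls:", dict(call_histogram(calls)))
    print("missing files:", missing_files(calls))
    print("failed:", [(c.name, c.errno) for c in failed_calls(calls)])
    print("library calls:", [(c.name, c.ret) for c in parse_trace(LTRACE_LOG)])
```

The missing license file and the strcmp of the two serials are what you would go after next; the
histogram is there to notice, say, thousands of ptrace or nanosleep calls, a hint that the program is
fighting the tracer rather than doing real work.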
CATEGORY #4> BOOKS AND STUFFS (Whatever, this is an additional section)
OK, here is a list of books and guides that I think are important for learning reversing on Linux. All
books about reversing can be used to learn; it is just a different OS, and the architecture is still the
same (x86 and x86-64 are the popular ones at this time). So when you move to Linux, you should know
these things:
ELF file format: [Link] . ELF is the main executable format on Linux (like the .exe/PE file on
Windows). So you should know its structure in order to be able to analyze it. The more you know, the
easier it gets.
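As an added example (my code for this page, not from the original tutorial, the ELF specification or
binutils), here is a Python parser for the ELF header that produces the same fields as readelf -h,
described in the binutils section above. It covers both ELF32 and ELF64 and both byte orders, which goes
beyond the x86-64 case the tutorial shows, and it cross-checks e_ehsize against the class so a
corrupted e_ident is rejected. The two headers it parses are constructed with make_sample (no real
sections follow them); the function and table names are my own.

```python
import struct
from typing import Any, Dict

ELF_MAGIC = b"\x7fELF"

# Value tables (a subset of what readelf knows), from the ELF specification.
E_TYPE = {0: "NONE (No file type)", 1: "REL (Relocatable file)",
          2: "EXEC (Executable file)", 3: "DYN (Shared object file)", 4: "CORE (Core file)"}
E_MACHINE = {3: "Intel 80386", 8: "MIPS R3000", 20: "PowerPC", 40: "ARM",
             62: "Advanced Micro Devices X86-64", 183: "AArch64"}
OSABI = {0: "UNIX - System V", 3: "UNIX - GNU", 9: "UNIX - FreeBSD"}

# Field layout after the 16-byte e_ident block, per ELF class. Same fields in the
# same order; only the address-sized ones (e_entry, e_phoff, e_shoff) change width.
LAYOUT = {1: ("HHIIIIIHHHHHH", 52), 2: ("HHIQQQIHHHHHH", 64)}
FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
          "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")


def parse_elf_header(data: bytes) -> Dict[str, Any]:
    """Decode the ELF header (what `readelf -h` prints) for both classes and byte orders."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file: bad magic")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in LAYOUT or ei_data not in (1, 2) or ei_version != 1:
        raise ValueError("unsupported or corrupt e_ident")
    fmt, size = LAYOUT[ei_class]
    endian = "<" if ei_data == 1 else ">"
    if len(data) < size:
        raise ValueError(f"truncated: need {size} bytes, have {len(data)}")
    hdr = dict(zip(FIELDS, struct.unpack(endian + fmt, data[16:size])))
    if hdr["ehsize"] != size:   # a forged EI_CLASS shows up here
        raise ValueError(f"e_ehsize {hdr['ehsize']} does not match ELF{32 if ei_class == 1 else 64}")
    hdr["class"] = 32 if ei_class == 1 else 64
    hdr["endian"] = "little" if ei_data == 1 else "big"
    hdr["osabi"] = OSABI.get(ei_osabi, f"<unknown: {ei_osabi:#x}>")
    hdr["type"] = E_TYPE.get(hdr["type"], f"<unknown: {hdr['type']:#x}>")
    hdr["machine"] = E_MACHINE.get(hdr["machine"], f"<unknown: {hdr['machine']:#x}>")
    return hdr


def describe(hdr: Dict[str, Any]) -> str:
    """Render the parsed header in the style of `readelf -h`."""
    lines = [
        f"Class: ELF{hdr['class']}",
        f"Data: 2's complement, {hdr['endian']} endian",
        f"OS/ABI: {hdr['osabi']}",
        f"Type: {hdr['type']}",
        f"Machine: {hdr['machine']}",
        f"Entry point address: {hdr['entry']:#x}",
        f"Start of program headers: {hdr['phoff']} (bytes into file)",
        f"Start of section headers: {hdr['shoff']} (bytes into file)",
        f"Number of program headers: {hdr['phnum']}",
        f"Number of section headers: {hdr['shnum']}",
        f"Section header string table index: {hdr['shstrndx']}",
    ]
    if hdr["type"].startswith("DYN"):
        # ET_DYN is used for shared libraries and PIE executables alike; the header
        # cannot tell them apart (look for a PT_INTERP segment), and every address
        # above is relative to the load base.
        lines.append("Note: DYN: addresses are relative to the load base (PIE or shared library)")
    return "\n".join(lines)


def make_sample(ei_class: int, ei_data: int, e_type: int, e_machine: int,
                e_entry: int, phnum: int, shnum: int) -> bytes:
    """Build a constructed header (no real sections follow it) for the demo."""
    fmt, size = LAYOUT[ei_class]
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    phentsize, shentsize = (56, 64) if ei_class == 2 else (32, 40)
    body = struct.pack(endian + fmt, e_type, e_machine, 1, e_entry, size, 0x3a00, 0,
                       size, phentsize, phnum, shentsize, shnum, shnum - 1)
    return ident + body


# Constructed inputs: a typical x86-64 PIE (type DYN) and a 32-bit big-endian MIPS EXEC.
PIE_X86_64 = make_sample(2, 1, 3, 62, 0x1060, 13, 31)
MIPS_BE_32 = make_sample(1, 2, 2, 8, 0x400560, 9, 28)

if __name__ == "__main__":
    for sample in (PIE_X86_64, MIPS_BE_32):
        print(describe(parse_elf_header(sample)), end="\n\n")
```

The e_ehsize check is worth keeping in any loader-like tool you write: flipping EI_CLASS in a real
64-bit binary makes a naive parser read the middle of e_shoff as the header size, and a crafted header
that confuses a tool is a cheap anti-analysis trick.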
Quick guide to using gdb: [Link] . This is a very basic guide to gdb. You can find more by Googling
"gdb tutorial"; you will find many useful links, and if you can, just read them all, haha.
And one thing you need to know: most Linux tools prefer a different assembly syntax, AT&T syntax (the
syntax you see on Windows is called "Intel syntax"). objdump -M intel and gdb's set disassembly-flavor
intel switch to Intel syntax if you prefer it, but you will still meet AT&T everywhere in GNU-world
output, so learn to read it: operands are written source first, destination second; registers get a %
prefix and immediates a $ prefix; and the operand size is a suffix on the mnemonic, so movl $0x1, %eax
is Intel's mov eax, 1. So, why not start learning it now? [Link]
cdrom/gnutools/doc/[Link]
Bash shell programming guide: [Link]
[Link] . Bash is a part of every *nix system, and it is powerful. Simply learn it. If you aren't using
bash, you aren't really using Linux.
Python programming language: Python is a high-level programming language and very popular on Linux. As
a researcher, you should learn it. There are many tutorials and books about Python; you can find them on
the internet, or if you are too lazy, click this link, download it, then read and practice:
[Link]
And many other guides are available on the internet. Google is your friend, you know.
CONCLUSION
Thanks for wasting your time with me in this tutorial, haha. I hope the information provided here will
help you a bit. Keep in mind that moving to Linux is for fun and free (I mean freedom, not freeware).
There is nothing special about it if you try to learn and aren't scared of anything. There are some
benefits of Linux reversing:
- Looking at the system in a different way: you will gain more knowledge about the x86/x86-64
architecture, and no longer stand on Windows alone.
- Some specialized commercial software is only available on Linux, for deployment on the server side.
If you use your brain correctly, plus some luck, there are many sweet candies waiting for you to take,
haha.
- Malware analysis: yeah, malware, rootkits and trojans are now found not only on Windows, but also on
Mac, Linux, Android, .... Reversing on Linux will help you detect and clean the malware infecting your
system. This is a serious matter, and you must know about it. Malware is rising on Linux; be aware and
get ready for the upcoming battle.
Thanks to all my friends, and also my family (if you want to know who they are, read some of the
tutorials I have posted on my blogs; I listed them there, because I am feeling lazy after writing all 13
papers above).
Enjoy, and best regards,
Wed, Dec 17 2014
Levis Nickaster