Quick and Dirty Reverse Engineering

Posted on 15 November 2019

A while ago I had to work with a particularly frustrating application that was required to connect to a hardware appliance. Both of which will remain unnamed in this post.

This application generates it own self signed certificate which it uses to connect to the appliance. The issue was that application generates sha1 certs but the appliance only supports sha2. No problem just use the private key from the application to create a sha2 cert.

But! The application encrypts the private key with a password. Bugga. Furthermore the application utilizes a obfuscated password generator which makes it hard to debug.

The Process:

1. When the application creates the key it prints out “Private Key created and written to”:

   [tom@tomandtim reverse_engineering]$ ./program cert add 192.168.0.16 2048
   Key size set: 2048
   Private Key created and written to: /home/tom/reverse_engineering/cert/client/192.168.0.16Key.pem
   Certificate created and written to: /home/tom/reverse_engineering/cert/client/192.168.0.16.pem
   [tom@tomandtim reverse_engineering]$
   

2. Using Ghidra (the NSA software reverse engineering suite) we can open up the program and find where in the code it uses that string.

3. Looking at the code we can see it uses the PEM_write_bio_PrivateKey function of openssl to encrypt and save the private key. So that means at the time of execution the password must be held in memory. So if we pause the application and then dump it’s memory we can find the password!

4. Using gdb we can set a breakpoint, run it and then dump the memory using a little memory dumper I wrote

   1. Start gdb, set the breakpoint and run the program:

      [tom@tomandtim reverse_engineering]$ gdb --args ./program cert add 192.168.0.16 2048
      (gdb) break PEM_write_bio_PrivateKey
      Breakpoint 1 at 0x58f260
      (gdb) run
      Starting program: /home/tom/reverse_engineering/./program cert add 192.168.0.16 2048
      [Thread debugging using libthread_db enabled]
      Using host libthread_db library "/lib64/libthread_db.so.1".
      Key size set: 2048
      Breakpoint 1, 0x000000000058f260 in PEM_write_bio_PrivateKey ()

   2. In a new shell locate the pid using ps and run the ./mem_dump.sh script. Pay close attention to the script arguments, because we are already debugging the script we use the “dryrun” function to give us the gdb commands we need for the debugging session we already have open. You can disable the dryrun to allow the script todo the dump for you if required.

      [tom@tomandtim reverse_engineering]$ ./mem_dump.sh
      ./mem_dump.sh pid dryrun
      
      PID = PID you want do dump
      dryrun = "yes" to just print the GDB commands or "no" to dump the memory
      
      Example:
      
      ./mem_dump.sh 1234 no
      
      [tom@tomandtim reverse_engineering]$
      [tom@tomandtim reverse_engineering]$ ps -ef|grep program
      tom      10850  8534  0 17:12 pts/4    00:00:00 gdb -q --args ./program cert add 192.168.0.16 2048
      tom      2037  10850  0 17:12 pts/4    00:00:00 /home/tom/reverse_engineering/./program cert add 192.168.0.16 2048
      tom      10890 15995  0 17:12 pts/7    00:00:00 grep --color=auto program
      [tom@tomandtim reverse_engineering]$ ./mem_dump.sh 2037 yes
      Dumping Stack...
      dump memory /tmp/mem_dump_pid_2037_7ffffffde000-7ffffffff000.mem 0x7ffffffde000 0x7ffffffff000
      Dumping Heap...
      dump memory /tmp/mem_dump_pid_2037_007db000-0081f000.mem 0x007db000 0x0081f000
      Dumping Program...
      dump memory /tmp/mem_dump_pid_2037_00400000-00696000.mem 0x00400000 0x00696000
      dump memory /tmp/mem_dump_pid_2037_00796000-007db000.mem 0x00796000 0x007db000
      Done
      [tom@tomandtim reverse_engineering]$

   3. Type those commands into gdb and allow the program to continue

      (gdb) dump memory /tmp/mem_dump_pid_2037_7ffffffde000-7ffffffff000.mem 0x7ffffffde000 0x7ffffffff000
      (gdb) dump memory /tmp/mem_dump_pid_2037_007db000-0081f000.mem 0x007db000 0x0081f000
      (gdb) dump memory /tmp/mem_dump_pid_2037_00400000-00696000.mem 0x00400000 0x00696000
      (gdb) dump memory /tmp/mem_dump_pid_2037_00796000-007db000.mem 0x00796000 0x007db000
      (gdb) c
      Continuing.
      Private Key created and written to: /home/tom/reverse_engineering/cert/client/192.168.0.16Key.pem
      Certificate created and written to: /home/tom/reverse_engineering/cert/client/192.168.0.16.pem
      [Inferior 1 (process 2037) exited normally]
      (gdb) q
      [tom@tomandtim reverse_engineering]$

5. Now we can look through the dump files for a password

   [tom@tomandtim reverse_engineering]$ strings /tmp/mem_dump_pid_2037_007db000-0081f000.mem
   &=Un
   9J\o
   6Me~
   )IZl
   ;Wt
   0F]u
   
   bla bla bla 
   
   authorityKeyIdentifier
   keyid:always,issuer:always
   basicConstraints
   CA:true
   4%::<'}z4k$y    <------- That looks like a password!
   authorityKeyIdentifier
   keyid:always,issuer:always
   
   'A\x
   <Nau
   ":Sm
   /ATh}
   2Jc}
   .?Qdx
   <Yw

6. And try it out:

   [tom@tomandtim reverse_engineering]$ echo "4%::<'}z4k\$y" |openssl rsa -in /home/tom/reverse_engineering/cert/client/192.168.0.16Key.pem -check -noout -passin stdin
   RSA key ok
   [tom@tomandtim reverse_engineering]$

7. Done!