Reverse Engineer a stripped binary with lscan and IDApro

Hello,

In this post I will introduce a tool I developed during my semester project at EURECOM.

The tool is named lscan. It identifies the libraries statically linked into stripped binaries, which makes it useful for reverse engineering and computer forensics: it recognizes common functions in compiled code and tells you which libraries, and which versions of them, the binary was built against. lscan performs the identification with FLIRT (Fast Library Identification and Recognition Technology) signatures, the same signature format IDA applies.
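To make the idea behind FLIRT-style matching concrete, here is a small model of it, added for this post and not code from lscan or IDA. A real .sig file stores a compressed tree of leading-byte patterns plus CRC16 checks over the bytes that follow; this toy keeps only the core idea: a signature is the first bytes of a compiled library function with the bytes the linker patches (relocated call targets, absolute addresses) replaced by wildcards, so the same function still matches after it is statically linked at a different address. The "library versions", function bytes and names below are constructed for the example.

```python
"""Toy FLIRT-style library identification (illustration only, not lscan's code)."""
from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]  # None is a wildcard byte ('..' in .pat notation)


def pat(text: str) -> Pattern:
    """Parse '55 48 89 E5 E8 .. .. .. .. 5D C3' into a pattern list."""
    return [None if tok == ".." else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, pos: int, pattern: Pattern) -> bool:
    """True if pattern matches data at pos, wildcards matching any byte."""
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def scan(data: bytes, signatures: Dict[str, Pattern]) -> Dict[str, int]:
    """Return {function_name: offset} for every signature found in data.

    A sliding scan is fine for a toy; real FLIRT walks a pattern tree so the
    whole signature set is checked in one pass per candidate position.
    """
    found: Dict[str, int] = {}
    for name, pattern in signatures.items():
        for pos in range(len(data)):
            if matches_at(data, pos, pattern):
                found[name] = pos
                break
    return found


def coverage(data: bytes, signatures: Dict[str, Pattern]) -> Tuple[int, int, float]:
    """(matched, total, percent), the figure lscan prints as e.g. 447/2869 (15.58%)."""
    hits = scan(data, signatures)
    return len(hits), len(signatures), 100.0 * len(hits) / len(signatures)


def rank(data: bytes, sigdb: Dict[str, Dict[str, Pattern]]) -> List[Tuple[str, int, int, float]]:
    """Score every signature set, highest coverage first, like lscan -S."""
    rows = [(name, *coverage(data, sigs)) for name, sigs in sigdb.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed stand-in for the .text of a statically linked binary. Both
# functions were written by hand for this example, not taken from any library.
TEXT = bytes.fromhex(
    "554889e5" "e8" "1b000000" "5dc3"   # toy_a: push rbp; mov rbp,rsp; call rel32; pop rbp; ret
    "4883ec08" "31c0" "4883c408" "c3"   # toy_b: sub rsp,8; xor eax,eax; add rsp,8; ret
)

# Two hypothetical versions of one library. The call target inside toy_a
# depends on where the linker placed the callee, so those 4 bytes are
# wildcarded; toy_b was rewritten between the versions, so its bytes differ.
SIGS = {
    "libtoy-2.23": {
        "toy_a": pat("55 48 89 E5 E8 .. .. .. .. 5D C3"),
        "toy_b": pat("48 83 EC 08 31 C0 48 83 C4 08 C3"),
    },
    "libtoy-2.22": {
        "toy_a": pat("55 48 89 E5 E8 .. .. .. .. 5D C3"),
        "toy_b": pat("48 83 EC 08 31 FF 48 83 C4 08 C3"),  # xor edi,edi in this version
    },
}

if __name__ == "__main__":
    for name, matched, total, pct in rank(TEXT, SIGS):
        print(f"{name} {matched}/{total} ({pct:.2f}%)")
```

Both versions recognize toy_a despite the relocated call target, but only libtoy-2.23 also recognizes toy_b, so it ranks first. This is exactly why, in the real scan below, several versions of libc score at once and the highest fraction is the one to trust.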

To show the capabilities of the tool, I will work on a stripped binary taken from the PwnerRank platform.

Binary link:

# wget http://static.pwnerrank.com/repo/stripped_4b76616b6e0bbf7885e18562c9ce12f4e92dc50e.zip
# unzip stripped_4b76616b6e0bbf7885e18562c9ce12f4e92dc50e.zip
# file stripped
stripped: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=adbd10ce72c6f96ed8a77c2a666abbf4a0ffa56f, stripped

The first step, as usual, is importing the binary into IDApro.



As you can see, none of the functions was recognized. Once debugging information and the symbol table are stripped from an executable, reversing it becomes a real analysis challenge: to separate the library code from the user code, the libraries inside the binary must first be identified. Time to show you the power of lscan.

If you want to use lscan, you have to install pyelftools and pefile first.


# pip install pyelftools pefile

After the dependencies are installed, download lscan by cloning the Git repository:

git clone https://github.com/maroueneboubakri/lscan.git


Now let's scan the binary against the whole signature database. The file output above says x86-64, so the amd64 signature set is the one to use:


# python lscan.py -S amd64/sig -f stripped
No symbol table found bin binary
amd64/sig/libm-2.13.sig 6/445 (1.35%)
amd64/sig/libpthread-2.13.sig 18/319 (5.64%)
amd64/sig/libc-2.23.sig 447/2869 (15.58%)
amd64/sig/libc-2.22.sig 420/2859 (14.69%)
amd64/sig/libssl-1.0.2h.sig 0/665 (0.00%)
amd64/sig/libm-2.23.sig 5/600 (0.83%)
amd64/sig/libc-2.13.sig 133/3369 (3.95%)
amd64/sig/libm-2.22.sig 5/582 (0.86%)
amd64/sig/libpthread-2.22.sig 18/262 (6.87%)
amd64/sig/libcrypto-1.0.2h.sig 3375/5057 (66.74%)
amd64/sig/libpcre-8.38.sig 1/150 (0.67%)
amd64/sig/libpthread-2.23.sig 19/258 (7.36%)

From the above result you can conclude that libcrypto-1.0.2h is the most probable library statically linked into the binary. Two details of the scores are worth reading correctly. First, several versions of the same library score at once because they share most of their code; the version with the highest matched fraction is the one that was actually linked, so libc-2.23 (15.58%) wins over 2.22 (14.69%) and 2.13 (3.95%). Second, no library reaches 100%: static linking only pulls in the object files the program references, so most of libc's signatures have nothing to match against. A handful of hits in libm or libpcre are shared helper code rather than evidence that those libraries were linked.
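With a larger signature database the triage above gets tedious, so here is a small script, added for this post and not part of lscan, that parses the lscan output shown above, keeps the best-scoring version of each library family above a threshold, and prints the copy commands for IDA's sig folder. It assumes the output format printed above (`<path>/<name>-<version>.sig <matched>/<total> (<pct>%)`); the embedded output is the scan result from this post, and the threshold default of 10% is a judgement call, not an lscan setting.

```python
"""Rank lscan -S output and pick one library version per family (added example)."""
import os
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    path: str
    family: str    # e.g. "libc"
    version: str   # e.g. "2.23"
    matched: int
    total: int
    pct: float


# lscan -S output copied from the scan above. The first line is the tool's
# warning for a stripped binary and must be skipped by the parser.
LSCAN_OUTPUT = """\
No symbol table found bin binary
amd64/sig/libm-2.13.sig 6/445 (1.35%)
amd64/sig/libpthread-2.13.sig 18/319 (5.64%)
amd64/sig/libc-2.23.sig 447/2869 (15.58%)
amd64/sig/libc-2.22.sig 420/2859 (14.69%)
amd64/sig/libssl-1.0.2h.sig 0/665 (0.00%)
amd64/sig/libm-2.23.sig 5/600 (0.83%)
amd64/sig/libc-2.13.sig 133/3369 (3.95%)
amd64/sig/libm-2.22.sig 5/582 (0.86%)
amd64/sig/libpthread-2.22.sig 18/262 (6.87%)
amd64/sig/libcrypto-1.0.2h.sig 3375/5057 (66.74%)
amd64/sig/libpcre-8.38.sig 1/150 (0.67%)
amd64/sig/libpthread-2.23.sig 19/258 (7.36%)
"""

# "<family>-<version>.sig": the family is the shortest prefix before a
# hyphen that is followed by a digit, so "libcrypto-1.0.2h" splits correctly.
NAME = re.compile(r"^(?P<family>.+?)-(?P<version>\d[\w.]*)\.sig$")
RESULT = re.compile(r"^(?P<matched>\d+)/(?P<total>\d+)\s+\((?P<pct>[\d.]+)%\)$")


def parse(output: str) -> List[Hit]:
    """Turn lscan's result lines into Hit records, ignoring warnings."""
    hits: List[Hit] = []
    for line in output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        path, rest = parts
        name = NAME.match(os.path.basename(path))
        result = RESULT.match(rest.strip())
        if not (name and result):
            continue  # e.g. "No symbol table found bin binary"
        hits.append(Hit(path, name["family"], name["version"],
                        int(result["matched"]), int(result["total"]),
                        float(result["pct"])))
    return hits


def best_per_family(hits: List[Hit], min_pct: float = 10.0) -> Dict[str, Hit]:
    """Highest-scoring version of each library, dropping families below min_pct.

    Versions of one library share most of their code, so several score at
    once; the largest matched fraction is the version that was linked. The
    threshold filters stray hits (libm at 1%) that are shared helper code
    rather than a linked library; tune it per binary.
    """
    best: Dict[str, Hit] = {}
    for hit in sorted(hits, key=lambda h: h.pct, reverse=True):
        if hit.pct >= min_pct and hit.family not in best:
            best[hit.family] = hit
    return best


def ida_copy_commands(best: Dict[str, Hit], ida_sig_dir: str) -> List[str]:
    """Shell commands that stage the chosen .sig files into IDA's sig folder."""
    return [f"cp {hit.path} {ida_sig_dir}/" for hit in best.values()]


if __name__ == "__main__":
    chosen = best_per_family(parse(LSCAN_OUTPUT))
    for family, hit in chosen.items():
        print(f"{family:10} {hit.version:7} {hit.matched}/{hit.total} ({hit.pct:.2f}%)")
    print("\n".join(ida_copy_commands(chosen, "../ida66/sig")))
```

On the output above this keeps libcrypto-1.0.2h and libc-2.23 only; lowering `min_pct` to 0 would also pull in libpthread-2.23 at 7.36%, which you may or may not want to apply, since the pthread and libc signature sets overlap heavily in a static glibc binary.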
Once the libraries are identified, copy the matching signature files into IDA's sig folder. The binary is x86-64, so the files come from the amd64 set, and both libcrypto and libc are staged since both will be applied:

# cp amd64/sig/libcrypto-1.0.2h.sig amd64/sig/libc-2.23.sig ../ida66/sig


Finally, apply the signatures in IDA:
Press Shift + F5, or from the menu go to View > Open subviews > Signatures.
In the "List of applied library modules" window press Insert.

Locate libcrypto-1.0.2h and click OK. Repeat the same steps for the libc-2.23 signature.



After clicking OK, IDA reports the number of recognized functions (3076 functions from libcrypto and 246 functions from libc).

Going back to the IDA View tab you will see the surprise ;) In the Functions window the recognized library functions are highlighted in cyan, so what remains uncolored is the program's own code. Now you can easily analyze the binary and get the flag ;)



I hope this has been informative for you, and I would like to thank you for reading ;)