Defeating Anti-Reverse Engineering: A Deep Dive into the ‘Trouble’ Binary

In this blog post, we will take a close look at a Linux binary loaded with various anti-reverse-engineering techniques. The binary is the final boss from the book Programming Linux Anti-Reversing Techniques by Jacob Baines. I will also take this opportunity to show off some Binary Ninja tricks that can speed up your daily analysis!

In this walkthrough, you will learn how to:

  • Handle malformed ELF headers and segment tricks
  • Work with encrypted and obfuscated code (XOR and RC4)
  • Navigate Binary Ninja’s segment and section editing capabilities
  • Use powerful selection and transformation features
  • Understand the design decisions behind Binary Ninja’s analysis heuristics
  • Apply practical workflows for analyzing real-world malware and CTF challenges

Let’s Get Into “Trouble”

The Linux anti-RE book “teaches the reader how to code and analyze well known anti-reversing techniques for Linux”. I particularly like the coding part because it gives the reader hands-on experience with the techniques discussed in the book. It is a classic read but still relevant today. It covers many interesting techniques and is definitely worth checking out.

As a Binary Ninja developer, I can’t wait to see how our tool reacts to these tricks! Conveniently, at the end of the book, the author created a binary that combines the techniques discussed throughout the book. It is called trouble and can be found on VirusTotal, MalShare, or GitHub.

The author also shared the source code of the binary and the build script. As the README says, it is a password-protected bind shell. The task is to analyze the binary and find out the password, which would grant you access to the shell.

(The code was written in 2016 – if you wish to build it yourself, be prepared for some rough edges!)

Let us see how much trouble it causes!

The binary is an ELF and only 27KB in size, but it immediately looks unusual after we open it. We can see two entries in the Log window:

[BinaryView.ElfView] ELF endianness automatically overridden to little-endian for x86/x86_64 (header specified big-endian)
[BinaryView.ElfView] Section 2 has a size (0xfffffffffffffff6) larger than file size (0x68eb), skipping creation
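Both log lines come from header-level sanity checks that a loader performs before trusting anything else in the file. The following added example (my own code, not Binary Ninja's ElfView implementation and not code from the book) shows what such checks look like: it reads the ELF64 header, resolves the byte order the same way the first log line describes (an EI_DATA byte claiming big-endian is overridden when e_machine is only meaningful as little-endian x86/x86_64), and then walks the section header table flagging any section whose size cannot fit in the file. The input is a constructed in-memory ELF with exactly those two defects, not the real trouble binary; the helper names are mine.

```python
import struct

# Constants from the ELF specification (standard values, not from the page)
EI_CLASS, EI_DATA = 4, 5
ELFCLASS64 = 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_X86_64 = 0x03, 0x3E
X86_MACHINES = {EM_386, EM_X86_64}
SHT_NOBITS = 8
E_MACHINE_OFFSET = 18  # e_ident[16] + e_type[2]

EHDR_FMT = "HHIQQQIHHHHHH"   # Elf64_Ehdr fields after e_ident
SHDR_FMT = "IIQQQQIIQQ"      # Elf64_Shdr


def resolve_endianness(data):
    """Pick the byte order to parse with, mirroring the first log line:
    if EI_DATA claims big-endian but e_machine only makes sense when read
    little-endian as x86/x86_64, trust the machine type and override."""
    warnings = []
    declared = data[EI_DATA]
    machine_le = struct.unpack_from("<H", data, E_MACHINE_OFFSET)[0]
    machine_be = struct.unpack_from(">H", data, E_MACHINE_OFFSET)[0]
    if declared == ELFDATA2MSB and machine_be not in X86_MACHINES and machine_le in X86_MACHINES:
        warnings.append("header specifies big-endian but e_machine is x86/x86_64; "
                        "overriding to little-endian")
        return "<", warnings
    if declared == ELFDATA2MSB:
        return ">", warnings
    if declared != ELFDATA2LSB:
        warnings.append(f"invalid EI_DATA value {declared}; assuming little-endian")
    return "<", warnings


def check_elf(data):
    """Return a list of findings for a 64-bit ELF image held in memory."""
    findings = []
    if data[:4] != b"\x7fELF":
        return ["missing ELF magic"]
    if data[EI_CLASS] != ELFCLASS64:
        return ["only ELFCLASS64 is handled by this checker"]
    order, warnings = resolve_endianness(data)
    findings.extend(warnings)

    fields = struct.unpack_from(order + EHDR_FMT, data, 16)
    e_shoff, e_shentsize, e_shnum = fields[5], fields[10], fields[11]
    file_size = len(data)

    if e_shoff and e_shnum:
        if e_shoff + e_shnum * e_shentsize > file_size:
            findings.append("section header table runs past end of file")
            return findings
        for index in range(e_shnum):
            shdr = struct.unpack_from(order + SHDR_FMT, data, e_shoff + index * e_shentsize)
            sh_type, sh_offset, sh_size = shdr[1], shdr[4], shdr[5]
            if sh_type == SHT_NOBITS:
                continue  # .bss-style sections occupy no file bytes
            if sh_size > file_size or sh_offset + sh_size > file_size:
                findings.append(f"section {index} has a size (0x{sh_size:x}) larger than "
                                f"file size (0x{file_size:x}), skipping creation")
    return findings


def build_sample():
    """Constructed sample (not the real trouble binary): a little-endian x86_64 ELF
    whose EI_DATA byte lies about endianness and whose section 2 has an absurd size."""
    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2MSB, 1, 0, 0]) + b"\x00" * 7
    e_shoff, e_shnum = 64, 3
    ehdr = ident + struct.pack("<" + EHDR_FMT, 2, EM_X86_64, 1, 0x401000,
                               0, e_shoff, 0, 64, 56, 0, 64, e_shnum, 0)
    shdrs = struct.pack("<" + SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                      # SHT_NULL
    shdrs += struct.pack("<" + SHDR_FMT, 1, 1, 6, 0x401000, 0x100, 0x40, 0, 0, 16, 0)       # sane
    shdrs += struct.pack("<" + SHDR_FMT, 7, 1, 6, 0x401100, 0x100,
                         0xfffffffffffffff6, 0, 0, 16, 0)                                  # bogus size
    return ehdr + shdrs + b"\x00" * 0x100  # pad so the sane section fits in the file


SAMPLE_ELF = build_sample()

if __name__ == "__main__":
    for line in check_elf(SAMPLE_ELF):
        print("[ElfCheck]", line)
```

Run against the constructed sample, the checker reports the endianness override and the oversized section 2, which is the same information the two Binary Ninja log lines convey. The point for analysis is that neither defect stops loading: the machine type is a stronger signal than the EI_DATA byte, and an unreasonable section header is simply skipped rather than trusted.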
