
View Full Version : welcome


0xf001
January 4th, 2005, 15:41
Hello and welcome, everybody, to the brand-new Linux RCE forum!

This forum was created to have a better-structured approach to
talking about Linux-related RCE topics.

Woodmann thankfully provided us with this forum, so I will try to
find some introductory words.

I will be your moderator for this forum. The idea is to have a
platform to which to invite you (Linux) reverse engineers to discuss here.
And I think it is just the right time.

Why Linux RCE? Well, many people might think that Linux is open
source and therefore RCE is a little bit useless. Now this is
not completely right. The kernel and GNU environment provide
the source code, yes.
But there are many programs out for Linux (ported or not)
which use protection systems: anti-disassembling, anti-debugging,
anti-tracing, encryption, time trials, serial number checks, ...
All those things you have in Linux too, of course.
And the source code of the kernel does not really tell you why you
cannot debug this file you just downloaded. And it also does not
tell you, of course, how you get to debug it and which tools you
have available and so on ...

So this is exactly what this forum is about:
discussing the analysis of unknown binaries, and of parts or whole
protection schemes, where you have no source code available; talking about
the tools you have available and how to use them, extend them, ...

Well, on the other side there are things which should be avoided:
Linux<->Windows flamewars are so boring that they need not be discussed
here. Also, typical system administration topics (installation of the OS,
growing a filesystem, ...) are not really what this forum is about.
Also, I think there is no need to duplicate typical security boards
and announce each newly found exploit. Well, of course the techniques
used in an exploit are worth a topic to discuss.

A final thought: here are many very experienced Windows reverse
engineers. Parts of protection systems (encryption algorithms, ...)
are independent of the OS, so I think in one way or the other
the Windows RCEngineers could help in this forum as well! And
vice versa, of course.

So, without losing too many words ....

Welcome to the Linux RCE forum!

0xf001

naides
January 7th, 2005, 06:49
Hi, 0xf001.

Thank you for sharing your experience and knowledge with us.
I am going to dust off my Linux CDs and give it a try...
Is it possible for you to PM or point me to some fresh Linux targets?
(Without bringing JMI's wrath down on us, of course.)

0xf001
January 7th, 2005, 08:37
Hi naides,

Quote:
I am going to dust off my Linux CDs and give it a try...


Wow, this is what I call engagement!

Quote:
Is it possible for you to PM or point me to some fresh Linux targets?

Well, as you say
Quote:
Without bringing JMI's wrath down on us, of course

you can try it.

A good start is to check the crackmes on ptth://www.crackmes.de; there
are some for Linux as well. Or search the web for other crackmes. Of course
you will not find "commercial" protections there, but already something to work on.

Please PM me with any question! I will try my best to support you!

Thank you,

0xf001

blabberer
January 7th, 2005, 10:43
In the rea board there is a link to one crackme called dcrkme by discord.
Or, if you are interested in exploit-type games,
you can look into
vortex.labs.catalyst.pulltheplug.org <--- level based
catalyst.labs.pulltheplug.org <--- free style, no levels
IIRC 0xf001 quoted a link to felinemenace.org;
the above links are a part of felinemenace.org.
They also host some more, namely jessica, blackhole, semtex, etc. etc.,
which I haven't explored personally.

Have fun.

andrewg
January 10th, 2005, 21:44
Hello,

Since I'm involved with pulltheplug and felinemenace, I thought I'd post to provide more information, since people seem to be interested.

As 0xf001 posted on his website, there is a paper I'm in the process of writing. It can be found at http://felinemenace.org/papers/Binary_protection_schemes-1.00-prerelease.tar.gz. This is about various techniques (with included source code) that can be used to help protect binaries under Linux against various things. While people may say that it's just a collection of stuff already out there, there are some things that I haven't seen out there, and some tricks I discovered against various tools.

Any feedback on that document is greatly appreciated as well.

Now for the various games:

vortex:

Vortex is a level-based exploitation game, which grows in difficulty. Some of the levels include maths problems, heap corruption, stack overflows, integer overflows, etc. It's a decent challenge even for the most dedicated people. Vortex can be found at http://vortex.labs.pulltheplug.org

Catalyst:

Catalyst is a free-style (i.e., there is no fixed direction you must follow) binary analysis game. I'm using this to "support" my paper above for the most part, and it has various challenges. Currently Catalyst doesn't have many things available, so feel free to send me levels to put up. Catalyst is at http://catalyst.labs.pulltheplug.org

Blackhole:

Blackhole is a FreeBSD remote exploitation game, and focuses on various tricks people can use when writing remote exploits. The box is down at the moment, due to a failed software upgrade, I believe.

Semtex:

Semtex is a network-based challenge. The idea behind Semtex is that you have to do various network-based challenges, such as using proxies, writing an ICMP tunneling client, and so on. Semtex is due to go live in the near future.

Obelix:

Obelix is an "evade the IDS" type game, where the goal is to use various techniques (new and old) to evade IDS detection. The timeline for Obelix is undetermined at the moment, but it should be done in the next couple of weeks.

Jessica:

Jessica isn't a game box; it's a Linux shell box for various trusted people.

So, this may beg the question: what is pulltheplug? It is a community of like-minded people, mainly relating to computer security stuff, but there are various people interested in reversing etc. there. The website can be found at www.pulltheplug.org

(Since I admin, or at least am strongly involved with, the various things, I presume it would be safe to provide complete links for people.)

0xf001
January 10th, 2005, 21:59
Thanks for the explanations, andrewg, and welcome to the board.

I tried Catalyst's level0 today; an interesting "game" for reversing.

Cheers, 0xf001

andrewg
January 12th, 2005, 09:47
Thanks for the greeting.

SiNTAX
January 12th, 2005, 11:18
Quote:
[Originally Posted by 0xf001]
but there are many programs out for linux (ported or not)
which use protection systems: anti disassembling, anti debugging,
anti tracing, encryption, time trials, serial number checks, ...


Euhm, really?! Apart from crackmes, I can't think of any...

0xf001
January 12th, 2005, 11:59
Well, I do not want to explicitly name targets here, but I will give you one example I am SURE you know, and I think nearly every Linux/Windows user has come across:

Just try ...ware Workstation, the popular "virtual PC".

Cheers, 0xf001

PS: "quote":
Evaluate .... Workstation

You may evaluate ...... Workstation for a 30-day period. To evaluate ????? Workstation (for Windows or Linux operating systems), please do the following:

Click here to register for a license key that is valid for 30 days only.
...
...
After your 30-day evaluation license has expired, go to ...ware Web Store to purchase your copy of ...ware Workstation.

PPS: I do not really like to write the real name, as it could be misunderstood as encouraging people to reverse a commercial product.

Silver
January 12th, 2005, 13:03
There's also a well-known commercial IDE suite that one might believe was Delphi until one looked closer and realised it was a Linux version that does C++. There's a free version of that, but it comes with a nag screen inserted into every app you build.

I've done a little Linux coding but never looked at RCE. Will be reading with interest.

SiNTAX
January 13th, 2005, 03:16
Yes, I know there are commercial apps... but I was more referring to "protection systems: anti-disassembling, anti-debugging,
anti-tracing".

Not that I have really looked at any of those targets hinted at.

0xf001
January 13th, 2005, 19:39
Hi SiNTAX!

I see, I got you wrong then.

Without giving the names of the applications I could tell everything, of course.
Well, the strangest thing I have encountered is a commercial product which ships on a CD containing a fully armored Linux, using a 2.0.x kernel and of course a very old libc. The CD also contains the encrypted installation files.

The installer boots off the CD into this Linux, displays a hardware key and asks for an installation key (which of course must match the hardware key and the encryption key of the installation files). This is level 1.

The binary asking you for the key is also using nice anti-* stuff. For example, it communicates with a kernel module, which is part of the encryption.

So first you boot into a strange environment. You have no shell. You cannot
debug. You have no tools. Tools you have in your own distro do not work with the old binaries anymore. And you do not know upfront what all was modified, what is hidden. So you need to find a way to boot this thing into a shell. Then you will not like what you see, because you can use no debugger.
I found nowhere a sufficiently old gdb binary. Compiling it from source is a good idea, but the recent (and even older) gcc compilers refuse to compile this code correctly. OK, so you need to compile a very old gcc. This you also cannot do without lots of effort. I must admit I failed to compile any useful
tool, trying it in depth and using friends who are experts in those topics.
So, other approach ....

I managed to get this "semi-debugged" on a 2.6 kernel by copying the process loader from the CD to my distro, but for full
study one would need to build up a Linux based on the 2.0 kernel and the related GNU libs and tools, as you cannot load this §"$%&/ kernel module into a 2.4/2.6 kernel.
...
Patching the installer to accept any serial is of course possible. But it does not help, since the application cannot be decrypted this way. And the only way to get this "vendor key" is to calculate it from your hardware key and the unknown installation key. To be potentially able to calculate them, you need the kernel module working... aargh!

Well, once you have got your installation key generated, the app installs as, again, an armored Linux environment. The probably best "trick" is to use this kernel module. It is very hard to debug this. Luckily you can disassemble it.

Now the installed app turns out to be protected in a similar way to the installation, but now needs its own installation key for each functional part.
The installation key must match the now displayed new hardware key2 (it is longer, ...), and must additionally match

vendor key
included information like installation date, expiry date, ...
type of license
AND product key.

This product key you also do not know. It is to be obtained from the vendor, like the installation key.

I could probably write a whole book about this protection, as each part of the protection contains so many details. This indeed is the best solution I ever saw, but limited by the fact that the app comes together with the OS.

I will grab some code parts and post them here for discussion.

And ... the app finally runs fine in my VMware.

Cheers, 0xf001
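
The one point in the post above that is worth seeing in working code is why "patching the installer to accept any serial" gets you nowhere when the installation key is not merely compared against something but is also an input to the decryption of the installation files. The block below is an added example and is not code from the thread or from the product 0xf001 describes; the post gives no details of the real format, so the hardware-key digest, the XOR masking that ties the installation key to both the hardware key and the payload key, the SHA-256 counter-mode toy cipher, and every identifier and secret in it are constructed stand-ins. The `check_patched` flag models an installer whose key comparison has been patched out.

```python
# Added example (not from the thread): a toy model of a check-versus-derive
# license scheme. All keys, secrets and identifiers are constructed for
# illustration and do not reflect any real vendor's format.
import hashlib

MAGIC = b"ARMORED-INSTALL-v1\n"   # constructed header the installer verifies after decrypting

# Vendor side only: the per-product key the installation files were encrypted with.
# It never ships on the CD; the installer must re-derive it from two inputs.
PRODUCT_PAYLOAD_KEY = hashlib.sha256(b"constructed product secret").digest()[:16]


def hardware_key(identifiers):
    """Toy stand-in for the 'hardware key' the installer displays: a digest of
    machine identifiers (constructed: a MAC address and a board serial)."""
    return hashlib.sha256(b"|".join(identifiers)).hexdigest()[:16].upper()


def _hw_mask(hw_key):
    """16-byte mask derived from the hardware key (constructed derivation)."""
    return hashlib.sha256(b"hwmask:" + hw_key.encode()).digest()[:16]


def vendor_issue_installation_key(hw_key):
    """Vendor side: the installation key is the payload key masked with the
    hardware key, so it is bound to both the machine and the encryption key."""
    masked = bytes(a ^ b for a, b in zip(PRODUCT_PAYLOAD_KEY, _hw_mask(hw_key)))
    return masked.hex().upper()


def installer_derive_payload_key(hw_key, installation_key):
    """Installer side: unmask with the locally computed hardware key. No vendor
    secret is involved; a wrong installation key simply yields a wrong key."""
    masked = bytes.fromhex(installation_key)
    return bytes(a ^ b for a, b in zip(masked, _hw_mask(hw_key)))


def keystream_xor(key, data):
    """Toy stream cipher: SHA-256 counter-mode keystream XORed over data.
    Encryption and decryption are the same operation."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def vendor_build_media(plaintext):
    """Vendor side: the encrypted installation files as shipped on the CD."""
    return keystream_xor(PRODUCT_PAYLOAD_KEY, MAGIC + plaintext)


def installer(hw_key, installation_key, media, check_patched=False):
    """Return the decrypted payload, or None if the key check fails.
    check_patched=True models the cracked installer that 'accepts any serial':
    the comparison is skipped, but the derived key is still wrong, so what
    comes out is garbage rather than the application."""
    key = installer_derive_payload_key(hw_key, installation_key)
    blob = keystream_xor(key, media)
    if not blob.startswith(MAGIC) and not check_patched:
        return None
    return blob[len(MAGIC):]


def demo():
    """Four scenarios: genuine key, key reused on another machine, bogus serial
    against an intact installer, bogus serial against a patched installer."""
    payload = b"#!/bin/sh\necho industrial application\n"          # constructed
    media = vendor_build_media(payload)
    hw_a = hardware_key([b"00:11:22:33:44:55", b"BOARD-SN-0001"])  # constructed
    hw_b = hardware_key([b"66:77:88:99:AA:BB", b"BOARD-SN-0002"])  # constructed
    key_a = vendor_issue_installation_key(hw_a)
    return {
        "genuine": installer(hw_a, key_a, media) == payload,
        "other_machine": installer(hw_b, key_a, media),
        "bogus_serial": installer(hw_a, "00" * 16, media),
        "patched_check": installer(hw_a, "00" * 16, media, check_patched=True) == payload,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Only the genuine case recovers the payload; the same key on other hardware and a bogus serial are rejected, and the patched installer "succeeds" but hands back bytes that are not the application. That is the post's point in miniature: the attack surface is the key derivation (here the vendor-side masking, in the real product the kernel module), not the comparison.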

SiNTAX
January 14th, 2005, 03:36
About the strange Linux environment... just write them and have them release their sources... after all, the kernel/libc are GPL... so they are in violation of a license if they don't release their modifications.
The kernel module is another matter... it depends on which exported kernel functions they used... some of them are GPL-only.

Anyway... sounds like a nice target indeed... didn't know there were such 'advanced' things out there...
Am I right in thinking this is a hardware-based product?!

BTW: have you tried to run the CD with QEMU or Bochs yet? If it runs with those, you will have the same power as SoftICE on Windows. (And since you have the source for Bochs/QEMU, the sky is the limit!)

0xf001
January 14th, 2005, 13:02
SiNTAX,

Quote:
Am I right in thinking this is a hardware-based product?!


No, it is an industrial product, but of course not running on "all PCs". They just have support for a limited set of network cards, graphics cards and such.

Quote:
BTW: have you tried to run the CD with QEMU or Bochs yet? If it runs with those, you will have the same power as SoftICE on Windows. (And since you have the source for Bochs/QEMU, the sky is the limit!)


No, never. I booted it in VMware, or used mount -o loop /path/to/image.iso to access the files from the CD when inspecting the binaries, being able to use some tools against them.

Well, at that point in time I did not know about Bochs, QEMU...

And I do not need it anymore; as I said, it is already up and running and fully functional.

But thank you for the tip. I see Bochs does emulation; this is actually very good indeed! Must check if it provides some debugging facilities ....

Thanks, 0xf001