Inside the Binary - 2

Overview
This is the second part of my Reverse Engineering course for complete beginners. I will teach you how to analyze strings in a binary and track where they are used. This is an important skill in reverse engineering because many programs store useful information like passwords, debug messages or encryption keys as strings inside the binary.
We will also introduce cross-referencing (XREFs) to find out which functions use specific strings, helping us navigate the binary efficiently, so sit tight and enjoy the course.
Step 1: Importing & Analyzing the Binary
Just like in lesson 1, we will use Ghidra to analyze a new binary (day2.exe).
- Open Ghidra and create a new project
- Import day2.exe into the project
- Double-click the file to open it in CodeBrowser and click Yes to start the analysis.
Step 2: Extracting Strings from the Binary
Why are strings important?
Strings in a binary often contain:
- Error messages
- Debug logs
- Secret keys
- Function names
- Passwords
How to find strings in Ghidra
- Open Window -> Defined Strings
- This will display a list of all strings found in the binary
- Look for anything suspicious or interesting (e.g. "Access Denied" or "Enter Password")
Tip: You can filter the strings by typing keywords like "password" or "secret" in the search bar.
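As an added example that is not part of the course, here is a minimal C version of the scan behind Ghidra's Defined Strings view: it walks a byte buffer and reports every run of printable ASCII of at least a minimum length. The buffer it scans is constructed for the example, not bytes from day2.exe.

```c
/* Added example, not from the course: a minimal version of what Ghidra's
 * Window -> Defined Strings view does. It walks a byte buffer and reports
 * every run of printable ASCII at least MIN_LEN characters long. The
 * sample bytes below are constructed, not taken from day2.exe. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define MIN_LEN 4
#define MAX_HITS 16
struct hit { size_t offset; char text[64]; };

/* Scan buf[0..len) and store up to max hits in out; returns the hit count. */
size_t find_strings(const unsigned char *buf, size_t len, struct hit *out, size_t max)
{
    size_t n = 0, start = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {
        /* i == len acts as a terminator so a trailing run is still flushed */
        if (i < len && isprint(buf[i])) {
            if (run == 0) start = i;
            run++;
            continue;
        }
        if (run >= MIN_LEN && n < max) {
            size_t copy = run < sizeof out[n].text - 1 ? run : sizeof out[n].text - 1;
            out[n].offset = start;
            memcpy(out[n].text, buf + start, copy);
            out[n].text[copy] = '\0';
            n++;
        }
        run = 0;
    }
    return n;
}

/* Constructed sample resembling a data section of a program with a
 * hard-coded password check: opcode-like bytes mixed with C strings. */
static const unsigned char sample[] =
    "\x55\x48\x89\xe5\x48\x83\xec\x10"   /* 'U','H' are printable but too short */
    "Enter Password:\0" "\x01\x02\x03"
    "Access Denied\0" "ok\0"             /* "ok" is below MIN_LEN */
    "s3cr3t_k3y";                        /* trailing run with no terminator */
static struct hit hits[MAX_HITS];

/* Scan the sample; sizeof - 1 drops the literal's implicit final NUL. */
size_t scan_sample(void) { return find_strings(sample, sizeof sample - 1, hits, MAX_HITS); }

int main(void)
{
    for (size_t i = 0, n = scan_sample(); i < n; i++)
        printf("0x%04zx  %s\n", hits[i].offset, hits[i].text);
    return 0;
}
```

Running it lists the prompt, the error message and the hard-coded key with their offsets, while the opcode-like bytes and the two-character "ok" are skipped; this is the same filtering that makes short accidental runs show up as noise in Ghidra's string list.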
Step 3: Finding Where a String Is Used (Cross-Referencing)
Once we find an interesting string, we need to figure out where in the code it is being used.
- Right-click on the string and select "Show References" (XREFs)
- This will display a list of locations in the binary where this string is used
- Double-click on one of the references to jump to the function that accesses the string
Example: Finding a Password Check
If we find a string like "Enter Password:", we can check which function uses it. Usually the same function also contains the password comparison logic, such as a call to strcmp.
Step 4: Understanding the Code Flow
After finding the function that uses our target string, we can use:
- Decompiled View (Right Panel) to see a C-like representation of the function
- Disassembly View (Listing Panel) to see the raw assembly code
Step 5: Bypassing a Password Check (Patching)
If the program checks a hardcoded password, we can bypass the check by modifying the binary.
- Locate the strcmp function in the disassembly
- Change the comparison so that it always behaves as if strcmp returned 0 (0 means the strings matched, so the password is always treated as correct)
- Right-click the instruction and select Patch Instruction
Conclusion
- Strings are the easiest way to find useful data in a binary
- Cross-referencing (XREFs) helps us track where important data is used
- Patching allows us to modify a binary to bypass restrictions