Challenge 19 ☆☆☆☆

Welcome to Challenge 19.

Hiding in binaries part 1: the C binary

“We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code!” This is a misbelief we have often encountered when presenting on mobile security topics.

Let’s debunk this myth for C: can you find the secret in wrongsecrets-c (or wrongsecrets-c-arm, wrongsecrets-c-linux)?

Try downloading the binary and running it locally (e.g. ./wrongsecrets-c<the version you need> <your answer>).

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

Why using binaries to hide a secret will only delay an attacker

With beautiful free reverse engineering applications such as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing reconnaissance and find secrets within your binary.

Encrypting the secret with a key embedded in the binary, and other funny puzzles, do delay an attacker, but they just make finding the secret more fun. Be aware that if the secret needs to be used by the executable, it eventually needs to be in memory, ready to be used.

Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
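
A release-time check built on the point above, as an added example that is not part of the original challenge or the WrongSecrets code: it extracts printable strings from a compiled artifact, the same first step a reverse engineer takes, and flags the ones that look like credentials. The sample bytes, the placeholder secret, the 8-character minimum and the 3.5-bit entropy threshold are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Runs of 8 or more printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def printable_strings(blob: bytes) -> list[str]:
    """Return every printable ASCII run found in the binary image."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random tokens score higher than words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_like_secret(text: str, threshold: float = 3.5) -> bool:
    # Heuristic (assumption): user-facing messages contain spaces or format
    # specifiers; tokens and keys mix letters with digits and have high entropy.
    if " " in text or "%" in text:
        return False
    has_alpha = any(ch.isalpha() for ch in text)
    has_digit = any(ch.isdigit() for ch in text)
    return has_alpha and has_digit and shannon_entropy(text) >= threshold


def audit_binary(blob: bytes) -> list[str]:
    """Strings in the artifact that should be reviewed before release."""
    return [s for s in printable_strings(blob) if looks_like_secret(s)]


# Constructed sample standing in for a compiled C binary's read-only data.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: %s <your answer>\x00"
    + b"This is correct! Congrats!\x00"
    + b"EXAMPLE-k3y-9fQ2xV7mZp41\x00"  # constructed placeholder secret
    + b"\x01\x02\x03\xff\xfe"
    + b"libc.so.6\x00"
    + b"__libc_start_main\x00"
)

if __name__ == "__main__":
    for hit in audit_binary(SAMPLE_BLOB):
        print("review before release:", hit)
```

A clean result is not evidence that a secret is safe: an encoded or encrypted value will pass this check and, as noted above, still ends up in memory when the executable uses it.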