Behind the Scenes — HackTheBox

Description

"After struggling to secure our secret strings for a long time, we finally figured out the solution to our problem: Make decompilation harder. It should now be impossible to figure out how our programs work!"

The behindthescenes binary is an ELF 64-bit file that uses an anti-decompilation technique to protect the password verification logic.

Analysis

Initial Analysis

$ file behindthescenes
behindthescenes: ELF 64-bit LSB pie executable, x86-64, dynamically linked, not stripped

$ strings behindthescenes
./challenge <password>
> HTB{%s}

The binary takes a password as an argument and outputs the flag in the format HTB{password}.

Anti-Decompilation: ud2 + SIGILL

The key protection mechanism uses the ud2 instruction (undefined instruction, opcode 0f 0b):

1. Handler registration: At the start of main, a signal handler for SIGILL is registered (segill_sigaction)
2. Scattered ud2: The code contains scattered ud2 instructions that trigger an "illegal instruction" exception
3. Handler skips: The signal handler intercepts SIGILL and increments the instruction pointer by 2 bytes (the size of ud2)
4. Decompiler breaks: Static analyzers (IDA, Ghidra) don't understand that ud2 will be skipped and incorrectly build the CFG

; Typical pattern in the code:
mov    rdi, [rbp-0x10]
ud2                      ; <- decompiler thinks this crashes
add    rdi, 0x3          ; <- this code is not analyzed

Password Verification Logic

The logic extracted from the disassembler (objdump -d):

1. Check argc == 2 (argument required)
2. Check password length == 12 characters
3. Compare password in chunks using strncmp:

Offset	Length	String address	Value
0	3	0x201b	"Itz"
3	3	0x201f	"_0n"
6	3	0x2023	"Ly_"
9	3	0x2027	"UD2"

Extracting Strings from .rodata

$ objdump -s -j .rodata behindthescenes

2010 3c706173 73776f72 643e0049 747a005f  <password>.Itz._
2020 306e004c 795f0055 4432003e 20485442  0n.Ly_.UD2.> HTB

Strings confirmed:

• Itz @ 0x201b
• _0n @ 0x201f (displayed as 0n due to null-terminator)
• Ly_ @ 0x2023
• UD2 @ 0x2027

Solution

Concatenating the password parts:

Itz + _0n + Ly_ + UD2 = Itz_0nLy_UD2

Verification:

$ ./behindthescenes Itz_0nLy_UD2
> HTB{Itz_0nLy_UD2}

Key Indicators

Use this technique (ud2 anti-decompilation) when:

• Decompiler shows strange/incomplete CFG
• Disassembler shows ud2 instructions (opcode 0f 0b)
• SIGILL signal handler is registered at the start of the program
• Program runs normally but decompiler "breaks"
• Strings exist in the binary but the logic using them is not visible

Bypassing the Technique

1. Static analysis: Ignore ud2, read the disassembler as if they don't exist
2. Patching: Replace ud2 with nop nop (90 90) and re-run analysis
3. Dynamic analysis: Use a debugger (gdb) that correctly handles signals
4. Emulation: Unicorn/Qiling with proper signal handler emulation

Tools

• file — file type identification
• strings — string search
• objdump -d — disassembly
• objdump -s -j .rodata — data section dump
• xxd — hex dump for verification