The files in this archive give the code and tools that we developed as part of the honeynet reverse engineering challenge. The following is a brief description of these files:

control.c
  This is the control program we wrote, which can fully control the challenge binary. It is invoked with the name of the host running the zombie (so, for example, if the zombie is installed on hackme.honeyp.edu, it could be invoked using "control hackme.honeyp.edu"). The program is menu driven, so very easy to figure out.

decode.c
  This is a packet decoder. It uses libpcap to read in packets from a captured session, decodes the packets, and then prints a human-readable description of what was going on. This is a very incomplete program: only the packet types seen in the honeynet-supplied snort log were implemented.

The following programs are perl scripts we wrote to match up the statically linked library functions with their occurrences in the challenge binary. These are in no way meant to be complete tools, but rather were little helpers; a lot of the real functionality was done in shell commands that examined the output of these scripts in loops. Here are the files:

t.pl
  Extracts function "signatures" from the objdump output of the files in the libc.a file (we used the slackware 3.1 libc.a for the challenge). A function signature starts whenever "push %ebp" is found, and ends whenever either "ret" or a relocatable label is found. These files actually have to be post-processed to remove the relocatable label -- this involves removing either two or three final lines from the signature. It's complicated to explain, but made perfect sense at the time!

x.pl
  Extracts functions from the objdump output of the challenge binary. A function starts with a "push %ebp" line, and we stop dumping whenever either a "ret" operation is seen or a reference to an absolute address is seen (we assume these are relocatable addresses, so they wouldn't match any similar address in the standard library).

r.pl
  Relabels the objdump output. Basically takes the information in the "symtab.txt" file and adds that information to the objdump output. For example, 80556cc was found to be the "sleep" call, and so wherever 80556cc was found in the objdump output, a comment was added at the end of the line saying "sleep".

symtab.txt
  The symbols we discovered for the challenge binary. This file was actually generated using the output of the perl scripts and some creative shell-scripting (loops using diff mostly). Some of these labels were hand-added later as the binary was examined.
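As an added illustration, not code from this archive, the following Python reimplements the core of the t.pl / x.pl / symtab.txt workflow on constructed objdump-style input: signatures start at "push %ebp" and end at "ret", at a relocation entry in the library dump (dropping the patched instruction), or just before an absolute-address reference in the binary dump; equal signatures yield the address-to-name mapping. The two dumps, the nanosleep relocation and the matching at 80556cc are assumptions made up for the demonstration.

```python
import re
# Constructed objdump-style output, not taken from the challenge archive.
# Library side ("objdump -dr" of a libc.a member): relocations show up as R_386_* lines.
LIBC_DUMP = """\
00000000 <sleep>:
   0:\t55             \tpush   %ebp
   1:\t89 e5          \tmov    %esp,%ebp
   3:\tff 75 08       \tpushl  0x8(%ebp)
   6:\te8 fc ff ff ff \tcall   7 <sleep+0x7>
\t\t\t7: R_386_PC32\tnanosleep
   b:\tc3             \tret
"""
# Binary side ("objdump -d" of the stripped binary): the same call goes to an absolute address.
BIN_DUMP = """\
 80556cc:\t55             \tpush   %ebp
 80556cd:\t89 e5          \tmov    %esp,%ebp
 80556cf:\tff 75 08       \tpushl  0x8(%ebp)
 80556d2:\te8 a9 03 00 00 \tcall   8055a80 <.text+0x1680>
 80556d7:\tc3             \tret
"""
LABEL = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t(\S.*?)\s*$")
ABS_ADDR = re.compile(r"\b8[0-9a-f]{6}\b")   # 0x08xxxxxx address inside the binary's image

def extract_functions(dump):
    """Cut a dump into signatures (start at 'push %ebp'; end at 'ret', a relocation entry,
    or just before an absolute-address reference). Returns {start_addr: (label, insns)}."""
    funcs, label, start, body = {}, None, None, None
    for line in dump.splitlines():
        if m := LABEL.match(line):
            label = m.group(2)
        elif body is not None and "R_386_" in line:       # relocatable label (t.pl)
            funcs[start], body = (label, body[:-1]), None
        elif m := INSN.match(line):
            addr, insn = m.group(1), " ".join(m.group(2).split())
            if body is None:
                if insn == "push %ebp":                    # function prologue
                    start, body = addr, [insn]
            elif ABS_ADDR.search(insn):                    # absolute reference (x.pl)
                funcs[start], body = (label, body), None
            else:
                body.append(insn)
                if insn == "ret":
                    funcs[start], body = (label, body), None
    return funcs

def build_symtab(lib_dump, bin_dump):
    """Name each binary function whose signature equals a library signature (symtab.txt)."""
    lib = {tuple(b): name for name, b in extract_functions(lib_dump).values()}
    return {addr: lib[tuple(b)] for addr, (_, b) in extract_functions(bin_dump).items()
            if tuple(b) in lib}
```

Real dumps need the same post-processing the README describes: the trailing call/leave/ret lines are cut so that the relocated and the absolute versions of a function compare equal.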