2023-11-15 19:52:07 +01:00
% Introduction to Reverse Engineering
% Stefan Friese
% 02 November, 2023
---
# Topics
* Effective Reverse Engineering
* Reversing with Ghidra
---
## How Do You Reverse
Reverse Engineering demands a lot of knowledge in multiple fields.
**Some topics are**
* Assembly Language
* ANSI C
* Other Languages
* Syscalls
* Cryptography
---
How do you reverse engineer without knowing little about these topics?
---
## Reversing is Work
Work is a product of power by time.
`P` is your power to solve an issue.
`W = P x t`
The smarter you tackle work, the less time you need to solve an issue.
---
## Knowledge is a Map
You conventiently drive around the city using the underground.
That's how you get to know the main spots of the city.
< img src = "./images/london_underground.jpg" alt = "London Underground" width = "50%" height = "auto" >
---
## Knowledge is a Map
Invest some time and explore deeper on foot.
That's how you get to know the back alleys.
< img src = "./images/london_by_foot.jpg" alt = "London by Foot" width = "50%" height = "auto" >
---
# Ghidra -- an Overview
---
![Main View of Ghidra ](./images/Ghidra-Overview.png )
---
## Watch Out for Low Hanging Fruits
---
* Data Segment
* Names of Functions
* Conditions & Comparisons
* Strings: Usernames, Passwords
* URLs, IP & Port Numbers
**Do not try to understand the whole code at once, it will only drive you mad.**
---
### Data Segments
2023-11-22 19:19:52 +01:00
< img src = "./images/data-segments.png" alt = "A look into the read only data segment" width = "70%" height = "auto" >
A look into the read only data segment
2023-11-15 19:52:07 +01:00
---
### Name of Functions
![Functions contained in the binary a.k.a. Symbol Tree ](./images/symbol-tree.png )
---
2023-11-19 19:56:21 +01:00
### Conditions & Comparisions
2023-11-15 19:52:07 +01:00
< img src = "./images/decompiled-code.png" alt = "Input is Compared to a Hard Coded String" width = "50%" height = "auto" >
Input is compared to a hard coded string
---
### Function Graph
< img src = "./images/function-graph.png" alt = "Take a Look at the Flow Graph of Functions" width = "50%" height = "auto" >
Take a look at the flow graph of functions
---
### Strings
< img src = "./images/defined-strings-menu.png" alt = "Open the Defined Strings Menu" width = "50%" height = "auto" >
Strings can not only be located in data but also in other code segments, sometimes obfuscated
---
### Strings
![An old friend ](./images/defined-strings.png )
---
2023-11-26 17:55:58 +01:00
### Binary Patching
Bypass any undesireable condition via a `NOP` instruction.
< img src = "./images/nop.jpg" alt = "NOP, export your patched binary" width = "30%" height = "auto" >
NOP, export your patched binary
---
2023-11-15 19:52:07 +01:00
### Do It Yourselves!
* [Download Ghidra ](https://ghidra-sre.org/ )
* [Download binaries at crackmes.one ](https://crackmes.one )
* [Find more binaries on hackthebox ](https://hackthebox.eu )
* [Or Find even more on tryhackme ](https://tryhackme.com )
* Download firmware of your favorite IoT appliances
2023-11-19 19:56:21 +01:00
---
## A Word On Binary Obfuscation
Software Obfuscation was born in 1984 at the [International Obfuscated C Code Contest ](https://ioccc.org/ )
< img src = "./images/donut.gif" alt = "A donut as code compiles to a spinning donut by Jim Hague" width = "50%" height = "auto" >
---
### What Exactly might be Obfuscated in Your Code?
< section >
[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et. al ](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf )
< / section >
< section >
* Code Element Layers
* Layout
* Controls
* Data
* Methods
* Classes
< / section >
< section >
* Component
* Library Calls
* Used Resources
* Application Layer
* DRM System
* Neural Networks
< / section >
---
## Techniques of Obfuscation
---
### Splitting & Merging of Strings
```sh
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
```
[String Deobfuscation with FLOSS ](https://github.com/mandiant/flare-floss/ )
---
## Packing
2023-11-19 20:20:11 +01:00
Compress binary data
2023-11-19 19:56:21 +01:00
```sh
ooooo ooo ooooooooo. ooooooo ooooo
`888' ` 8' `888 ` Y88. `8888 d8'
888 8 888 .d88' Y888..8P
888 8 888ooo88P' `8888'
888 8 888 .8PY888.
`88. .8' 888 d8' ` 888b
`YbodP' o888o o888o o88888o
```
[UPX Packer/Unpacker ](https://upx.github.io/ )
---
2023-11-19 20:20:11 +01:00
## Mangling
2023-11-19 19:56:21 +01:00
2023-11-19 20:20:11 +01:00
Library symbols in compiled code for data that have the same name
2023-11-19 19:56:21 +01:00
< section >
< pre > < code data-trim data-noescape >
c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname< char > ::collate_byname(std::__cxx11::basic_string< char ,
std::char_traits< char > , std::allocator< char > > const& , unsigned long)
< / code > < / pre > < / section >
< section > < a href = "https://demangler.io/" alt = "demangler" > Online Demangler< / a > < / section >
---
2023-11-19 20:20:11 +01:00
## Code Elements
2023-11-19 19:56:21 +01:00
* Adding Unnecessary Instructions
* Changing Control Flows
* Protecting Data
2023-11-22 19:19:52 +01:00
< img src = "./images/spaghetti.jpg" alt = "Convoluted Code" width = "26%" height = "auto%" >
2023-11-19 19:56:21 +01:00
---
### Deobfuscation Tools
* DotNet
* [de4dot Deobfuscator and Unpacker ](https://github.com/de4dot/de4dot )
* [dnSpy Debugger and Assembly Editor ](https://github.com/dnSpy/dnSpy )
* [ILSpy Decompiler instead of Ghidra ](https://github.com/icsharpcode/ILSpy )
2023-11-22 19:19:52 +01:00
---
# The End