presentations/introduction-to-reverse-eng.../reverse_engineering.md

% Introduction to Reverse Engineering
% Stefan Friese
% 02 November, 2023

---

# Topics

* Effective Reverse Engineering
* Reversing with Ghidra

---

## How Do You Reverse

Reverse Engineering demands a lot of knowledge in multiple fields.  

**Some topics are**

* Assembly Language
* ANSI C
* Other Languages
* Syscalls
* Cryptography

---

How do you reverse engineer without knowing little about these topics?

---

## Reversing is Work

Work is a product of power by time.  
`P` is your power to solve an issue.

`W = P x t`

The smarter you tackle work, the less time you need to solve an issue.

---

## Knowledge is a Map

You conventiently drive around the city using the underground.
That's how you get to know the main spots of the city.

<img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto">

---

## Knowledge is a Map

Invest some time and explore deeper on foot.
That's how you get to know the back alleys.

<img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto">

---

# Ghidra -- an Overview

---

![Main View of Ghidra](./images/Ghidra-Overview.png)

---

## Watch Out for Low Hanging Fruits

---

* Data Segment
* Names of Functions
* Conditions & Comparisons
* Strings: Usernames, Passwords
* URLs, IP & Port Numbers

**Do not try to understand the whole code at once, it will only drive you mad.**

---

### Data Segments

![A look into the read only data segment](./images/data-segments.png)

---

### Name of Functions

![Functions contained in the binary a.k.a. Symbol Tree](./images/symbol-tree.png)

---

### Conditions & Comparisions

<img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto">

Input is compared to a hard coded string

---

### Function Graph

<img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto">

Take a look at the flow graph of functions

---

### Strings

<img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto">

Strings can not only be located in data but also in other code segments, sometimes obfuscated

---

### Strings

![An old friend](./images/defined-strings.png)

---

### Do It Yourselves!

* [Download Ghidra](https://ghidra-sre.org/)
* [Download binaries at crackmes.one](https://crackmes.one)
* [Find more binaries on hackthebox](https://hackthebox.eu)
* [Or Find even more on tryhackme](https://tryhackme.com)
* Download firmware of your favorite IoT appliances

---

## A Word On Binary Obfuscation

Software Obfuscation was born in 1984 at the [International Obfuscated C Code Contest](https://ioccc.org/)

<img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto">

---

### What Exactly might be Obfuscated in Your Code?

<section>
[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
</section>

<section>

* Code Element Layers
    * Layout
    * Controls
    * Data
    * Methods
    * Classes

</section>

<section>
* Component
    * Library Calls
    * Used Resources

* Application Layer
    * DRM System
    * Neural Networks

</section>

---

## Techniques of Obfuscation

---

### Splitting & Merging of Strings

```sh
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
```

[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/)

---

## Packing 

```sh
            ooooo     ooo  ooooooooo.  ooooooo  ooooo
            `888'     `8'  `888   `Y88. `8888    d8'
             888       8    888   .d88'   Y888..8P
             888       8    888ooo88P'     `8888'
             888       8    888           .8PY888.
             `88.    .8'    888          d8'  `888b
               `YbodP'     o888o       o888o  o88888o
```

[UPX Packer/Unpacker](https://upx.github.io/)

---

### Mangling

<section>
<pre><code data-trim data-noescape>
c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
</code></pre></section>

<section><a href="https://demangler.io/" alt="demangler">Online Demangler</a></section>

---

### Code Elements

* Adding Unnecessary Instructions
* Changing Control Flows
* Protecting Data

<img src="./images/spaghetti.jpg" alt="Convoluted Code" width="30%" height="30%">

---

### Deobfuscation Tools


* DotNet
    * [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot)
    * [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy)
    * [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)
init 2023-11-15 19:52:07 +01:00			`% Introduction to Reverse Engineering`
			`% Stefan Friese`
			`% 02 November, 2023`

			`---`

			`# Topics`

			`* Effective Reverse Engineering`
			`* Reversing with Ghidra`

			`---`

			`## How Do You Reverse`

			`Reverse Engineering demands a lot of knowledge in multiple fields.`

			`Some topics are`

			`* Assembly Language`
			`* ANSI C`
			`* Other Languages`
			`* Syscalls`
			`* Cryptography`

			`---`

			`How do you reverse engineer without knowing little about these topics?`

			`---`

			`## Reversing is Work`

			`Work is a product of power by time.`
			`P` is your power to solve an issue.

			`W = P x t`

			`The smarter you tackle work, the less time you need to solve an issue.`

			`---`

			`## Knowledge is a Map`

			`You conventiently drive around the city using the underground.`
			`That's how you get to know the main spots of the city.`

			`<img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto">`

			`---`

			`## Knowledge is a Map`

			`Invest some time and explore deeper on foot.`
			`That's how you get to know the back alleys.`

			`<img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto">`

			`---`

			`# Ghidra -- an Overview`

			`---`

			`![Main View of Ghidra](./images/Ghidra-Overview.png)`

			`---`

			`## Watch Out for Low Hanging Fruits`

			`---`

			`* Data Segment`
			`* Names of Functions`
			`* Conditions & Comparisons`
			`* Strings: Usernames, Passwords`
			`* URLs, IP & Port Numbers`

			`Do not try to understand the whole code at once, it will only drive you mad.`

			`---`

			`### Data Segments`

			`![A look into the read only data segment](./images/data-segments.png)`

			`---`

			`### Name of Functions`

			`![Functions contained in the binary a.k.a. Symbol Tree](./images/symbol-tree.png)`

			`---`

added deobfuscation overview as a wish from Sven 2023-11-19 19:56:21 +01:00			`### Conditions & Comparisions`
init 2023-11-15 19:52:07 +01:00
			`<img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto">`

			`Input is compared to a hard coded string`

			`---`

			`### Function Graph`

			`<img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto">`

			`Take a look at the flow graph of functions`

			`---`

			`### Strings`

			`<img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto">`

			`Strings can not only be located in data but also in other code segments, sometimes obfuscated`

			`---`

			`### Strings`

			`![An old friend](./images/defined-strings.png)`

			`---`

			`### Do It Yourselves!`

			`* [Download Ghidra](https://ghidra-sre.org/)`
			`* [Download binaries at crackmes.one](https://crackmes.one)`
			`* [Find more binaries on hackthebox](https://hackthebox.eu)`
			`* [Or Find even more on tryhackme](https://tryhackme.com)`
			`* Download firmware of your favorite IoT appliances`
added deobfuscation overview as a wish from Sven 2023-11-19 19:56:21 +01:00
			`---`

			`## A Word On Binary Obfuscation`

			`Software Obfuscation was born in 1984 at the [International Obfuscated C Code Contest](https://ioccc.org/)`

			`<img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto">`

			`---`

			`### What Exactly might be Obfuscated in Your Code?`

			`<section>`
			`[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)`
			`</section>`

			`<section>`

			`* Code Element Layers`
			`* Layout`
			`* Controls`
			`* Data`
			`* Methods`
			`* Classes`

			`</section>`

			`<section>`
			`* Component`
			`* Library Calls`
			`* Used Resources`

			`* Application Layer`
			`* DRM System`
			`* Neural Networks`

			`</section>`

			`---`

			`## Techniques of Obfuscation`

			`---`

			`### Splitting & Merging of Strings`

			```sh
			`a = "BABE"`
			`b = "CAFFEE"`
			`f"{b}{a}"`
			```

			`[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/)`

			`---`

			`## Packing`

			```sh
			`ooooo ooo ooooooooo. ooooooo ooooo`
			`888' `8' `888 `Y88. `8888 d8'
			`888 8 888 .d88' Y888..8P`
			888 8 888ooo88P' `8888'
			`888 8 888 .8PY888.`
			`88. .8' 888 d8' `888b
			`YbodP' o888o o888o o88888o
			```

			`[UPX Packer/Unpacker](https://upx.github.io/)`

			`---`

			`### Mangling`

			`<section>`
			`<pre><code data-trim data-noescape>`
			`c++filt`
			`_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm`
			`std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,`
			`std::char_traits<char>, std::allocator<char> > const&, unsigned long)`
			`</code></pre></section>`

			`<section><a href="https://demangler.io/" alt="demangler">Online Demangler</a></section>`

			`---`

			`### Code Elements`

			`* Adding Unnecessary Instructions`
			`* Changing Control Flows`
			`* Protecting Data`

			`<img src="./images/spaghetti.jpg" alt="Convoluted Code" width="30%" height="30%">`

			`---`

			`### Deobfuscation Tools`


			`* DotNet`
			`* [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot)`
			`* [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy)`
			`* [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)`