init

README.md

@@ -0,0 +1,3 @@
+# Presentations
+
+This will be a collection of presentations.

introduction-to-reverse-engineering/build-presentation.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+pandoc -s --mathml -i -t revealjs  reverse_engineering.md -o presentation.html -V theme=dracula

introduction-to-reverse-engineering/presentation.html

@@ -0,0 +1,348 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="generator" content="pandoc">
+  <meta name="author" content="Stefan Friese">
+  <title>Introduction to Reverse Engineering</title>
+  <meta name="apple-mobile-web-app-capable" content="yes">
+  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
+  <link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reset.css">
+  <link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reveal.css">
+  <style>
+    .reveal .sourceCode {  /* see #7635 */
+      overflow: visible;
+    }
+    code{white-space: pre-wrap;}
+    span.smallcaps{font-variant: small-caps;}
+    div.columns{display: flex; gap: min(4vw, 1.5em);}
+    div.column{flex: auto; overflow-x: auto;}
+    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+    /* The extra [class] is a hack that increases specificity enough to
+       override a similar rule in reveal.js */
+    ul.task-list[class]{list-style: none;}
+    ul.task-list li input[type="checkbox"] {
+      font-size: inherit;
+      width: 0.8em;
+      margin: 0 0.8em 0.2em -1.6em;
+      vertical-align: middle;
+    }
+  </style>
+  <link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/dracula.css" id="theme">
+</head>
+<body>
+  <div class="reveal">
+    <div class="slides">
+
+<section id="title-slide">
+  <h1 class="title">Introduction to Reverse Engineering</h1>
+  <p class="author">Stefan Friese</p>
+  <p class="date">02 November, 2023</p>
+</section>
+
+<section id="topics" class="slide level1">
+<h1>Topics</h1>
+<ul>
+<li class="fragment">Effective Reverse Engineering</li>
+<li class="fragment">Reversing with Ghidra</li>
+</ul>
+</section>
+<section class="slide level1">
+
+<h2 id="how-do-you-reverse">How Do You Reverse</h2>
+<p>Reverse Engineering demands a lot of knowledge in multiple
+fields.</p>
+<p><strong>Some topics are</strong></p>
+<ul>
+<li class="fragment">Assembly Language</li>
+<li class="fragment">ANSI C</li>
+<li class="fragment">Other Languages</li>
+<li class="fragment">Syscalls</li>
+<li class="fragment">Cryptography</li>
+</ul>
+</section>
+<section class="slide level1">
+
+<p>How do you reverse engineer without knowing little about these
+topics?</p>
+</section>
+<section class="slide level1">
+
+<h2 id="reversing-is-work">Reversing is Work</h2>
+<p>Work is a product of power by time.<br />
+<code>P</code> is your power to solve an issue.</p>
+<p><code>W = P x t</code></p>
+<p>The smarter you tackle work, the less time you need to solve an
+issue.</p>
+</section>
+<section class="slide level1">
+
+<h2 id="knowledge-is-a-map">Knowledge is a Map</h2>
+<p>You conventiently drive around the city using the underground. That’s
+how you get to know the main spots of the city.</p>
+<p><img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto"></p>
+</section>
+<section class="slide level1">
+
+<h2 id="knowledge-is-a-map-1">Knowledge is a Map</h2>
+<p>Invest some time and explore deeper on foot. That’s how you get to
+know the back alleys.</p>
+<p><img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto"></p>
+</section>
+<section id="ghidra-an-overview" class="slide level1">
+<h1>Ghidra – an Overview</h1>
+</section>
+<section class="slide level1">
+
+<figure>
+<img data-src="./images/Ghidra-Overview.png"
+alt="Main View of Ghidra" />
+<figcaption aria-hidden="true">Main View of Ghidra</figcaption>
+</figure>
+</section>
+<section class="slide level1">
+
+<h2 id="watch-out-for-low-hanging-fruits">Watch Out for Low Hanging
+Fruits</h2>
+</section>
+<section class="slide level1">
+
+<ul>
+<li class="fragment">Data Segment</li>
+<li class="fragment">Names of Functions</li>
+<li class="fragment">Conditions &amp; Comparisons</li>
+<li class="fragment">Strings: Usernames, Passwords</li>
+<li class="fragment">URLs, IP &amp; Port Numbers</li>
+</ul>
+<p><strong>Do not try to understand the whole code at once, it will only
+drive you mad.</strong></p>
+</section>
+<section class="slide level1">
+
+<h3 id="data-segments">Data Segments</h3>
+<figure>
+<img data-src="./images/data-segments.png"
+alt="A look into the read only data segment" />
+<figcaption aria-hidden="true">A look into the read only data
+segment</figcaption>
+</figure>
+</section>
+<section class="slide level1">
+
+<h3 id="name-of-functions">Name of Functions</h3>
+<figure>
+<img data-src="./images/symbol-tree.png"
+alt="Functions contained in the binary a.k.a. Symbol Tree" />
+<figcaption aria-hidden="true">Functions contained in the binary a.k.a.
+Symbol Tree</figcaption>
+</figure>
+</section>
+<section class="slide level1">
+
+<h3 id="conditions-comparisions">Conditions &amp; Comparisions</h3>
+<p><img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto"></p>
+<p>Input is compared to a hard coded string</p>
+</section>
+<section class="slide level1">
+
+<h3 id="function-graph">Function Graph</h3>
+<p><img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto"></p>
+<p>Take a look at the flow graph of functions</p>
+</section>
+<section class="slide level1">
+
+<h3 id="strings">Strings</h3>
+<p><img src="./defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p>
+<p>Strings can not only be located in data but also in other code
+segments, sometimes obfuscated</p>
+</section>
+<section class="slide level1">
+
+<h3 id="strings-1">Strings</h3>
+<figure>
+<img data-src="./images/defined-strings.png" alt="An old friend" />
+<figcaption aria-hidden="true">An old friend</figcaption>
+</figure>
+</section>
+<section class="slide level1">
+
+<h3 id="do-it-yourselves">Do It Yourselves!</h3>
+<ul>
+<li class="fragment"><a href="https://ghidra-sre.org/">Download
+Ghidra</a></li>
+<li class="fragment"><a href="https://crackmes.one">Download binaries at
+crackmes.one</a></li>
+<li class="fragment"><a href="https://hackthebox.eu">Find more binaries
+on hackthebox</a></li>
+<li class="fragment"><a href="https://tryhackme.com">Or Find even more
+on tryhackme</a></li>
+<li class="fragment">Download firmware of your favorite IoT
+appliances</li>
+</ul>
+</section>
+    </div>
+  </div>
+
+  <script src="https://unpkg.com/reveal.js@^4//dist/reveal.js"></script>
+
+  <!-- reveal.js plugins -->
+  <script src="https://unpkg.com/reveal.js@^4//plugin/notes/notes.js"></script>
+  <script src="https://unpkg.com/reveal.js@^4//plugin/search/search.js"></script>
+  <script src="https://unpkg.com/reveal.js@^4//plugin/zoom/zoom.js"></script>
+
+  <script>
+
+      // Full list of configuration options available at:
+      // https://revealjs.com/config/
+      Reveal.initialize({
+        // Display controls in the bottom right corner
+        controls: true,
+
+        // Help the user learn the controls by providing hints, for example by
+        // bouncing the down arrow when they first encounter a vertical slide
+        controlsTutorial: true,
+
+        // Determines where controls appear, "edges" or "bottom-right"
+        controlsLayout: 'bottom-right',
+
+        // Visibility rule for backwards navigation arrows; "faded", "hidden"
+        // or "visible"
+        controlsBackArrows: 'faded',
+
+        // Display a presentation progress bar
+        progress: true,
+
+        // Display the page number of the current slide
+        slideNumber: false,
+
+        // 'all', 'print', or 'speaker'
+        showSlideNumber: 'all',
+
+        // Add the current slide number to the URL hash so that reloading the
+        // page/copying the URL will return you to the same slide
+        hash: true,
+
+        // Start with 1 for the hash rather than 0
+        hashOneBasedIndex: false,
+
+        // Flags if we should monitor the hash and change slides accordingly
+        respondToHashChanges: true,
+
+        // Push each slide change to the browser history
+        history: false,
+
+        // Enable keyboard shortcuts for navigation
+        keyboard: true,
+
+        // Enable the slide overview mode
+        overview: true,
+
+        // Disables the default reveal.js slide layout (scaling and centering)
+        // so that you can use custom CSS layout
+        disableLayout: false,
+
+        // Vertical centering of slides
+        center: true,
+
+        // Enables touch navigation on devices with touch input
+        touch: true,
+
+        // Loop the presentation
+        loop: false,
+
+        // Change the presentation direction to be RTL
+        rtl: false,
+
+        // see https://revealjs.com/vertical-slides/#navigation-mode
+        navigationMode: 'default',
+
+        // Randomizes the order of slides each time the presentation loads
+        shuffle: false,
+
+        // Turns fragments on and off globally
+        fragments: true,
+
+        // Flags whether to include the current fragment in the URL,
+        // so that reloading brings you to the same fragment position
+        fragmentInURL: true,
+
+        // Flags if the presentation is running in an embedded mode,
+        // i.e. contained within a limited portion of the screen
+        embedded: false,
+
+        // Flags if we should show a help overlay when the questionmark
+        // key is pressed
+        help: true,
+
+        // Flags if it should be possible to pause the presentation (blackout)
+        pause: true,
+
+        // Flags if speaker notes should be visible to all viewers
+        showNotes: false,
+
+        // Global override for autoplaying embedded media (null/true/false)
+        autoPlayMedia: null,
+
+        // Global override for preloading lazy-loaded iframes (null/true/false)
+        preloadIframes: null,
+
+        // Number of milliseconds between automatically proceeding to the
+        // next slide, disabled when set to 0, this value can be overwritten
+        // by using a data-autoslide attribute on your slides
+        autoSlide: 0,
+
+        // Stop auto-sliding after user input
+        autoSlideStoppable: true,
+
+        // Use this method for navigation when auto-sliding
+        autoSlideMethod: null,
+
+        // Specify the average time in seconds that you think you will spend
+        // presenting each slide. This is used to show a pacing timer in the
+        // speaker view
+        defaultTiming: null,
+
+        // Enable slide navigation via mouse wheel
+        mouseWheel: false,
+
+        // The display mode that will be used to show slides
+        display: 'block',
+
+        // Hide cursor if inactive
+        hideInactiveCursor: true,
+
+        // Time before the cursor is hidden (in ms)
+        hideCursorTime: 5000,
+
+        // Opens links in an iframe preview overlay
+        previewLinks: false,
+
+        // Transition style (none/fade/slide/convex/concave/zoom)
+        transition: 'slide',
+
+        // Transition speed (default/fast/slow)
+        transitionSpeed: 'default',
+
+        // Transition style for full page slide backgrounds
+        // (none/fade/slide/convex/concave/zoom)
+        backgroundTransition: 'fade',
+
+        // Number of slides away from the current that are visible
+        viewDistance: 3,
+
+        // Number of slides away from the current that are visible on mobile
+        // devices. It is advisable to set this to a lower number than
+        // viewDistance in order to save resources.
+        mobileViewDistance: 2,
+
+        // reveal.js plugins
+        plugins: [
+          RevealNotes,
+          RevealSearch,
+          RevealZoom
+        ]
+      });
+    </script>
+    </body>
+</html>

introduction-to-reverse-engineering/reverse_engineering.md

@@ -0,0 +1,131 @@
+% Introduction to Reverse Engineering
+% Stefan Friese
+% 02 November, 2023
+
+---
+
+# Topics
+
+* Effective Reverse Engineering
+* Reversing with Ghidra
+
+---
+
+## How Do You Reverse
+
+Reverse Engineering demands a lot of knowledge in multiple fields.  
+
+**Some topics are**
+
+* Assembly Language
+* ANSI C
+* Other Languages
+* Syscalls
+* Cryptography
+
+---
+
+How do you reverse engineer without knowing little about these topics?
+
+---
+
+## Reversing is Work
+
+Work is a product of power by time.  
+`P` is your power to solve an issue.
+
+`W = P x t`
+
+The smarter you tackle work, the less time you need to solve an issue.
+
+---
+
+## Knowledge is a Map
+
+You conventiently drive around the city using the underground.
+That's how you get to know the main spots of the city.
+
+<img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto">
+
+---
+
+## Knowledge is a Map
+
+Invest some time and explore deeper on foot.
+That's how you get to know the back alleys.
+
+<img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto">
+
+---
+
+# Ghidra -- an Overview
+
+---
+
+![Main View of Ghidra](./images/Ghidra-Overview.png)
+
+---
+
+## Watch Out for Low Hanging Fruits
+
+---
+
+* Data Segment
+* Names of Functions
+* Conditions & Comparisons
+* Strings: Usernames, Passwords
+* URLs, IP & Port Numbers
+
+**Do not try to understand the whole code at once, it will only drive you mad.**
+
+---
+
+### Data Segments
+
+![A look into the read only data segment](./images/data-segments.png)
+
+---
+
+### Name of Functions
+
+![Functions contained in the binary a.k.a. Symbol Tree](./images/symbol-tree.png)
+
+---
+
+### Conditions & Comparisions 
+
+<img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto">
+
+Input is compared to a hard coded string
+
+---
+
+### Function Graph
+
+<img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto">
+
+Take a look at the flow graph of functions
+
+---
+
+### Strings
+
+<img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto">
+
+Strings can not only be located in data but also in other code segments, sometimes obfuscated
+
+---
+
+### Strings
+
+![An old friend](./images/defined-strings.png)
+
+---
+
+### Do It Yourselves!
+
+* [Download Ghidra](https://ghidra-sre.org/)
+* [Download binaries at crackmes.one](https://crackmes.one)
+* [Find more binaries on hackthebox](https://hackthebox.eu)
+* [Or Find even more on tryhackme](https://tryhackme.com)
+* Download firmware of your favorite IoT appliances