diff --git a/introduction-to-reverse-engineering/images/donut.gif b/introduction-to-reverse-engineering/images/donut.gif new file mode 100644 index 0000000..8631be7 Binary files /dev/null and b/introduction-to-reverse-engineering/images/donut.gif differ diff --git a/introduction-to-reverse-engineering/images/spaghetti.jpg b/introduction-to-reverse-engineering/images/spaghetti.jpg new file mode 100644 index 0000000..2078deb Binary files /dev/null and b/introduction-to-reverse-engineering/images/spaghetti.jpg differ diff --git a/introduction-to-reverse-engineering/presentation.html b/introduction-to-reverse-engineering/presentation.html index fe8f27c..96be65c 100644 --- a/introduction-to-reverse-engineering/presentation.html +++ b/introduction-to-reverse-engineering/presentation.html 
@@ -28,6 +28,70 @@ margin: 0 0.8em 0.2em -1.6em; vertical-align: middle; } + /* CSS for syntax highlighting */ + pre > code.sourceCode { white-space: pre; position: relative; } + pre > code.sourceCode > span { line-height: 1.25; } + pre > code.sourceCode > span:empty { height: 1.2em; } + .sourceCode { overflow: visible; } + code.sourceCode > span { color: inherit; text-decoration: inherit; } + div.sourceCode { margin: 1em 0; } + pre.sourceCode { margin: 0; } + @media screen { + div.sourceCode { overflow: auto; } + } + @media print { + pre > code.sourceCode { white-space: pre-wrap; } + pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; } + } + pre.numberSource code + { counter-reset: source-line 0; } + pre.numberSource code > span + { position: relative; left: -4em; counter-increment: source-line; } + pre.numberSource code > span > a:first-child::before + { content: counter(source-line); + position: relative; left: -1em; text-align: right; vertical-align: baseline; + border: none; display: inline-block; + -webkit-touch-callout: none; -webkit-user-select: none; + -khtml-user-select: none; -moz-user-select: none; + -ms-user-select: none; user-select: none; + padding: 0 4px; width: 4em; + color: #aaaaaa; + } + pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; } + div.sourceCode + { } + @media screen { + pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; } + } + code span.al { color: #ff0000; font-weight: bold; } /* Alert */ + code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */ + code span.at { color: #7d9029; } /* Attribute */ + code span.bn { color: #40a070; } /* BaseN */ + code span.bu { color: #008000; } /* BuiltIn */ + code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */ + code span.ch { color: #4070a0; } /* Char */ + code span.cn { color: #880000; } /* Constant */ + code span.co { color: #60a0b0; font-style: italic; } /* 
Comment */ + code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */ + code span.do { color: #ba2121; font-style: italic; } /* Documentation */ + code span.dt { color: #902000; } /* DataType */ + code span.dv { color: #40a070; } /* DecVal */ + code span.er { color: #ff0000; font-weight: bold; } /* Error */ + code span.ex { } /* Extension */ + code span.fl { color: #40a070; } /* Float */ + code span.fu { color: #06287e; } /* Function */ + code span.im { color: #008000; font-weight: bold; } /* Import */ + code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */ + code span.kw { color: #007020; font-weight: bold; } /* Keyword */ + code span.op { color: #666666; } /* Operator */ + code span.ot { color: #007020; } /* Other */ + code span.pp { color: #bc7a00; } /* Preprocessor */ + code span.sc { color: #4070a0; } /* SpecialChar */ + code span.ss { color: #bb6688; } /* SpecialString */ + code span.st { color: #4070a0; } /* String */ + code span.va { color: #19177c; } /* Variable */ + code span.vs { color: #4070a0; } /* VerbatimString */ + code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */ @@ -153,7 +217,7 @@ Symbol Tree

Strings

-

Open the Defined Strings Menu

+

Open the Defined Strings Menu

Strings can not only be located in data but also in other code segments, sometimes obfuscated
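Review bot: in the Strings slide hunk (@@ -153,7 +217,7 @@ Symbol Tree), the removed line and the added line both render as "Open the Defined Strings Menu", so the actual change (most likely the image source behind that caption) cannot be reviewed from this view; please confirm that whatever asset the new line references is part of this commit, since the only binaries added here are introduction-to-reverse-engineering/images/donut.gif and images/spaghetti.jpg, and state the path change in the commit message so it is traceable later.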

@@ -180,6 +244,118 @@ on tryhackme
  • Download firmware of your favorite IoT appliances
  • + +
    + +

    A Word On Binary Obfuscation

    +

    Software Obfuscation was born in 1984 at the International Obfuscated C Code +Contest

    +

    A donut as code compiles to a spinning donut by Jim Hague

    +
    +
    + +

    What Exactly +might be Obfuscated in Your Code?

    +
    +Layered +obfuscation: a taxonomy of software obfuscation techniques for layered +security by Hui Xu et. al +
    +
    + +
    +
    + +
    +
    +
    + +

    Techniques of Obfuscation

    +
    +
    + +

    Splitting & Merging of +Strings

    +
    a = "BABE"
    +b = "CAFFEE"
    +f"{b}{a}"
    +

    String +Deobfuscation with FLOSS

    +
    +
    + +

    Packing

    +
                ooooo     ooo  ooooooooo.  ooooooo  ooooo
    +            `888'     `8'  `888   `Y88. `8888    d8'
    +             888       8    888   .d88'   Y888..8P
    +             888       8    888ooo88P'     `8888'
    +             888       8    888           .8PY888.
    +             `88.    .8'    888          d8'  `888b
    +               `YbodP'     o888o       o888o  o88888o
    +

    UPX Packer/Unpacker

    +
    +
    + +

    Mangling

    +
    +
    
    +c++filt
    +_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
    +std::__cxx11::collate_byname::collate_byname(std::__cxx11::basic_string, std::allocator > const&, unsigned long)
    +
    +
    +
    +Online Demangler +
    +
    +
    + +

    Code Elements

    + +

    Convoluted Code

    +
    +
    + +

    Deobfuscation Tools

    +
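Review bot: in the Mangling slide of this presentation.html hunk (@@ -180,6 +244,118 @@), the c++filt output has lost its template arguments: the line `+std::__cxx11::collate_byname::collate_byname(std::__cxx11::basic_string, std::allocator > const&, unsigned long)` should read `std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long)`; the dangling `std::allocator >` with its unmatched `>` is exactly what is left after the `<char ...>` runs are consumed as HTML tags. Escape the angle brackets as `&lt;`/`&gt;` in the HTML (or regenerate the slide from the markdown with the block fenced) so the demangled name is shown in full, otherwise the slide teaches readers to expect a wrong demangling. Smaller points in the same hunk: "Hui Xu et. al" should be "et al.", and the `a = "BABE"` / `b = "CAFFEE"` / `f"{b}{a}"` snippet is Python, so it should be highlighted as Python rather than left untagged.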
    diff --git a/introduction-to-reverse-engineering/reverse_engineering.md b/introduction-to-reverse-engineering/reverse_engineering.md index 9d1d60d..3e68586 100644 --- a/introduction-to-reverse-engineering/reverse_engineering.md +++ b/introduction-to-reverse-engineering/reverse_engineering.md @@ -92,7 +92,7 @@ That's how you get to know the back alleys. --- -### Conditions & Comparisions +### Conditions & Comparisions Input is Compared to a Hard Coded String @@ -129,3 +129,107 @@ Strings can not only be located in data but also in other code segments, sometim * [Find more binaries on hackthebox](https://hackthebox.eu) * [Or Find even more on tryhackme](https://tryhackme.com) * Download firmware of your favorite IoT appliances + +--- + +## A Word On Binary Obfuscation + +Software Obfuscation was born in 1984 at the [International Obfuscated C Code Contest](https://ioccc.org/) + +A donut as code compiles to a spinning donut by Jim Hague + +--- + +### What Exactly might be Obfuscated in Your Code? + +
    +[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf) +
    + +
    + +* Code Element Layers + * Layout + * Controls + * Data + * Methods + * Classes + +
    + +
    +* Component + * Library Calls + * Used Resources + +* Application Layer + * DRM System + * Neural Networks + +
    + +--- + +## Techniques of Obfuscation + +--- + +### Splitting & Merging of Strings + +```sh +a = "BABE" +b = "CAFFEE" +f"{b}{a}" +``` + +[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/) + +--- + +## Packing + +```sh + ooooo ooo ooooooooo. ooooooo ooooo + `888' `8' `888 `Y88. `8888 d8' + 888 8 888 .d88' Y888..8P + 888 8 888ooo88P' `8888' + 888 8 888 .8PY888. + `88. .8' 888 d8' `888b + `YbodP' o888o o888o o88888o +``` + +[UPX Packer/Unpacker](https://upx.github.io/) + +--- + +### Mangling + +
    +
    
    +c++filt
    +_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
    +std::__cxx11::collate_byname::collate_byname(std::__cxx11::basic_string, std::allocator > const&, unsigned long)
    +
    + +
    Online Demangler
    + +--- + +### Code Elements + +* Adding Unnecessary Instructions +* Changing Control Flows +* Protecting Data + +Convoluted Code + +--- + +### Deobfuscation Tools + + +* DotNet + * [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot) + * [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy) + * [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)
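Review bot: the syntax-highlighting CSS hunk in presentation.html (@@ -28,6 +28,70 @@) carries an empty rule, `div.sourceCode { }`, which can be dropped; the rest is the standard pandoc highlighting stylesheet and is fine as-is, though moving it into a separate stylesheet would keep future content diffs of presentation.html readable.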
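Review bot: in the reverse_engineering.md hunk @@ -92,7 +92,7 @@, the only changed line is the heading `### Conditions & Comparisions`, and its before and after text are identical in this view (presumably a whitespace change); since the line is being touched anyway, fix the spelling to `### Conditions & Comparisons`.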
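Review bot: in the reverse_engineering.md hunk @@ -129,3 +129,107 @@, the Mangling example is the only code sample without a fence, and its demangled line is missing its template arguments (`+std::__cxx11::collate_byname::collate_byname(std::__cxx11::basic_string, std::allocator > const&, unsigned long)`): unfenced `<char>` is swallowed as inline HTML by markdown renderers. Fence it like the other examples and show the full c++filt output, `std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long)`. Further points in the same hunk: the string-splitting block (`a = "BABE"`, `b = "CAFFEE"`, `f"{b}{a}"`) is Python but fenced as ```sh, so tag it ```python, and assigning the joined value (for example `magic = f"{b}{a}"`) would show where the reconstructed string is used; if the two halves are meant to spell the CAFEBABE magic, "CAFFEE" has an extra F and E; the UPX banner is ASCII art, not shell, so ```text is the better fence; and "Hui Xu et. al" should read "et al.".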