Introduction to Reverse Engineering

Stefan Friese

02 November, 2023

Topics

  • Effective Reverse Engineering
  • Reversing with Ghidra

How Do You Reverse

Reverse Engineering demands a lot of knowledge in multiple fields.

Some topics are

  • Assembly Language
  • ANSI C
  • Other Languages
  • Syscalls
  • Cryptography

How do you reverse engineer while knowing little about these topics?

Reversing is Work

Work is the product of power and time.
P is your power to solve an issue, t is the time you spend on it.

W = P x t

The smarter you tackle work, the less time you need to solve an issue.

Knowledge is a Map

You conveniently drive around the city using the underground. That’s how you get to know the main spots of the city.

London Underground

Knowledge is a Map

Invest some time and explore deeper on foot. That’s how you get to know the back alleys.

London by Foot

Ghidra – an Overview

Main View of Ghidra

Watch Out for Low Hanging Fruits

  • Data Segment
  • Names of Functions
  • Conditions & Comparisons
  • Strings: Usernames, Passwords
  • URLs, IP & Port Numbers

Do not try to understand the whole code at once; it will only drive you mad.
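As an added example (not part of the original slides), the following Python script does the first pass over the low-hanging fruits listed above: it pulls printable strings out of a binary the way `strings` does and sorts them into URLs, IP:port pairs and credential hints. The byte buffer is constructed for the demonstration, and the regular expressions are a simple heuristic of mine, not a Ghidra feature.

```python
import re
from typing import Dict, List

# Constructed stand-in for a .rodata dump (not a real file): a few non-printable
# bytes around the kind of strings that stand out during triage.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: agent [options]\x00"
    + b"admin\x00" + b"Passw0rd!\x00"
    + b"http://updates.example.invalid/check\x00"
    + b"192.0.2.10:4444\x00"
    + b"\x90\x90\xcc\x00"
    + b"Wrong password\x00"
)

# Categories an analyst looks at first; the patterns are an assumed heuristic.
PATTERNS = {
    "url": re.compile(r"^(?:https?|ftp)://\S+$"),
    "ip_port": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$"),
    "credential_hint": re.compile(r"(?i)pass(word|w)?|secret|token|login|user|admin|root"),
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket each string under every category whose pattern matches it."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for s in strings:
        for name, pattern in PATTERNS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


def triage(data: bytes) -> Dict[str, List[str]]:
    """Strings listing plus classification in one call."""
    return classify(extract_strings(data))


if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(f"[{category}]")
        for s in items:
            print("   ", s)
```

The credential bucket is deliberately noisy (it also catches the "Wrong password" error message), which is exactly the kind of string that leads you to the comparison routine in the next slides.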

Data Segments

A look into the read-only data segment

Name of Functions

Functions contained in the binary, a.k.a. the Symbol Tree

Conditions & Comparisons

Input is Compared to a Hard Coded String

Input is compared to a hard coded string

Function Graph

Take a Look at the Flow Graph of Functions

Take a look at the flow graph of functions

Strings

Open the Defined Strings Menu

Strings are not only found in the data segment but also in code segments, sometimes obfuscated.

Strings

An old friend

Do It Yourself!

A Word On Binary Obfuscation

Software Obfuscation was born in 1984 at the International Obfuscated C Code Contest

A donut as code compiles to a spinning donut by Jim Hague

What Exactly might be Obfuscated in Your Code?

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security, Hui Xu et al.
  • Code Element Layers
    • Layout
    • Controls
    • Data
    • Methods
    • Classes
  • Component
    • Library Calls
    • Used Resources
  • Application Layer
    • DRM System
    • Neural Networks

Techniques of Obfuscation

Splitting & Merging of Strings

a = "BABE"     # fragments are stored separately in the binary,
b = "CAFFEE"   # so a strings listing never shows the whole value
print(f"{b}{a}")  # the full string only exists at run time

String Deobfuscation with FLOSS
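The following Python example is added here and is not part of the original slides or of FLOSS. It shows the two cases from the previous slides on a constructed byte buffer: a string split into fragments that a strings listing shows separately, and a string XOR-encoded with a single byte, recovered by trying every key and keeping decodings that look like text. FLOSS recovers such strings by emulating the binary's own decoding routines; this is only the simplest hand-rolled variant of the idea. The sample bytes, the key and the `looks_like_text` heuristic are all assumptions of the example.

```python
import re
from typing import List, Tuple


def ascii_runs(data: bytes, min_len: int = 8) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings`."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used both to build the sample and to decode it."""
    return bytes(b ^ key for b in data)


# Constructed sample (not a real binary): a plain string, a split string
# ("CAFFEE" and "BABE" separated by instruction bytes) and a URL obfuscated
# with XOR key 0x9C. The key has the high bit set, so the encoded bytes are
# all non-printable and invisible to a plain strings listing.
SECRET_URL = "http://c2.example.invalid/beacon"
KEY = 0x9C
SAMPLE = (
    b"\xcc" * 16
    + b"Ready.\x00"
    + b"CAFFEE\x00" + b"\x48\x89\xe5" * 4 + b"BABE\x00"
    + xor_bytes(SECRET_URL.encode("ascii"), KEY) + b"\x00"
    + b"\xcc" * 16
)


def looks_like_text(s: str) -> bool:
    """Cheap filter against runs like 'PPPPPPPP' produced by XORing padding."""
    return len(set(s)) >= 5


def recover_single_byte_xor(data: bytes, min_len: int = 12) -> List[Tuple[int, str]]:
    """Brute-force every single-byte key; keep decodings that look like text.
    Key 0 is skipped because it is just the plain strings listing."""
    found = []
    for key in range(1, 256):
        for s in ascii_runs(xor_bytes(data, key), min_len):
            if looks_like_text(s):
                found.append((key, s))
    return found


def merge_fragments(fragments: List[str]) -> str:
    """The program concatenates the pieces at run time; the analyst does the
    same by hand once the fragments and their order are identified."""
    return "".join(fragments)


if __name__ == "__main__":
    print("plain strings:", ascii_runs(SAMPLE, 4))
    print("merged:", merge_fragments(["CAFFEE", "BABE"]))
    for key, s in recover_single_byte_xor(SAMPLE):
        print(f"key 0x{key:02x}: {s}")
```

The brute force still returns false positives (any key that turns a run of the buffer into readable-looking text), so the candidate list is a starting point for confirming the decoding routine in the disassembly, not a final answer.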

Packing

Compress binary data

            ooooo     ooo  ooooooooo.  ooooooo  ooooo
            `888'     `8'  `888   `Y88. `8888    d8'
             888       8    888   .d88'   Y888..8P
             888       8    888ooo88P'     `8888'
             888       8    888           .8PY888.
             `88.    .8'    888          d8'  `888b
               `YbodP'     o888o       o888o  o88888o

UPX Packer/Unpacker
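Packed or compressed payloads are close to random, so a quick way to spot packing before reaching for UPX is to measure byte entropy per region. This Python example is added here and is not from the original slides or from UPX: it computes Shannon entropy, profiles a buffer in chunks and flags it when most chunks look compressed. The sample data is constructed (a text-like region, then the same bytes after zlib compression standing in for a packed payload), and the 7.0 bits/byte threshold is an assumed heuristic, not a signature of any packer.

```python
import math
import random
import zlib
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = 1024) -> List[Tuple[int, float]]:
    """Entropy of each chunk keyed by offset, a section-by-section view."""
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]


def suspect_packed(data: bytes, chunk: int = 1024, threshold: float = 7.0) -> bool:
    """True when more than half of the chunks exceed the (assumed) threshold."""
    profile = entropy_profile(data, chunk)
    hot = sum(1 for _, e in profile if e >= threshold)
    return hot * 2 > len(profile)


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed stand-ins: text-like bytes from a small vocabulary, and the
    same bytes after zlib compression (what a packer's payload looks like)."""
    rng = random.Random(2023)
    vocab = ["".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                     for _ in range(rng.randint(3, 9))) for _ in range(100)]
    words, size = [], 0
    while size < 64 * 1024:
        w = rng.choice(vocab)
        words.append(w)
        size += len(w) + 1
    plain = " ".join(words).encode("ascii")
    packed = zlib.compress(plain, 9)
    return plain, packed


if __name__ == "__main__":
    plain, packed = build_samples()
    for label, buf in (("plain", plain), ("packed", packed)):
        print(f"{label}: {len(buf)} bytes, entropy {shannon_entropy(buf):.2f}, "
              f"suspect_packed={suspect_packed(buf)}")
```

Encrypted data scores just as high as compressed data, so a high-entropy region tells you that the real code is not yet visible, not which tool produced it; section names such as UPX0/UPX1 or a known unpacker are the next check.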

Mangling

Library symbols in compiled code for functions and data that share the same source name; the compiler encodes scope, template arguments and parameter types into the symbol so that each overload gets a distinct name.

$ c++filt _ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long)
Online Demangler
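To make the structure of a mangled name visible, here is a small demangler for a subset of the Itanium C++ ABI, added as an example and not taken from c++filt or the slides. It handles length-prefixed source names, `N...E` nested names, the `St` (std::) prefix, constructors and destructors, template type arguments and the builtin, pointer, reference and const/volatile type codes. Substitutions (`S_`, `Sa`, `T_`), which the page's collate_byname example depends on, are deliberately left out and raise an error instead of guessing; the test names below are constructed.

```python
import re
from typing import List

# Itanium C++ ABI builtin type codes (subset).
BUILTIN = {
    "v": "void", "b": "bool", "c": "char", "a": "signed char", "h": "unsigned char",
    "s": "short", "t": "unsigned short", "i": "int", "j": "unsigned int",
    "l": "long", "m": "unsigned long", "x": "long long", "y": "unsigned long long",
    "f": "float", "d": "double", "e": "long double", "w": "wchar_t",
}
MODIFIERS = {"P": "*", "R": "&", "O": "&&", "K": " const", "V": " volatile"}


class MiniDemangler:
    """Recursive-descent parser over a mangled name; no substitution support."""

    def __init__(self, mangled: str):
        self.s = mangled
        self.pos = 0

    def peek(self, n: int = 1) -> str:
        return self.s[self.pos:self.pos + n]

    def take(self, n: int = 1) -> str:
        tok = self.s[self.pos:self.pos + n]
        self.pos += n
        return tok

    def source_name(self) -> str:
        """<length><identifier>, e.g. 3foo -> foo."""
        m = re.match(r"\d+", self.s[self.pos:])
        if not m:
            raise ValueError(f"expected <length><identifier> at offset {self.pos}")
        self.pos += m.end()
        return self.take(int(m.group()))

    def unqualified(self, parts: List[str]) -> str:
        """One name component; C1/C2/C3 and D0/D1/D2 repeat the class name."""
        if self.peek().isdigit():
            return self.source_name()
        if self.peek(2) in ("C1", "C2", "C3") and parts:
            self.take(2)
            return parts[-1].split("<")[0]
        if self.peek(2) in ("D0", "D1", "D2") and parts:
            self.take(2)
            return "~" + parts[-1].split("<")[0]
        raise ValueError(f"unsupported name component at offset {self.pos}")

    def template_args(self) -> str:
        """Type arguments after an 'I', up to the matching 'E'."""
        args = []
        while self.peek() != "E":
            args.append(self.parse_type())
        self.take()
        inner = ", ".join(args)
        return "<" + inner + (" >" if inner.endswith(">") else ">")  # GNU "> >" style

    def component(self, parts: List[str]) -> str:
        comp = self.unqualified(parts)
        if self.peek() == "I":
            self.take()
            comp += self.template_args()
        return comp

    def name(self) -> str:
        """Either N <component>... E or a single component, optionally under std::."""
        parts: List[str] = []
        nested = self.peek() == "N"
        if nested:
            self.take()
        if self.peek(2) == "St":
            self.take(2)
            parts.append("std")
        if nested:
            while self.peek() != "E":
                parts.append(self.component(parts))
            self.take()
        else:
            parts.append(self.component(parts))
        return "::".join(parts)

    def parse_type(self) -> str:
        c = self.peek()
        if c in BUILTIN:
            return BUILTIN[self.take()]
        if c in MODIFIERS:
            self.take()
            return self.parse_type() + MODIFIERS[c]
        if c == "N" or c.isdigit() or self.peek(2) == "St":
            return self.name()
        raise ValueError(f"unsupported type code {c!r} at offset {self.pos}")

    def demangle(self) -> str:
        if self.take(2) != "_Z":
            raise ValueError("not an Itanium-mangled name")
        fn = self.name()
        if self.pos == len(self.s):
            return fn  # data symbol: no parameter list follows the name
        params = []
        while self.pos < len(self.s):
            params.append(self.parse_type())
        if params == ["void"]:
            params = []  # 'v' alone means an empty parameter list
        return f"{fn}({', '.join(params)})"


def demangle(mangled: str) -> str:
    return MiniDemangler(mangled).demangle()
```

Reading the page's example with this grammar in mind: `NSt7__cxx1114collate_bynameIcEC2E` is the nested name std::__cxx11::collate_byname<char>::collate_byname, and the remaining `RKNS_...Em` is the parameter list, where the `S_` back-reference is what a full demangler resolves to the std::__cxx11 seen earlier.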

Code Elements

  • Adding Unnecessary Instructions
  • Changing Control Flows
  • Protecting Data

Convoluted Code

Deobfuscation Tools