<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta name="generator" content="pandoc"> <meta name="author" content="Stefan Friese"> <title>Introduction to Reverse Engineering</title> <meta name="apple-mobile-web-app-capable" content="yes"> <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui"> <link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reset.css"> <link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reveal.css"> <style> .reveal .sourceCode { /* see #7635 */ overflow: visible; } code{white-space: pre-wrap;} span.smallcaps{font-variant: small-caps;} div.columns{display: flex; gap: min(4vw, 1.5em);} div.column{flex: auto; overflow-x: auto;} div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} /* The extra [class] is a hack that increases specificity enough to override a similar rule in reveal.js */ ul.task-list[class]{list-style: none;} ul.task-list li input[type="checkbox"] { font-size: inherit; width: 0.8em; margin: 0 0.8em 0.2em -1.6em; vertical-align: middle; } </style> <link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/dracula.css" id="theme"> </head> <body> <div class="reveal"> <div class="slides"> <section id="title-slide"> <h1 class="title">Introduction to Reverse Engineering</h1> <p class="author">Stefan Friese</p> <p class="date">02 November, 2023</p> </section> <section id="topics" class="slide level1"> <h1>Topics</h1> <ul> <li class="fragment">Effective Reverse Engineering</li> <li class="fragment">Reversing with Ghidra</li> </ul> </section> <section class="slide level1"> <h2 id="how-do-you-reverse">How Do You Reverse</h2> <p>Reverse Engineering demands a lot of knowledge in multiple fields.</p> <p><strong>Some topics are</strong></p> <ul> <li class="fragment">Assembly Language</li> <li class="fragment">ANSI C</li> <li class="fragment">Other 
Languages</li> <li class="fragment">Syscalls</li> <li class="fragment">Cryptography</li> </ul> </section>
<section class="slide level1"> <p>How do you reverse engineer while knowing only a little about these topics?</p> </section>
<section class="slide level1"> <h2 id="reversing-is-work">Reversing is Work</h2> <p>Work is the product of power and time.<br /> <code>P</code> is your power to solve an issue.</p> <p><code>W = P x t</code></p> <p>The smarter you tackle work, the less time you need to solve an issue.</p> </section>
<section class="slide level1"> <h2 id="knowledge-is-a-map">Knowledge is a Map</h2> <p>You conveniently get around the city using the underground. That’s how you get to know the main spots of the city.</p> <p><img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto"></p> </section>
<section class="slide level1"> <h2 id="knowledge-is-a-map-1">Knowledge is a Map</h2> <p>Invest some time and explore deeper on foot. That’s how you get to know the back alleys.</p> <p><img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto"></p> </section>
<section id="ghidra-an-overview" class="slide level1"> <h1>Ghidra – an Overview</h1> </section>
<section class="slide level1"> <figure> <img data-src="./images/Ghidra-Overview.png" alt="Main View of Ghidra" /> <figcaption aria-hidden="true">Main View of Ghidra</figcaption> </figure> </section>
<section class="slide level1"> <h2 id="watch-out-for-low-hanging-fruits">Watch Out for Low-Hanging Fruit</h2> </section>
<section class="slide level1"> <ul> <li class="fragment">Data Segment</li> <li class="fragment">Names of Functions</li> <li class="fragment">Conditions &amp; Comparisons</li> <li class="fragment">Strings: Usernames, Passwords</li> <li class="fragment">URLs, IP &amp; Port Numbers</li> </ul> <p><strong>Do not try to understand the whole code at once; it will only drive you mad.</strong></p> </section>
<section class="slide level1"> <h3
id="data-segments">Data Segments</h3> <figure> <img data-src="./images/data-segments.png" alt="A look into the read only data segment" /> <figcaption aria-hidden="true">A look into the read-only data segment</figcaption> </figure> </section>
<section class="slide level1"> <h3 id="name-of-functions">Names of Functions</h3> <figure> <img data-src="./images/symbol-tree.png" alt="Functions contained in the binary a.k.a. Symbol Tree" /> <figcaption aria-hidden="true">Functions contained in the binary, a.k.a. the Symbol Tree</figcaption> </figure> </section>
<section class="slide level1"> <h3 id="conditions-comparisions">Conditions &amp; Comparisons</h3> <p><img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto"></p> <p>Input is compared to a hard-coded string</p> </section>
<section class="slide level1"> <h3 id="function-graph">Function Graph</h3> <p><img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto"></p> <p>Take a look at the flow graph of functions</p> </section>
<section class="slide level1"> <h3 id="strings">Strings</h3> <p><img src="./defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p> <p>Strings are not only located in data segments but also in code segments, and they are sometimes obfuscated</p> </section>
<section class="slide level1"> <h3 id="strings-1">Strings</h3> <figure> <img data-src="./images/defined-strings.png" alt="An old friend" /> <figcaption aria-hidden="true">An old friend</figcaption> </figure> </section>
<section class="slide level1"> <h3 id="do-it-yourselves">Do It Yourselves!</h3> <ul> <li class="fragment"><a href="https://ghidra-sre.org/">Download Ghidra</a></li> <li class="fragment"><a href="https://crackmes.one">Download binaries at crackmes.one</a></li> <li class="fragment"><a href="https://hackthebox.eu">Find more binaries on hackthebox</a></li> <li class="fragment"><a href="https://tryhackme.com">Or 
find even more on tryhackme</a></li> <li class="fragment">Download firmware of your favorite IoT appliances</li> </ul> </section>
</div>
</div>
<script src="https://unpkg.com/reveal.js@^4//dist/reveal.js"></script>
<!-- reveal.js plugins -->
<script src="https://unpkg.com/reveal.js@^4//plugin/notes/notes.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/search/search.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/zoom/zoom.js"></script>
<script>
  // Full list of configuration options available at:
  // https://revealjs.com/config/
  Reveal.initialize({
    // Display controls in the bottom right corner
    controls: true,
    // Help the user learn the controls by providing hints, for example by
    // bouncing the down arrow when they first encounter a vertical slide
    controlsTutorial: true,
    // Determines where controls appear, "edges" or "bottom-right"
    controlsLayout: 'bottom-right',
    // Visibility rule for backwards navigation arrows; "faded", "hidden"
    // or "visible"
    controlsBackArrows: 'faded',
    // Display a presentation progress bar
    progress: true,
    // Display the page number of the current slide
    slideNumber: false,
    // 'all', 'print', or 'speaker'
    showSlideNumber: 'all',
    // Add the current slide number to the URL hash so that reloading the
    // page/copying the URL will return you to the same slide
    hash: true,
    // Start with 1 for the hash rather than 0
    hashOneBasedIndex: false,
    // Flags if we should monitor the hash and change slides accordingly
    respondToHashChanges: true,
    // Push each slide change to the browser history
    history: false,
    // Enable keyboard shortcuts for navigation
    keyboard: true,
    // Enable the slide overview mode
    overview: true,
    // Disables the default reveal.js slide layout (scaling and centering)
    // so that you can use custom CSS layout
    disableLayout: false,
    // Vertical centering of slides
    center: true,
    // Enables touch navigation on devices with touch input
    touch: true,
    // Loop the presentation
    loop: false,
    // Change the presentation direction to be RTL
    rtl: false,
    // see https://revealjs.com/vertical-slides/#navigation-mode
    navigationMode: 'default',
    // Randomizes the order of slides each time the presentation loads
    shuffle: false,
    // Turns fragments on and off globally
    fragments: true,
    // Flags whether to include the current fragment in the URL,
    // so that reloading brings you to the same fragment position
    fragmentInURL: true,
    // Flags if the presentation is running in an embedded mode,
    // i.e. contained within a limited portion of the screen
    embedded: false,
    // Flags if we should show a help overlay when the questionmark
    // key is pressed
    help: true,
    // Flags if it should be possible to pause the presentation (blackout)
    pause: true,
    // Flags if speaker notes should be visible to all viewers
    showNotes: false,
    // Global override for autoplaying embedded media (null/true/false)
    autoPlayMedia: null,
    // Global override for preloading lazy-loaded iframes (null/true/false)
    preloadIframes: null,
    // Number of milliseconds between automatically proceeding to the
    // next slide, disabled when set to 0, this value can be overwritten
    // by using a data-autoslide attribute on your slides
    autoSlide: 0,
    // Stop auto-sliding after user input
    autoSlideStoppable: true,
    // Use this method for navigation when auto-sliding
    autoSlideMethod: null,
    // Specify the average time in seconds that you think you will spend
    // presenting each slide. This is used to show a pacing timer in the
    // speaker view
    defaultTiming: null,
    // Enable slide navigation via mouse wheel
    mouseWheel: false,
    // The display mode that will be used to show slides
    display: 'block',
    // Hide cursor if inactive
    hideInactiveCursor: true,
    // Time before the cursor is hidden (in ms)
    hideCursorTime: 5000,
    // Opens links in an iframe preview overlay
    previewLinks: false,
    // Transition style (none/fade/slide/convex/concave/zoom)
    transition: 'slide',
    // Transition speed (default/fast/slow)
    transitionSpeed: 'default',
    // Transition style for full page slide backgrounds
    // (none/fade/slide/convex/concave/zoom)
    backgroundTransition: 'fade',
    // Number of slides away from the current that are visible
    viewDistance: 3,
    // Number of slides away from the current that are visible on mobile
    // devices. It is advisable to set this to a lower number than
    // viewDistance in order to save resources.
    mobileViewDistance: 2,
    // reveal.js plugins
    plugins: [
      RevealNotes,
      RevealSearch,
      RevealZoom
    ]
  });
</script>
</body>
</html>