<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="author" content="Stefan Friese">
<title>Introduction to Reverse Engineering</title>
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reset.css">
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reveal.css">
<style>
.reveal .sourceCode { /* see #7635 */
overflow: visible;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
/* CSS for syntax highlighting */
pre > code.sourceCode { white-space: pre; position: relative; }
pre > code.sourceCode > span { line-height: 1.25; }
pre > code.sourceCode > span:empty { height: 1.2em; }
.sourceCode { overflow: visible; }
code.sourceCode > span { color: inherit; text-decoration: inherit; }
div.sourceCode { margin: 1em 0; }
pre.sourceCode { margin: 0; }
@media screen {
div.sourceCode { overflow: auto; }
}
@media print {
pre > code.sourceCode { white-space: pre-wrap; }
pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
}
pre.numberSource code
{ counter-reset: source-line 0; }
pre.numberSource code > span
{ position: relative; left: -4em; counter-increment: source-line; }
pre.numberSource code > span > a:first-child::before
{ content: counter(source-line);
position: relative; left: -1em; text-align: right; vertical-align: baseline;
border: none; display: inline-block;
-webkit-touch-callout: none; -webkit-user-select: none;
-khtml-user-select: none; -moz-user-select: none;
-ms-user-select: none; user-select: none;
padding: 0 4px; width: 4em;
color: #aaaaaa;
}
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
div.sourceCode
{ }
@media screen {
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
}
code span.al { color: #ff0000; font-weight: bold; } /* Alert */
code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
code span.at { color: #7d9029; } /* Attribute */
code span.bn { color: #40a070; } /* BaseN */
code span.bu { color: #008000; } /* BuiltIn */
code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
code span.ch { color: #4070a0; } /* Char */
code span.cn { color: #880000; } /* Constant */
code span.co { color: #60a0b0; font-style: italic; } /* Comment */
code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
code span.do { color: #ba2121; font-style: italic; } /* Documentation */
code span.dt { color: #902000; } /* DataType */
code span.dv { color: #40a070; } /* DecVal */
code span.er { color: #ff0000; font-weight: bold; } /* Error */
code span.ex { } /* Extension */
code span.fl { color: #40a070; } /* Float */
code span.fu { color: #06287e; } /* Function */
code span.im { color: #008000; font-weight: bold; } /* Import */
code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
code span.kw { color: #007020; font-weight: bold; } /* Keyword */
code span.op { color: #666666; } /* Operator */
code span.ot { color: #007020; } /* Other */
code span.pp { color: #bc7a00; } /* Preprocessor */
code span.sc { color: #4070a0; } /* SpecialChar */
code span.ss { color: #bb6688; } /* SpecialString */
code span.st { color: #4070a0; } /* String */
code span.va { color: #19177c; } /* Variable */
code span.vs { color: #4070a0; } /* VerbatimString */
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
</style>
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/dracula.css" id="theme">
</head>
<body>
<div class="reveal">
<div class="slides">
<section id="title-slide">
<h1 class="title">Introduction to Reverse Engineering</h1>
<p class="author">Stefan Friese</p>
<p class="date">02 November, 2023</p>
</section>
<section id="topics" class="slide level1">
<h1>Topics</h1>
<ul>
<li class="fragment">Effective Reverse Engineering</li>
<li class="fragment">Reversing with Ghidra</li>
</ul>
</section>
<section class="slide level1">
<h2 id="how-do-you-reverse">How Do You Reverse</h2>
<p>Reverse Engineering demands a lot of knowledge in multiple
fields.</p>
<p><strong>Some topics are</strong></p>
<ul>
<li class="fragment">Assembly Language</li>
<li class="fragment">ANSI C</li>
<li class="fragment">Other Languages</li>
<li class="fragment">Syscalls</li>
<li class="fragment">Cryptography</li>
</ul>
</section>
<section class="slide level1">
<p>How do you reverse engineer without knowing little about these
topics?</p>
</section>
<section class="slide level1">
<h2 id="reversing-is-work">Reversing is Work</h2>
<p>Work is a product of power by time.<br />
<code>P</code> is your power to solve an issue.</p>
<p><code>W = P x t</code></p>
<p>The smarter you tackle work, the less time you need to solve an
issue.</p>
</section>
<section class="slide level1">
<h2 id="knowledge-is-a-map">Knowledge is a Map</h2>
<p>You conventiently drive around the city using the underground. That’s
how you get to know the main spots of the city.</p>
<p><img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto"></p>
</section>
<section class="slide level1">
<h2 id="knowledge-is-a-map-1">Knowledge is a Map</h2>
<p>Invest some time and explore deeper on foot. That’s how you get to
know the back alleys.</p>
<p><img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto"></p>
</section>
<section id="ghidra-an-overview" class="slide level1">
<h1>Ghidra – an Overview</h1>
</section>
<section class="slide level1">
<figure>
<img data-src="./images/Ghidra-Overview.png"
alt="Main View of Ghidra" />
<figcaption aria-hidden="true">Main View of Ghidra</figcaption>
</figure>
</section>
<section class="slide level1">
<h2 id="watch-out-for-low-hanging-fruits">Watch Out for Low Hanging
Fruits</h2>
</section>
<section class="slide level1">
<ul>
<li class="fragment">Data Segment</li>
<li class="fragment">Names of Functions</li>
<li class="fragment">Conditions & Comparisons</li>
<li class="fragment">Strings: Usernames, Passwords</li>
<li class="fragment">URLs, IP & Port Numbers</li>
</ul>
<p><strong>Do not try to understand the whole code at once, it will only
drive you mad.</strong></p>
</section>
<section class="slide level1">
<h3 id="data-segments">Data Segments</h3>
<figure>
<img data-src="./images/data-segments.png"
alt="A look into the read only data segment" />
<figcaption aria-hidden="true">A look into the read only data
segment</figcaption>
</figure>
</section>
<section class="slide level1">
<h3 id="name-of-functions">Name of Functions</h3>
<figure>
<img data-src="./images/symbol-tree.png"
alt="Functions contained in the binary a.k.a. Symbol Tree" />
<figcaption aria-hidden="true">Functions contained in the binary a.k.a.
Symbol Tree</figcaption>
</figure>
</section>
<section class="slide level1">
<h3 id="conditions-comparisions">Conditions & Comparisions</h3>
<p><img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto"></p>
<p>Input is compared to a hard coded string</p>
</section>
<section class="slide level1">
<h3 id="function-graph">Function Graph</h3>
<p><img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto"></p>
<p>Take a look at the flow graph of functions</p>
</section>
<section class="slide level1">
<h3 id="strings">Strings</h3>
<p><img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p>
<p>Strings can not only be located in data but also in other code
segments, sometimes obfuscated</p>
</section>
<section class="slide level1">
<h3 id="strings-1">Strings</h3>
<figure>
<img data-src="./images/defined-strings.png" alt="An old friend" />
<figcaption aria-hidden="true">An old friend</figcaption>
</figure>
</section>
<section class="slide level1">
<h3 id="do-it-yourselves">Do It Yourselves!</h3>
<ul>
<li class="fragment"><a href="https://ghidra-sre.org/">Download
Ghidra</a></li>
<li class="fragment"><a href="https://crackmes.one">Download binaries at
crackmes.one</a></li>
<li class="fragment"><a href="https://hackthebox.eu">Find more binaries
on hackthebox</a></li>
<li class="fragment"><a href="https://tryhackme.com">Or Find even more
on tryhackme</a></li>
<li class="fragment">Download firmware of your favorite IoT
appliances</li>
</ul>
</section>
<section class="slide level1">
<h2 id="a-word-on-binary-obfuscation">A Word On Binary Obfuscation</h2>
<p>Software Obfuscation was born in 1984 at the <a
href="https://ioccc.org/">International Obfuscated C Code
Contest</a></p>
<p><img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto"></p>
</section>
<section class="slide level1">
<h3 id="what-exactly-might-be-obfuscated-in-your-code">What Exactly
might be Obfuscated in Your Code?</h3>
<section>
<a
href="https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf">Layered
obfuscation: a taxonomy of software obfuscation techniques for layered
security by Hui Xu et. al</a>
</section>
<section>
<ul>
<li class="fragment">Code Element Layers
<ul>
<li class="fragment">Layout</li>
<li class="fragment">Controls</li>
<li class="fragment">Data</li>
<li class="fragment">Methods</li>
<li class="fragment">Classes</li>
</ul></li>
</ul>
</section>
<section>
<ul>
<li class="fragment">Component
<ul>
<li class="fragment">Library Calls</li>
<li class="fragment">Used Resources</li>
</ul></li>
<li class="fragment">Application Layer
<ul>
<li class="fragment">DRM System</li>
<li class="fragment">Neural Networks</li>
</ul></li>
</ul>
</section>
</section>
<section class="slide level1">
<h2 id="techniques-of-obfuscation">Techniques of Obfuscation</h2>
</section>
<section class="slide level1">
<h3 id="splitting-merging-of-strings">Splitting & Merging of
Strings</h3>
<div class="sourceCode" id="cb1"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="ex">a</span> = <span class="st">"BABE"</span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a><span class="ex">b</span> = <span class="st">"CAFFEE"</span></span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="ex">f</span><span class="st">"{b}{a}"</span></span></code></pre></div>
<p><a href="https://github.com/mandiant/flare-floss/">String
Deobfuscation with FLOSS</a></p>
</section>
<section class="slide level1">
<h2 id="packing">Packing</h2>
<div class="sourceCode" id="cb2"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a> <span class="ex">ooooo</span> ooo ooooooooo. ooooooo ooooo</span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">888</span><span class="st">' `8'</span> <span class="kw">`</span>888 <span class="kw">`</span><span class="ex">Y88.</span> <span class="kw">`</span>8888 d8<span class="st">'</span></span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a><span class="st"> 888 8 888 .d88'</span> Y888..8P</span>
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a> <span class="ex">888</span> 8 888ooo88P<span class="st">' `8888'</span></span>
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a> <span class="ex">888</span> 8 888 .8PY888.</span>
<span id="cb2-6"><a href="#cb2-6" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">88.</span> .8<span class="st">' 888 d8'</span> <span class="kw">`</span>888b</span>
<span id="cb2-7"><a href="#cb2-7" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">YbodP</span><span class="st">' o888o o888o o88888o</span></span></code></pre></div>
<p><a href="https://upx.github.io/">UPX Packer/Unpacker</a></p>
</section>
<section class="slide level1">
<h3 id="mangling">Mangling</h3>
<section>
<pre><code data-trim data-noescape>
c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
</code></pre>
</section>
<section>
<a href="https://demangler.io/" alt="demangler">Online Demangler</a>
</section>
</section>
<section class="slide level1">
<h3 id="code-elements">Code Elements</h3>
<ul>
<li class="fragment">Adding Unnecessary Instructions</li>
<li class="fragment">Changing Control Flows</li>
<li class="fragment">Protecting Data</li>
</ul>
<p><img src="./images/spaghetti.jpg" alt="Convoluted Code" width="30%" height="30%"></p>
</section>
<section class="slide level1">
<h3 id="deobfuscation-tools">Deobfuscation Tools</h3>
<ul>
<li class="fragment">DotNet
<ul>
<li class="fragment"><a href="https://github.com/de4dot/de4dot">de4dot
Deobfuscator and Unpacker</a></li>
<li class="fragment"><a href="https://github.com/dnSpy/dnSpy">dnSpy
Debugger and Assembly Editor</a></li>
<li class="fragment"><a
href="https://github.com/icsharpcode/ILSpy">ILSpy Decompiler instead of
Ghidra</a></li>
</ul></li>
</ul>
</section>
</div>
</div>
<script src="https://unpkg.com/reveal.js@^4//dist/reveal.js"></script>
<!-- reveal.js plugins -->
<script src="https://unpkg.com/reveal.js@^4//plugin/notes/notes.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/search/search.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/zoom/zoom.js"></script>
<script>
// Full list of configuration options available at:
// https://revealjs.com/config/
Reveal.initialize({
// Display controls in the bottom right corner
controls: true,
// Help the user learn the controls by providing hints, for example by
// bouncing the down arrow when they first encounter a vertical slide
controlsTutorial: true,
// Determines where controls appear, "edges" or "bottom-right"
controlsLayout: 'bottom-right',
// Visibility rule for backwards navigation arrows; "faded", "hidden"
// or "visible"
controlsBackArrows: 'faded',
// Display a presentation progress bar
progress: true,
// Display the page number of the current slide
slideNumber: false,
// 'all', 'print', or 'speaker'
showSlideNumber: 'all',
// Add the current slide number to the URL hash so that reloading the
// page/copying the URL will return you to the same slide
hash: true,
// Start with 1 for the hash rather than 0
hashOneBasedIndex: false,
// Flags if we should monitor the hash and change slides accordingly
respondToHashChanges: true,
// Push each slide change to the browser history
history: false,
// Enable keyboard shortcuts for navigation
keyboard: true,
// Enable the slide overview mode
overview: true,
// Disables the default reveal.js slide layout (scaling and centering)
// so that you can use custom CSS layout
disableLayout: false,
// Vertical centering of slides
center: true,
// Enables touch navigation on devices with touch input
touch: true,
// Loop the presentation
loop: false,
// Change the presentation direction to be RTL
rtl: false,
// see https://revealjs.com/vertical-slides/#navigation-mode
navigationMode: 'default',
// Randomizes the order of slides each time the presentation loads
shuffle: false,
// Turns fragments on and off globally
fragments: true,
// Flags whether to include the current fragment in the URL,
// so that reloading brings you to the same fragment position
fragmentInURL: true,
// Flags if the presentation is running in an embedded mode,
// i.e. contained within a limited portion of the screen
embedded: false,
// Flags if we should show a help overlay when the questionmark
// key is pressed
help: true,
// Flags if it should be possible to pause the presentation (blackout)
pause: true,
// Flags if speaker notes should be visible to all viewers
showNotes: false,
// Global override for autoplaying embedded media (null/true/false)
autoPlayMedia: null,
// Global override for preloading lazy-loaded iframes (null/true/false)
preloadIframes: null,
// Number of milliseconds between automatically proceeding to the
// next slide, disabled when set to 0, this value can be overwritten
// by using a data-autoslide attribute on your slides
autoSlide: 0,
// Stop auto-sliding after user input
autoSlideStoppable: true,
// Use this method for navigation when auto-sliding
autoSlideMethod: null,
// Specify the average time in seconds that you think you will spend
// presenting each slide. This is used to show a pacing timer in the
// speaker view
defaultTiming: null,
// Enable slide navigation via mouse wheel
mouseWheel: false,
// The display mode that will be used to show slides
display: 'block',
// Hide cursor if inactive
hideInactiveCursor: true,
// Time before the cursor is hidden (in ms)
hideCursorTime: 5000,
// Opens links in an iframe preview overlay
previewLinks: false,
// Transition style (none/fade/slide/convex/concave/zoom)
transition: 'slide',
// Transition speed (default/fast/slow)
transitionSpeed: 'default',
// Transition style for full page slide backgrounds
// (none/fade/slide/convex/concave/zoom)
backgroundTransition: 'fade',
// Number of slides away from the current that are visible
viewDistance: 3,
// Number of slides away from the current that are visible on mobile
// devices. It is advisable to set this to a lower number than
// viewDistance in order to save resources.
mobileViewDistance: 2,
// reveal.js plugins
plugins: [
RevealNotes,
RevealSearch,
RevealZoom
]
});
</script>
</body>
</html>