% Introduction to Reverse Engineering
% Stefan Friese
% 02 November, 2023

---

# Topics

* Effective Reverse Engineering
* Reversing with Ghidra

---

## How Do You Reverse

Reverse engineering demands a lot of knowledge in multiple fields.

**Some topics are**

* Assembly Language
* ANSI C
* Other Languages
* Syscalls
* Cryptography

---

How do you reverse engineer when you know only a little about these topics?

---

## Reversing is Work

Work is the product of power and time. `P` is your power to solve an issue.

`W = P x t`

The smarter you tackle the work, the less time you need to solve an issue.

---

## Knowledge is a Map

You conveniently get around the city using the underground. That's how you get to know the main spots of the city.

London Underground

---

## Knowledge is a Map

Invest some time and explore deeper on foot. That's how you get to know the back alleys.

London by Foot

---

# Ghidra -- an Overview

---

![Main View of Ghidra](./images/Ghidra-Overview.png)

---

## Watch Out for Low-Hanging Fruit

---

* Data Segment
* Names of Functions
* Conditions & Comparisons
* Strings: Usernames, Passwords
* URLs, IP & Port Numbers

**Do not try to understand the whole code at once, it will only drive you mad.**

---

### Data Segments

A look into the read-only data segment

---

### Names of Functions

![Functions contained in the binary a.k.a. Symbol Tree](./images/symbol-tree.png)

---

### Conditions & Comparisons

Input is compared to a hard-coded string

---

### Function Graph

Take a look at the flow graph of functions

---

### Strings

Open the Defined Strings window

Strings are not only found in the data segment: they can also sit in code segments, be assembled at runtime, or be stored encoded, so a scan of Defined Strings is a start, not the whole story

---

### Strings

![An old friend](./images/defined-strings.png)

---

### Binary Patching

Bypass an undesirable check by overwriting its conditional jump with `NOP` instructions (`0x90` on x86; right-click the instruction in the listing and choose Patch Instruction). Patch the jump only: NOPing more than that can remove side effects the rest of the program relies on.
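If you would rather apply the patch with a script than through Ghidra's exporter, here is an added example (not from the deck) that performs the NOP-out and its usual alternative, flipping `je` to `jne`. It assumes x86 short-jump encodings (`74`/`75` followed by an 8-bit displacement, `90` for `NOP`), a file offset you have already derived from the address in Ghidra's listing, and a constructed byte sequence standing in for the compare-and-branch a crackme would contain:

```python
"""Scripted binary patching, the two usual ways.

Added example, not from the slides. Assumes x86: 0x90 is NOP, 0x74/0x75
are the short je/jne opcodes followed by an 8-bit displacement. Offsets
are FILE offsets: translate the address Ghidra shows before using them.
"""
from pathlib import Path

NOP = 0x90
JE_SHORT = 0x74
JNE_SHORT = 0x75


def matches(data: bytes, offset: int, expected: bytes) -> bool:
    """True if `expected` is exactly what sits at `offset` (guards against a wrong offset)."""
    return data[offset:offset + len(expected)] == expected


def nop_out(data: bytes, offset: int, expected: bytes) -> bytes:
    """Replace `expected` at `offset` with the same number of NOPs.

    Refuses to patch when the bytes do not match, so a miscounted offset
    cannot silently corrupt unrelated code.
    """
    if not matches(data, offset, expected):
        found = data[offset:offset + len(expected)].hex()
        raise ValueError(f"bytes at {offset:#x} are {found}, expected {expected.hex()}")
    return data[:offset] + bytes([NOP]) * len(expected) + data[offset + len(expected):]


def invert_short_jcc(data: bytes, offset: int) -> bytes:
    """Turn a short je into jne (or vice versa): one opcode byte, displacement untouched."""
    flip = {JE_SHORT: JNE_SHORT, JNE_SHORT: JE_SHORT}
    opcode = data[offset]
    if opcode not in flip:
        raise ValueError(f"no short je/jne at {offset:#x}, found {opcode:#04x}")
    return data[:offset] + bytes([flip[opcode]]) + data[offset + 1:]


def patch_file(path: Path, offset: int, expected: bytes) -> Path:
    """NOP out a check in a file on disk; the untouched original is kept as <file>.bak."""
    data = path.read_bytes()
    backup = path.with_name(path.name + ".bak")
    backup.write_bytes(data)
    path.write_bytes(nop_out(data, offset, expected))
    return backup


# Constructed sample (hypothetical, not taken from any real binary): the
# compare-and-branch a crackme leaves behind after strcmp() returned in eax.
#   85 c0             test eax, eax
#   75 06             jne  fail        <- the check we want to defeat
#   b8 01 00 00 00    mov  eax, 1      ; success path
#   c3                ret
#   31 c0       fail: xor  eax, eax    ; failure path
#   c3                ret
SAMPLE = bytes.fromhex("85c0 7506 b801000000 c3 31c0 c3")
JNE_OFFSET = 2

if __name__ == "__main__":
    print(nop_out(SAMPLE, JNE_OFFSET, b"\x75\x06").hex(" "))
    print(invert_short_jcc(SAMPLE, JNE_OFFSET).hex(" "))
```

The `expected` check is the part worth keeping: the script refuses to write when the offset is off by even one byte. `invert_short_jcc` changes a single opcode rather than two bytes, which keeps the branch target intact when you want the failure path to become the success path instead of falling through. Neither patch touches checksums or signatures, so a self-verifying binary still needs those handled separately.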
NOP, export your patched binary

---

### Do It Yourself!

* [Download Ghidra](https://ghidra-sre.org/)
* [Download binaries at crackmes.one](https://crackmes.one)
* [Find more binaries on Hack The Box](https://hackthebox.eu)
* [Or find even more on TryHackMe](https://tryhackme.com)
* Download firmware of your favorite IoT appliances

---

## A Word on Binary Obfuscation

Software obfuscation has been a sport since 1984, when the [International Obfuscated C Code Contest](https://ioccc.org/) started

A donut-shaped C source that compiles to a spinning ASCII donut (donut.c by Andy Sloane)

---

### What Exactly Might Be Obfuscated in Your Code?
[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et al.](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
* Code Element Layer
  * Layout
  * Controls
  * Data
  * Methods
  * Classes
* Component Layer
  * Library Calls
  * Used Resources
* Application Layer
  * DRM System
  * Neural Networks
---

## Techniques of Obfuscation

---

### Splitting & Merging of Strings

The sensitive string is stored in pieces and only put together at runtime, so `strings` and the Defined Strings window show the fragments, never the whole

```python
a = "BABE"
b = "CAFFEE"
f"{b}{a}"  # "CAFFEEBABE" exists only at runtime; the binary holds the two halves
```

[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/)

---

## Packing

A packer compresses (and often encrypts) the original binary and prepends a small stub that unpacks it in memory at start-up, so the code Ghidra sees on disk is the stub, not the program. High-entropy sections and a nearly empty import table are the usual giveaways

```text
ooooo ooo ooooooooo.   ooooooo  ooooo
`888' `8' `888   `Y88.  `8888    d8'
 888   8   888   .d88'    Y888..8P
 888   8   888ooo88P'      `8888'
 888   8   888            .8PY888.
 `88. .8'  888           d8'  `888b
  `YbodP' o888o         o888o  o88888o
```

[UPX Packer/Unpacker](https://upx.github.io/)

---

## Mangling

C++ compilers encode namespace, class and parameter types into every symbol name so that overloaded functions sharing one name get distinct symbols. The result is unreadable in the Symbol Tree until it is demangled, e.g. with `c++filt`

```sh
$ c++filt _ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long)
```

An online demangler gives the same result if `c++filt` is not at hand
---

## Code Elements

* Adding Unnecessary Instructions
* Changing Control Flows
* Protecting Data

Convoluted Code

---

### Deobfuscation Tools

* .NET
  * [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot)
  * [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy)
  * [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)

---

# The End