<div class="reveal">
<div class="slides">
<section id="title-slide">
<h1 class="title">Introduction to Reverse Engineering</h1>
<p class="author">Stefan Friese</p>
<p class="date">02 November, 2023</p>
<section id="topics" class="slide level1">
<li class="fragment">Effective Reverse Engineering</li>
<li class="fragment">Reversing with Ghidra</li>
<section class="slide level1">
<h2 id="how-do-you-reverse">How Do You Reverse</h2>
<p>Reverse Engineering demands a lot of knowledge in multiple
<p><strong>Some topics are</strong></p>
<li class="fragment">Assembly Language</li>
<li class="fragment">ANSI C</li>
<li class="fragment">Other Languages</li>
<li class="fragment">Syscalls</li>
<li class="fragment">Cryptography</li>
<section class="slide level1">
<p>How do you reverse engineer without knowing little about these
<section class="slide level1">
<h2 id="reversing-is-work">Reversing is Work</h2>
<p>Work is the product of power and time.<br />
<code>P</code> is your power to solve an issue.</p>
<p><code>W = P x t</code></p>
<p>The smarter you tackle work, the less time you need to solve an
<section class="slide level1">
<h2 id="knowledge-is-a-map">Knowledge is a Map</h2>
<p>You conveniently drive around the city using the underground. That's
how you get to know the main spots of the city.</p>
<p><img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto"></p>
<section class="slide level1">
<h2 id="knowledge-is-a-map-1">Knowledge is a Map</h2>
<p>Invest some time and explore deeper on foot. That's how you get to
know the back alleys.</p>
<p><img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto"></p>
<section id="ghidra-an-overview" class="slide level1">
<h1>Ghidra: An Overview</h1>
<section class="slide level1">
<img data-src="./images/Ghidra-Overview.png"
alt="Main View of Ghidra" />
<figcaption aria-hidden="true">Main View of Ghidra</figcaption>
<section class="slide level1">
<h2 id="watch-out-for-low-hanging-fruits">Watch Out for Low Hanging
<section class="slide level1">
<li class="fragment">Data Segment</li>
<li class="fragment">Names of Functions</li>
<li class="fragment">Conditions &amp; Comparisons</li>
<li class="fragment">Strings: Usernames, Passwords</li>
<li class="fragment">URLs, IP &amp; Port Numbers</li>
<p><strong>Do not try to understand the whole code at once; it will only
drive you mad.</strong></p>
<section class="slide level1">
<h3 id="data-segments">Data Segments</h3>
<p><img src="./images/data-segments.png" alt="A look into the read only data segment" width="70%" height="auto"></p>
<p>A look into the read-only data segment</p>
<section class="slide level1">
<h3 id="name-of-functions">Names of Functions</h3>
<img data-src="./images/symbol-tree.png"
alt="Functions contained in the binary a.k.a. Symbol Tree" />
<figcaption aria-hidden="true">Functions contained in the binary a.k.a.
Symbol Tree</figcaption>
<section class="slide level1">
<h3 id="conditions-comparisions">Conditions &amp; Comparisons</h3>
<p><img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto"></p>
<p>Input is compared to a hard-coded string</p>
<section class="slide level1">
<h3 id="function-graph">Function Graph</h3>
<p><img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto"></p>
<p>Take a look at the flow graph of functions</p>
<section class="slide level1">
<h3 id="strings">Strings</h3>
<p><img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p>
<p>Strings can be located not only in the data segment but also in code
segments, sometimes obfuscated</p>
<section class="slide level1">
<h3 id="strings-1">Strings</h3>
<img data-src="./images/defined-strings.png" alt="An old friend" />
<figcaption aria-hidden="true">An old friend</figcaption>
<section class="slide level1">
<h3 id="binary-patching">Binary Patching</h3>
<p>Bypass any undesirable condition via a <code>NOP</code>
<p><img src="./images/nop.jpg" alt="NOP, export your patched binary" width="30%" height="auto"></p>
<p>NOP, export your patched binary</p>
<section class="slide level1">
<h3 id="do-it-yourselves">Do It Yourselves!</h3>
<li class="fragment"><a href="">Download
<li class="fragment"><a href="">Download binaries at</a></li>
<li class="fragment"><a href="">Find more binaries
on hackthebox</a></li>
<li class="fragment"><a href="">Or find even more
on tryhackme</a></li>
<li class="fragment">Download firmware of your favorite IoT
<section class="slide level1">
<h2 id="a-word-on-binary-obfuscation">A Word On Binary Obfuscation</h2>
<p>Software Obfuscation was born in 1984 at the <a
href="">International Obfuscated C Code
<p><img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto"></p>
<section class="slide level1">
<h3 id="what-exactly-might-be-obfuscated-in-your-code">What Exactly
might be Obfuscated in Your Code?</h3>
obfuscation: a taxonomy of software obfuscation techniques for layered
security by Hui Xu et al.</a>
<li class="fragment">Code Element Layers
<li class="fragment">Layout</li>
<li class="fragment">Controls</li>
<li class="fragment">Data</li>
<li class="fragment">Methods</li>
<li class="fragment">Classes</li>
<li class="fragment">Component
<li class="fragment">Library Calls</li>
<li class="fragment">Used Resources</li>
<li class="fragment">Application Layer
<li class="fragment">DRM System</li>
<li class="fragment">Neural Networks</li>
<section class="slide level1">
<h2 id="techniques-of-obfuscation">Techniques of Obfuscation</h2>
<section class="slide level1">
<h3 id="splitting-merging-of-strings">Splitting &amp; Merging of
<div class="sourceCode" id="cb1"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="ex">a</span> = <span class="st">&quot;BABE&quot;</span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a><span class="ex">b</span> = <span class="st">&quot;CAFFEE&quot;</span></span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="ex">f</span><span class="st">&quot;{b}{a}&quot;</span></span></code></pre></div>
<p><a href="">String
Deobfuscation with FLOSS</a></p>
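<p>Why a split string escapes a plain strings scan, and how it can still be recovered, as an added example that is not part of the original slides. It assumes the simplest case: each character is written to the stack with <code>mov byte ptr [rbp+disp8], imm8</code>; the sample bytes and all function names are constructed for this illustration, and the pattern scan is a simplification, not how FLOSS is implemented.</p>

```python
# Added example: recover a string split into single-byte stack writes.
# x86-64 `mov byte ptr [rbp+disp8], imm8` encodes as C6 45 <disp8> <imm8>.
MOV_BYTE_RBP = b"\xc6\x45"


def build_sample(secret: str, base: int = -0x20) -> bytes:
    """Constructed code: prologue, one byte store per character, epilogue."""
    code = bytearray(b"\x55\x48\x89\xe5")           # push rbp; mov rbp, rsp
    # Emit the stores out of order, as an obfuscator might.
    for i in sorted(range(len(secret)), key=lambda i: (i % 3, i)):
        code += MOV_BYTE_RBP + bytes([(base + i) & 0xFF, ord(secret[i])])
    return bytes(code + b"\xc9\xc3")                # leave; ret


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """What a plain strings-style scan reports: runs of printable ASCII."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                        # sentinel flushes last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur.clear()
    return runs


def stack_strings(code: bytes, min_len: int = 4) -> list[str]:
    """Collect the byte stores, order them by stack offset, join neighbours."""
    writes, i = {}, 0
    while i + 4 <= len(code):
        if code[i:i + 2] == MOV_BYTE_RBP:
            disp = int.from_bytes(code[i + 2:i + 3], "little", signed=True)
            writes[disp] = code[i + 3]
            i += 4
        else:
            i += 1                                  # naive scan, no disassembler
    found, cur, prev = [], bytearray(), None
    for disp in sorted(writes) + [None]:            # None flushes the last run
        if cur and (disp is None or disp != prev + 1):
            if len(cur) >= min_len:
                found.append(cur.decode("latin-1"))
            cur.clear()
        if disp is not None:
            cur.append(writes[disp])
            prev = disp
    return found


SAMPLE = build_sample("CAFFEE" + "BABE")            # the slide's b + a
```

<p>On the constructed sample, <code>printable_runs</code> finds nothing of length four or more, while <code>stack_strings</code> returns the merged string.</p>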
<section class="slide level1">
<h2 id="packing">Packing</h2>
<p>Compress binary data</p>
<div class="sourceCode" id="cb2"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a>ooooo     ooo ooooooooo.   ooooooo  ooooo</span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a>`888'     `8' `888   `Y88.  `8888    d8'</span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a> 888       8   888   .d88'    Y888..8P</span>
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a> 888       8   888ooo88P'      `8888'</span>
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a> 888       8   888            .8PY888.</span>
<span id="cb2-6"><a href="#cb2-6" aria-hidden="true" tabindex="-1"></a> `88.    .8'   888           d8'  `888b</span>
<span id="cb2-7"><a href="#cb2-7" aria-hidden="true" tabindex="-1"></a>   `YbodP'    o888o        o888o  o88888o</span></code></pre></div>
<p><a href="">UPX Packer/Unpacker</a></p>
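<p>Because packing compresses the binary's data, packed regions show up as high-entropy bytes. The check below is an added example, not part of the original slides: it scores sections by Shannon entropy and looks for the <code>UPX</code> section-name prefix and <code>UPX!</code> marker. The section contents are constructed stand-ins, and the 7.2 threshold and function names are assumptions made for this illustration.</p>

```python
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (constant) up to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(sections: dict[str, bytes], threshold: float = 7.2) -> dict[str, str]:
    """Label each section; the threshold is a heuristic chosen for this example."""
    verdicts = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        if name.startswith("UPX") or b"UPX!" in data:
            verdicts[name] = f"UPX marker, entropy {h:.2f}"
        elif h >= threshold:
            verdicts[name] = f"likely packed or encrypted, entropy {h:.2f}"
        else:
            verdicts[name] = f"plain, entropy {h:.2f}"
    return verdicts


# Constructed stand-ins for section contents (not taken from a real binary).
PLAIN = "".join(
    f"user{i}: login attempt {i * 7919 % 10007}\n" for i in range(4000)
).encode()
SAMPLE = {
    ".rodata": PLAIN,                              # readable strings
    ".packed": zlib.compress(PLAIN, 9),            # same data, compressed
    "UPX1": b"UPX!" + zlib.compress(PLAIN, 9),     # compressed, with marker
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name:8} {verdict}")
```

<p>High entropy alone does not identify the packer; encrypted or already-compressed resources score the same, so treat it as a prompt to look for an unpacking stub.</p>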
<section class="slide level1">
<h2 id="mangling">Mangling</h2>
Symbol names in compiled code are encoded so that functions and data that have the same name stay distinguishable
<pre><code data-trim data-noescape>
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
<a href="" alt="demangler">Online Demangler</a>
<section class="slide level1">
<h2 id="code-elements">Code Elements</h2>
<li class="fragment">Adding Unnecessary Instructions</li>
<li class="fragment">Changing Control Flows</li>
<li class="fragment">Protecting Data</li>
<p><img src="./images/spaghetti.jpg" alt="Convoluted Code" width="26%" height="auto"></p>
<section class="slide level1">
<h3 id="deobfuscation-tools">Deobfuscation Tools</h3>
<li class="fragment">DotNet
<li class="fragment"><a href="">de4dot
Deobfuscator and Unpacker</a></li>
<li class="fragment"><a href="">dnSpy
Debugger and Assembly Editor</a></li>
<li class="fragment"><a
href="">ILSpy Decompiler instead of
<section id="the-end" class="slide level1">
<h1>The End</h1>
