presentations/introduction-to-reverse-eng.../reverse_engineering.md

255 lines
5.1 KiB
Markdown

% Introduction to Reverse Engineering
% Stefan Friese
% 02 November, 2023
---
# Topics
* Effective Reverse Engineering
* Reversing with Ghidra
---
## How Do You Reverse
Reverse Engineering demands a lot of knowledge in multiple fields.
**Some topics are**
* Assembly Language
* ANSI C
* Other Languages
* Syscalls
* Cryptography
---
How do you reverse engineer without knowing little about these topics?
---
## Reversing is Work
Work is a product of power by time.
`P` is your power to solve an issue.
`W = P x t`
The smarter you tackle work, the less time you need to solve an issue.
---
## Knowledge is a Map
You conventiently drive around the city using the underground.
That's how you get to know the main spots of the city.
<img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto">
---
## Knowledge is a Map
Invest some time and explore deeper on foot.
That's how you get to know the back alleys.
<img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto">
---
# Ghidra -- an Overview
---
![Main View of Ghidra](./images/Ghidra-Overview.png)
---
## Watch Out for Low Hanging Fruits
---
* Data Segment
* Names of Functions
* Conditions & Comparisons
* Strings: Usernames, Passwords
* URLs, IP & Port Numbers
**Do not try to understand the whole code at once, it will only drive you mad.**
---
### Data Segments
<img src="./images/data-segments.png" alt="A look into the read only data segment" width="70%" height="auto">
A look into the read only data segment
---
### Name of Functions
![Functions contained in the binary a.k.a. Symbol Tree](./images/symbol-tree.png)
---
### Conditions & Comparisions
<img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto">
Input is compared to a hard coded string
---
### Function Graph
<img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto">
Take a look at the flow graph of functions
---
### Strings
<img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto">
Strings can not only be located in data but also in other code segments, sometimes obfuscated
---
### Strings
![An old friend](./images/defined-strings.png)
---
### Binary Patching
Bypass any undesireable condition via a `NOP` instruction.
<img src="./images/nop.jpg" alt="NOP, export your patched binary" width="30%" height="auto">
NOP, export your patched binary
---
### Do It Yourselves!
* [Download Ghidra](https://ghidra-sre.org/)
* [Download binaries at crackmes.one](https://crackmes.one)
* [Find more binaries on hackthebox](https://hackthebox.eu)
* [Or Find even more on tryhackme](https://tryhackme.com)
* Download firmware of your favorite IoT appliances
---
## A Word On Binary Obfuscation
Software Obfuscation was born in 1984 at the [International Obfuscated C Code Contest](https://ioccc.org/)
<img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto">
---
### What Exactly might be Obfuscated in Your Code?
<section>
[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
</section>
<section>
* Code Element Layers
* Layout
* Controls
* Data
* Methods
* Classes
</section>
<section>
* Component
* Library Calls
* Used Resources
* Application Layer
* DRM System
* Neural Networks
</section>
---
## Techniques of Obfuscation
---
### Splitting & Merging of Strings
```sh
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
```
[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/)
---
## Packing
Compress binary data
```sh
ooooo ooo ooooooooo. ooooooo ooooo
`888' `8' `888 `Y88. `8888 d8'
888 8 888 .d88' Y888..8P
888 8 888ooo88P' `8888'
888 8 888 .8PY888.
`88. .8' 888 d8' `888b
`YbodP' o888o o888o o88888o
```
[UPX Packer/Unpacker](https://upx.github.io/)
---
## Mangling
Library symbols in compiled code for data that have the same name
<section>
<pre><code data-trim data-noescape>
c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
</code></pre></section>
<section><a href="https://demangler.io/" alt="demangler">Online Demangler</a></section>
---
## Code Elements
* Adding Unnecessary Instructions
* Changing Control Flows
* Protecting Data
<img src="./images/spaghetti.jpg" alt="Convoluted Code" width="26%" height="auto%">
---
### Deobfuscation Tools
* DotNet
* [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot)
* [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy)
* [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)
---
# The End