stefan
/
presentations
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
presentations/introduction-to-reverse-eng.../presentation.html

525 lines
20 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="author" content="Stefan Friese">
<title>Introduction to Reverse Engineering</title>
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reset.css">
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reveal.css">
<style>
.reveal .sourceCode { /* see #7635 */
overflow: visible;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
/* CSS for syntax highlighting */
pre > code.sourceCode { white-space: pre; position: relative; }
pre > code.sourceCode > span { line-height: 1.25; }
pre > code.sourceCode > span:empty { height: 1.2em; }
.sourceCode { overflow: visible; }
code.sourceCode > span { color: inherit; text-decoration: inherit; }
div.sourceCode { margin: 1em 0; }
pre.sourceCode { margin: 0; }
@media screen {
div.sourceCode { overflow: auto; }
}
@media print {
pre > code.sourceCode { white-space: pre-wrap; }
pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
}
pre.numberSource code
{ counter-reset: source-line 0; }
pre.numberSource code > span
{ position: relative; left: -4em; counter-increment: source-line; }
pre.numberSource code > span > a:first-child::before
{ content: counter(source-line);
position: relative; left: -1em; text-align: right; vertical-align: baseline;
border: none; display: inline-block;
-webkit-touch-callout: none; -webkit-user-select: none;
-khtml-user-select: none; -moz-user-select: none;
-ms-user-select: none; user-select: none;
padding: 0 4px; width: 4em;
color: #aaaaaa;
}
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
div.sourceCode
{ }
@media screen {
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
}
code span.al { color: #ff0000; font-weight: bold; } /* Alert */
code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
code span.at { color: #7d9029; } /* Attribute */
code span.bn { color: #40a070; } /* BaseN */
code span.bu { color: #008000; } /* BuiltIn */
code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
code span.ch { color: #4070a0; } /* Char */
code span.cn { color: #880000; } /* Constant */
code span.co { color: #60a0b0; font-style: italic; } /* Comment */
code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
code span.do { color: #ba2121; font-style: italic; } /* Documentation */
code span.dt { color: #902000; } /* DataType */
code span.dv { color: #40a070; } /* DecVal */
code span.er { color: #ff0000; font-weight: bold; } /* Error */
code span.ex { } /* Extension */
code span.fl { color: #40a070; } /* Float */
code span.fu { color: #06287e; } /* Function */
code span.im { color: #008000; font-weight: bold; } /* Import */
code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
code span.kw { color: #007020; font-weight: bold; } /* Keyword */
code span.op { color: #666666; } /* Operator */
code span.ot { color: #007020; } /* Other */
code span.pp { color: #bc7a00; } /* Preprocessor */
code span.sc { color: #4070a0; } /* SpecialChar */
code span.ss { color: #bb6688; } /* SpecialString */
code span.st { color: #4070a0; } /* String */
code span.va { color: #19177c; } /* Variable */
code span.vs { color: #4070a0; } /* VerbatimString */
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
</style>
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/dracula.css" id="theme">
</head>
<body>
<div class="reveal">
<div class="slides">
<section id="title-slide">
<h1 class="title">Introduction to Reverse Engineering</h1>
<p class="author">Stefan Friese</p>
<p class="date">02 November, 2023</p>
</section>
<section id="topics" class="slide level1">
<h1>Topics</h1>
<ul>
<li class="fragment">Effective Reverse Engineering</li>
<li class="fragment">Reversing with Ghidra</li>
</ul>
</section>
<section class="slide level1">
<h2 id="how-do-you-reverse">How Do You Reverse</h2>
<p>Reverse Engineering demands a lot of knowledge in multiple
fields.</p>
<p><strong>Some topics are</strong></p>
<ul>
<li class="fragment">Assembly Language</li>
<li class="fragment">ANSI C</li>
<li class="fragment">Other Languages</li>
<li class="fragment">Syscalls</li>
<li class="fragment">Cryptography</li>
</ul>
</section>
<section class="slide level1">
<p>How do you reverse engineer without knowing little about these
topics?</p>
</section>
<section class="slide level1">
<h2 id="reversing-is-work">Reversing is Work</h2>
<p>Work is a product of power by time.<br />
<code>P</code> is your power to solve an issue.</p>
<p><code>W = P x t</code></p>
<p>The smarter you tackle work, the less time you need to solve an
issue.</p>
</section>
<section class="slide level1">
<h2 id="knowledge-is-a-map">Knowledge is a Map</h2>
<p>You conventiently drive around the city using the underground. Thats
how you get to know the main spots of the city.</p>
<p><img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto"></p>
</section>
<section class="slide level1">
<h2 id="knowledge-is-a-map-1">Knowledge is a Map</h2>
<p>Invest some time and explore deeper on foot. Thats how you get to
know the back alleys.</p>
<p><img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto"></p>
</section>
<section id="ghidra-an-overview" class="slide level1">
<h1>Ghidra an Overview</h1>
</section>
<section class="slide level1">
<figure>
<img data-src="./images/Ghidra-Overview.png"
alt="Main View of Ghidra" />
<figcaption aria-hidden="true">Main View of Ghidra</figcaption>
</figure>
</section>
<section class="slide level1">
<h2 id="watch-out-for-low-hanging-fruits">Watch Out for Low Hanging
Fruits</h2>
</section>
<section class="slide level1">
<ul>
<li class="fragment">Data Segment</li>
<li class="fragment">Names of Functions</li>
<li class="fragment">Conditions &amp; Comparisons</li>
<li class="fragment">Strings: Usernames, Passwords</li>
<li class="fragment">URLs, IP &amp; Port Numbers</li>
</ul>
<p><strong>Do not try to understand the whole code at once, it will only
drive you mad.</strong></p>
</section>
<section class="slide level1">
<h3 id="data-segments">Data Segments</h3>
<figure>
<img data-src="./images/data-segments.png"
alt="A look into the read only data segment" />
<figcaption aria-hidden="true">A look into the read only data
segment</figcaption>
</figure>
</section>
<section class="slide level1">
<h3 id="name-of-functions">Name of Functions</h3>
<figure>
<img data-src="./images/symbol-tree.png"
alt="Functions contained in the binary a.k.a. Symbol Tree" />
<figcaption aria-hidden="true">Functions contained in the binary a.k.a.
Symbol Tree</figcaption>
</figure>
</section>
<section class="slide level1">
<h3 id="conditions-comparisions">Conditions &amp; Comparisions</h3>
<p><img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto"></p>
<p>Input is compared to a hard coded string</p>
</section>
<section class="slide level1">
<h3 id="function-graph">Function Graph</h3>
<p><img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto"></p>
<p>Take a look at the flow graph of functions</p>
</section>
<section class="slide level1">
<h3 id="strings">Strings</h3>
<p><img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto"></p>
<p>Strings can not only be located in data but also in other code
segments, sometimes obfuscated</p>
</section>
<section class="slide level1">
<h3 id="strings-1">Strings</h3>
<figure>
<img data-src="./images/defined-strings.png" alt="An old friend" />
<figcaption aria-hidden="true">An old friend</figcaption>
</figure>
</section>
<section class="slide level1">
<h3 id="do-it-yourselves">Do It Yourselves!</h3>
<ul>
<li class="fragment"><a href="https://ghidra-sre.org/">Download
Ghidra</a></li>
<li class="fragment"><a href="https://crackmes.one">Download binaries at
crackmes.one</a></li>
<li class="fragment"><a href="https://hackthebox.eu">Find more binaries
on hackthebox</a></li>
<li class="fragment"><a href="https://tryhackme.com">Or Find even more
on tryhackme</a></li>
<li class="fragment">Download firmware of your favorite IoT
appliances</li>
</ul>
</section>
<section class="slide level1">
<h2 id="a-word-on-binary-obfuscation">A Word On Binary Obfuscation</h2>
<p>Software Obfuscation was born in 1984 at the <a
href="https://ioccc.org/">International Obfuscated C Code
Contest</a></p>
<p><img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto"></p>
</section>
<section class="slide level1">
<h3 id="what-exactly-might-be-obfuscated-in-your-code">What Exactly
might be Obfuscated in Your Code?</h3>
<section>
<a
href="https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf">Layered
obfuscation: a taxonomy of software obfuscation techniques for layered
security by Hui Xu et. al</a>
</section>
<section>
<ul>
<li class="fragment">Code Element Layers
<ul>
<li class="fragment">Layout</li>
<li class="fragment">Controls</li>
<li class="fragment">Data</li>
<li class="fragment">Methods</li>
<li class="fragment">Classes</li>
</ul></li>
</ul>
</section>
<section>
<ul>
<li class="fragment">Component
<ul>
<li class="fragment">Library Calls</li>
<li class="fragment">Used Resources</li>
</ul></li>
<li class="fragment">Application Layer
<ul>
<li class="fragment">DRM System</li>
<li class="fragment">Neural Networks</li>
</ul></li>
</ul>
</section>
</section>
<section class="slide level1">
<h2 id="techniques-of-obfuscation">Techniques of Obfuscation</h2>
</section>
<section class="slide level1">
<h3 id="splitting-merging-of-strings">Splitting &amp; Merging of
Strings</h3>
<div class="sourceCode" id="cb1"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="ex">a</span> = <span class="st">&quot;BABE&quot;</span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a><span class="ex">b</span> = <span class="st">&quot;CAFFEE&quot;</span></span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="ex">f</span><span class="st">&quot;{b}{a}&quot;</span></span></code></pre></div>
<p><a href="https://github.com/mandiant/flare-floss/">String
Deobfuscation with FLOSS</a></p>
</section>
<section class="slide level1">
<h2 id="packing">Packing</h2>
<div class="sourceCode" id="cb2"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a> <span class="ex">ooooo</span> ooo ooooooooo. ooooooo ooooo</span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">888</span><span class="st">&#39; `8&#39;</span> <span class="kw">`</span>888 <span class="kw">`</span><span class="ex">Y88.</span> <span class="kw">`</span>8888 d8<span class="st">&#39;</span></span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a><span class="st"> 888 8 888 .d88&#39;</span> Y888..8P</span>
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a> <span class="ex">888</span> 8 888ooo88P<span class="st">&#39; `8888&#39;</span></span>
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a> <span class="ex">888</span> 8 888 .8PY888.</span>
<span id="cb2-6"><a href="#cb2-6" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">88.</span> .8<span class="st">&#39; 888 d8&#39;</span> <span class="kw">`</span>888b</span>
<span id="cb2-7"><a href="#cb2-7" aria-hidden="true" tabindex="-1"></a> <span class="kw">`</span><span class="ex">YbodP</span><span class="st">&#39; o888o o888o o88888o</span></span></code></pre></div>
<p><a href="https://upx.github.io/">UPX Packer/Unpacker</a></p>
</section>
<section class="slide level1">
<h3 id="mangling">Mangling</h3>
<section>
<pre><code data-trim data-noescape>
c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
</code></pre>
</section>
<section>
<a href="https://demangler.io/" alt="demangler">Online Demangler</a>
</section>
</section>
<section class="slide level1">
<h3 id="code-elements">Code Elements</h3>
<ul>
<li class="fragment">Adding Unnecessary Instructions</li>
<li class="fragment">Changing Control Flows</li>
<li class="fragment">Protecting Data</li>
</ul>
<p><img src="./images/spaghetti.jpg" alt="Convoluted Code" width="30%" height="30%"></p>
</section>
<section class="slide level1">
<h3 id="deobfuscation-tools">Deobfuscation Tools</h3>
<ul>
<li class="fragment">DotNet
<ul>
<li class="fragment"><a href="https://github.com/de4dot/de4dot">de4dot
Deobfuscator and Unpacker</a></li>
<li class="fragment"><a href="https://github.com/dnSpy/dnSpy">dnSpy
Debugger and Assembly Editor</a></li>
<li class="fragment"><a
href="https://github.com/icsharpcode/ILSpy">ILSpy Decompiler instead of
Ghidra</a></li>
</ul></li>
</ul>
</section>
</div>
</div>
<script src="https://unpkg.com/reveal.js@^4//dist/reveal.js"></script>
<!-- reveal.js plugins -->
<script src="https://unpkg.com/reveal.js@^4//plugin/notes/notes.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/search/search.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/zoom/zoom.js"></script>
<script>
// Full list of configuration options available at:
// https://revealjs.com/config/
Reveal.initialize({
// Display controls in the bottom right corner
controls: true,
// Help the user learn the controls by providing hints, for example by
// bouncing the down arrow when they first encounter a vertical slide
controlsTutorial: true,
// Determines where controls appear, "edges" or "bottom-right"
controlsLayout: 'bottom-right',
// Visibility rule for backwards navigation arrows; "faded", "hidden"
// or "visible"
controlsBackArrows: 'faded',
// Display a presentation progress bar
progress: true,
// Display the page number of the current slide
slideNumber: false,
// 'all', 'print', or 'speaker'
showSlideNumber: 'all',
// Add the current slide number to the URL hash so that reloading the
// page/copying the URL will return you to the same slide
hash: true,
// Start with 1 for the hash rather than 0
hashOneBasedIndex: false,
// Flags if we should monitor the hash and change slides accordingly
respondToHashChanges: true,
// Push each slide change to the browser history
history: false,
// Enable keyboard shortcuts for navigation
keyboard: true,
// Enable the slide overview mode
overview: true,
// Disables the default reveal.js slide layout (scaling and centering)
// so that you can use custom CSS layout
disableLayout: false,
// Vertical centering of slides
center: true,
// Enables touch navigation on devices with touch input
touch: true,
// Loop the presentation
loop: false,
// Change the presentation direction to be RTL
rtl: false,
// see https://revealjs.com/vertical-slides/#navigation-mode
navigationMode: 'default',
// Randomizes the order of slides each time the presentation loads
shuffle: false,
// Turns fragments on and off globally
fragments: true,
// Flags whether to include the current fragment in the URL,
// so that reloading brings you to the same fragment position
fragmentInURL: true,
// Flags if the presentation is running in an embedded mode,
// i.e. contained within a limited portion of the screen
embedded: false,
// Flags if we should show a help overlay when the questionmark
// key is pressed
help: true,
// Flags if it should be possible to pause the presentation (blackout)
pause: true,
// Flags if speaker notes should be visible to all viewers
showNotes: false,
// Global override for autoplaying embedded media (null/true/false)
autoPlayMedia: null,
// Global override for preloading lazy-loaded iframes (null/true/false)
preloadIframes: null,
// Number of milliseconds between automatically proceeding to the
// next slide, disabled when set to 0, this value can be overwritten
// by using a data-autoslide attribute on your slides
autoSlide: 0,
// Stop auto-sliding after user input
autoSlideStoppable: true,
// Use this method for navigation when auto-sliding
autoSlideMethod: null,
// Specify the average time in seconds that you think you will spend
// presenting each slide. This is used to show a pacing timer in the
// speaker view
defaultTiming: null,
// Enable slide navigation via mouse wheel
mouseWheel: false,
// The display mode that will be used to show slides
display: 'block',
// Hide cursor if inactive
hideInactiveCursor: true,
// Time before the cursor is hidden (in ms)
hideCursorTime: 5000,
// Opens links in an iframe preview overlay
previewLinks: false,
// Transition style (none/fade/slide/convex/concave/zoom)
transition: 'slide',
// Transition speed (default/fast/slow)
transitionSpeed: 'default',
// Transition style for full page slide backgrounds
// (none/fade/slide/convex/concave/zoom)
backgroundTransition: 'fade',
// Number of slides away from the current that are visible
viewDistance: 3,
// Number of slides away from the current that are visible on mobile
// devices. It is advisable to set this to a lower number than
// viewDistance in order to save resources.
mobileViewDistance: 2,
// reveal.js plugins
plugins: [
RevealNotes,
RevealSearch,
RevealZoom
]
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink