% Introduction to Reverse Engineering
% Stefan Friese
% 02 November, 2023

---

# Topics

* Effective Reverse Engineering
* Reversing with Ghidra

---

## How Do You Reverse

Reverse engineering demands a lot of knowledge in multiple fields.

**Some topics are**

* Assembly Language
* ANSI C
* Other Languages
* Syscalls
* Cryptography

---

How do you reverse engineer without knowing at least a little about these topics?

---

## Reversing is Work

Work is the product of power and time.

`P` is your power to solve an issue.

`W = P x t`

The smarter you tackle work, the less time you need to solve an issue.

---

## Knowledge is a Map

You conveniently drive around the city using the underground.

That's how you get to know the main spots of the city.

<img src="./images/london_underground.jpg" alt="London Underground" width="50%" height="auto">

---

## Knowledge is a Map

Invest some time and explore deeper on foot.

That's how you get to know the back alleys.

<img src="./images/london_by_foot.jpg" alt="London by Foot" width="50%" height="auto">

---

# Ghidra -- an Overview

---

![Main View of Ghidra](./images/Ghidra-Overview.png)

---

## Watch Out for Low Hanging Fruits

---

* Data Segment
* Names of Functions
* Conditions & Comparisons
* Strings: Usernames, Passwords
* URLs, IP & Port Numbers

**Do not try to understand the whole code at once; it will only drive you mad.**

---

### Data Segments

<img src="./images/data-segments.png" alt="A look into the read only data segment" width="70%" height="auto">

A look into the read-only data segment

---

### Names of Functions

![Functions contained in the binary a.k.a. Symbol Tree](./images/symbol-tree.png)

---

### Conditions & Comparisons

<img src="./images/decompiled-code.png" alt="Input is Compared to a Hard Coded String" width="50%" height="auto">

Input is compared to a hard-coded string

---

### Function Graph

<img src="./images/function-graph.png" alt="Take a Look at the Flow Graph of Functions" width="50%" height="auto">

Take a look at the flow graph of functions

---

### Strings

<img src="./images/defined-strings-menu.png" alt="Open the Defined Strings Menu" width="50%" height="auto">

Strings can not only be located in data but also in other code segments, sometimes obfuscated.

---

### Strings

![An old friend](./images/defined-strings.png)

---

### Binary Patching

Bypass any undesirable condition via a `NOP` instruction.

<img src="./images/nop.jpg" alt="NOP, export your patched binary" width="30%" height="auto">

NOP, export your patched binary
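Added example, not from the slides: a Python script that compares a pristine image with a patched copy and reports which branch bytes were overwritten with `NOP`, the check a defender runs when a binary's hash no longer matches the vendor's. The sample bytes are constructed, and the `report` and `nop_runs` helpers are my own names, not a Ghidra API.

```python
import hashlib

X86_NOP = 0x90  # single-byte x86 NOP
# Branch opcodes a patch typically overwrites (x86 / x86-64).
BRANCHES = {
    b"\x74": "jz rel8", b"\x75": "jnz rel8", b"\xeb": "jmp rel8",
    b"\x0f\x84": "jz rel32", b"\x0f\x85": "jnz rel32",
}


def diff_bytes(original: bytes, patched: bytes) -> list[tuple[int, int, int]]:
    """(offset, old, new) for every byte that differs between two same-sized images."""
    if len(original) != len(patched):
        raise ValueError("size differs: not an in-place patch")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def nop_runs(diffs: list[tuple[int, int, int]]) -> list[dict]:
    """Merge adjacent bytes overwritten with NOP and name the branch they replaced."""
    runs: list[dict] = []
    for off, old, new in diffs:
        if new != X86_NOP:
            continue
        if runs and runs[-1]["offset"] + len(runs[-1]["original"]) == off:
            runs[-1]["original"] += bytes([old])
        else:
            runs.append({"offset": off, "original": bytes([old])})
    for run in runs:
        orig = run["original"]
        run["was"] = next((n for op, n in BRANCHES.items() if orig.startswith(op)), "unknown")
    return runs


def report(original: bytes, patched: bytes) -> dict:
    """Integrity view: hashes of both images, byte deltas, and NOPed branches."""
    diffs = diff_bytes(original, patched)
    return {
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_patched": hashlib.sha256(patched).hexdigest(),
        "changed_bytes": len(diffs),
        "nop_runs": nop_runs(diffs),
    }


# Constructed sample (not a real binary): call, test eax, `jnz` to the failure
# path, success block, failure block. The patched copy has the jnz NOPed out.
ORIGINAL = bytes.fromhex("48 89 e7 e8 00 00 00 00 85 c0 75 06 b8 01 00 00 00 c3 b8 00 00 00 00 c3")
PATCHED = ORIGINAL[:10] + b"\x90\x90" + ORIGINAL[12:]

if __name__ == "__main__":
    print(report(ORIGINAL, PATCHED))
```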

---

### Do It Yourself!

* [Download Ghidra](https://ghidra-sre.org/)
* [Download binaries at crackmes.one](https://crackmes.one)
* [Find more binaries on hackthebox](https://hackthebox.eu)
* [Or find even more on tryhackme](https://tryhackme.com)
* Download firmware of your favorite IoT appliances

---

## A Word On Binary Obfuscation

Software obfuscation was born in 1984 at the [International Obfuscated C Code Contest](https://ioccc.org/)

<img src="./images/donut.gif" alt="A donut as code compiles to a spinning donut by Jim Hague" width="50%" height="auto">

---

### What Exactly Might be Obfuscated in Your Code?

<section>

[Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et al.](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)

</section>

<section>

* Code Element Layers
    * Layout
    * Controls
    * Data
    * Methods
    * Classes

</section>

<section>

* Component
    * Library Calls
    * Used Resources

* Application Layer
    * DRM System
    * Neural Networks

</section>

---

## Techniques of Obfuscation

---

### Splitting & Merging of Strings

```python
a = "BABE"
b = "CAFFEE"
print(f"{b}{a}")  # the joined string only exists at run time, never as one string in the binary
```

[String Deobfuscation with FLOSS](https://github.com/mandiant/flare-floss/)
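Added example, not the slides' code: a Python scan showing why a plain `strings` pass misses an XOR-encoded string while a single-byte key brute force, the simplest form of what FLOSS automates, recovers it. The sample blob, the key 0x5A and the host `updates.example.invalid` are constructed.

```python
import re

MIN_LEN = 5
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Plain `strings`-style scan: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_urls(data: bytes, min_len: int = MIN_LEN) -> dict[int, list[str]]:
    """Map a single-byte XOR key (0 = not encoded) to the URLs it reveals.

    FLOSS emulates the decoding routine instead of guessing keys; a brute force
    over 256 keys is enough to show why `strings` alone is not enough.
    """
    found: dict[int, list[str]] = {}
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        urls = [u for s in extract_strings(decoded, min_len) for u in URL_RE.findall(s)]
        if urls:
            found[key] = urls
    return found


# Constructed sample "binary" (not a real program): an ELF-like header, a plain
# prompt, a URL stored XOR-encoded with key 0x5A, padding, and one more string.
XOR_KEY = 0x5A
HIDDEN_URL = b"http://updates.example.invalid/check"
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"Enter password: \x00"
    + bytes(b ^ XOR_KEY for b in HIDDEN_URL)
    + b"\x90" * 4
    + b"wrong\x00"
)

if __name__ == "__main__":
    print("plain strings:", extract_strings(SAMPLE))  # the URL shows up only as junk
    print("xor-revealed :", find_urls(SAMPLE))
```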

---

## Packing

Compress binary data

```text
ooooo ooo ooooooooo. ooooooo ooooo
`888' `8' `888 `Y88. `8888 d8'
888 8 888 .d88' Y888..8P
888 8 888ooo88P' `8888'
888 8 888 .8PY888.
`88. .8' 888 d8' `888b
`YbodP' o888o o888o o88888o
```

[UPX Packer/Unpacker](https://upx.github.io/)
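Added example, not part of the talk: Python triage that flags a packed image by per-window Shannon entropy and by the `UPX!`/`UPX0` marker strings UPX leaves in packed files. Both sample buffers are constructed; the 7.0 bits-per-byte threshold is a common rule of thumb, not a UPX property.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = 1024) -> list[float]:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def triage(data: bytes, chunk: int = 1024, threshold: float = 7.0) -> dict:
    """Heuristic packer triage: count high-entropy windows and look for UPX markers."""
    profile = entropy_profile(data, chunk)
    high = sum(1 for e in profile if e >= threshold)
    return {
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": high,
        "total_windows": len(profile),
        "upx_markers": b"UPX!" in data or b"UPX0" in data,
        # packed if at least half of the windows look compressed/encrypted
        "likely_packed": high >= max(1, len(profile) // 2),
    }


# Constructed samples, not real binaries: a repetitive "code-like" buffer and a
# pseudo-random buffer standing in for compressed sections of a packed file.
PLAIN = (b"\x55\x48\x89\xe5\x48\x83\xec\x10" * 64 + b"Enter password: \x00" * 8) * 4
_rng = random.Random(7)
PACKED = b"UPX!" + bytes(_rng.randrange(256) for _ in range(8192)) + b"UPX0\x00UPX1\x00"

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED)):
        print(name, triage(blob))
```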

---

## Mangling

Compilers mangle library symbols in compiled code so that functions or data that share the same name remain distinguishable.

<section>

<pre><code data-trim data-noescape>
c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname<char>::collate_byname(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, unsigned long)
</code></pre>

</section>

<section><a href="https://demangler.io/" alt="demangler">Online Demangler</a></section>

---

## Code Elements

* Adding Unnecessary Instructions
* Changing Control Flows
* Protecting Data

<img src="./images/spaghetti.jpg" alt="Convoluted Code" width="26%" height="auto">

---

### Deobfuscation Tools

* DotNet
    * [de4dot Deobfuscator and Unpacker](https://github.com/de4dot/de4dot)
    * [dnSpy Debugger and Assembly Editor](https://github.com/dnSpy/dnSpy)
    * [ILSpy Decompiler instead of Ghidra](https://github.com/icsharpcode/ILSpy)

---

# The End