filmov
tv
Introduction to Reverse Engineering
Показать описание
📘 Descriptions
In this workshop, we look at some commonly seen patterns in decompiler-generated C pseudocode. By being familiar with these patterns, we can very quickly predict what a piece of code does when we see something similar the next time.
📝 Setup
Please download Ghidra (needs Java to run). If you wish to use other decompilers (e.g. IDA), feel free to do so. However, there might be slight differences in the decompiler output.
This workshop focuses on static analysis, i.e. code reading. So, any OS (Windows/MacOS/Linux) and architecture (Intel/ARM) are fine, as long as you can run Ghidra.
📜 Timestamps
0:00 Introduction
3:26 Ghidra basic usage
5:45 Finding the main function
8:40 Exploring and trying to understand the functionality of the given program
17:03 Breaking down how the program works step by step
20:10 Analyzing common C functions scanf, strlen, strcmp, memset, fgets
24:58 Analyzing the program part by part
28:10 C function memcmp and differences with strcmp and strncmp
29:28 Highlight on compiler optimizations, and retype variables
31:20 Recognizing ASCII values with the hex representation
33:40 Changing data types inferred by the decompiler
35:20 Exploring nested functions (reserve for later)
36:14 Differences between statically and dynamically linked programs
39:23 Useful patterns to analyze statically linked programs
48:30 Exploring static version of printf, and associated patterns
51:43 Reason to study statically linked programs
52:09 Exploring static version of memcmp
52:57 How can we guess what the function does, without seeing the function implementation?
53:52 Guessing scanf
54:25 Guessing strlen
55:19 Guessing strcmp
55:58 Guessing puts
56:40 Recognizing irrelevant functions
57:12 Guessing fgets
58:22 Exploring statically linked programs, with optimizations
1:01:44 Fix for Ghidra not recognizing the main function of optimized statically linked programs
1:02:58 Exploring hello Rust program
1:05:15 Exploring the structure of functions probably not written by the programmer
1:06:10 Exploring the structure of functions probably written by the programmer
1:06:46 Applying the previous strategies to guess out the functions
1:07:00 Dissecting Rust print function
1:08:10 Rust error checking
1:09:32 syscall semantics and relation to I/O functionalities
1:13:43 Comparisons with the unstripped version
1:17:15 Reading inputs in Rust
1:18:17 Exploring constructor-like functions in statically linked programs
1:19:04 Guessing stdin from the strategies
1:19:33 Guessing functions that reads from user input
1:21:30 Cleanup functions and the associated pattern
1:25:42 Clues to recognize useful functions (e.g. toupper)
1:26:41 Using program behavior and existing knowledge to determine unknown functions
1:29:30 Going back to unstripped version to verify reversing result
1:30:27 Summing up the strategies
1:33:17 Reversing ransomware/crypto-related programs
1:35:00 Exploring a sample ransomware program
1:38:20 Renaming, retyping variables
1:40:20 Common program behaviors when reading files
1:41:40 Reversing encryption functions, reviewing previous concepts
1:48:24 RC4 encryption algorithm and pattern to recognize during reversing
1:51:00 Techniques to recognize other crypto functions: base64, hex encoding, MD5, SHA1, RSA
In this workshop, we look at some commonly seen patterns in decompiler-generated C pseudocode. By being familiar with these patterns, we can very quickly predict what a piece of code does when we see something similar the next time.
📝 Setup
Please download Ghidra (needs Java to run). If you wish to use other decompilers (e.g. IDA), feel free to do so. However, there might be slight differences in the decompiler output.
This workshop focuses on static analysis, i.e. code reading. So, any OS (Windows/MacOS/Linux) and architecture (Intel/ARM) are fine, as long as you can run Ghidra.
📜 Timestamps
0:00 Introduction
3:26 Ghidra basic usage
5:45 Finding the main function
8:40 Exploring and trying to understand the functionality of the given program
17:03 Breaking down how the program works step by step
20:10 Analyzing common C functions scanf, strlen, strcmp, memset, fgets
24:58 Analyzing the program part by part
28:10 C function memcmp and differences with strcmp and strncmp
29:28 Highlight on compiler optimizations, and retype variables
31:20 Recognizing ASCII values with the hex representation
33:40 Changing data types inferred by the decompiler
35:20 Exploring nested functions (reserve for later)
36:14 Differences between statically and dynamically linked programs
39:23 Useful patterns to analyze statically linked programs
48:30 Exploring static version of printf, and associated patterns
51:43 Reason to study statically linked programs
52:09 Exploring static version of memcmp
52:57 How can we guess what the function does, without seeing the function implementation?
53:52 Guessing scanf
54:25 Guessing strlen
55:19 Guessing strcmp
55:58 Guessing puts
56:40 Recognizing irrelevant functions
57:12 Guessing fgets
58:22 Exploring statically linked programs, with optimizations
1:01:44 Fix for Ghidra not recognizing the main function of optimized statically linked programs
1:02:58 Exploring hello Rust program
1:05:15 Exploring the structure of functions probably not written by the programmer
1:06:10 Exploring the structure of functions probably written by the programmer
1:06:46 Applying the previous strategies to guess out the functions
1:07:00 Dissecting Rust print function
1:08:10 Rust error checking
1:09:32 syscall semantics and relation to I/O functionalities
1:13:43 Comparisons with the unstripped version
1:17:15 Reading inputs in Rust
1:18:17 Exploring constructor-like functions in statically linked programs
1:19:04 Guessing stdin from the strategies
1:19:33 Guessing functions that reads from user input
1:21:30 Cleanup functions and the associated pattern
1:25:42 Clues to recognize useful functions (e.g. toupper)
1:26:41 Using program behavior and existing knowledge to determine unknown functions
1:29:30 Going back to unstripped version to verify reversing result
1:30:27 Summing up the strategies
1:33:17 Reversing ransomware/crypto-related programs
1:35:00 Exploring a sample ransomware program
1:38:20 Renaming, retyping variables
1:40:20 Common program behaviors when reading files
1:41:40 Reversing encryption functions, reviewing previous concepts
1:48:24 RC4 encryption algorithm and pattern to recognize during reversing
1:51:00 Techniques to recognize other crypto functions: base64, hex encoding, MD5, SHA1, RSA
0:02:44
0:11:48
0:13:56
0:03:26
0:02:51
0:02:25
0:01:42
0:09:09
0:56:28
0:04:58
0:04:58
0:26:51
1:46:23
0:27:10
0:06:30
0:07:07
0:06:53
0:11:32
1:56:57
1:06:38
0:32:50
0:19:49
0:07:26
1:18:48