Reverse Engineering 101
0 likes99 views
The document provides an overview of reverse engineering, detailing its processes and tools such as Ghidra and IDA Pro for analyzing software internals. It explains the compilation process from high-level programming languages to machine code, including assembly language and executable file structures. The document also covers disassembly, decompilation, and practical applications like malware analysis and programming improvement.
Reverse Engineering 101
- 1. Reverse Engineering 101 Take a peek under the hood!
- 2. Introduction What is reversing? Compilers and Assembly The compilation process and machine code Reversing Basics Disassembling machine code, tools, and analysis Live Demo Reversing a compiled executable 01 02 03 04
- 3. INTRODUCTION What is reverse engineering?
- 4. Reverse Engineering ● The process of analyzing the internals of a piece of software, to figure out how it does what it does ● Various processes and tools for doing so ○ Ghidra, IDA Pro, Radare, etc. ● Static and Dynamic Analysis
- 5. Compilers & ASM How do processors execute code? How do programming languages compile to executable code?
- 6. Compiled Languages ● Some high level languages are compiled into machine code ○ C, C++, Go, Rust ● Machine code is directly interpreted by the processor ○ EXE, DLL, OSX, ELF files contain machine code ● Machine code is composed of instructions that the processor executes ○ mul (multiply), add (add), mov (move), jmp (jump) ● The format and set of instructions is defined by the ISA ○ Instruction Set Architecture
- 7. How Does Compilation Work? ● Preprocessing ○ Stripping comments, preprocessor directives ● Compilation ○ AST construction, intermediate representation (IR) ● Assembly ○ From IR, to assembly, to machine code (object files) ● Linking ○ Stitching object files together, adding dynamic library entries
- 8. Assembly ● Machine code consists of non-human readable instructions ● Assembly is essentially human-readable machine code ○ An architecture-specific programming language ● x86, ARM, MIPS, RISC-V, etc.
- 9. Reversing Basics How do we disassemble executables? Can we derive the original source code from a compiled executable?
- 10. A 30,000 foot view ● Static Analysis ○ Disassembly ○ Decompilation ● Dynamic Analysis ○ Debugging (GDB) ○ System call tracing ○ Network activity tracing
- 11. How to Read Assembly ● Registers ○ eax, ebx, ebp, esp (x86) ● Basic instructions and their operands ○ e.g. mul eax, ebx ● The C Calling Convention (cdecl) ○ How function calls are implemented in C ○ How accessing variables work ● Executable File Sections ○ What each section does and its properties ○ (for ELF) .text, .data, .bss, .rodata
- 12. 1 More Thing - The Stack ● Some memory space used primarily for: ○ Local variables ○ Passing function arguments ● Behaves like a stack ○ Push & Pop operations ● Grows into lower address space ○ RBP is higher than RSP Memory layout of a program
- 13. Reading ASM
- 16. xchng rax, rax
- 17. Translating C to ASM https://godbolt.org/ ● While loops, For loops ● Conditions ● Function Calls
- 18. Decompilation ● Inverse operation of compilation - generating high level source code from a compiled binary ● Tools: ○ IDA Hex Rays ○ Ghidra ● Translation to high level pseudocode may not be 1-to-1 ○ We’ll be taking a look at this
- 19. ctf101.org
- 20. What’s The Point? ● Malware analysis ● Become a better developer ○ Understanding how programs may be vulnerable ● Embedded programming ● CTFs! ○ https://ctf.gdscutm.com/
- 22. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik THANKS! @gdscutm