Introduction to Reverse Engineering

Date: 2022-02-02

Difficulty: Intermediate to Advanced

Delivered By: Joshua Wardle

Overview

Reverse engineering is the art of "breaking down" program code, normally without access to the original source code. Typically, this involves finding out how various functions in the code are built, what they do, and how each relates to and interacts with other code functions. In the context of cyber security, this often involves deconstructing malicious code (e.g., ransomware) to develop patches/tools to counteract it, or analysing commercial software to identify any vulnerabilities that might be present.

Challenges

This session has two main parts:

ZombieLand CTF

The main task is to tackle a modified ZombieLand CTF, which introduces basic concepts in reverse engineering such as function dependencies, tracing variables, decoding values, interacting with the stack, and so forth. This will introduce you to Ghidra. Can you get through ZombieLand without dying? Or will you turn into a human happy meal? Only time will tell...

A guide will be provided so you can follow along and gain experience without getting stuck.


Introduction to Anti-Debugging

For those who already know how to reverse-engineer binaries, there is the opportunity to explore a more advanced topic: anti-debugging. This refers to techniques that are meant to ensure that a program is not running under a debugger and, if it is, to change its behaviour accordingly. After being introduced to the basic techniques, you will be able to try your hand at a small binary which has a few of these techniques inside it; can you get the flag?
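To give a concrete picture of what "checking for a debugger and changing behaviour" looks like in code, here is a minimal added example in C. It is not the session's binary or any code from the session author; it assumes a Linux host with procfs, and the function names (tracer_pid_from_status, debugger_attached, guarded_message) and the placeholder flag string are invented for illustration. On Linux, /proc/self/status carries a TracerPid line that is 0 unless something has attached via ptrace (gdb, strace and most Linux debuggers do), so a program can read it and branch on the result.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example: a minimal Linux anti-debugging check (hypothetical, not the
 * session's binary). /proc/self/status contains "TracerPid:\t<pid>", which is
 * 0 when no process is ptrace()-attached to us. */

/* Parse the text of a /proc/<pid>/status file and return the TracerPid value,
 * or -1 if the line is absent (e.g. not Linux). */
long tracer_pid_from_status(const char *status_text) {
    const char *line = strstr(status_text, "TracerPid:");
    if (line == NULL) {
        return -1;
    }
    return strtol(line + strlen("TracerPid:"), NULL, 10);
}

/* Read this process's own status file and report whether a tracer is attached.
 * Returns 1 if a debugger/tracer is detected, 0 otherwise. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) {
        return 0; /* no procfs: assume no tracer */
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Constructed illustration of the "change behaviour" half: the real output is
 * only produced when no debugger is attached. The flag is a placeholder. */
const char *guarded_message(int under_debugger) {
    return under_debugger ? "Nice try." : "flag{placeholder-not-a-real-flag}";
}

int main(void) {
    int traced = debugger_attached();
    printf("TracerPid check: %s\n", traced ? "debugger detected" : "no debugger");
    printf("%s\n", guarded_message(traced));
    return 0;
}
```

Run it normally and then under gdb to see the two branches. The session's binaries are Windows executables, where the equivalent check is typically IsDebuggerPresent() or a direct read of the BeingDebugged flag in the PEB rather than a procfs read, but the shape is the same: a check, a conditional branch, and two different code paths. In Ghidra that pattern (an API call or file read followed by a compare and branch just before the interesting logic) is what you are looking for when you suspect anti-debugging.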

Prerequisites

To tackle this session, you will need awareness of programming principles, the C language, and assembly. A quick recap will be given on the relevant concepts needed for the challenges, but you'll find the session easier if you come at least slightly prepared.

You will also need to download and install Ghidra. We're aware that some may prefer IDA, and you're welcome to use it, but for beginners we recommend sticking with Ghidra. If you wish to tackle the anti-debugging challenge, you'll need a Windows debugger such as OllyDbg or x64dbg. The former is known to work on Kali Linux.

For those on Linux, you will need to do one of the following in order to run either executable, as they were written for Windows:

  • You could install Wine, which lets you run Windows executables on Unix-based systems.
  • You could use the Southampton Virtual Environment and run the executables on a university PC. Note that using the VMWare Horizon Client appears to be more reliable than the browser-based interface.

Doing either of the above isn't strictly necessary, but it may help you to do so. Alternatively, you may wish to use a VM dedicated to reverse engineering, such as FlareVM, but this would take some time to set up.

Session Link

You can find all the resources needed for this session, including the guides and both binaries, at https://reversing.sucss.org!

Please note, as usual, that uninformed brute forcing of the answers using tools like Hydra is not allowed.