Introduction to Reverse Engineering
According to Wikipedia, Reverse Engineering is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accomplishes a task with very little (if any) insight into exactly how it does so. In many areas of IT security we are often tasked with analyzing third-party programs to which we do not possess the source code. Typical examples include malware analysis or audit of device drivers. Modern programs can be fairly complex and in some of these situations the authors might even take active measures to make such analysis more difficult through obfuscation. A skilled reverse engineer can tackle these problems and extract valuable information from a program such as specifications of protocols or whether it contains vulnerable components.
Learning Goals and Expected Outcomes
This two-day training aims to give the participant an introduction to the field of software reverse engineering. We will look at various types of programs, including machine code, Java and Javascript. They will be analyzed using a mix of static and dynamic analysis, both with off-the-shelf tools and with scripts of our own written to help us in our effort. The goal of the training is to give both a general understanding of the different approaches available to us as reverse engineers and hands-on experience with applying some of these techniques.
After completing the training, the student will have a solid foundation on which to continue their reverse engineering studies, as well as a basic toolbox with which to approach real-world problems, whether it's analysis of simpler malware or debugging third-party software.
Course Contents
The course will cover the following topics. Topics marked with “*” will be covered as part of the introduction/background without accompanying exercises. Topics marked with “**” are advanced topics covered as part of an introduction into how to proceed after the training.
- Introduction
  - Why reverse engineering?*
  - Types of reverse engineering*
- Static analysis
  - Disassembly
  - Decompilation
  - Identifying patterns
- Dynamic analysis
  - Debugging
  - Emulation
  - Tracing
  - Hooking
- Technologies
  - Low-level: x86/ARM
  - Mid-level: Java/.NET
  - High-level: Javascript
- Methodology
  - Automation
  - Signatures and diffing**
  - Symbolic execution**
Outline
Below is a rough outline of the planned schedule for the training. This is preliminary and subject to change. A more definitive schedule will be posted prior to the training.
- Day 1
  - Intro, agenda, background
  - Basics
  - Static analysis
  - Dynamic analysis
- Day 2
  - More exercises
  - Emulation
  - Tracing and hooking
  - Automation
  - Next steps
Tools Used
We will mostly be using free and open source tools throughout the training. This includes debuggers, tracers, emulators and disassembly tools, as well as some C and Python programs. The only commercial tool we will use is Binary Ninja, a reverse engineering platform. A personal non-commercial license for Binary Ninja is included in the price of the training; it is yours to keep and can, if desired, be upgraded to a commercial license. All tools and exercises will be available as a pre-packaged VM/container. Instructions on how to obtain it and set it up on your computer will be provided to all participants ahead of the training.
Prerequisites
The student is expected to have a basic understanding of computers, programs and operating systems. Some basic programming skills are also required; in particular, some basic Python knowledge is very helpful. Finally, it is expected that the student can read simple C code and understands very basic concepts of assembler.
The instructor
Carl Svensson is a security professional and hobbyist currently working at Google as part of the internal red team. He is a veteran CTF player and an active member of the Swedish and international security community with a great fondness for a broad range of topics, reverse engineering being one of his favorites. If you have questions about the contents of this training, feel free to get in touch at [email protected].
Where
This is not the same address as the conference! Same building but different entrance.
Söder Mälarstrand 57
118 25 Stockholm
Day 1 (2023-09-12)
| Time | Activity |
| --- | --- |
| 8.30 – 09.00 | Registration & breakfast |
| 9.00 – 12.00 | Training |
| 12.00 – 13.00 | Lunch |
| 13.00 – 15.00 | Training |
| 15.00 – 15.30 | Coffee break |
| 15.30 – 17.00 | Training |
Day 2 (2023-09-13)
| Time | Activity |
| --- | --- |
| 8.30 – 09.00 | Registration & breakfast |
| 9.00 – 12.00 | Training |
| 12.00 – 13.00 | Lunch |
| 13.00 – 15.00 | Training |
| 15.00 – 15.30 | Coffee break |
| 15.30 – 17.00 | Training |