112-CCTC30
Action:
| Learning Domains/Level of Learning:
|
Army General Learning Outcomes:
| Safety Requirements:
|
Reverse engineering is a fundamental skill at the base of all exploitation and defense. It is a term that is often misunderstood in a way that implies reverse engineering only occurs on malicious executable binaries programmed in a compiled language like C. Reverse engineering is far more encompassing than this. Whenever a Cyber actor interacts with or takes something apart to learn about how it works, they are performing reverse engineering. It is that simple. All exploitation and defense is based on taking things apart and understanding how they work whether that be with an electron microscope, an x86 disassembler, interaction with the object, or through reading the manual/source code. Reverse engineering is performed on software, hardware, network/signal protocols, and just about anything another human has created. It is performed with the aim of understanding something better to achieve the goals of an individual or organization.
What is reverse engineering?
Why do we teach binary reverse enginnering?
What is a stack?
A section of memory reserved for temporary data storage, managed by the system to support program execution.
Last in, first out (LIFO)
|--------------|
| Stack | (grows downward)
|--------------|
| |
| ... |
| |
|--------------|
| Heap | (grows upward)
|--------------|
| Data |
|--------------|
| Text |
|--------------|Heap | Memory that can be allocated and deallocated |
Stack | A contiguous section of memory used for passing arguments |
General Register | A multipurpose register that can be used by either programmer or user to store data or a memory location address |
Control Register | A processor register that changes or controls the behavior of a CPU |
Flags Register | Contains the current state of the processor |
Assembly can use different sized data references.
Data Size | Description |
Bit | Smallest unit in computing - 0 or 1 |
Nibble | 4 bits/half an octet |
Byte | 8 bits |
Word | 16 bits |
DWord | 32 bits - common |
QWord | 64 bits - common |
There are 16 general purpose 64-Bit registers
%rax | the first return register |
%rbp | the base pointer that keeps track of the base of the stack |
%rsp | the stack pointer that points to the top of the stack |
You will see arguments passed to functions as something like:
[%ebp-0x8]
There is one instruction pointer register that points to the memory offset of the next instruction in the code segment:
| 64-Bit | Lower 32 bits | Lower 16 bits | Descrition |
|---|---|---|---|
RIP | EIP | IP | Instruction Pointer; holds address for next instruction to be executed |
High Memory Addresses
+-----------------+
| Return Address | <--- [EBP]
+-----------------+
| Saved EBP |
+-----------------+
| |
| ... |
| |
+-----------------+
| | <--- [ESP]
+-----------------+
Program Execution:
[EIP] points to the next instructionMOV | move source to destination |
PUSH | push source onto stack |
POP | Pop top of stack to destination |
INC | Increment source by 1 |
DEC | Decrement source by 1 |
ADD | Add source to destination |
SUB | Subtract source from destination |
CMP | Compare 2 values by subtracting them and setting the %RFLAGS register. ZeroFlag set means they are the same. |
JMP | Jump to specified location |
JLE | Jump if less than or equal |
JE | Jump if equal |
Flags Register - This register holds the current state of the processor, reflecting the outcomes of various operations and influencing subsequent instructions.
Flag | Description |
CF - Carry Flag | Generates a carry or borrow |
ZF - Zero Flag | Set by most instructions if the result of an operation is binary zero |
SF - Sign Flag | Set this bit the same as the most significant bit of the result. 0 = positive, 1 = negative |
OF - Overflow Flag | Set if the result was too large to fit in the designation. |
+--------------+
| Stack |
+--------------+
| FLAGS | <-- saved flags (CF, ZF, SF, OF, etc.)
+--------------+
| RBP |
+--------------+
| ... |
+--------------+
| |
| Heap |
+--------------+Assembly Code
Go to the following website and complete the following exercises: 1, 2, 5, 6, 7, 8
Initial static analysis of a binary gives an analyst, or team of analysts, several clues as to what the binary is designed to do and how it really works.
What are we looking for?
file types
if the file is packed/compressed
find plain text ascii & unicode strings
view sections of the executable to find potential obfuscation
view imports/exports to get a hint of funcationality
view resources to find embedded objects
is the most basic form of analysis
is the fastest way to gain instight into how a binary works
This is where one can learn more about how a binary runs
Tools such as Ghidra is used
Why Document Findings?
Perform Debugging and Disassembly
Find the Success/Failure
Adjust Instructions
Apply Patch and Save
Execute Patched Binary