Tsvetelin Choranov, profile picture
Uploaded byTsvetelin Choranov
PPTX, PDF895 views

Intro to reverse engineering owasp

The document outlines an introduction to reverse engineering with a schedule for a workshop including topics like C programming, control flow, assembly instructions, and debugging tools. It covers key concepts such as data types, CPU registers, assembly operations (e.g., mov, add, jmp), and calling conventions, while also providing various examples and pseudocode to illustrate these concepts. Additionally, it discusses tools for disassembly and debugging, along with commands and techniques for effective reverse engineering.

Embed presentation

Downloaded 23 times
Intro to Reverse Engineering By: Tsvetelin (Vincent) Choranov OWASP Open Web Application Security Project
Schedule • 9:00 – 10:30 am • C Refresher • Data Types • Process Structure and Virtual Memory • 10:30 – 10:45 am • Break • 10:45 – Noon • X86 Registers • Stack • Noon – 1:00 pm • Lunch • 1:00 – 2:30 pm • Assembly Instructions • Calling Conventions • 2:30 – 2:45 pm • Break • 2:45 – 4:30 pm • Debuggers Disassemblers and Decompilers
C refresher - Control Flow • If statement • If-else • While / Until • For loops • Switch/Case statements ( Jump tables )
C refresher - Control Flow • Pseudo-code – if statement if ( You are hungry ) { Find food while ( Found food is not good ) { Find something else to eat } Eat food } else { Go play }
C refresher - Control Flow • Pseudo-code – else statement if ( You are hungry ) { Find food while ( Found food is not good ) { Find something else to eat } Eat food } else { Go play }
C refresher - Control Flow • Pseudo-code – while statement if ( You are hungry ) { Find food while ( Found food is not good ) { Find something else to eat } Eat food } else { Go play }
C refresher - Control Flow • Pseudo-code – for loop for ( int i = 0 ; i < 10 ; i++ ) { do something } Key points: • Identify the initialization of the counter variable • Identify the limit • Identify the increment
C refresher - Control Flow • Pseudo-code – switch/case statement my_int = 2 ; my_int = 2 ; switch ( my_int ) { case 1: if ( my_int == 1 ) { do something do something break } case 2: else if ( my_int == 2 ) { do something do something break } default: else { do something do something } }
C refresher - Control Flow • Pseudo-code – switch/case statement sometimes produce jump tables
C refresher - Variables • Local • Global • Initialized / Uninitialized • Signed / Unsigned Integer • Pointer • Structure
C refresher - Data Types
C refresher - Data Types • Notations: • half a word = 2 bytes • word = 2/4 bytes • dword = 4 bytes • qword/giant = 8 bytes
Virtual Memory
x86 CPU Registers
Stack and Heap
Assembly Endianness • Big-endian and little-endian are terms that describe the order in which a sequence of bytes are stored in computer memory. Big-endian is an order in which the "big end" (most significant value in the sequence) is stored first (at the lowest storage address).
Assembly Endianness
EFLAGS Register
Assembly NOP • No operation • 0x90 • Used for alignment • In exploitation used for NOP-sleds
Assembly PUSH • Pushes data to the stack • Size of data is word, dword, qword • Data can be an immediate value or register • Decrements ESP
Assembly POP • Pops a value from the stack to a register • Increments ESP
Assembly MOV • Move operation • Moves: • register to register • memory to register • register to memory • immediate to register • immediate to memory • memory to memory • MOV EAX, [EBX]
Assembly SUB • Subtract operation • Source can be memory, immediate or register • Destination can be memory or register • Source and Destination can NOT be memory • It can be used to evaluate an expression • Influences the following EFLAGS • OF, SF, ZF, AF, PF and CF
Assembly ADD • Addition operation • Source can be memory, immediate or register • Destination can be memory or register • Source and Destination can NOT be memory • It can be used to evaluate an expression • Influences the following EFLAGS • OF, SF, ZF, AF, PF and CF
Assembly CALL • Execute a procedure • It pushes the address of the next instruction after the call to the stack, so execution can be restored once the called procedure returns • Changes EIP to the address of the called procedure
Assembly LEAVE • Restores the previous stack frame • Essentially does: • MOV ESP, EBP • POP EBP
Assembly RET • Return from a procedure • RET == POP EIP • POP increments ESP • Also seen as RET 0x?? which pops into EIP and increments ESP by 0x??
Assembly • NOP • PUSH • POP • MOV • SUB • ADD • RET • LEAVE • CALL
Assembly Example int func(int x){ return x; } int main(void){ int x = 0x1337; func(x); return 0xbeef; }
Assembly Example Function Prologue…..............................
Assembly Example Function Epilogue…..............................
Assembly Example EBP holds the base address of the previous stack frame saves EBPESP now points here ->
Assembly Example ESP is COPIED to EBP. EBP is now the base of our new stack frame. Which is the stack frame for main() saved EBPESP now points here ->
Assembly Example saved EBP ESP -> EBP ->
Assembly Example saved EBPEBP -> ESP -> 0x1337
Assembly Example EBP -> ESP -> saved EBP 0x1337 EAX = 0x1337
Assembly Example EBP -> ESP -> saved EBP 0x1337 EAX = 0x1337 0x1337
Assembly Example EBP -> ESP -> saved EBP 0x1337 0x1337 addr of next inst
Assembly Example EBP -> ESP -> saved EBP 0x1337 0x1337 addr of mov eax, 0xbeef saves EBP
Assembly Example EBP and ESP -> previous base ptr 0x1337 0x1337 current base ptr addr of mov eax, 0xbeef
Assembly Example EBP and ESP -> previous base ptr 0x1337 0x1337 current base ptr EAX = 0x1337 addr of mov eax, 0xbeef
Assembly Example base ptr 0x1337 0x1337 EBP -> ESP -> addr of mov eax, 0xbeef
Assembly Example 0x1337 0x1337 EBP -> ESP -> addr of mov eax, 0xbeef RET = POP EIP base ptr
Assembly Example 0x1337 0x1337 EBP -> ESP -> base ptr EAX = 0x1337 EAX = 0xbeef
Assembly Example 0x1337 0x1337 EBP -> ESP -> base ptr LEAVE = MOV ESP, EBP POP EBP
Assembly Example ESP ->
Assembly Example ESP ->
Assembly LEA • Load Effective Address • Does not dereference square brackets – [] • Often used with pointer arithmetic • Often used for loading the address of a local buffer into a register • LEA EAX, [EBP-0x64]
Assembly JMP • Unconditional Jump • Changes EIP to the address of the jump • Does not push the return address to the stack like a CALL does • Relative and Absolute
Assembly Jcc • Conditional Jump – jump is taken only if the condition is met
Assembly JNE / JNZ • Jump if Not Equal / Jump if Not Zero • Both check if the ZF is 0 • Jump is taken if the ZF is 1
Assembly JE / JZ • Jump if Equal / Jump if Zero • Both check if the ZF is 0 • Jump is taken if ZF is 0
Assembly JLE / JNG • Jump if Less or Equal / Jump if Not Greater • Jump if ZF == 1 • Jump if SF != OF
Assembly JGE / JNL • Jump if Greater or Equal / Jump if Not Less • Jump if ZF == 1 • Jump if CF == 1
Assembly JBE • Jump if Below or Equal • Jump if ZF == 1 • Jump if CF == 1
Assembly JB / JL • Jump if Below / Jump if Less • Jump if CF == 1
Assembly What sets the EFLAGS ? • What we care about: CMP and TEST • Any arithmetic can set a flag !
Assembly CMP • Compare • CMP does a SUB but discards the result • Affects flags: CF, OF, SF, ZF, AF and PF
Assembly TEST • Does bitwise logical AND • Sets the flags and discards the result • Affected flags: SF, ZF and PF • Very frequently used for checking if value in question is 0 or anything else
Assembly Example int main(int argc, char* argv[]){ if (argc != 2) { return 1; } else { return 0; } }
Assembly Example
Assembly AND • Logical AND - ‘&’ • Source can be register, immediate or memory • Destination can be register or memory • 1 & 1 = 1 • 1 & 0 = 0 • 0 & 1 = 0 • 0 & 0 = 0
Assembly OR • Logical OR – ‘|’ • Source can be register, immediate or memory • Destination can be register or memory • 1 | 1 = 1 • 1 | 0 = 1 • 0 | 1 = 1 • 0 | 0 = 0
Assembly XOR • Logical Exclusive Or – ‘^’ • Source can be register, immediate or memory • Destination can be register or immediate • 1 ^ 1 = 0 • 1 ^ 0 = 1 • 0 ^ 1 = 1 • 0 ^ 0 = 0
Assembly NOT • Flips the bits – One’s compliment • Single source/destination operand can be register, immediate or memory
Assembly What we know so far • NOP • PUSH/POP • CALL/RET/LEAVE • MOV/LEA • ADD/SUB • JMP/Jcc • CMP/TEST • AND/OR/XOR/NOT
Assembly LOOPS • Identify the initialization of the loop counter variable • Identify the limit of the loop • Identify the increment/decrement
Assembly Example #include <stdio.h> int main(int argc, char* argv[]){ int i; for (i = 0; i < 10; i++){ printf("Looping %dn", i); } }
Assembly • Identify the initialization of the loop counter variable
Assembly • Identify the limit of the loop
Assembly • Identify the increment/decrement
Assembly SHL • Shift Logical Left – ‘<<‘ • Destination operand can be register or memory • Source operand can be CL (lowest byte of ECX) or 1 byte immediate • It multiplies the destination operand by 2 for each bit shifted • Bits shifted off the left side of the operand set the carry flag • 00110011 << 2 = 11001100 with CF = 0 • 01100110 << 2 = 10011000 with CF = 1
Assembly SHR • Shift Logical Right – ‘>>’ • Destination operand can be register or memory • Source operand can be CL (lowest byte of ECX) or 1 byte immediate • It divides the destination operand by 2 for each bit shifted • Bits shifted off the right side of the operand set the carry flag • 00110011 >> 2 = 00001100 with CF = 1 • 01100100 >> 2 = 00011001 with CF = 0
Assembly IMUL • Signed Multiply • Three forms • imul r/m32 edx:eax = eax * r/m32 • imul reg, r/m32 reg = reg * r/m32 • imul reg, r/m32, imm reg = r/m32 * imm
Assembly MUL • Same as IMUL but unsigned
Assembly DIV • Unsigned Division • Two forms: • div AX by r/m8 • AL = quotient, AH = remainder • div EDX:EAX by r/m32 • EAX = quotient, EDX = remainder • Division by 0 raises an exception
Assembly IDIV • Same as DIV but signed
Assembly REP STOS • Repeat Store String • REP is standalone repetition instruction • STOS is also standalone instruction • Uses ECX as a counter • Can move a byte or dword at at time • Moves byte AL into [EDI] or dword EAX into [EDI] • Increments EDI register by 1 or 4 • Pre-requisites: • Set EDI to the destination address • Initialize EAX with value to store • Initialize ECX as counter
Assembly REP MOVS • Repeat Move Data String to String • Same as REP STOS but instead of storing a single byte/dword from EAX we can copy data from source to destination via ESI as source operand and EDI as destination operand • Each loop increments ESI, EDI and decrements ECX • REP MOVS DWORD PTR [ESI], DWORD PTR [EDI] • Pre-requisites: • Initialize ESI with the address of the data source • Initialize EDI with the address of the data dest • Initialize ECX as the counter
Assembly NEG • Negate – Performs two’s compliment • Single operand can be r/m32 • Two’s Compliment = Flip the bits and add 1 • Turns positive to negative and vice versa
Assembly What we know so far • NOP • PUSH/POP • CALL/RET/LEAVE • MOV/LEA • ADD/SUB • JMP/Jcc • CMP/TEST • AND/OR/XOR/NOT • SHL/SHR • MUL/IMUL • DIV/IDIV • REP STOS • REP MOVS • NEG • LOOPS
Assembly Example #include <stdio.h> int main(int argc, char* argv[]){ int int_array[5] = {0x5, 0x10, 0x15, 0x20, 0x25}; int i; for (i = 0; i < 5; i++){ printf("Int at index %d is %dn", i, int_array[i]); } }
Assembly Example Array access is always Base address + offset element (index element) * (times) scale (size of each element of the array)
Assembly
Calling Conventions What are calling conventions ? • How arguments are passed to functions
Calling Conventions What are calling conventions ? • How arguments are passed to functions
Calling Conventions What are calling conventions ? • How arguments are passed to functions • Who cleans the stack • Return values
Calling Conventions CDECL • C Declaration • Arguments are pushed to the stack right to left – meaning the first argument will be on top of the stack • Return value is stored in EAX or EDX:EAX • Caller is responsible for cleaning the stack – meaning cleaning up the arguments pushed
Calling Conventions STDCALL • Standard Call • Arguments are pushed to the stack right to left – meaning the first argument will be on top of the stack • Return value is stored in EAX • Callee is responsible for cleaning the stack – meaning callee function is responsible for cleaning up the arguments pushed by the Caller function
Debuggers and Disassemblers Decompilers • Opposite to compiler, takes compiled binary as input and produces high level source code. • Hex-Rays Decompiler ~$3,000 per architecture • The Hopper ~$80 • Free - https://retdec.com/
Debuggers and Disassemblers Disassemblers • Translates machine language into assembly language • Static Analysis – The binary application is not executed • IDA Pro – The Interactive Disassembler • The Hopper • Objdump
Debuggers and Disassemblers Disassemblers Hotkeys • space – Switch between linear view / graph view • n – name a variable/function/argument • g – Go to address • x – Cross reference • esc – Go back to the previous location / Move out of a function • d – Convert code to data or change the data type from byte/word/dword/qword • c – Convert data to code • p – Define a procedure • u – Undefine a procedure • ; – Set a comment
Debuggers and Disassemblers Debuggers • Can disassemble • Dynamic Analysis – Executes the binary program • GDB • OllyDbg • WinDbg • Radare2 • IDA Pro • Edb
Debuggers and Disassemblers GDB Commands • break <func>/*<addr> – sets a breakpoint • disassemble <func> – disassemblers a routine • x – Examine • x/2wx $esp – examine 2 words (4 bytes) in hex from ESP (top of the stack) towards EBP, UP • x/10i $eip – examine 10 instructions from EIP • x/2bx $eax – examine 2 bytes in hex from EAX • x/s $esp – examine as ASCII string
Debuggers and Disassemblers GDB Commands • set $eax = 1 – set EAX to 1 • set *$eax = 1 – write 1 to the address where EAX points to • info registers – display content of the registers • si/stepi – single step • ni/nexti – step over • finish – step out
Where to Now ? • CTFs !!! • Lena’s tutorials • Practical Malware Analysis book • CrackMe !!! • Malware • Practice Practice Practice… and more practice

More Related Content

PPTX
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
PPTX
An introduction to ROP
bySaumil Shah
 
PDF
ROP 輕鬆談
byhackstuff
 
PPT
Advance ROP Attacks
byn|u - The Open Security Community
 
PPTX
How Functions Work
bySaumil Shah
 
PDF
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
byfrank2
 
PPTX
Return Oriented Programming (ROP) Based Exploits - Part I
byn|u - The Open Security Community
 
PPTX
Operating Systems - A Primer
bySaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
An introduction to ROP
bySaumil Shah
 
ROP 輕鬆談
byhackstuff
 
Advance ROP Attacks
byn|u - The Open Security Community
 
How Functions Work
bySaumil Shah
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
byfrank2
 
Return Oriented Programming (ROP) Based Exploits - Part I
byn|u - The Open Security Community
 
Operating Systems - A Primer
bySaumil Shah
 

What's hot

PPTX
Introduction to Debuggers
bySaumil Shah
 
PDF
Low Level Exploits
byhughpearse
 
PPTX
Return Oriented Programming (ROP chaining)
byAbhinav Chourasia, GMOB
 
PDF
FortranCon2020: Highly Parallel Fortran and OpenACC Directives
byJeff Larkin
 
PDF
CNIT 127 Ch 2: Stack overflows on Linux
bySam Bowne
 
PDF
Course lecture - An introduction to the Return Oriented Programming
byJonathan Salwan
 
PDF
Exploit techniques and mitigation
byYaniv Shani
 
DOC
Asterisk PBX Commands, Leadinspiration
byLeadinspiration, Inc.
 
PPT
Software Exploitation Techniques by Amit Malik
byn|u - The Open Security Community
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PPT
Endevor api an introduction to the endevor application programming interface
byKevin Grimes
 
PPTX
Exploits & Mitigations - Memory Corruption Techniques
byCysinfo Cyber Security Community
 
KEY
Emulating With JavaScript
byalexanderdickson
 
PDF
Diving Into Memory Allocation to Understand Buffer Overflow Better
byOguzhan Topgul
 
PPT
Epoll - from the kernel side
byllj098
 
PDF
0.5mln packets per second with Erlang
byMaxim Kharchenko
 
PPTX
Shellcode mastering
byPositive Hack Days
 
PDF
Shellcode injection
byDhaval Kapil
 
PDF
NTUSTxTDOH - Pwn基礎 2015/12/27
bySheng-Hao Ma
 
PPTX
Assembly Language Tutorials for Windows - 04 Data Transfers Part-2
bySangram Kesari Ray
 
Introduction to Debuggers
bySaumil Shah
 
Low Level Exploits
byhughpearse
 
Return Oriented Programming (ROP chaining)
byAbhinav Chourasia, GMOB
 
FortranCon2020: Highly Parallel Fortran and OpenACC Directives
byJeff Larkin
 
CNIT 127 Ch 2: Stack overflows on Linux
bySam Bowne
 
Course lecture - An introduction to the Return Oriented Programming
byJonathan Salwan
 
Exploit techniques and mitigation
byYaniv Shani
 
Asterisk PBX Commands, Leadinspiration
byLeadinspiration, Inc.
 
Software Exploitation Techniques by Amit Malik
byn|u - The Open Security Community
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
Endevor api an introduction to the endevor application programming interface
byKevin Grimes
 
Exploits & Mitigations - Memory Corruption Techniques
byCysinfo Cyber Security Community
 
Emulating With JavaScript
byalexanderdickson
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
byOguzhan Topgul
 
Epoll - from the kernel side
byllj098
 
0.5mln packets per second with Erlang
byMaxim Kharchenko
 
Shellcode mastering
byPositive Hack Days
 
Shellcode injection
byDhaval Kapil
 
NTUSTxTDOH - Pwn基礎 2015/12/27
bySheng-Hao Ma
 
Assembly Language Tutorials for Windows - 04 Data Transfers Part-2
bySangram Kesari Ray
 

Similar to Intro to reverse engineering owasp

PPT
Assembly language
byPiyush Jain
 
PDF
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
PDF
CNIT 127 Ch Ch 1: Before you Begin
bySam Bowne
 
PPTX
Reversing malware analysis training part4 assembly programming basics
byCysinfo Cyber Security Community
 
PPTX
Coal (1)
bytalhashahid40
 
PPTX
Introduction of 8086 micro processor .
bySiraj Ahmed
 
PDF
Lecture-10jbcjnadb vna xbcjnsadvhbkbadk jdb js.pdf
byanawarulsawrov19206
 
PPTX
17
bydano2osu
 
PPTX
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
bysecurityxploded
 
PDF
Assembly language part I
byMohammed A. Imran
 
PDF
Assembly language part I
byn|u - The Open Security Community
 
PPT
Unit 3 assembler and processor
byAbha Damani
 
PPTX
Uc 2(vii)
byAnkita Jaiswal
 
PPTX
Introduction to debugging linux applications
bycommiebstrd
 
PPTX
Assembly language (Example with mapping from C++ to Assembly)
byTish997
 
PPTX
Basic ASM by @binaryheadache
bycamsec
 
PPT
Malware Analysis - x86 Disassembly
byNatraj G
 
PPTX
The 8051 microcontroller
byPallaviHailkar
 
PPT
Instructions_introductionM2.1.about.microcontrollerppt
byyesmskai
 
PPT
8051-instruction-set.ppt explainrs in detail
byprogchaircse
 
Assembly language
byPiyush Jain
 
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
CNIT 127 Ch Ch 1: Before you Begin
bySam Bowne
 
Reversing malware analysis training part4 assembly programming basics
byCysinfo Cyber Security Community
 
Coal (1)
bytalhashahid40
 
Introduction of 8086 micro processor .
bySiraj Ahmed
 
Lecture-10jbcjnadb vna xbcjnsadvhbkbadk jdb js.pdf
byanawarulsawrov19206
 
17
bydano2osu
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
bysecurityxploded
 
Assembly language part I
byMohammed A. Imran
 
Assembly language part I
byn|u - The Open Security Community
 
Unit 3 assembler and processor
byAbha Damani
 
Uc 2(vii)
byAnkita Jaiswal
 
Introduction to debugging linux applications
bycommiebstrd
 
Assembly language (Example with mapping from C++ to Assembly)
byTish997
 
Basic ASM by @binaryheadache
bycamsec
 
Malware Analysis - x86 Disassembly
byNatraj G
 
The 8051 microcontroller
byPallaviHailkar
 
Instructions_introductionM2.1.about.microcontrollerppt
byyesmskai
 
8051-instruction-set.ppt explainrs in detail
byprogchaircse
 

Recently uploaded

PPTX
Optimized access control techniques in Cloud Computing with Security and Scal...
bymareswariesteru
 
PPTX
Basin Design Service, LLC Introduction Presentation
byHubie Fix
 
PPTX
The Most Controversial TPM Debate in Maintenance Today Checklist TPM vs Outco...
byMaintWiz Technologies Private Limited
 
PDF
TechRush Hackathon 2026: A Platform for Innovation, Learning, and Real-World ...
byreshmi7103
 
PDF
CME397 SURFACE ENGINEERING UNIT 1 FULL NOTES
bykarthi keyan
 
PDF
ERTMS-conference-WS8_Presentations_v0.pdf
byEduardo147194
 
PPTX
35501622005_Sujay Samanta_Seminar22-26.pptx
bysujaysamanta3010
 
PDF
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
PPTX
Electronics Device - EC25C01 - Semiconductor: Types, Conductivity,
byMathavan N
 
PPTX
WOWVerse Workshop: Agentic AI & LLM Workshop
byram27belitkar
 
PPTX
820656155-Unit-III-Univariate-Analysis.pptx
bykalaimugill
 
PDF
PROPOSED 5 BEDROOM DUPLEX DEVELOPMENT DRAWINGS..pdf
byjamessylvester167
 
PPTX
SketchUp Pro 2026 – Advanced 3D Modeling Software
byHoka Moka
 
PPTX
Unit-2: Network Models--OSI Reference Model, TCP/IP Reference Model
bySuvarnaSharma5
 
PDF
God series - Physics video office crossed
byjangidankit8781
 
PDF
Manual de instalacion de notifire NFS320
byMarcoPolitoPerez
 
PDF
Fluid Mechanics, Heat Transfer, and Mass Transfer_ Chemical Engineering Pract...
bynikptl09
 
PDF
generative ai and prompt Engineering with out put images.pdf
byinfo839249
 
PDF
JVM in the Age of AI: 2026 Edition - Deep Dive
byArtur Skowroński
 
PPTX
AI-Agents-Concepts-Applications-and-Types.pptx
bypalbalaram2018
 
Optimized access control techniques in Cloud Computing with Security and Scal...
bymareswariesteru
 
Basin Design Service, LLC Introduction Presentation
byHubie Fix
 
The Most Controversial TPM Debate in Maintenance Today Checklist TPM vs Outco...
byMaintWiz Technologies Private Limited
 
TechRush Hackathon 2026: A Platform for Innovation, Learning, and Real-World ...
byreshmi7103
 
CME397 SURFACE ENGINEERING UNIT 1 FULL NOTES
bykarthi keyan
 
ERTMS-conference-WS8_Presentations_v0.pdf
byEduardo147194
 
35501622005_Sujay Samanta_Seminar22-26.pptx
bysujaysamanta3010
 
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
Electronics Device - EC25C01 - Semiconductor: Types, Conductivity,
byMathavan N
 
WOWVerse Workshop: Agentic AI & LLM Workshop
byram27belitkar
 
820656155-Unit-III-Univariate-Analysis.pptx
bykalaimugill
 
PROPOSED 5 BEDROOM DUPLEX DEVELOPMENT DRAWINGS..pdf
byjamessylvester167
 
SketchUp Pro 2026 – Advanced 3D Modeling Software
byHoka Moka
 
Unit-2: Network Models--OSI Reference Model, TCP/IP Reference Model
bySuvarnaSharma5
 
God series - Physics video office crossed
byjangidankit8781
 
Manual de instalacion de notifire NFS320
byMarcoPolitoPerez
 
Fluid Mechanics, Heat Transfer, and Mass Transfer_ Chemical Engineering Pract...
bynikptl09
 
generative ai and prompt Engineering with out put images.pdf
byinfo839249
 
JVM in the Age of AI: 2026 Edition - Deep Dive
byArtur Skowroński
 
AI-Agents-Concepts-Applications-and-Types.pptx
bypalbalaram2018
 

Intro to reverse engineering owasp

  • 1.
    Intro to Reverse EngineeringBy: Tsvetelin (Vincent) Choranov OWASP Open Web Application Security Project
  • 2.
    Schedule • 9:00 –10:30 am • C Refresher • Data Types • Process Structure and Virtual Memory • 10:30 – 10:45 am • Break • 10:45 – Noon • X86 Registers • Stack • Noon – 1:00 pm • Lunch • 1:00 – 2:30 pm • Assembly Instructions • Calling Conventions • 2:30 – 2:45 pm • Break • 2:45 – 4:30 pm • Debuggers Disassemblers and Decompilers
  • 3.
    C refresher -Control Flow • If statement • If-else • While / Until • For loops • Switch/Case statements ( Jump tables )
  • 4.
    C refresher -Control Flow • Pseudo-code – if statement if ( You are hungry ) { Find food while ( Found food is not good ) { Find something else to eat } Eat food } else { Go play }
  • 5.
    C refresher -Control Flow • Pseudo-code – else statement if ( You are hungry ) { Find food while ( Found food is not good ) { Find something else to eat } Eat food } else { Go play }
  • 6.
    C refresher -Control Flow • Pseudo-code – while statement if ( You are hungry ) { Find food while ( Found food is not good ) { Find something else to eat } Eat food } else { Go play }
  • 7.
    C refresher -Control Flow • Pseudo-code – for loop for ( int i = 0 ; i < 10 ; i++ ) { do something } Key points: • Identify the initialization of the counter variable • Identify the limit • Identify the increment
  • 8.
    C refresher -Control Flow • Pseudo-code – switch/case statement my_int = 2 ; my_int = 2 ; switch ( my_int ) { case 1: if ( my_int == 1 ) { do something do something break } case 2: else if ( my_int == 2 ) { do something do something break } default: else { do something do something } }
  • 9.
    C refresher -Control Flow • Pseudo-code – switch/case statement sometimes produce jump tables
  • 10.
    C refresher -Variables • Local • Global • Initialized / Uninitialized • Signed / Unsigned Integer • Pointer • Structure
  • 11.
    C refresher -Data Types
  • 12.
    C refresher -Data Types • Notations: • half a word = 2 bytes • word = 2/4 bytes • dword = 4 bytes • qword/giant = 8 bytes
  • 13.
  • 14.
  • 15.
  • 16.
    Assembly Endianness • Big-endian andlittle-endian are terms that describe the order in which a sequence of bytes are stored in computer memory. Big-endian is an order in which the "big end" (most significant value in the sequence) is stored first (at the lowest storage address).
  • 17.
  • 18.
  • 19.
    Assembly NOP • No operation •0x90 • Used for alignment • In exploitation used for NOP-sleds
  • 20.
    Assembly PUSH • Pushes datato the stack • Size of data is word, dword, qword • Data can be an immediate value or register • Decrements ESP
  • 21.
    Assembly POP • Pops avalue from the stack to a register • Increments ESP
  • 22.
    Assembly MOV • Move operation •Moves: • register to register • memory to register • register to memory • immediate to register • immediate to memory • memory to memory • MOV EAX, [EBX]
  • 23.
    Assembly SUB • Subtract operation •Source can be memory, immediate or register • Destination can be memory or register • Source and Destination can NOT be memory • It can be used to evaluate an expression • Influences the following EFLAGS • OF, SF, ZF, AF, PF and CF
  • 24.
    Assembly ADD • Addition operation •Source can be memory, immediate or register • Destination can be memory or register • Source and Destination can NOT be memory • It can be used to evaluate an expression • Influences the following EFLAGS • OF, SF, ZF, AF, PF and CF
  • 25.
    Assembly CALL • Execute aprocedure • It pushes the address of the next instruction after the call to the stack, so execution can be restored once the called procedure returns • Changes EIP to the address of the called procedure
  • 26.
    Assembly LEAVE • Restores theprevious stack frame • Essentially does: • MOV ESP, EBP • POP EBP
  • 27.
    Assembly RET • Return froma procedure • RET == POP EIP • POP increments ESP • Also seen as RET 0x?? which pops into EIP and increments ESP by 0x??
  • 28.
    Assembly • NOP • PUSH •POP • MOV • SUB • ADD • RET • LEAVE • CALL
  • 29.
    Assembly Example int func(int x){ returnx; } int main(void){ int x = 0x1337; func(x); return 0xbeef; }
  • 30.
  • 31.
  • 32.
    Assembly Example EBP holds thebase address of the previous stack frame saves EBPESP now points here ->
  • 33.
    Assembly Example ESP is COPIEDto EBP. EBP is now the base of our new stack frame. Which is the stack frame for main() saved EBPESP now points here ->
  • 34.
  • 35.
  • 36.
    Assembly Example EBP -> ESP -> savedEBP 0x1337 EAX = 0x1337
  • 37.
    Assembly Example EBP -> ESP -> savedEBP 0x1337 EAX = 0x1337 0x1337
  • 38.
    Assembly Example EBP -> ESP -> savedEBP 0x1337 0x1337 addr of next inst
  • 39.
    Assembly Example EBP -> ESP -> savedEBP 0x1337 0x1337 addr of mov eax, 0xbeef saves EBP
  • 40.
    Assembly Example EBP and ESP-> previous base ptr 0x1337 0x1337 current base ptr addr of mov eax, 0xbeef
  • 41.
    Assembly Example EBP and ESP-> previous base ptr 0x1337 0x1337 current base ptr EAX = 0x1337 addr of mov eax, 0xbeef
  • 42.
  • 43.
    Assembly Example 0x1337 0x1337 EBP -> ESP ->addr of mov eax, 0xbeef RET = POP EIP base ptr
  • 44.
  • 45.
    Assembly Example 0x1337 0x1337 EBP -> ESP -> baseptr LEAVE = MOV ESP, EBP POP EBP
  • 46.
  • 47.
  • 48.
    Assembly LEA • Load EffectiveAddress • Does not dereference square brackets – [] • Often used with pointer arithmetic • Often used for loading the address of a local buffer into a register • LEA EAX, [EBP-0x64]
  • 49.
    Assembly JMP • Unconditional Jump •Changes EIP to the address of the jump • Does not push the return address to the stack like a CALL does • Relative and Absolute
  • 50.
    Assembly Jcc • Conditional Jump– jump is taken only if the condition is met
  • 51.
    Assembly JNE / JNZ •Jump if Not Equal / Jump if Not Zero • Both check if the ZF is 0 • Jump is taken if the ZF is 1
  • 52.
    Assembly JE / JZ •Jump if Equal / Jump if Zero • Both check if the ZF is 0 • Jump is taken if ZF is 0
  • 53.
    Assembly JLE / JNG •Jump if Less or Equal / Jump if Not Greater • Jump if ZF == 1 • Jump if SF != OF
  • 54.
    Assembly JGE / JNL •Jump if Greater or Equal / Jump if Not Less • Jump if ZF == 1 • Jump if CF == 1
  • 55.
    Assembly JBE • Jump ifBelow or Equal • Jump if ZF == 1 • Jump if CF == 1
  • 56.
    Assembly JB / JL •Jump if Below / Jump if Less • Jump if CF == 1
  • 57.
    Assembly What sets theEFLAGS ? • What we care about: CMP and TEST • Any arithmetic can set a flag !
  • 58.
    Assembly CMP • Compare • CMPdoes a SUB but discards the result • Affects flags: CF, OF, SF, ZF, AF and PF
  • 59.
    Assembly TEST • Does bitwiselogical AND • Sets the flags and discards the result • Affected flags: SF, ZF and PF • Very frequently used for checking if value in question is 0 or anything else
  • 60.
    Assembly Example int main(int argc,char* argv[]){ if (argc != 2) { return 1; } else { return 0; } }
  • 61.
  • 62.
    Assembly AND • Logical AND- ‘&’ • Source can be register, immediate or memory • Destination can be register or memory • 1 & 1 = 1 • 1 & 0 = 0 • 0 & 1 = 0 • 0 & 0 = 0
  • 63.
    Assembly OR • Logical OR– ‘|’ • Source can be register, immediate or memory • Destination can be register or memory • 1 | 1 = 1 • 1 | 0 = 1 • 0 | 1 = 1 • 0 | 0 = 0
  • 64.
    Assembly XOR • Logical ExclusiveOr – ‘^’ • Source can be register, immediate or memory • Destination can be register or immediate • 1 ^ 1 = 0 • 1 ^ 0 = 1 • 0 ^ 1 = 1 • 0 ^ 0 = 0
  • 65.
    Assembly NOT • Flips thebits – One’s compliment • Single source/destination operand can be register, immediate or memory
  • 66.
    Assembly What we knowso far • NOP • PUSH/POP • CALL/RET/LEAVE • MOV/LEA • ADD/SUB • JMP/Jcc • CMP/TEST • AND/OR/XOR/NOT
  • 67.
    Assembly LOOPS • Identify theinitialization of the loop counter variable • Identify the limit of the loop • Identify the increment/decrement
  • 68.
    Assembly Example #include <stdio.h> int main(intargc, char* argv[]){ int i; for (i = 0; i < 10; i++){ printf("Looping %dn", i); } }
  • 69.
    Assembly • Identify theinitialization of the loop counter variable
  • 70.
    Assembly • Identify thelimit of the loop
  • 71.
    Assembly • Identify theincrement/decrement
  • 72.
    Assembly SHL • Shift LogicalLeft – ‘<<‘ • Destination operand can be register or memory • Source operand can be CL (lowest byte of ECX) or 1 byte immediate • It multiplies the destination operand by 2 for each bit shifted • Bits shifted off the left side of the operand set the carry flag • 00110011 << 2 = 11001100 with CF = 0 • 01100110 << 2 = 10011000 with CF = 1
  • 73.
    Assembly SHR • Shift LogicalRight – ‘>>’ • Destination operand can be register or memory • Source operand can be CL (lowest byte of ECX) or 1 byte immediate • It divides the destination operand by 2 for each bit shifted • Bits shifted off the right side of the operand set the carry flag • 00110011 >> 2 = 00001100 with CF = 1 • 01100100 >> 2 = 00011001 with CF = 0
  • 74.
    Assembly IMUL • Signed Multiply •Three forms • imul r/m32 edx:eax = eax * r/m32 • imul reg, r/m32 reg = reg * r/m32 • imul reg, r/m32, imm reg = r/m32 * imm
  • 75.
    Assembly MUL • Same asIMUL but unsigned
  • 76.
    Assembly DIV • Unsigned Division •Two forms: • div AX by r/m8 • AL = quotient, AH = remainder • div EDX:EAX by r/m32 • EAX = quotient, EDX = remainder • Division by 0 raises an exception
  • 77.
  • 78.
    Assembly REP STOS • RepeatStore String • REP is standalone repetition instruction • STOS is also standalone instruction • Uses ECX as a counter • Can move a byte or dword at at time • Moves byte AL into [EDI] or dword EAX into [EDI] • Increments EDI register by 1 or 4 • Pre-requisites: • Set EDI to the destination address • Initialize EAX with value to store • Initialize ECX as counter
  • 79.
    Assembly REP MOVS • RepeatMove Data String to String • Same as REP STOS but instead of storing a single byte/dword from EAX we can copy data from source to destination via ESI as source operand and EDI as destination operand • Each loop increments ESI, EDI and decrements ECX • REP MOVS DWORD PTR [ESI], DWORD PTR [EDI] • Pre-requisites: • Initialize ESI with the address of the data source • Initialize EDI with the address of the data dest • Initialize ECX as the counter
  • 80.
    Assembly NEG • Negate –Performs two’s compliment • Single operand can be r/m32 • Two’s Compliment = Flip the bits and add 1 • Turns positive to negative and vice versa
  • 81.
    Assembly What we knowso far • NOP • PUSH/POP • CALL/RET/LEAVE • MOV/LEA • ADD/SUB • JMP/Jcc • CMP/TEST • AND/OR/XOR/NOT • SHL/SHR • MUL/IMUL • DIV/IDIV • REP STOS • REP MOVS • NEG • LOOPS
  • 82.
    Assembly Example #include <stdio.h> int main(intargc, char* argv[]){ int int_array[5] = {0x5, 0x10, 0x15, 0x20, 0x25}; int i; for (i = 0; i < 5; i++){ printf("Int at index %d is %dn", i, int_array[i]); } }
  • 83.
    Assembly Example Array access isalways Base address + offset element (index element) * (times) scale (size of each element of the array)
  • 84.
  • 85.
    Calling Conventions What arecalling conventions ? • How arguments are passed to functions
  • 86.
    Calling Conventions What arecalling conventions ? • How arguments are passed to functions
  • 87.
    Calling Conventions What arecalling conventions ? • How arguments are passed to functions • Who cleans the stack • Return values
  • 88.
    Calling Conventions CDECL • CDeclaration • Arguments are pushed to the stack right to left – meaning the first argument will be on top of the stack • Return value is stored in EAX or EDX:EAX • Caller is responsible for cleaning the stack – meaning cleaning up the arguments pushed
  • 89.
    Calling Conventions STDCALL • StandardCall • Arguments are pushed to the stack right to left – meaning the first argument will be on top of the stack • Return value is stored in EAX • Callee is responsible for cleaning the stack – meaning callee function is responsible for cleaning up the arguments pushed by the Caller function
  • 90.
    Debuggers and Disassemblers Decompilers • Oppositeto compiler, takes compiled binary as input and produces high level source code. • Hex-Rays Decompiler ~$3,000 per architecture • The Hopper ~$80 • Free - https://retdec.com/
  • 91.
    Debuggers and Disassemblers Disassemblers • Translatesmachine language into assembly language • Static Analysis – The binary application is not executed • IDA Pro – The Interactive Disassembler • The Hopper • Objdump
  • 92.
    Debuggers and Disassemblers Disassemblers Hotkeys •space – Switch between linear view / graph view • n – name a variable/function/argument • g – Go to address • x – Cross reference • esc – Go back to the previous location / Move out of a function • d – Convert code to data or change the data type from byte/word/dword/qword • c – Convert data to code • p – Define a procedure • u – Undefine a procedure • ; – Set a comment
  • 93.
    Debuggers and Disassemblers Debuggers • Candisassemble • Dynamic Analysis – Executes the binary program • GDB • OllyDbg • WinDbg • Radare2 • IDA Pro • Edb
  • 94.
    Debuggers and Disassemblers GDB Commands •break <func>/*<addr> – sets a breakpoint • disassemble <func> – disassemblers a routine • x – Examine • x/2wx $esp – examine 2 words (4 bytes) in hex from ESP (top of the stack) towards EBP, UP • x/10i $eip – examine 10 instructions from EIP • x/2bx $eax – examine 2 bytes in hex from EAX • x/s $esp – examine as ASCII string
  • 95.
    Debuggers and Disassemblers GDB Commands •set $eax = 1 – set EAX to 1 • set *$eax = 1 – write 1 to the address where EAX points to • info registers – display content of the registers • si/stepi – single step • ni/nexti – step over • finish – step out
  • 96.
    Where to Now? • CTFs !!! • Lena’s tutorials • Practical Malware Analysis book • CrackMe !!! • Malware • Practice Practice Practice… and more practice

Editor's Notes

  • #2 Introduce yourself Mention CTFs What is Reverse Engineering all about
  • #14  15 min break
  • #16 Last-In-First-Out Local variables Arguments Back trace (keeps track of which functions were called before that)
  • #19 For now we only care about two: Zero Flag - its set if the result of some instruction is zero, otherwise it’s cleared Sign Flag - Set equal to the MSB of the result, which is the sign bit of a signed integer (0 indicates positive value, 1 indicates negative value)
  • #23 - Explain about square brackets mean dereference
  • #35 This is main()’s current stack frame All the local variables will be placed between this virtual address space, between EBP and ESP EBP is referred as THE BASE POINTER because all the local variables will be referenced by an offset from EBP.
  • #51 Jump Check condition
  • #52 Both are the same
  • #53 Jump Check condition
  • #54 Jump Check condition
  • #55 Jump Check condition
  • #56 Jump Check condition
  • #57 Don’t memorize the FLAGS, memorize the meaning of the jump – meaning BELOW, LESS THAN, EQUAL, NOT EQUAL, GREATER THAN, BELOW and so on…
  • #58 Jump Check condition
  • #66 - One’s compliment is simply flipping all the bits
  • #75 - Explain r/m32 meaning REGISTER or MEMORY operand
  • #79 - All REP instructions use ECX as a counter
  • #83 - Array access
  • #84 - Array access
  • #85 Array access Base+offset*scale
  • #89 - Caller is the outer function that calls the callee function
  • #90 - Caller is the outer function that calls the callee function
  • #92 - Opposite of assemblers