I. locate "the crucial code"
1. some ways
- control flow
- data cross-reference (data xref)
- code cross-reference (code xref)
- memory searching + r/w breakpoints
- tracing
- anything else that can help you
II. some tips we have to remember about real reverse engineering
1. source code is written by programmers
- distinguish code written by a human from code the compiler added on its own
- distinguish library code from the program's own code
- code added by the compiler does not need careful reversing
2. regular patterns in binaries
- binary layout pattern: |executable|lib1|lib2|lib3|
- identify code optimized by the compiler
3. identify open-source code
- string xref
- code style
- develop automated identification tools
4. dynamic analysis
- identify the key code, verify the guesses
- debugging
- tracing
- symbolic execution
- taint analysis
5. reverse code block by block
- common algorithm identification
    TEA/XTEA/XXTEA/IDEA/RC4/RC5/RC6/AES/DES/MD5/SHA256/SHA1 etc.
    big-number add/subtract/multiply/divide, shortest path and other classic algorithms
- common data structure identification
- common design pattern identification
6. obfuscation
- obfuscation technique examples
    OLLVM, control flow flattening
    push rax; ret (push/ret used as an indirect jump)
    VM-based obfuscation / self-modifying code
- deobfuscation
    the key is to recover the control flow
    emulated execution / symbolic execution
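Recovering control flow from a flattened function is the step the notes call out above. The following is an added example, not code from the original notes: `FLATTENED` is a constructed toy in which every original basic block became one case of a dispatcher switch on a state variable, each case ends by computing the next state (sometimes through an XOR or ADD that hides the real constant) instead of jumping, and a tiny emulator evaluates those updates to rebuild the original edges. The micro-op names (`set`, `xor`, `add`, `select`, `ret`) are an assumed mini-IR for the demonstration.

```python
"""Recovering control flow from a flattened function (OLLVM-style).

Added example for these notes, not code from the original. FLATTENED is a constructed
toy: every original basic block became one case of a dispatcher switch on a state
variable, and each case ends by computing the next state instead of jumping. The
recovery below is a tiny emulator that evaluates each case's state update and rebuilds
the original edges, which is the "recover the control flow" step.
"""
from collections import deque

# Micro-ops a case may execute on the state variable (constructed mini-IR):
#   ("set", imm)       state = imm
#   ("xor", imm)       state ^= imm            (obscures the real successor constant)
#   ("add", imm)       state = (state + imm) mod 2**32
#   ("select", t, f)   state = t if <condition> else f   -> two successors
#   ("ret",)           the function returns   -> no successor
FLATTENED = {
    0x0A1B: {"label": "entry", "ops": [("set", 0x3F00), ("xor", 0x0021)]},   # -> 0x3F21
    0x3F21: {"label": "check", "ops": [("select", 0x7777, 0x8888)]},
    0x7777: {"label": "win",   "ops": [("set", 0x9000), ("add", 0x0F0F)]},   # -> 0x9F0F
    0x8888: {"label": "lose",  "ops": [("set", 0x9F0F)]},
    0x9F0F: {"label": "exit",  "ops": [("ret",)]},
}
ENTRY_STATE = 0x0A1B


def successors(ops):
    """Emulate one case's state update; return the list of possible next states."""
    state = None
    for op in ops:
        kind = op[0]
        if kind == "set":
            state = op[1]
        elif kind in ("xor", "add"):
            if state is None:
                raise ValueError(f"{kind} before the state variable was assigned")
            state = (state ^ op[1]) if kind == "xor" else (state + op[1]) & 0xFFFFFFFF
        elif kind == "select":
            return [op[1], op[2]]          # opaque condition: follow both arms
        elif kind == "ret":
            return []
        else:
            raise ValueError(f"unknown op {kind}")
    if state is None:
        raise ValueError("case never assigns the state variable")
    return [state]


def recover_cfg(flat, entry):
    """Walk the dispatcher from the entry state and return the original CFG edges
    as (from_label, to_label) pairs in discovery order."""
    edges, seen, work = [], set(), deque([entry])
    while work:
        state = work.popleft()
        if state in seen:
            continue
        seen.add(state)
        block = flat[state]
        for nxt in successors(block["ops"]):
            if nxt not in flat:
                raise KeyError(f"state {nxt:#x} has no case in the dispatcher")
            edges.append((block["label"], flat[nxt]["label"]))
            work.append(nxt)
    return edges


def to_dot(edges):
    """Render the recovered edges as Graphviz source for quick inspection."""
    lines = ["digraph recovered {"] + [f'  "{a}" -> "{b}";' for a, b in edges] + ["}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(recover_cfg(FLATTENED, ENTRY_STATE)))
```

On a real binary the same loop runs on top of an emulator or a symbolic executor that evaluates the actual state-update instructions of each case; the recovery logic (follow every state the case can produce, treat an opaque condition as two successors) does not change.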
7. packers
- various types of packers
    unpack -> execute
    unpack -> execute -> unpack -> execute
    unpack -> [decoder | encoded] -> decode -> execute
    run a virtual machine
- case by case
- ESP law (the stack pointer is back at its original value when the stub jumps to the OEP)
- read /proc/[pid]/mem
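The "read /proc/[pid]/mem" approach above dumps the already-unpacked code out of the running process instead of fighting the unpacking stub. The script below is an added example, not code from the original notes: it parses `/proc/[pid]/maps`, picks the mappings where unpacked code usually ends up (executable and writable, or executable but anonymous), and reads them through `/proc/[pid]/mem`. `SAMPLE_MAPS` is a constructed maps listing used to exercise the parser offline; dumping a live process requires ptrace permission over it on Linux.

```python
"""Dump candidate unpacked-code regions of a Linux process via /proc/[pid]/mem.

Added example for these notes, not code from the original. The maps parser and the
region filter run offline on the constructed SAMPLE_MAPS below; dump_candidates()
needs a live pid that the caller is allowed to ptrace.
"""
import re
import sys
from dataclasses import dataclass

# address range, perms, file offset, device, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) (\S+) (\S+) (\d+)\s*(.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text):
    """Parse the text of /proc/[pid]/maps into Region objects."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        regions.append(Region(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(7)))
    return regions


def unpacked_candidates(regions):
    """Executable regions that are writable, or executable with no backing file.

    After a packer stub finishes, the decoded code normally lives in memory it
    allocated or rewrote itself, not in the read-only image mapped from disk."""
    return [
        r for r in regions
        if "x" in r.perms and ("w" in r.perms or r.path == "" or r.path.startswith("[anon"))
    ]


def dump_region(pid, region):
    """Read one region's bytes out of /proc/[pid]/mem (requires ptrace permission)."""
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        mem.seek(region.start)
        return mem.read(region.end - region.start)


def dump_candidates(pid, out_dir="."):
    """Write every candidate region to out_dir/<pid>_<start>-<end>.bin; return the paths."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    written = []
    for r in unpacked_candidates(regions):
        name = f"{out_dir}/{pid}_{r.start:x}-{r.end:x}.bin"
        with open(name, "wb") as out:
            out.write(dump_region(pid, r))
        written.append(name)
    return written


# Constructed sample: a packed binary whose stub decoded code into two anonymous
# mappings (one rwx, one r-x) while the on-disk image stays r-x and file-backed.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a01000 r--p 00000000 08:01 1234    /tmp/packed
55d0c1a01000-55d0c1a02000 r-xp 00001000 08:01 1234    /tmp/packed
55d0c1a02000-55d0c1a03000 rw-p 00002000 08:01 1234    /tmp/packed
7f3a2c000000-7f3a2c021000 rwxp 00000000 00:00 0
7f3a2c400000-7f3a2c401000 r-xp 00000000 00:00 0
7ffd11a00000-7ffd11a21000 rw-p 00000000 00:00 0       [stack]
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(dump_candidates(int(sys.argv[1]))))
    else:
        for r in unpacked_candidates(parse_maps(SAMPLE_MAPS)):
            print(f"{r.start:#x}-{r.end:#x} {r.perms} {r.path or '(anonymous)'}")
```

Run it with a pid after the stub has finished (break at the ESP-law point, or simply wait until the program reaches its normal behaviour); the dumped regions can then be loaded into a disassembler at their original base addresses.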
8. anti-debugging
- debugger detection
    API calls, e.g. IsDebuggerPresent()
    try { int3 } catch { ... }
    timestamp checks
    ...
- debugger interference
    DebugPort overwrite
    self-debugging
    ...
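Two items in these notes come down to matching known byte patterns during triage: "common algorithm identification" in section 5 (TEA, MD5, SHA-1, SHA-256, AES, DES all carry distinctive constants) and "debugger detection" here (the checks import recognisable API names). The scanner below is an added example, not code from the original notes, and serves both: it packs each constant in both byte orders, matches fixed byte tables and API name strings, and collapses a shorter constant that is a prefix of a longer one at the same offset (MD5's initial state is the first four words of SHA-1's). `SAMPLE` is a constructed binary image; the signature table is deliberately small.

```python
"""Static indicator scan: crypto constants and anti-debugging API names.

Added example for these notes, not code from the original. The signature table is a
small illustrative subset; SAMPLE is a constructed blob, not a real binary.
"""
import struct
import sys

# (name, 32-bit words that identify the algorithm when found in sequence)
CRYPTO_WORDS = {
    "TEA/XTEA delta": [0x9E3779B9],
    "MD5 init": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 init": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    "SHA-256 K[0..3]": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
}
# Byte tables do not depend on endianness.
CRYPTO_BYTES = {
    "AES S-box": bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]),
    "DES IP table": bytes([58, 50, 42, 34, 26, 18, 10, 2]),
}
# Names that show up in the import table or strings when a binary checks for a debugger.
ANTI_DEBUG_APIS = [
    b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess", b"OutputDebugString", b"ptrace",
]


def build_signatures():
    """Expand the tables into (name, category, pattern bytes) triples."""
    sigs = []
    for name, words in CRYPTO_WORDS.items():
        for endian, tag in (("<", "LE"), (">", "BE")):
            sigs.append((f"{name} ({tag})", "crypto", struct.pack(endian + "I" * len(words), *words)))
    for name, pat in CRYPTO_BYTES.items():
        sigs.append((name, "crypto", pat))
    for api in ANTI_DEBUG_APIS:
        sigs.append((api.decode(), "anti-debug", api))
    return sigs


def find_all(blob, pat):
    """Yield every offset of pat in blob, including overlapping occurrences."""
    off = blob.find(pat)
    while off != -1:
        yield off
        off = blob.find(pat, off + 1)


def scan(blob):
    """Return hits sorted by offset; at one offset only the longest pattern
    of a category is kept (so SHA-1's IV is not also reported as MD5's)."""
    best = {}
    for name, cat, pat in build_signatures():
        for off in find_all(blob, pat):
            key = (off, cat)
            if key not in best or len(pat) > best[key]["length"]:
                best[key] = {"offset": off, "name": name, "category": cat, "length": len(pat)}
    return sorted(best.values(), key=lambda h: h["offset"])


# Constructed sample image: TEA delta at 16, SHA-1 initial state at 32,
# an anti-debugging import name at 60, padding elsewhere.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<I", 0x9E3779B9)
    + b"\x90" * 12
    + struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    + b"\x00" * 8
    + b"IsDebuggerPresent\x00"
    + b"\xcc" * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(data):
        print(f"{h['offset']:#010x}  {h['category']:<10}  {h['name']}")
```

A hit only says where to start reading: a TEA delta found in a binary is the cue to follow its code xrefs to the loop that uses it, and an imported IsDebuggerPresent is the cue to find its call sites before starting a debugging session.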
III. typical RE challenge examples
- N1CTF 2018 baby_neural_network
- TCTF 2018 Quals udp
- TCTF 2018 Final vtp
- DEFCON 26 CTF Qual preview
- RCTF 2018 magic
- Google CTF 2018 keygenme