【X02】Introduction to RE

一、Locate "the crucial code"

1.some ways

  • control flow
  • data cross-reference (data xref)
  • code cross-reference (code xref)
  • memory searching + r/w breakpoint
  • tracing
  • anything else that can help you

二、some tips we have to remember about real reverse engineering

1.source code is written by programmer

  • distinguish code written by humans from code added by the compiler
  • distinguish library code from program code
  • no need to reverse carefully the code added by the compiler

2.regular pattern of binary

  • binary layout pattern: |executable|lib1|lib2|lib3|
  • identify the code optimized by the compiler

3.identify the open source code

  • string xref
  • code style
  • develop automated identification tools

4.dynamic analysis

  • identify the key code, verify the guessing
  • debugging
  • tracing
  • symbolic execution
  • taint analysis

5.reverse code block by block

  • common algorithm identification

TEA/XTEA/XXTEA/IDEA/RC4/RC5/RC6/AES/DES/MD5/SHA256/SHA1 etc.

Big-number arithmetic (add/subtract/multiply/divide), shortest path and other classic algorithms

  • common data structure identification
  • common design pattern identification
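As an added example (not part of the original notes) of the automated identification the notes call for: a small Python scanner that looks for the public magic constants of the algorithms listed above in a raw binary blob. The signature names, the match threshold and the sample bytes below are constructed for this example.

```python
import struct

# Public magic constants of the listed algorithms, scanned one 32-bit word at a time so that
# a value compiled as an immediate operand (mov eax, imm32) is found as readily as a table entry.
CONSTANTS = {
    "TEA/XTEA/XXTEA delta": [0x9E3779B9],
    # MD5 and SHA-1 share these four initial words; SHA-1 adds H4 = 0xC3D2E1F0.
    "MD5 or SHA-1 init state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 init H4": [0xC3D2E1F0],
    "MD5 round constants": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-256 init state": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A],
    "SHA-256 round constants": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
}
# Lookup tables are matched on their first bytes, which survive most compilers unchanged.
TABLES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "CRC-32 table": struct.pack("<4I", 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
}


def find_words(blob, value):
    """Offsets at which a 32-bit constant appears, in either byte order."""
    hits = []
    for order in ("<", ">"):
        pat = struct.pack(order + "I", value)
        i = blob.find(pat)
        while i != -1:
            hits.append(i)
            i = blob.find(pat, i + 1)
    return sorted(hits)


def identify(blob, min_ratio=0.75):
    """Map signature name -> fraction of its constants present (only signatures above min_ratio)."""
    found = {}
    for name, words in CONSTANTS.items():
        ratio = sum(1 for w in words if find_words(blob, w)) / len(words)
        if ratio >= min_ratio:
            found[name] = ratio
    for name, table in TABLES.items():
        if table in blob:
            found[name] = 1.0
    return found


# Constructed sample "binary": a function prologue, `mov eax, 0x9E3779B9` (B8 + little-endian
# immediate), NOP filler, then the start of the AES S-box as data.
SAMPLE = (b"\x55\x48\x89\xe5" + b"\xb8" + struct.pack("<I", 0x9E3779B9) + b"\x90" * 8
          + TABLES["AES S-box"] + b"\x00" * 8)

if __name__ == "__main__":
    for name, ratio in identify(SAMPLE).items():
        print(f"{name}: {ratio:.0%} of constants found")
```

A hit is only a lead: confirm it with a data xref on the reported offset, since constants that are built up across several instructions or hidden by obfuscation will not match a byte scan.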

6.obfuscation

  • obfuscation techniques examples

OLLVM, control flow flattening

push rax; ret

VM / self-modifying code

  • deobfuscation

the key is to recover the control flow

simulation execution/symbolic execution

7.packer

  • various types of packers

unpack -> execute

unpack -> execute -> unpack -> execute

unpack -> [decoder | encode] -> decode -> execute

run the virtual machine

  • case by case
  • ESP law
  • read /proc/[pid]/mem

8.anti-debugging

  • debugger detection

API call, IsDebuggerPresent()

try { int3 } catch {}

timestamp

........

  • debugger interference

debugport overwrite

self debugging

......

三、regular re challenge examples

  • N1CTF 2018 baby_neural_network
  • TCTF 2018 Quals udp
  • TCTF 2018 Final vtp
  • DEFCON 26 CTF Qual preview
  • RCTF 2018 magic
  • google CTF 2018 keygenme
