2. Why reverse engineering?
● Because it’s fun
● Malware hunting
● Curiosity
● Military or commercial espionage
● Security auditing
● Increase (reduce) public security
● Product analysis
● Loss of documentation and/or source code
3. What can be reverse engineered?
● Physical hardware
● PHP/Javascript/Python/Ruby code
● Microsoft’s .NET family
● Java/Scala/Clojure and other JVM languages
● C/C++/Rust and other system languages
● Swift/Objective-C and other Apple products
● More or less everything
4. What tools are used for reverse engineering?
● Physical hardware
● Debug tools
● Dynamic binary instrumentation
● Forensics tools
● System monitoring
● Kernel drivers
● Hardware breakpoints
● Hex editors
5. What about decompilers?
● Assembly/Bytecode to “source code” again
● The quality of the produced code varies
● Works best with script and VM languages
● Script languages are usually not “compiled” at all
● The .NET family is without doubt the easiest
● The JVM family is next in line
● Erlang? Sorry, forgot about it, but google says it’s doable in the minutes before this presentation :)
7. Decompilers in action (.NET)
● 100% reversible
● 100% readable
● Can recompile
● Symbols (names)
● Strings (text)
● Keep all metadata
11. Why anti debug?
● Protect proprietary software
● Malware in need of hiding
● Hide baaaaad code
● Just being a douchebag
12. How to do anti debugging for VM code?
● Obfuscation mostly for JVM/.NET
● Hide functionality in native shared libraries
● Runtime decryption of strings
● Multiple entry points (start of application)
● Various debugger detection techniques
13. How to do anti debugging for native code?
● All the same ways as VM code can
● Deny run in virtual machine
● Operating system hooks/API to disable “debuggable”
● Debug yourself :)
● Make sure LD_PRELOAD/DYLD_INSERT_LIBRARIES is empty
● Screw up ELF/Mach-O headers just enough
● Entry point via Unix signals (Linux / OSX)
● Entry point via Thread Local Storage (TLS) (Windows only)
14. How to do anti debugging
● We’ll focus on VM based languages
● Anti debugger / evasion techniques in native code
○ Hard for n00bs
○ Requires much system knowledge
● String decryption at runtime might help
● Decryption of code at runtime (Not easily done in JVM)
● Transform your code to something a little more ugly
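Added example for slides 12 to 14, seen from the analyst's side (this is not code from the presentation): a static triage script that flags which of the listed anti-debug techniques a binary appears to use (preload-library checks, ptrace, TracerPid, trap-based entry points) and marks high-entropy regions where runtime-decrypted strings or code may live. The indicator table and the sample bytes are constructed for the example.

```python
import math
import re
from collections import Counter

# Static indicators for the anti-debug techniques the slides list. A hit only
# suggests the technique; strings decrypted at runtime (slides 12 and 14)
# never show up in a static scan, so an empty result is not a clean bill.
INDICATORS = {
    b"LD_PRELOAD": "preload-library check (Linux)",
    b"DYLD_INSERT_LIBRARIES": "preload-library check (macOS)",
    b"ptrace": "ptrace self-debug / debugger detection",
    b"TracerPid": "/proc/self/status debugger detection",
    b"IsDebuggerPresent": "Win32 debugger detection",
    b"SIGTRAP": "signal-based entry point or trap check",
}

def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_offsets(data: bytes, window: int = 256, threshold: float = 7.2) -> list[int]:
    """Window offsets that look encrypted or packed: candidates for
    runtime-decrypted strings or code worth a closer look in a debugger."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]

def triage(data: bytes) -> dict:
    """Map the binary's strings onto the slide techniques, plus entropy hot spots."""
    found = set()
    for s in extract_strings(data):
        for needle, technique in INDICATORS.items():
            if needle in s:
                found.add(technique)
    return {"techniques": sorted(found),
            "high_entropy_offsets": high_entropy_offsets(data)}

# Constructed sample, not a real binary: an ELF magic, a few libc-style
# strings padded to one window, then a 512-byte blob with a flat byte spread.
SAMPLE = (b"\x7fELF" + b"getenv\x00LD_PRELOAD\x00/proc/self/status\x00TracerPid:\t%d\x00"
          ).ljust(256, b"\x00") + bytes(range(256)) * 2 + b"\x00" * 64
```

Run `triage(SAMPLE)` to see the two techniques the sample hints at and the two blob windows flagged as high entropy.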
19. Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.
● Scriptable
○ Python
○ Javascript
○ Swift
○ C
● No root needed
● No jailbreak either
● Easy to start with
20. Compile your whole application with the “mov” instruction
● Horrible
○ No control flow
○ No syscalls
● C/asm products
● Only x86?
● Binary size rises