Training | Reverse engineering introduction

SYNOPSIS

This training is dedicated to analysts who want to learn key concepts and methodologies and better understand or analyze faster, in a blackbox way, any code that can be found in the wild (malwares, applications, libraries, an exploit…). The training is focused on methodological aspects with all technical concepts that are needed to learn how to reverse a binary from a static and dynamic point of view. Practical exercises owns an important place in this training.

TARGET AUDIENCE

People who want to start with binary analysis on Intel platforms (e.g. malware analysts or application pentesters at large) Target OS are Linux and Windows but knowledge can easily be applied on any platform running on Intel IA-32 architecture.

DURATION

5 days (19-20-21-22-23 April 2021)

PREREQUISITES

Reverse engineering is hard to learn when fully beginning from scratch, some knowledges are needed as prerequisites to let the training focus on analysis methodology.

Some key skills that are needed:

• Python for basic scripting;
• C language basic/intermediate knowledge (pointers handling, standard C library usage);

A VirtualBox VM will be provided with all the tools required for the training.

OBJECTIVES

Be able to:

• analyze userland applications;
• improve its debugging skills and more generally its static/dynamic analysis techniques;
• use standard tools (IDA, LIEF, x64dbg, WinDbg, frida, QBDI, …) to perform static and dynamic analysis;
• bypass basic binary protection with dynamic execution, binary patching, etc.

Methodology is at the heart of the training to maximize the autonomy of attendees once the training is completed.

EXERCISES

The whole training in divided into theoretical courses and practices (more than 50%), proportionally distributed inside each training day.

Exercises will be adapted according attendees group reverse engineering level which can vary from various reasons.

Some practical exercises:

• Various algorithm analysis, some crackmes resolving;
• Bypass anti-debug / anti-analysis tricks;
• Tooling with Frida and some debuggers;
• Malware analysis.

MODULES

Day 1

• Focus on x86/x86-64 assembly language
• Assembly reminders (mnemonics, stacks and main concepts)
• Common structures recognition
• First steps with IDA and static analysis

Day 2

• Binary file format (PE / ELF)
• Binary patching with various tools (LIEF, …)
• Loading operations and customization

Day 3

• Dynamic analysis with debuggers (x64dbg, windbg, IDA debugger)
• Analysis automation
• Instrumentation using Frida, pyQDBDI and hooking technique
• Introduction to dynamic symbolic execution with Triton

Day 4

• Protected binary analysis
• Bypassing anti-debugs, anti-vm and basic obfuscations
• More on tools scripting (Frida and debuggers)

Day 5

Deobfuscation / protected binaries analysis including: – Binaries/functions rebuilding – Understand and bypass common obfuscation techniques