
Reverse Engineering Basics - Cyber Security Essentials

By andro | Cyber Security Essentials | 6 Jun 2020


What is Reverse Engineering?

Reverse engineering programs is required when you need to know how something works but don't have the source code available. Consider the following example: You want to find vulnerabilities in some proprietary piece of software. Obviously, there is no documentation of how its code is written or what everything does, so you need to figure that out on your own. The first step is usually to disassemble the executable file.

The programs you run are compiled most of the time, which means that the source code that they are written in was translated into a file that is hard to read for humans, but required to tell the CPU what it has to do. Your task is now to understand that piece of software in its compiled form. Disassembling it makes it a little more readable. If you want even more readability, you can try decompiling it. This means that you try and get it back into a form similar to the source code.

How do I do it?

There are multiple tools you can use for reverse engineering, and they are usually quite complicated. But getting started just takes some practice, and you can reverse simple programs at first to learn the tools. The ones I use are:

  • Ghidra

Ghidra is a tool released by the National Security Agency for the general public. It includes a disassembler as well as a decompiler, and you can use it for what is called static analysis. This means that you analyse a program just by looking at its executable file without executing it. This is especially required for malware analysis, since you have to be really cautious when executing malware. But it is also an important step in pretty much every reverse engineering process, since you gain a lot of insight from it. Look at the resources at the end of this article to find some tutorials on Ghidra.

You can get Ghidra here.

  • The GNU Debugger (GDB)

GDB is used for dynamic analysis, which, you guessed it, is done by executing the executable file you are trying to understand. This way, you can get the current values of registers and variables that are used by the program and get a better understanding of what the program actually does at runtime compared to the static analysis. The GNU Debugger was originally developed for debugging programs, but it is a great tool for reverse engineering as well. You can also install the pwndbg extension, which highlights the important stuff with colors and makes the tool easier to use.

You can get GDB from your package manager and the pwndbg extension from here. If you do not use a Unix-based OS such as Linux, you should try to switch to one for learning security, or use a debugger for Windows, such as OllyDbg.

Ghidra however is compatible with both Windows and Linux.
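As an added illustration of static analysis (not code from the original article), the Python sketch below reads an executable's ELF header and its printable strings without ever executing the file, which is a typical first look before opening it in a disassembler. The sample bytes are constructed for this example and the function names are hypothetical.

```python
import re
import struct

# Value-to-name tables for the header fields decoded below (from the ELF specification).
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object / PIE", 4: "core"}
ELF_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(blob: bytes) -> dict:
    """Decode the start of the ELF header; the file is only read, never run."""
    if len(blob) < 16 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA:
        raise ValueError("corrupt e_ident")
    endian = "<" if ei_data == 1 else ">"
    # e_type (u16), e_machine (u16), e_version (u32), e_entry (u64 or u32)
    fmt = endian + ("HHIQ" if ei_class == 2 else "HHII")
    if len(blob) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    e_type, e_machine, _version, e_entry = struct.unpack_from(fmt, blob, 16)
    return {
        "class": ELF_CLASS[ei_class],
        "data": ELF_DATA[ei_data],
        "type": ELF_TYPE.get(e_type, hex(e_type)),
        "machine": ELF_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Like the `strings` utility: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


# Constructed sample: a hand-built ELF64 header followed by two embedded strings.
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # e_ident: ELF64, little-endian
    + struct.pack("<HHIQ", 2, 0x3E, 1, 0x401000)  # executable, x86-64, entry point
    + bytes(32)                                   # remaining header bytes zeroed
    + b"Enter password:\x00\x01\x02Access granted\x00"
)

if __name__ == "__main__":
    print(parse_elf_header(SAMPLE))
    print(printable_strings(SAMPLE))
```

To try it on a real binary, pass the file's bytes (for example `open(path, "rb").read()`) to both functions.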

What's next?

This was just a real quick article to get you started, but to really learn reverse engineering and how to use these tools you should check out the following resources:

  • Read the GDB manpages and look at http://www.gdbtutorial.com/ for a good introduction to it.
  • Stacksmashing on YouTube has some great videos on how to use Ghidra, just watch whatever looks interesting to you.
  • The following video gives a great overview of reverse engineering. The creator uses a different, more complicated tool, but you can still learn a lot from it.

 

Thank you for reading and I wish you a lot of fun while trying the things you learned.

Stay curious and feel free to comment any questions or feedback.


Cyber Security Essentials

In this blog I go through what you need to know to get started with hacking, playing CTFs and learning information security. I explain the required concepts in an easy manner and point to good resources that you might want to check out in order to dive deeper into the topics.
