Self-Learning Reverse Engineering in 2022

LiveOverflow · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates self-learning reverse engineering techniques using tools like Godbolt and Decompiler Explorer, and discusses the importance of understanding assembly code and binary analysis in cybersecurity.

Full Transcript

how would i learn reverse engineering in 2022 to learn anything you need to practice and spending time on something always trumps looking for the best tutorial or tool just get started but there's one thing i believe that really really helps especially when you get started so let me show you [Music] back in 2016 i worked on my binary exploitation playlist and of course before we can go into buffer overflows and other memory corruption exploits i had to provide a quick intro to programming and assembly we somehow need to understand how computers work in order to attack them and especially episode hex10 reverse engineering c programs i show a technique that i find invaluable and that is simply comparing the source code to the assembly code that is generated this video was mostly about comparing 32-bit and 64-bit but more generally this is about the process how you can figure stuff out for yourself you know they're kind of like two ways how to do tutorials one kind just tells you the facts teacher center teaching but the much more effective technique is one where the students themselves research and discover a topic so here for example i wrote a basic c program and then compiled it in 32-bit and 64-bit and then we looked at the assembly code and we can simply look at how the c-code translates to the different assembly code but not only do we learn about how c code looks in assembly we automatically also learn how to do reverse engineering for example here i'm creating an integer a with the value hex1234 and we can see that in the assembly code as well so we have here a move instruction that moves the recognizable value hex one two three four into a memory location relative to the stack in 64 bit at a negative offset from the base pointer and in 32bit at a positive offset from the stack pointer so by simply playing around like this you can learn reverse engineering try to remember that a line like this probably means in the c code you created a variable and this process i think is very powerful so now let me show you two amazing tools that make this process even more playful and effective let's start with godbolt.org the compiler explorer so on the left side you can put for example c code and on the right you can see the assembly code generated by various compilers so let me paste in one of the example codes i used in my binary exploitation playlist a very basic license key check see how amazing this is so let's make sure we have c code selected and we can see we use the gcc compiler version 12 to compile it hovering over the lines also shows you which c line is responsible for what assembly code hovering over the function name and parameters we can see that all of this is just junk code it's just function setup code so if you want to reverse engineer the actual algorithm you know code like this maybe not that important the first actual line of code is the comparison if rxc is 2 and here's how that is implemented in assembly the word pointer might be confusing ignore dword and pointer but these brackets are important this means it's referencing a memory area and the value inside is the address imagine it kind of like the memory of a computer being a huge array then to access a value in the array we have this index and the index is calculated from rbp the base pointer register this contains an absolute address but it takes an offset from that minus 36. so it compares that memory value with the value 2. and then we have a jump not equal so either the code continues here or we jump to l2 which is all the way at the bottom if we pass this check we go into the if case and we have a printf and now we can also see here how the function call to printf is prepared specifically how are the parameters passed to printf and at the end we can see a call to printf so the cpu will now jump to the printer function implementation but the arguments are prepared before it one argument is for example the print format string itself checking license and it's here moved into edi so now we know on 64-bit if we call a function the first parameter is probably going to be loaded into edi or rdi so next time you see a call look at the assembly before and if you see a move into rdi it's probably the first parameter of the function anyway you can spend hours on here just looking at how the different c code is looking at assembly and it's really really valuable but it can do even more we can add another compiler here for example an arm compiler this was just intel assembly but nowadays more and more devices run on arm for example mobile phones or the new macbooks so maybe it's time to learn some arm assembly and if you are already familiar with intel assembly you can use this to learn how to read arm and you don't even need any arm specific tutorial just look at the comparison this space is a bit limited on a small screen like this so make sure to use this on a bigger monitor but look at for example the comparison if rxe equal to so apparently arm cannot do a direct comparison of the memory area instead we load rxc from the memory into the r3 register and then we compare r3 to the value 2. and then we have a branch not equal which is equivalent to the jump not equal another tip is to look at not only the assembly but the actual binary being created so here in the compiler settings you can enable compile to binary and now you can see the actual binary code that corresponds to each instruction and now all the jumps are not based on these assembly labels but have actual function names and offsets and addresses and also the printf call we can see now the actual address of the printf format string being moved into the edi register but we can do so much more let's look at the impact of the o3 compiler option this enables aggressive optimization in gcc and look at the result the complete function setup part is now missing the compiler realized it doesn't really need it also remember how we learned earlier that the first parameter to a function is passed in edi or rdi well main is also a function so the value of rxc is of course in rdi and in the non-optimized assembly we can see that at the start of the function edi is moved into this local variable location on the stack and then that location is used to compare against the value 2. but of course this can be optimized we can just directly compare edi to the value 2. it's amazing how much you can learn just from playing around with this but the real reason why i want to make this video is because of another tool that was just released by vector35 and hex-rays they are the developers of binary ninja and ida pro to get the tool you have to reverse engineer got bald it's a bit tricky but what you have to do is take these three letters g o d and then reverse them to d o g there we go dog bolt the decompiler explorer it's kind of similar in the sense that you can compare different decompilers and here you really need a bigger monitor but we can select here a ctf challenge example from the samples and look at the different output binary ninja gita and x-rays produce and a few other tools so let's go to the main and have a look all three tools decompile the same ctf challenge binary sometimes these decompile outputs are a bit hard to read but again you can learn here how to read this code and if a line is confusing to you you can also check what other tools did for example as a beginner this call to stack check fail might be confusing what does that do but it's missing an ida's output this kind of makes sense because this function is actually part of an exploit mitigation stack canneries so to reverse engineer this function it's not really useful to see and ida nicely hides it on the other hand maybe you want to see it it all depends on the use case but i'm sure there's a setting in full ida pro to make this show up as well anyway we can see that the code calls fgets so the user can enter a string and then it is in this variable and then we call encrypt and if the output of encrypt is true so not zero then we call print flag and here is the encryption function ida again produces a pretty beautiful minimal decompile output and binary ninja kinda looks scary but you can also just clean it up by hand and remove these type cards and then it will be pretty similar anyway i'm too lazy to solve this challenge now so i leave it as an exercise to you but i hope you agree both these tools are really amazing especially when you are just starting out it's also awesome for basic ctf challenges big shout out to those companies creating such a free tool this video is not sponsored by the way i just think this is extremely useful i hope this helps you learning reverse engineering in 2022 [Music] you

Original Description

There exist some awesome tools nowadays to accelerate your self-education for reverse engineering. godbolt and dogbolt are amazing to quickly learn basic assembly and reversing. Compiler Explorer: https://godbolt.org/ Decompiler Explorer: https://dogbolt.org/ C code example: https://github.com/LiveOverflow/liveoverflow_youtube/blob/master/0x05_simple_crackme_intro_assembler/license_1.c Introducing Decompiler Explorer - https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html 00:00 - Intro 00:23 - Motivation 01:00 - How to c? 02:11 - godbolt Basic Usage 03:40 - Function Call on x64 04:30 - Intel vs ARM assembly 05:22 - godbolt Compiler Options 05:50 - Enable gcc O3 Compiler Optimization 06:35 - Decompiler Explorer dogbolt 07:16 - Comparing Decompiled main() 08:25 - Outro -=[ ❤️ Support ]=- → per Video: https://www.patreon.com/join/liveoverflow → per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join -=[ 🐕 Social ]=- → Twitter: https://twitter.com/LiveOverflow/ → Instagram: https://instagram.com/LiveOverflow/ → Blog: https://liveoverflow.com/ → Subreddit: https://www.reddit.com/r/LiveOverflow/ → Facebook: https://www.facebook.com/LiveOverflow/
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from LiveOverflow · LiveOverflow · 0 of 60

← Previous Next →
1 LiveOverflow - Trailer
LiveOverflow - Trailer
LiveOverflow
2 Introduction to Linux - Installation and the Terminal - bin 0x01
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
3 Writing a simple Program in C
Writing a simple Program in C
LiveOverflow
4 Writing a simple Program in Python - bin 0x03
Writing a simple Program in Python - bin 0x03
LiveOverflow
5 Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
6 Reversing and Cracking first simple Program - bin 0x05
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
7 Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
8 ROP with a very small stack - 32C3CTF teufel (pwnable 200)
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
9 Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
10 Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
11 Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
12 Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
13 Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
14 First Stack Buffer Overflow to modify Variable - bin 0x0C
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
15 First Exploit! Buffer Overflow with Shellcode - bin 0x0E
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
16 Buffer Overflows can Redirect Program Execution - bin 0x0D
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
17 Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
18 Reverse engineering C programs (64bit vs 32bit) - bin 0x10
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
19 pwnable.kr - Levels: fd, collision, bof, flag
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
20 Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
21 Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
22 Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
23 Live Hacking - Internetwache CTF 2016 - web50, web60, web80
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
24 Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
25 A simple Format String exploit example - bin 0x11
A simple Format String exploit example - bin 0x11
LiveOverflow
26 NEW VIDEOS ARE COMING - loopback 0x00
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
27 HTML + CSS + JavaScript introduction - web 0x00
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
28 The HTTP Protocol: GET /test.html - web 0x01
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
29 Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
30 What is PHP and why is XSS so common there? - web 0x02
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
31 Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
32 Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
33 Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
34 XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
35 Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
36 New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
37 The Heap: what does malloc() do? - bin 0x14
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
38 The Heap: How to exploit a Heap Overflow - bin 0x15
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
39 Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
40 Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
41 Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
42 Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
43 Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
44 Explaining Dirty COW local root exploit - CVE-2016-5195
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
45 What is CTF? An introduction to security Capture The Flag competitions
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
46 The Heap: How do use-after-free exploits work? - bin 0x16
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
47 The Browser is a very Confused Deputy - web 0x05
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
48 The Heap: Once upon a free() - bin 0x17
The Heap: Once upon a free() - bin 0x17
LiveOverflow
49 Simple reversing challenge and gaming the system - BruCON CTF part 1
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
50 int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
51 The Heap: dlmalloc unlink() exploit - bin 0x18
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
52 MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
53 TCP Protocol introduction - bin 0x1A
TCP Protocol introduction - bin 0x1A
LiveOverflow
54 Socket programming in python and Integer Overflow - bin 0x1B
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
55 Linux signals and core dumps - bin 0x1C
Linux signals and core dumps - bin 0x1C
LiveOverflow
56 [Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
57 Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
58 Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
59 How to learn hacking? ft. Rubber Ducky
How to learn hacking? ft. Rubber Ducky
LiveOverflow
60 Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow

This video teaches self-learning reverse engineering techniques using online tools and discusses the importance of understanding assembly code and binary analysis in cybersecurity. It covers topics such as comparing source code to assembly code, using Godbolt and Decompiler Explorer, and analyzing binary code with binary ninja and ida pro.

Key Takeaways
  1. Compare source code to assembly code using Godbolt
  2. Explore compiler-generated assembly code
  3. Play around with c code and assembly code to learn reverse engineering
  4. Use Decompiler Explorer to compare decompiler outputs
  5. Analyze binary code with binary ninja and ida pro
  6. Implement exploit mitigation techniques
  7. Use reverse engineering for defense
💡 Understanding assembly code and binary analysis is crucial for reverse engineering and cybersecurity, and using online tools like Godbolt and Decompiler Explorer can accelerate self-education in these areas.

Related Reads

📰
NGINX Abuse Guard Module: Auto-Ban Scanners and Bots
Learn to auto-ban scanners and bots using the NGINX Abuse Guard Module to improve server security
Dev.to · Danila Vershinin
📰
I built a self-hosted one-time secrets service in Node — here's the threat model
Learn how to build a self-hosted one-time secrets service in Node and understand its threat model, crucial for secure data sharing
Dev.to · Walter White
📰
I built a tamper-evident record log in Go using nothing but SHA-256 and a hash chain
Learn how to build a tamper-evident record log in Go using SHA-256 and a hash chain, and understand the importance of data integrity
Dev.to · Kevin Nambubbi
📰
wp2shell: how a route confusion + a reachable SQLi become pre-auth RCE in WordPress core
Learn how a route confusion and a reachable SQLi vulnerability can be combined to achieve pre-auth RCE in WordPress core
Dev.to · Maxime LeTheoricien

Chapters (11)

Intro
0:23 Motivation
1:00 How to c?
2:11 godbolt Basic Usage
3:40 Function Call on x64
4:30 Intel vs ARM assembly
5:22 godbolt Compiler Options
5:50 Enable gcc O3 Compiler Optimization
6:35 Decompiler Explorer dogbolt
7:16 Comparing Decompiled main()
8:25 Outro
Up next
Best VPN for Mac 2026 — Top 3 Tested and Which ONE Wins
Tutorial Stack
Watch →