Self-Learning Reverse Engineering in 2022
Key Takeaways
The video demonstrates self-learning reverse engineering techniques using tools like Godbolt and Decompiler Explorer, and discusses the importance of understanding assembly code and binary analysis in cybersecurity.
Full Transcript
how would i learn reverse engineering in 2022 to learn anything you need to practice and spending time on something always trumps looking for the best tutorial or tool just get started but there's one thing i believe that really really helps especially when you get started so let me show you [Music] back in 2016 i worked on my binary exploitation playlist and of course before we can go into buffer overflows and other memory corruption exploits i had to provide a quick intro to programming and assembly we somehow need to understand how computers work in order to attack them and especially episode hex10 reverse engineering c programs i show a technique that i find invaluable and that is simply comparing the source code to the assembly code that is generated this video was mostly about comparing 32-bit and 64-bit but more generally this is about the process how you can figure stuff out for yourself you know they're kind of like two ways how to do tutorials one kind just tells you the facts teacher center teaching but the much more effective technique is one where the students themselves research and discover a topic so here for example i wrote a basic c program and then compiled it in 32-bit and 64-bit and then we looked at the assembly code and we can simply look at how the c-code translates to the different assembly code but not only do we learn about how c code looks in assembly we automatically also learn how to do reverse engineering for example here i'm creating an integer a with the value hex1234 and we can see that in the assembly code as well so we have here a move instruction that moves the recognizable value hex one two three four into a memory location relative to the stack in 64 bit at a negative offset from the base pointer and in 32bit at a positive offset from the stack pointer so by simply playing around like this you can learn reverse engineering try to remember that a line like this probably means in the c code you created a variable and this process i think is very powerful so now let me show you two amazing tools that make this process even more playful and effective let's start with godbolt.org the compiler explorer so on the left side you can put for example c code and on the right you can see the assembly code generated by various compilers so let me paste in one of the example codes i used in my binary exploitation playlist a very basic license key check see how amazing this is so let's make sure we have c code selected and we can see we use the gcc compiler version 12 to compile it hovering over the lines also shows you which c line is responsible for what assembly code hovering over the function name and parameters we can see that all of this is just junk code it's just function setup code so if you want to reverse engineer the actual algorithm you know code like this maybe not that important the first actual line of code is the comparison if rxc is 2 and here's how that is implemented in assembly the word pointer might be confusing ignore dword and pointer but these brackets are important this means it's referencing a memory area and the value inside is the address imagine it kind of like the memory of a computer being a huge array then to access a value in the array we have this index and the index is calculated from rbp the base pointer register this contains an absolute address but it takes an offset from that minus 36. so it compares that memory value with the value 2. and then we have a jump not equal so either the code continues here or we jump to l2 which is all the way at the bottom if we pass this check we go into the if case and we have a printf and now we can also see here how the function call to printf is prepared specifically how are the parameters passed to printf and at the end we can see a call to printf so the cpu will now jump to the printer function implementation but the arguments are prepared before it one argument is for example the print format string itself checking license and it's here moved into edi so now we know on 64-bit if we call a function the first parameter is probably going to be loaded into edi or rdi so next time you see a call look at the assembly before and if you see a move into rdi it's probably the first parameter of the function anyway you can spend hours on here just looking at how the different c code is looking at assembly and it's really really valuable but it can do even more we can add another compiler here for example an arm compiler this was just intel assembly but nowadays more and more devices run on arm for example mobile phones or the new macbooks so maybe it's time to learn some arm assembly and if you are already familiar with intel assembly you can use this to learn how to read arm and you don't even need any arm specific tutorial just look at the comparison this space is a bit limited on a small screen like this so make sure to use this on a bigger monitor but look at for example the comparison if rxe equal to so apparently arm cannot do a direct comparison of the memory area instead we load rxc from the memory into the r3 register and then we compare r3 to the value 2. and then we have a branch not equal which is equivalent to the jump not equal another tip is to look at not only the assembly but the actual binary being created so here in the compiler settings you can enable compile to binary and now you can see the actual binary code that corresponds to each instruction and now all the jumps are not based on these assembly labels but have actual function names and offsets and addresses and also the printf call we can see now the actual address of the printf format string being moved into the edi register but we can do so much more let's look at the impact of the o3 compiler option this enables aggressive optimization in gcc and look at the result the complete function setup part is now missing the compiler realized it doesn't really need it also remember how we learned earlier that the first parameter to a function is passed in edi or rdi well main is also a function so the value of rxc is of course in rdi and in the non-optimized assembly we can see that at the start of the function edi is moved into this local variable location on the stack and then that location is used to compare against the value 2. but of course this can be optimized we can just directly compare edi to the value 2. it's amazing how much you can learn just from playing around with this but the real reason why i want to make this video is because of another tool that was just released by vector35 and hex-rays they are the developers of binary ninja and ida pro to get the tool you have to reverse engineer got bald it's a bit tricky but what you have to do is take these three letters g o d and then reverse them to d o g there we go dog bolt the decompiler explorer it's kind of similar in the sense that you can compare different decompilers and here you really need a bigger monitor but we can select here a ctf challenge example from the samples and look at the different output binary ninja gita and x-rays produce and a few other tools so let's go to the main and have a look all three tools decompile the same ctf challenge binary sometimes these decompile outputs are a bit hard to read but again you can learn here how to read this code and if a line is confusing to you you can also check what other tools did for example as a beginner this call to stack check fail might be confusing what does that do but it's missing an ida's output this kind of makes sense because this function is actually part of an exploit mitigation stack canneries so to reverse engineer this function it's not really useful to see and ida nicely hides it on the other hand maybe you want to see it it all depends on the use case but i'm sure there's a setting in full ida pro to make this show up as well anyway we can see that the code calls fgets so the user can enter a string and then it is in this variable and then we call encrypt and if the output of encrypt is true so not zero then we call print flag and here is the encryption function ida again produces a pretty beautiful minimal decompile output and binary ninja kinda looks scary but you can also just clean it up by hand and remove these type cards and then it will be pretty similar anyway i'm too lazy to solve this challenge now so i leave it as an exercise to you but i hope you agree both these tools are really amazing especially when you are just starting out it's also awesome for basic ctf challenges big shout out to those companies creating such a free tool this video is not sponsored by the way i just think this is extremely useful i hope this helps you learning reverse engineering in 2022 [Music] you
Original Description
There exist some awesome tools nowadays to accelerate your self-education for reverse engineering. godbolt and dogbolt are amazing to quickly learn basic assembly and reversing.
Compiler Explorer: https://godbolt.org/
Decompiler Explorer: https://dogbolt.org/
C code example: https://github.com/LiveOverflow/liveoverflow_youtube/blob/master/0x05_simple_crackme_intro_assembler/license_1.c
Introducing Decompiler Explorer - https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html
00:00 - Intro
00:23 - Motivation
01:00 - How to c?
02:11 - godbolt Basic Usage
03:40 - Function Call on x64
04:30 - Intel vs ARM assembly
05:22 - godbolt Compiler Options
05:50 - Enable gcc O3 Compiler Optimization
06:35 - Decompiler Explorer dogbolt
07:16 - Comparing Decompiled main()
08:25 - Outro
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
NGINX Abuse Guard Module: Auto-Ban Scanners and Bots
Dev.to · Danila Vershinin
I built a self-hosted one-time secrets service in Node — here's the threat model
Dev.to · Walter White
I built a tamper-evident record log in Go using nothing but SHA-256 and a hash chain
Dev.to · Kevin Nambubbi
wp2shell: how a route confusion + a reachable SQLi become pre-auth RCE in WordPress core
Dev.to · Maxime LeTheoricien
Chapters (11)
Intro
0:23
Motivation
1:00
How to c?
2:11
godbolt Basic Usage
3:40
Function Call on x64
4:30
Intel vs ARM assembly
5:22
godbolt Compiler Options
5:50
Enable gcc O3 Compiler Optimization
6:35
Decompiler Explorer dogbolt
7:16
Comparing Decompiled main()
8:25
Outro
🎓
Tutor Explanation
DeepCamp AI