Reverse Engineering
When to Activate
- Analyzing compiled binaries for vulnerabilities
- Understanding proprietary protocols or file formats
- Malware analysis and unpacking
- Firmware extraction and analysis
- Bypassing anti-debugging/anti-tampering protections
- CTF binary challenges
- Patch diffing to find 1-day vulnerabilities
Static Analysis
Initial Triage
# File identification
file target_binary
rabin2 -I target_binary # binary info (arch, bits, endian, protections)
# Strings extraction
strings -n 8 target_binary | grep -iE '(password|key|secret|flag|http|/bin)'
rabin2 -z target_binary # strings with addresses
rabin2 -zz target_binary # all strings including wide
# Imports/Exports
rabin2 -i target_binary # imports
rabin2 -E target_binary # exports
objdump -T target_binary # dynamic symbols
# Security mitigations
checksec --file=target_binary
# RELRO, Stack Canary, NX, PIE, FORTIFY
Disassembly & Decompilation
# Ghidra headless analysis
analyzeHeadless /tmp/ghidra_project proj -import target_binary \
-postScript ExportDecompilation.java -scriptPath /scripts/
# radare2 analysis
r2 -A target_binary
> afl # list functions
> axt @sym.target_func # xrefs to function
> pdf @main # disassemble function
> VV @main # visual graph mode
> afn new_name @addr # rename function
# IDA (via MCP or IDAPython)
# Decompile function, rename variables, set types
# Cross-references: xrefs_to(addr), xrefs_from(addr)
Pattern Recognition
# Common vulnerability patterns in disassembly:
# - strcpy/sprintf without bounds → buffer overflow
# - malloc(user_controlled_size) → integer overflow
# - free() followed by use → UAF
# - system()/exec() with user data → command injection
# - Custom crypto (XOR loops, fixed keys) → weak encryption
Dynamic Analysis
Debugging
# GDB with pwndbg/GEF
gdb -q ./target
> break *main
> run
> vmmap # memory layout
> heap # heap state
> telescope $rsp 20 # stack inspection
> search-pattern "AAAA" # find pattern in memory
# Conditional breakpoints
> break *0x401234 if $rax == 0x41414141
> commands
> x/s $rdi
> continue
> end
# Anti-debug bypass
> catch syscall ptrace
> commands
> set $rax = 0
> continue
> end
Frida Instrumentation
// Hook function and modify behavior
Interceptor.attach(Module.findExportByName(null, "strcmp"), {
onEnter: function(args) {
console.log("strcmp(" + args[0].readUtf8String() + ", " + args[1].readUtf8String() + ")");
},
onLeave: function(retval) {
retval.replace(0); // force match
}
});
// Bypass SSL pinning (Android)
Java.perform(function() {
var TrustManager = Java.use('com.android.org.conscrypt.TrustManagerImpl');
TrustManager.verifyChain.implementation = function() {
return arguments[0];
};
});
// Trace all JNI calls
Java.perform(function() {
var System = Java.use('java.lang.System');
System.loadLibrary.implementation = function(lib) {
console.log("Loading: " + lib);
this.loadLibrary(lib);
};
});
Symbolic Execution
import angr, claripy
proj = angr.Project('./target', auto_load_libs=False)
state = proj.factory.entry_state()
# Symbolic input
sym_input = claripy.BVS('input', 8 * 32)
state.memory.store(input_addr, sym_input)
# Explore to find path to target
simgr = proj.factory.simulation_manager(state)
simgr.explore(find=target_addr, avoid=avoid_addrs)
if simgr.found:
solution = simgr.found[0].solver.eval(sym_input, cast_to=bytes)
print(f"Input: {solution}")
Firmware Analysis
# Extraction
binwalk -e firmware.bin
# Filesystem extraction
binwalk --dd='.*' firmware.bin
unsquashfs squashfs-root.img
# Identify architecture
file extracted_binary
readelf -h extracted_binary
# Emulation
qemu-system-arm -M versatilepb -kernel zImage -dtb vexpress.dtb -drive file=rootfs.img
# Common targets in firmware:
# - /etc/shadow, /etc/passwd (hardcoded creds)
# - Web server configs (lighttpd, uhttpd)
# - init scripts (startup services)
# - Proprietary binaries (custom protocols)
# - Certificate/key files
Anti-Reversing Bypass
| Technique | Bypass |
|---|
| IsDebuggerPresent | Patch return value, hook API |
| ptrace(PTRACE_TRACEME) | LD_PRELOAD hook, patch syscall |
| Timing checks (rdtsc) | Patch comparison, single-step with HW breakpoints |
| Self-modifying code | Dump after unpacking, trace execution |
| VM detection | Patch CPUID, hide VM artifacts |
| Obfuscation (OLLVM) | Symbolic execution, pattern matching, devirtualization |
| Packed binaries | Run until OEP, dump from memory |
| Anti-disassembly | Fix control flow, NOP junk bytes |
Patch Diffing (1-day Research)
# BinDiff / Diaphora workflow:
# 1. Get vulnerable version and patched version
# 2. Generate IDB/BinExport for both
# 3. Diff — focus on changed functions
# 4. Analyze what was fixed → understand the vulnerability
# 5. Write exploit for the pre-patch version
# Key indicators in patches:
# - Added bounds checks → buffer overflow
# - Added NULL checks → null deref / UAF
# - Changed comparison logic → auth bypass
# - Added sanitization → injection
# - Changed allocation size → heap overflow
Advanced: Firmware Analysis (UEFI/BIOS)
UEFI Extraction & Analysis
# Extract UEFI firmware
UEFIExtract firmware.bin # Extracts all volumes, sections, files
# Or: uefi-firmware-parser -e firmware.bin
# Identify DXE drivers (most attack surface)
# DXE drivers run with full hardware access before OS loads
# Vulnerable DXE driver = persistent pre-OS implant
# Common UEFI vulnerability classes:
# - SMM (System Management Mode) callout → ring -2 code execution
# - DXE driver buffer overflow → persistent implant
# - Secure Boot bypass → load unsigned bootloader
# - Variable overflow (NVRAM) → code execution in PEI/DXE phase
# Analyze with Ghidra:
# Load as PE/TE binary, set base address from volume header
# Look for: EFI_BOOT_SERVICES, EFI_RUNTIME_SERVICES calls
# Focus on: SMI handlers (SW SMI dispatch), variable access
Secure Boot Bypass Research
# Secure Boot chain: UEFI → shim → GRUB → kernel
# Attack points:
# 1. Vulnerable signed bootloader (BlackLotus technique)
# - Find old signed bootloader with known vulnerability
# - Not yet revoked in DBX (Secure Boot blacklist)
# - Use it to load unsigned code
# 2. GRUB vulnerabilities (BootHole, CVE-2020-10713)
# - Buffer overflow in GRUB config parsing
# - Craft malicious grub.cfg → code execution before kernel
# 3. Shim vulnerabilities
# - Bypass signature verification in shim loader
# - Load arbitrary EFI binary
# Check revocation status:
# Parse DBX (Forbidden Signatures Database) from NVRAM
# Compare against known-vulnerable bootloader hashes
Advanced: De-obfuscation Techniques
Control Flow Flattening (OLLVM)
# OLLVM flattens control flow into a switch-based dispatcher:
# Original: if/else/loops → Flattened: while(1) { switch(state) { ... } }
#
# De-flattening approach:
# 1. Identify dispatcher (switch variable, state assignments)
# 2. Trace state transitions for each case
# 3. Reconstruct original control flow graph
# 4. Tools: D-810 (IDA plugin), SATURN, deflat.py
# Symbolic execution for de-obfuscation:
import angr
def deobfuscate_cfg(binary, func_addr):
proj = angr.Project(binary, auto_load_libs=False)
cfg = proj.analyses.CFGFast()
func = cfg.functions[func_addr]
# Identify dispatcher block (highest in-degree)
dispatcher = max(func.blocks, key=lambda b: len(list(func.graph.predecessors(b))))
# For each state value, trace execution to find real successor
# Build de-obfuscated CFG from state transitions
String Deobfuscation (Automated)
# Common patterns:
# 1. XOR with key: for(i=0;i<len;i++) str[i] ^= key[i%keylen]
# 2. Stack strings: mov [rsp+0], 'H'; mov [rsp
