Reverse Engineering: Getting Started

Totally_Not_A_Haxxer
17 min read · Sep 17, 2023


Reverse Engineering | Introduction && Desc

A ton of my articles, as most of you have seen, jump directly into RE. But some people mentioned that I should do one small introduction to RE, an article that talks about getting started in RE, what RE is exactly, why someone should get into it and so on. So, here we are. I have also recently been doing RE classes in other Discord servers, and this has sparked something I felt was needed that I do not go over in my classes. This article will basically be that mini guide to getting started in RE and won't be super complex! So without further ado, let's get into this short, short module O_O!

Reverse Engineering | A Slow and Steady Start

Before we get started, I would like to get some very basic terms out of the way that are used throughout this article. This may act as a decent guide if you are new to this world and may not yet understand even the simplest details and names.

  • Ghidra: A free and open source reverse engineering suite (disassembler, decompiler and scripting) developed by the National Security Agency (NSA) of the United States.
  • IDA: The Interactive Disassembler from Hex-Rays, a commercial disassembler and debugger (with an optional decompiler) and the other common choice for reversing binaries; its signatures, plugins and analysis features let reverse engineers work through binary applications efficiently.
  • RE: Reverse engineering, the act of working out the internal functionality of an application, system, protocol, file format, etc. from the finished artifact rather than from its source or documentation.
  • Code Obfuscation: Transforming source or machine code so that it is difficult for humans (and automated analysis tools) to understand while it still behaves the same when run.
  • Static Analysis: Analyzing an application without running it, usually by disassembling or decompiling the binary in a framework such as Ghidra or IDA and reading the resulting code.
  • Dynamic Analysis: Analyzing an application while it runs, for example under a debugger or with instrumentation, and trying to trigger specific behaviour from the outside. This can be as simple as executing the program and feeding it a series of inputs while watching what it does.

Reverse Engineering | A Slow and Steady Start

This section is broken up into a few major points. Since I am trying to keep this article lightweight, let's make a few good solid points. I found the introduction a bit weird, but I hope you find it helpful. Below I have listed all of the sections.

  • Reverse Engineering | For Starters : A section about how scary RE can seem when in reality it is seriously not that hard.
  • Reverse Engineering | Why? : A section about why RE is important, real world experiences and where someone like you might find use for it.
  • Reverse Engineering | Real World Problems : A section about the real world problems you will face outside of your practice in RE and what to expect in today's world of security.
  • Reverse Engineering | Conclusion && Summary: A section that concludes this article and wraps up everything we talked about.
  • Reverse Engineering | Ending Note: A section that provides some basic resources for your research and talks a little about me so you know who I am for further / future reading!

Reverse Engineering | For Starters

For starters, it's important to know that RE is a long road and covers a ton of information. Many people find that RE is one of those fields you can never fully master, and that is true. Like technology as a whole, this field is constantly growing: for every protection there is a bypass, and for every new data type there is a new branch of it with 300 different use cases. Still, despite RE looking intimidating to many beginners, it really isn't. Think of it like mathematics. Many people hop into linear algebra, get scared and start procrastinating, or look at calculus and overwork themselves, when in reality it is much simpler than we make it. If you can learn something as demanding as computer science or mathematics without stressing yourself out, you should be able to slide into RE just fine. The thing is that no matter how hard you try your brain will overcomplicate it, but I can assure you there are ways to ease that pressure going in.

I put off RE for so long, stuck in the development world mashing it together with the bare basics of cyber security, procrastinating hard and never understanding why. One night I came across a video about converting assembly into raw machine code, and honestly, after that video I figured out that assembly is just one giant branch of logical conditions and basic memory operations. Once you understand that instructions such as jump are just ways of expressing conditionals (a jump that depends on the flags set by an earlier cmp or test is an if, and a backwards jump is a loop) and you tell your brain to read code in that more mechanical format, the road is already easier than you thought. The same thing will happen with RE: when you step into IDA for the first time knowing what you are trying to do, everything will slap into place.

You might still have some trouble understanding things, but a major misconception about RE is that it is extremely hard unless you have mastered programming or mathematics, like the people who say you cannot program in Haskell unless you're a mathematician; it's a dumb and out-of-date statement. Starting with assembly can, if anything, be easier than starting with a language like C. Languages like C are human readable and close to English, and while they implement logical conditions and basic arithmetic, they hide the "theory" of what the machine actually does. Theory will be your best friend here, and now is the perfect time to say so. A note on terms: "assembly" is not one language but a family of them, one per architecture (x86, x86-64, ARM and so on), each sitting as close to the raw CPU instructions as you can get while still keeping mnemonics and labels for conditions and branches; the "assembler" is the tool that turns that text into machine code. Whichever flavour you choose, you will notice during your studies that most of it fits together easily. Sure, you may not know what the whole application is doing, but in RE it becomes helpful when you need to understand what specific segments are doing directly. For example, say we have an application open in a debugger and we see this in the CPU tab:

0040128A | 0B C0          | or eax,eax          |
0040128C | EB 00          | jmp crackme.40128E  |
0040128E | 6A 40          | push 40             |
00401290 | 68 0C634000    | push crackme.40630C | 40630C:"Good boy..."
00401295 | 68 DD624000    | push crackme.4062DD | 4062DD:"Yep, thats the right code!\n\rGo write a keygen!"

We can read this straight off the listing. The or eax,eax ORs the register with itself, which leaves eax unchanged and only updates the flags (it is a common way of testing whether eax is zero). The jmp at 0040128C has a displacement byte of 00, so its target 0040128E is simply the next instruction: it is not calling a function, it just falls through. Then push 40 puts the value 0x40 on the stack, followed by pointers to two strings, a short caption ("Good boy...") and a longer message. A flag followed by two string pointers is the usual argument setup for a Windows API call that shows a message box; whatever is called with those arguments sits just below the excerpt shown. Notice too that assembly works with a small, fixed set of registers like eax. Since the register set belongs to the architecture rather than to any one program, you do not have to learn a new vocabulary for every application, and instructions like cmp and jmp map directly onto the conditionals you already know from high-level code, which makes it easier for your brain to click on what a block of instructions is doing.
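
Here is an added example (my own code, not the article's or the crackme's) that turns the point above into something you can run: it hand-decodes the exact bytes from the listing, computes the jmp target from its displacement and reads the push immediates in little-endian order, which is the "assembly into raw machine code" idea from the previous section in the other direction. The decoder handles only the four opcodes that appear in the listing; the STRINGS table that reproduces the debugger's annotation and the helper names are assumptions for the demo.

```python
import struct

# The bytes and addresses are the ones the debugger listing shows.
BASE = 0x0040128A                                   # address of the first instruction
LISTING = bytes.fromhex("0BC0" "EB00" "6A40" "680C634000" "68DD624000")

# Constructed lookup so the decoder can reproduce the debugger's annotation.
STRINGS = {
    0x0040630C: "Good boy...",
    0x004062DD: "Yep, thats the right code!\\n\\rGo write a keygen!",
}

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, base):
    """Decode into (address, raw_bytes, text). Toy decoder: only the four
    opcodes in the listing are handled (OR r32,r/m32 = 0B /r, JMP rel8 = EB,
    PUSH imm8 = 6A, PUSH imm32 = 68); anything else raises."""
    insns = []
    pos = 0
    while pos < len(code):
        addr = base + pos
        op = code[pos]
        if op == 0x0B:
            # ModRM byte: mod (2 bits) | reg (3 bits) | r/m (3 bits); C0 = eax,eax
            modrm = code[pos + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 3:
                raise ValueError("memory operand at %08X not supported" % addr)
            text, size = "or %s,%s" % (REG32[reg], REG32[rm]), 2
        elif op == 0xEB:
            # Relative jump: target = address of the NEXT instruction + signed disp8
            disp = struct.unpack("<b", code[pos + 1:pos + 2])[0]
            target = (addr + 2 + disp) & 0xFFFFFFFF
            text, size = "jmp %08X" % target, 2
        elif op == 0x6A:
            # push imm8 is sign-extended to 32 bits before it lands on the stack
            imm = struct.unpack("<b", code[pos + 1:pos + 2])[0] & 0xFFFFFFFF
            text, size = "push %X" % imm, 2
        elif op == 0x68:
            # push imm32, stored little-endian: 0C 63 40 00 -> 0x0040630C
            imm = struct.unpack("<I", code[pos + 1:pos + 5])[0]
            text = "push %08X" % imm
            if imm in STRINGS:
                text += '  ; %X:"%s"' % (imm, STRINGS[imm])
            size = 5
        else:
            raise ValueError("unsupported opcode %02X at %08X" % (op, addr))
        insns.append((addr, code[pos:pos + size], text))
        pos += size
    return insns


def fallthrough_jumps(insns):
    """Addresses of jmps whose target is simply the next instruction."""
    return [addr for i, (addr, _, text) in enumerate(insns[:-1])
            if text.startswith("jmp ") and int(text[4:12], 16) == insns[i + 1][0]]


def pushed_immediates(insns):
    """Values pushed, in push order; the callee reads them back as its arguments."""
    return [int(text.split()[1], 16) for _, _, text in insns if text.startswith("push ")]


if __name__ == "__main__":
    insns = decode(LISTING, BASE)
    for addr, raw, text in insns:
        print("%08X | %-11s | %s" % (addr, raw.hex().upper(), text))
    print("fall-through jumps:", ["%08X" % a for a in fallthrough_jumps(insns)])
    print("pushed:", ["%X" % v for v in pushed_immediates(insns)])
```

Run it and you get the same five lines the debugger shows. fallthrough_jumps() reports 0040128C, confirming that the jmp's target is the instruction right after it (displacement 00), and pushed_immediates() returns 0x40, 0x40630C and 0x4062DD in the order they went onto the stack, which is the order the called function will see them as arguments. Change the displacement byte and the target moves with it; that is the whole mystery of "where does this jump go".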

Reverse Engineering | Why?

I have gotten this question more times than I can count, in various forms. Either way, it always ends in a "why": why RE exists, why someone should study it, why it is helpful, along with a million other questions. I am going to be blunt here: if you do not want to study RE, don't. If you feel there are other fields for you, then shoot! The galaxy is the limit; in other words, infinity, there is no limit. But if you do want to study reverse engineering, there are many real world examples where it comes in handy and plenty of jobs that exist for reverse engineers. You may notice that, compared to more typical cyber security roles, reverse engineering jobs can be harder to find, and that is okay! You just have to keep looking. Regardless, let's actually dive into a few areas where it is helpful.

  • Malware Analysis: One of the top jobs for reverse engineers is malware analysis. It is in demand because of the state of the world and of cyber security: most organizations need analysts who can reverse and understand the malware that is attacking their systems. It also pays well, because it is your job to actually understand what the malware is trying to do to the system and which files it may affect, and then report verified findings to the people who can turn them into antivirus signatures or detections that block that malware in the future.
  • Working With Legacy Systems: In some obscure cases, reverse engineering can help you understand undocumented legacy systems where there is not enough source code or even enough design documentation. Or maybe it is some weird plugin whose source code not everyone can just pull, or whose source has been lost. Reverse engineering can help you get a good grasp of that system and how to work with it!
  • Automotive Security: Behind the automotive security world lies the deeper side of a car: its computers. Every car today has some form of computer, whether it is a little module for checking the air conditioning or the one that controls the engine. On a more sophisticated level, automotive security researchers may need to dump the firmware from a vehicle's modules to understand how it works. Once they have that firmware, before they can document anything, they need very specific reverse engineering utilities and frameworks to dissect it from the inside out. This is a skill that seriously does help you in the real world.
  • Understanding Proprietary Systems: We have already talked about reverse engineering as a whole and made points that revolve around reverse engineering applications. But reverse engineering goes past applications! Sometimes a reverse engineer will not be working with an application at all and instead will need to reverse engineer part of a system, such as a protocol. Take a company like Apple as an example. When companies like that release new products, they end up relying on their own software, their own tools and frameworks, and even their own protocols. Apple's AirPlay streaming protocol, used by the Apple TV, was later reverse engineered by third parties. But how can someone reverse engineer a protocol? By capturing the traffic, documenting it, understanding its layers and message formats, reimplementing it, being able to abuse it and a million other things! So reverse engineering can be used to understand proprietary systems, right down to file formats.

In general, there are many other real world applications of reverse engineering, as it really is a skill more than an entire field of its own. I will end this section like this: reverse engineering is an extremely handy skillset to have, but not every field requires it. If your field does not require it, do not rush into it unless you absolutely need it! Even then, know that reverse engineering is a complex skill and it takes time, experience and a ton of patience!

Reverse Engineering | Real World Problems

When we practice some form of hacking or a field of security, we usually start with CTFs from platforms such as HTB and THM, but I will state this right off the bat: while CTFs are a great way to get started and practice, real world work is extremely different. The same holds for reverse engineering. Below I have listed and explained some interesting issues you will come across when reverse engineering systems, protocols, other parts of a device or even an application.

  • Code Obfuscation: If you do not know what this is, it is the act of hiding what code does using specific transformations, to put it lightly. Because of this, when you pop open a debugger or a framework such as IDA or Ghidra, the code will be hidden in some shape or form and will not read directly: strings are encoded and only decoded at runtime, control flow is rearranged or padded with junk, and the real code may only exist in memory after a packer has unpacked it. Some CTFs address this, and companies that host their own hackathons, like Google, do make an effort to apply it, but in the real world you will notice it is a lot harder to work around. In more complex scenarios such as malware, you will find much more intensive algorithms, packers and tooling that may be undocumented or not public at all. This is an issue reverse engineers run into often when they move from smaller CTFs to the real world, and it was something I struggled heavily with. It is just something to be aware of nonetheless.
  • Software Protection: In the modern world it is well known that specific programs and techniques are used not only to detect debuggers and analysis tools but also to shut them down. While CTFs do a good job of basic blocking techniques, they do not go full-scale and try to catch every framework a person might open or every tool someone might run on their system. From my experience, when running an application to perform dynamic and static analysis, specific lists of tools are going to be disallowed, such as opening or executing reverse engineering frameworks. A good example of this is when I was working to reverse engineer and crack someone's game exploit: they had embedded checks in the application that could prevent you from opening specific applications while it was running. The routine they used would basically check for a window name and then kill the process, or itself, and tell you there was a violation. Of course, this system was very weak because it only checked window names, whereas a more advanced system would check the threads and other signals to make sure it really is the tool it thinks it is before terminating it. In general, the primary point is that when reversing applications in the real world you may come across a ton of protection that prevents you from opening debuggers, process watchers and managers, reverse engineering frameworks, binary analysis frameworks and more! All of this mixed together can be frustrating to work with, but I promise you that with a little education this will not be that much of a problem for you in the future.
  • Hardware Protection: In extreme cases where you need to access or reverse engineer specific functions or firmware on hardware, you may come across a ton of physical protection that can not only deter a reverse engineer but stop them outright if they do not have enough knowledge. I did not cover this in the previous section, but hackers are also well known for reverse engineering and exploiting the hardware of systems in order to get at the firmware on the device. However, as with software, most vendors today cover up a lot: debug interfaces are hidden where only the developers know about them, extra silicon protection layers are added, more layers are added to the chip to cover up the more important parts, and so on. By now you should get where I am going. These methods are much harder to get around, so when you get into this realm, make sure you have a good base of knowledge on hardware and on bypassing things like debugging checks.
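
As an added example (my own code, not the article's), here is what the first of those problems, code obfuscation, looks like in practice at the smallest scale: a strings-style static scan over a constructed "binary" blob finds the import names, but only junk where the crackme message from the listing earlier sits, because that message was XOR-encoded with a single byte and is only ever decoded at runtime. A crib-based brute force then recovers both the key and the string. The blob layout, the 0x5A key, the crib and the function names are all assumptions for the demo.

```python
import re

KEY = 0x5A   # assumed key for the demo; real samples pick anything, often per string


def xor_bytes(data, key):
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


# Constructed "binary image": an import name, non-printable padding, the
# XOR-encoded crackme message from the listing earlier, NOP bytes, another import.
SECRET = b"Yep, thats the right code!\n\rGo write a keygen!\x00"
BLOB = (b"kernel32.dll\x00" + b"\xff" * 16 + xor_bytes(SECRET, KEY)
        + b"\x90" * 8 + b"MessageBoxA\x00")


def find_strings(data, min_len=6):
    """What a strings-style static scan sees: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_xor_string(data, crib):
    """Brute-force every single-byte key, looking for a known plaintext crib
    (here a common English fragment; in malware work ".dll", "http" or "cmd").
    Returns (key, printable run around the crib) for the first key that works,
    or None if no key produces the crib."""
    for key in range(1, 256):
        decoded = xor_bytes(data, key)
        idx = decoded.find(crib)
        if idx < 0:
            continue
        for m in re.finditer(rb"[\x20-\x7e]+", decoded):
            if m.start() <= idx < m.end():
                return key, m.group().decode("ascii")
    return None


if __name__ == "__main__":
    print("static scan sees :", find_strings(BLOB))
    print("xor brute-force  :", recover_xor_string(BLOB, b" the "))
```

The static scan still returns two long printable runs from the encoded region; they are junk, but a run of printable bytes with no recognizable words next to real import names is itself a hint that something is encoded there. The recovered run stops at the "\n\r" in the middle of the message, so the analyst sees the text as two pieces, exactly as the debugger's annotation splits it. Real samples use longer or rolling keys and decode strings only just before use, which is why this is usually confirmed dynamically: break after the decode routine and read the string out of memory.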

There are many more issues I could list, but those should give you a good set of information to think about other issues you may come across in this world and what it might bring you! Now we walk into a deeper section. Everyone asks this in some shape or form: what exactly comes with the legal side of reverse engineering? I am by no means a lawyer, but I will tell you this from my experience in the game cheating world (which primarily involves reverse engineering games and building exploits). There are many legal issues when you reverse engineer an application: if you release exploits for it a company may very well sue you, and if you go out and tackle someone's proprietary format they may also come after you. But it all comes down to this: while people can target you if they want to, that is only if they know you specifically reverse engineered and leaked information on their application. The issues are quite vague and there have not been many cases where people have been thrown in jail, but there are cases where people have been sued, like when Epic Games sued a 14-year-old for cheating in their game. Companies are companies; if they want to snatch you they will, so just be careful about how you do it and what you are targeting. By all means, do not do it unethically. If you reverse engineer an application, I strongly suggest you get permission from the owner, or build mock programs if you are trying to practice a technique. Now let's get you out of here and not stall so long!

Reverse Engineering | Ending This Article

I felt that this article should not be that long and that we should keep this one minimal, so it was good to end it where we left off. The world of reverse engineering is quite complex and very confusing to some people, but if you know where you're going, actually put the work in and take an interest in it, then you have nothing to worry about! Reverse engineering also has many different applications; it is used everywhere, in various fields, even when people may not realize it. So, what exactly is the ending note? I would like to mention that while this article got a little bit into it, we did not even scratch the surface; we are so far above the iceberg right now that we did not even get low enough to see it! That being said, this world is quite big and may seem scary at first, but once you get a good idea of where to go and settle into your field, you should be good to go!

Ending Note — Extra’s, Resources, Support, Thanks

Typically I don't like promoting stuff, but I figured it was worth a shot. This section provides basic information about me, some socials you can follow me on, how you can support me, and some resources that were used to build this article / module. Apparently my articles are so long that people are calling them "modules", so I will go with that for now hahaha! Below are some bullet points that showcase the extra sections.

  • Ending Note | About Me → Obviously, a section about me: who I am, why I am doing this, current projects, etc.
  • Ending Note | Thank You → A section thanking you for reading this article and explaining why I value community.
  • Ending Note | Ways To Support → A section on ways you can support me financially!
  • Ending Note | Where To Find Me → A section on where you can find me and how you can follow me.
  • Ending Note | Resources To Advance Your Knowledge → A section listing some basic resources to help you.

Below, the sections are listed and talked through!

Ending Note | About Me

Hello there nerd! My name is Ryan and I am commonly known as Totally_Not_A_Haxxer! I am a 16 year old security researcher and developer with quite a bit of experience, primarily in development (50+ languages, including working on my own), and I take a huge interest in automotive security! I write the articles I write, especially at this length, as well as books, because I believe that knowledge is for everyone and should not really be charged so much for. For example, I saw someone write a Golang tutorial that was like 10 hours of content and charged over 1K for it. I thought it was a complete waste of time, so I started my blog to not only do what they were doing but do it better and for free! I also have multiple education projects going on, such as $1 Courses, which are courses on various topics in tech or in general that get sold for a single buck! That is a small about me; you can find more, which we will get into in a second hahaha!

Ending Note | Thank You

I also want to thank you for reading the article and coming this far. I know these articles are extremely long and take a ton of time, but I hope they were worth it. I do try my best to put the time and effort into the articles by making sure I can actually help educate people and go deep into the topics I talk about, for free! So, if you have made it this far, I appreciate you giving the effort back by reading the article, and I hope it helped :D!

Ending Note | Ways To Support (Financially)

Currently I am not in the best situation with money and I do not have the funding to afford good equipment for security research, even something as basic as a laptop on which I could do remote work. That being said, I have always been one to say "I do what I do with passion, and I will stop at nothing to do so". Even though I do not have the resources, I always try my best to deal with what I have and do what I want to do with it. With this, I ask that if you can donate or have a little extra to spare, it will make my development, skills and more go much faster and also make me much more motivated to continue doing what I am doing! Below I have listed my CashApp and Venmo as well as crypto wallets!

  • Venmo:
  • CashApp:
  • BitCoin Address: bc1q45ctj3cwl8zr2qdw4xceukr58cdnayxuutymt8
  • Ethereum Address: 0x466BA936E2bdbEab74c8cd048CC43279fE712E54
  • USDC Address: 0x466BA936E2bdbEab74c8cd048CC43279fE712E54
  • Tether Address: 0x466BA936E2bdbEab74c8cd048CC43279fE712E54
  • XRP Address: r4s8FeyYCBHJQGJRGuDuPeM2YLMwRCZP4R

Ending Note | Where To Find Me

This sounds weird to say, but you can find me in a few places; social media is one of them. Below I have listed some links for where to find me, but I will say this: in Discord servers, communities and even other platforms, some people always ask me for links, and I can get tired of constantly pasting social media links on days when I have a bunch of stuff to do, especially since social media is not on my phone right now (working on a study / ghost month). SOOOO, that being said, Google is a good place to go: literally search "Totally_Not_A_Haxxer" and some of my socials should pop up. Plus, look at it this way, you get more OSINT experience.

  • Instagram: https://www.instagram.com/Totally_Not_A_Haxxer
  • Medium:
  • Blogger:
  • Hakin9 Articles / Research point: https://hakin9.org/external-understanding-dissecting-apis-inside-of-iot-devices-part-1/
  • GitHub:

Ending Note | Resources To Advance Your Knowledge

This article did not actually need many resources; none were needed to write it, since it was just a simple starter guide for reverse engineering. But I figured I would link some articles to get you started if you want or need them.


Totally_Not_A_Haxxer

Cyber Security Educator, Developer, Social media manager, Author, youth education, content creation, engineering, ui/ux, RE