Task 27, Day 21 Reverse engineering HELP ME…I’m REVERSE ENGINEERING!

Binaries are files compiled from source code. No matter the structure (Windows Portable Executable [PE] vs Linux Executable and Linkable Format [ELF]), all binaries will contain at least:

  • Code section: Section that contains the instructions the CPU with execute
  • Data section: Section that contains information like variables, resources, etc.
  • Import/Export tables: Tables that reference additional libraries used (imported) or exported by the binary. Binaries often rely on libraries to perform functions, like interacting with Windows API to manipulate files

Disassembly vs. Decompiling

Disassembly shows the low-level machine instructions the binary will perform (assembly). Tools like IDA, Ghidra, and GDB can use disassembly to show a detailed view of how the binary will interact with the system at what stage.

Decompiling converts the binary back to its high-level code (C++, C#, etc.) so it’s easier to read. This translation can lose information like variable names, though. Decomiling is useful if you want a high-level understanding of the applications flow. Key differences between the two options:

Comparison Disassembly Decompiling
Readability Requires knowing assembly and low-level knowledge of computing concepts Requires familiarity with programming and logic
Level of output Translated output is the exact instructions the machine will perform Translated output is often a “best guess”. May not be accurate and useful information (variables, function names, etc.) will likely be lost
Difficulty Higher as machine instructions are translated into assembly Machine instructions are translated into a high-level language, easier to understand if you are familiar with that language
Usefulness Entire behavior of the binary can be studied Quick way to understand some of the logic of the binary

Multi-Stage Binaries

Attacks involving multiple binaries for different actions instead of one performing the entire attack. Usually looks something like:

  • Stage 1 - Dropper: Usually lightweight and basic binary responsible for actions like enumeration to see if the payload will work. Once conditions are verified, it will download a more malicious binary from the attacker’s infrastructure.
  • Stage 2 - Payload: “Meat and bones” of the attack. In case of ransomeware, this binary wil encrypt and exfiltrate the data.

Process can be split into other binaries for other sections of attack chain. Multiple stages help evade detection and make analysis/extrication more difficult. In addition to splitting up functions, this allows time to pass after steps so that it is harder to track and pin down too.

The Task

Reverse engineer two .net binaries using the decompiler ILSpy and PEStudio. Start with PEStudio.

  1. To identify and provide evidence of the files alteration, take note of the hashes of each section of the file (footprints area). Sections represent a memory space with different contect of the executable within the PE format. Can calculate the has of these sections to identify the executable properly.
  2. Use the indicators area to obtain information about the binary, such as URLs or suspicious attributes. Might even be able to find information like crypto wallet ids.
    Switching to ILSpy:
  3. Poke around following the the steps without executing the actual payload.

x86 Assembly Crash Course room.