Lectures

Please watch the relevant video prior to class. Also, download the exercises - we will be using them during class. Subtitles (English, Swedish, Japanese, Spanish, and Chinese (PRC and TW)) are available for some videos. Slides exist in two forms, with and without animations. Instructors can contact us for the key to unlock answers to in-class exercises.

Introduction

#  Topic  Video  Slides  In-class Exercises  Prerequisite  Video Length

intro-1  Introduction
  • Famous Reverse Engineering Projects
  • Binary Reverse Engineering
  • Reverse Engineering vs. Software Protection
  • Attacks on Mobile Devices
  • Attacks on Critical Infrastructure
  • Attacks on Consumer Products
  • Attacks on Media Distribution
  • Attacks on Computer Games
  • Protecting Malware
  • Tools of the Trade
  • https://LigerLabs.org
  Length: 28m

model-1  Modeling Attacks and Defenses
  Slides: pdf | Exercises: models-1-exercises.pdf | Prerequisite: misc-1 | Length: 20m

misc-1  Miscellaneous Tools and Techniques
  • Graphviz
  • Weird C Constructs
  • Bash tricks
  Length: 9m

Low-level Programming

Lectures on x86 assembly language and machine code.

#  Topic  Video  Slides  In-class Exercises  Prerequisite  Video Length

x86-1  X86 Instruction Set
  • Global Variables
  • X86 Assembly Syntax
  • Data Movement Instructions
  • Arithmetic and Bitwise Instructions
  • Switch Statements
  • 8-bit vs. 16-bit vs. 32-bit vs. 64-bit
  • Addressing Modes
  • x86 Example Execution
  • x86 Intel vs. AT&T Syntax
  • Disassembly
  Length: 32m

x86-2  X86 Control Flow Instructions
  • Unconditional Control Flow Instructions
  • Conditional Control Flow Instructions
  • Conditional Move Instructions
  • Conditional Set Byte Instructions
  • Disassembly with Binary Ninja
  Exercises: x86-2-exercises.zip | Prerequisite: x86-1 | Length: 26m

x86-3  X86 Memory Operations
  • Global Variables
  • More Data Movement Instructions
  • Bits and Bobs
  • Arrays
  • Switch Statements
  • Floating Point
  Exercises: x86-3-exercises.zip | Prerequisite: x86-2 | Length: 21m

x86-4  X86 Calling Conventions
  • The Call Stack
  • Activation Record Layout
  • Argument Passing (32-bit)
  • Argument Passing (64-bit)
  • Dynamic Link
  • Return Value
  • System Calls
  Exercises: x86-4-exercises.zip | Prerequisite: x86-3 | Length: 24m

x86-5  X86 Instruction Encoding
  Slides: pdf

Static Analysis

Lectures on statically analyzing data and control flow.

#  Topic  Video  Slides  In-class Exercises  Prerequisite  Video Length

ast-1  Abstract Syntax Trees
  Slides: pdf | Exercises: ast-1-exercises.zip | Prerequisite: misc-1 | Length: 20m

cfg-1  Control Flow Analysis
  Exercises: cfg-1-exercises.zip | Prerequisites: misc-1, x86-2 | Length: 24m

file-1  Executable File Formats
  • Statically Linked Binaries
  • Dynamically Linking LIBC
  • Creating a Dynamically Linked Library
  • Command Line Tools
  • The ELF File Format
  Slides: pdf | Exercises: file-1-exercises.zip | Length: 12m

disass-1  Disassembly
  • Linear Sweep Disassembly
  • Recursive Descent Disassembly
  • Issue #1: Finding Entry Points
  • Issue #2: Statically Unknown Control Flow
  • Issue #3: Mixing Code and Data
  • Issue #4: Shared Basic Blocks
  • Issue #5: Overlapping Instructions
  • Anti-Disassembly
  • Branch Functions
  • Tigress
  Slides: pdf | Exercises: disass-1-exercises.zip | Prerequisites: x86-2, cfg-1 | Length: 25m
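The two disassembly strategies named under disass-1, and three of the issues it lists (statically unknown control flow, code mixed with data, overlapping instructions), as an added example that is not part of the course materials. It uses a constructed toy instruction set rather than x86: the opcodes, the sample program and its stray data byte are all invented here so that the failure modes can be seen in a few lines of Python.

```python
"""Linear sweep vs. recursive descent on a constructed toy instruction set.

Toy encoding (invented for this example, not x86):
  0x01 MOV imm8   2 bytes          0x04 RET   1 byte, no successors
  0x02 JMP rel8   2 bytes, no fall-through (target = next + rel)
  0x03 JZ  rel8   2 bytes, falls through as well
  0x05 JMPI       1 byte, indirect jump: target unknown statically
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    length: int
    operand: Optional[int] = None


def decode(code: bytes, addr: int) -> Optional[Insn]:
    """Decode one instruction at addr; None on unknown opcode or truncation."""
    if addr >= len(code):
        return None
    op = code[addr]
    if op == 0x04:
        return Insn(addr, "RET", 1)
    if op == 0x05:
        return Insn(addr, "JMPI", 1)
    if op in (0x01, 0x02, 0x03) and addr + 1 < len(code):
        imm = code[addr + 1]
        if op == 0x01:
            return Insn(addr, "MOV", 2, imm)
        rel = imm - 256 if imm >= 128 else imm          # signed rel8
        return Insn(addr, "JMP" if op == 0x02 else "JZ", 2, rel)
    return None


def linear_sweep(code: bytes) -> List[Insn]:
    """Decode byte positions in order, trusting nothing about the layout."""
    out, addr = [], 0
    while addr < len(code):
        insn = decode(code, addr)
        if insn is None:            # undecodable byte: skip it and carry on
            addr += 1
            continue
        out.append(insn)
        addr += insn.length
    return out


def successors(insn: Insn) -> Tuple[List[int], bool]:
    """Static successor addresses, plus a flag for an unresolved indirect edge."""
    nxt = insn.addr + insn.length
    if insn.mnemonic == "RET":
        return [], False
    if insn.mnemonic == "JMPI":
        return [], True
    if insn.mnemonic == "JMP":
        return [nxt + insn.operand], False
    if insn.mnemonic == "JZ":
        return [nxt, nxt + insn.operand], False
    return [nxt], False


def recursive_descent(code: bytes, entries: List[int]) -> Tuple[List[Insn], List[int]]:
    """Follow control flow from the given entry points only."""
    seen: Dict[int, Insn] = {}
    unresolved: List[int] = []      # sites whose targets could not be followed
    work = list(entries)
    while work:
        addr = work.pop()
        if addr in seen:
            continue
        insn = decode(code, addr)
        if insn is None:
            continue
        seen[addr] = insn
        succ, indirect = successors(insn)
        if indirect:
            unresolved.append(addr)
        work.extend(succ)
    return [seen[a] for a in sorted(seen)], unresolved


def conflicts(linear: List[Insn], recursive: List[Insn]) -> List[int]:
    """Linear-sweep instructions that straddle a recursive-descent one
    (Issue #5, overlapping instructions)."""
    return [li.addr for li in linear if any(
        li.addr != ri.addr and li.addr < ri.addr + ri.length and ri.addr < li.addr + li.length
        for ri in recursive)]


# Constructed sample program. Address 4 is a data byte that happens to look like
# a MOV opcode (Issue #3); the code at 9 is only reached through the indirect
# jump at 7 (Issue #2), so recursive descent needs it as an extra entry point.
PROGRAM = bytes([
    0x01, 0x2A,   # 0:  MOV 0x2A
    0x02, 0x01,   # 2:  JMP +1  -> 5
    0x01,         # 4:  data byte
    0x03, 0x01,   # 5:  JZ  +1  -> 8, falls through to 7
    0x05,         # 7:  JMPI (target known only at run time)
    0x04,         # 8:  RET
    0x01, 0x63,   # 9:  MOV 0x63
    0x04,         # 11: RET
])

if __name__ == "__main__":
    lin = linear_sweep(PROGRAM)
    rec, unres = recursive_descent(PROGRAM, [0])
    print("linear sweep   :", [i.addr for i in lin])        # [0, 2, 4, 6, 8, 9, 11]
    print("recursive desc.:", [i.addr for i in rec], "unresolved at", unres)
    print("overlapping    :", conflicts(lin, rec))           # [4, 6]
```

Linear sweep swallows the data byte at 4 as a MOV opcode, which drags it one byte out of phase: it then "decodes" an instruction at 6 that overlaps the real JZ at 5, and only resynchronises at the RET at 8. Recursive descent gets the instruction boundaries right but stops at the indirect jump and never sees the code at 9 until that target is supplied as a second entry point, which is what the entry-point and unknown-control-flow issues in the lecture come down to.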

Dynamic Analysis

Lectures on debugging, tracing, and symbolic execution.

#  Topic  Video  Slides  In-class Exercises  Prerequisite  Video Length

gdb-1  Debugging with gdb
  • Running, Stepping, Breaking
  • Automating Debugging
  • Hardware vs. Software Breakpoints
  • Patching with gdb
  • Watchpoints
  • Searching
  • Gdb + Ghidra
  • Extensions
  Slides: pdf | Exercises: gdb-1-exercises.zip | Prerequisites: x86-2, ghidra-3 | Length: 29m

trace-1  Tracing
  • strace
  • ltrace
  • gdb trace points
  • pintools
  Slides: pdf | Exercises: trace-1-exercises.zip | Prerequisite: opaque-1 | Length: 22m

symex-1  Symbolic Execution
  • License Checking Revisited
  • Klee
  • Symbolic Execution
  • Solvers
  Slides: pdf | Exercises: symex-1-exercises.zip | Prerequisites: ast-1, softprot-1, x86-1 | Length: 25m

symex-2  Symbolic Execution with angr
  • Example
  • angr API
  Slides: pdf | Exercises: symex-2-exercises.zip | Prerequisite: symex-1 | Length: 8m

Reverse Engineering

Lectures on using reverse engineering tools and strategies for attacking binary programs.

#  Topic  Video  Slides  In-class Exercises  Prerequisite  Video Length

ghidra-1  Introduction to Ghidra 1
  • Starting a New Project
  • Top Level Interface
  • Viewing Binary Code
  • Viewing Disassembled Code
  • Viewing the CFG
  • Viewing Decompiled Code
  • Viewing Strings
  Exercises: ghidra-1-exercises.zip | Prerequisites: x86-2, cfg-1 | Length: 19m

ghidra-2  Introduction to Ghidra 2
  • Viewing The Program Graph
  • Viewing The Call Graph
  • Cross References
  • Fixing Names, Types, and Functions
  • Documenting Your Work
  • Viewing Symbols
  • Navigating the Code
  • Searching for Strings
  • Searching for Instructions
  Exercises: ghidra-2-exercises.zip | Prerequisite: ghidra-1 | Length: 18m

ghidra-3  Ghidra Code Patching
  • Editing Instructions
  • Removing Instructions
  • Replacing Instructions
  • Referencing External Functions
  • Adding Instructions
  • Code Stealing
  • Adding a Segment
  Exercises: ghidra-3-exercises.zip | Prerequisite: ghidra-1 | Length: 19m

ghidra-4  Ghidra Scripting
  • Creating, Editing, and Running Scripts
  • The Ghidra API
  • API Documentation
  Exercises: ghidra-4-exercises.zip | Prerequisite: ghidra-3 | Length: 21m

re-1  Reverse Engineering Strategies
  • Game Cheating
  • Cryptographic Key Recovery
  • License Key Recovery
  Prerequisites: ghidra-1, trace-1, virt-1 | Length: 18m

Software Protection

Lectures on code obfuscation and tamper-proofing.

#  Topic  Video  Slides  In-class Exercises  Prerequisite  Video Length

virt-1  Virtualization Obfuscation
  • What is a byte code interpreter?
  • Obfuscating Virtual Machines
  Slides: pdf | Exercises: virt-1-exercises.zip | Prerequisite: cfg-1 | Length: 16m

virt-2  Protecting Virtualized Code
  • Randomizing the Instruction Set
  • Random Dispatchers
  • Protecting Handlers
  • Protecting the Byte Code
  • Dynamic Attacks and Defenses
  Slides: pdf | Exercises: virt-2-exercises.zip | Prerequisite: virt-1 | Length: 28m

checksum-1  Checksum Integrity Check
  • Checksumming
  • Attacks!
  • Running Example
  • Attack with gdb
  Slides: pdf | Exercises: checksum-1-exercises.zip | Length: 24m

arith-1  Encoding Integer Expressions
  • Diversifying Integer Expressions
  • Tree Patterns
  • Tree Pattern Matching
  • Attacks
  • Add Your Own Patterns
  • Making Obfuscated Constants
  Slides: pdf | Exercises: arith-1-exercises.zip | Prerequisite: ast-1 | Length: 22m

flatten-1  Control Flow Flattening
  • Control Flow Flattening
  • Dispatch Methods
  • Attacks and Defenses
  Slides: pdf | Exercises: flatten-1-exercises.zip | Prerequisite: cfg-1 | Length: 18m

checksum-2  Checksum Attacks and Defenses
  • Attack with Binary Ninja
  • Attack with Ghidra
  • Defenses: Check-Repair Networks
  • Defenses: Overlapping Checkers
  • Defenses: Stealthy Hash Functions
  • Responding to Attacks
  Slides: pdf | Prerequisite: checksum-1 | Length: 20m

softprot-1  Software Protection
  • Software License Checking
  • DRM and Whitebox Cryptography
  • Code Transformations
  • Code Obfuscation
  • Tamperproofing
  • Tigress
  • Environment Detection
  • Software Fingerprinting
  • Executable Packing
  • Anti-Disassembly
  • Diversification
  Slides: pdf | Exercises: software-protection-1-exercises.zip | Prerequisites: intro-1, ghidra-1 | Length: 28m

opaque-1  Opaque Expressions
  • What is an Opaque Value?
  • Adding Bogus Control Flow
  • Array-based Opaque Predicates
  • Graph-based Opaque Predicates
  • Tigress
  • Dynamic Opaque Predicates
  Slides: pdf | Exercises: opaque-1-exercises.zip | Prerequisite: flatten-1 | Length: 20m

data-1  Data Encodings
  • XOR Encoding
  • Polynomial Encoding
  • Residue Number Encoding
  Slides: pdf | Exercises: data1-1-exercises.zip | Prerequisite: flatten-1 | Length: 20m
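The three encodings listed under data-1, as an added Python example that is not part of the course materials. The point of a data encoding is that the program keeps a variable in encoded form and computes on it without decoding, so the cleartext value never sits in memory; the constants, moduli and sample values below are made up for the example, and the polynomial encoding is shown at degree one (affine), the simplest case of the lecture's heading.

```python
"""Data encodings as used by obfuscators: variables live in encoded form and the
program operates on them directly. Constructed example; keys and moduli are
made-up values that a real obfuscator would choose per variable."""
import math

MASK = 0xFFFFFFFF  # we model 32-bit unsigned integers


class XorEncoding:
    """E(x) = x XOR k. Bitwise operations pass through; addition does not."""

    def __init__(self, k: int):
        self.k = k & MASK

    def enc(self, x: int) -> int:
        return (x ^ self.k) & MASK

    dec = enc  # XOR with the same key is its own inverse

    def xor(self, ex: int, ey: int) -> int:
        return ex ^ ey ^ self.k                  # (x^k)^(y^k)^k = E(x ^ y)

    def add(self, ex: int, ey: int) -> int:
        # No closed form on encoded values: the obfuscated code must decode, add
        # and re-encode, so the cleartext sum transiently exists in a register.
        # That moment is what a dynamic attacker (tracer, debugger) watches for.
        return self.enc((self.dec(ex) + self.dec(ey)) & MASK)


class AffineEncoding:
    """Degree-1 polynomial encoding over Z/2^32: E(x) = a*x + b with a odd
    (so it is invertible), D(y) = a^-1 * (y - b)."""

    def __init__(self, a: int, b: int):
        if a % 2 == 0:
            raise ValueError("a must be odd to be invertible mod 2^32")
        self.a, self.b = a & MASK, b & MASK
        self.a_inv = pow(self.a, -1, 1 << 32)

    def enc(self, x: int) -> int:
        return (self.a * x + self.b) & MASK

    def dec(self, y: int) -> int:
        return (self.a_inv * (y - self.b)) & MASK

    def add(self, ex: int, ey: int) -> int:
        return (ex + ey - self.b) & MASK          # a(x+y) + 2b - b = E(x + y)

    def sub(self, ex: int, ey: int) -> int:
        return (ex - ey + self.b) & MASK          # a(x-y) + b = E(x - y)

    def mul_const(self, ex: int, c: int) -> int:
        return (c * ex - (c - 1) * self.b) & MASK  # c(ax+b) - (c-1)b = E(c*x)


class ResidueEncoding:
    """Residue number system: x -> (x mod m1, x mod m2) for coprime m1, m2.
    Add and multiply component-wise; decode with the Chinese remainder theorem.
    Results are exact as long as they stay below M = m1*m2."""

    def __init__(self, m1: int, m2: int):
        if math.gcd(m1, m2) != 1:
            raise ValueError("moduli must be coprime")
        self.m1, self.m2, self.M = m1, m2, m1 * m2
        self.m1_inv = pow(m1, -1, m2)

    def enc(self, x: int):
        return (x % self.m1, x % self.m2)

    def dec(self, r) -> int:
        r1, r2 = r
        t = ((r2 - r1) * self.m1_inv) % self.m2   # Garner's form of the CRT
        return (r1 + self.m1 * t) % self.M

    def add(self, ex, ey):
        return ((ex[0] + ey[0]) % self.m1, (ex[1] + ey[1]) % self.m2)

    def mul(self, ex, ey):
        return ((ex[0] * ey[0]) % self.m1, (ex[1] * ey[1]) % self.m2)


if __name__ == "__main__":
    aff = AffineEncoding(0x9E3779B1, 0x7F4A7C15)   # made-up key pair
    ex, ey = aff.enc(123456789), aff.enc(987654321)
    print("affine sum decodes to", aff.dec(aff.add(ex, ey)))
    rns = ResidueEncoding(65536, 65537)           # M just above 2^32
    print("RNS product decodes to", rns.dec(rns.mul(rns.enc(70_000), rns.enc(60_000))))
```

The affine and residue encodings keep arithmetic in the encoded domain, which is why they are used for variables that are computed on; the XOR encoding only survives bitwise operations, and the `add` method above shows the decode-operate-re-encode fallback that exposes the cleartext for an instant. In every case the secret is the constant (k, a and b, or the moduli) baked into the binary, so an attacker who recovers it from the code or from a trace can decode every value, which is the attack side of the lecture.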