Office Hour Notes from 6/25/20
Questions:
- When is code obfuscation applied?
- There are various levels of code obfuscation: sometimes the source code itself is obfuscated, and other times it's applied to the machine code.
- What do you consider .NET stuff? Is it a binary file or something else?
- It is technically a binary, but .NET assemblies contain CIL bytecode and metadata rather than native machine code, so when reversing things built on the .NET framework one would want to start with the dotPeek decompiler: http://www.jetbrains.com/decompiler/
- Do people obfuscate by handwriting assembly or are there obfuscating compilers?
- Obfuscation can be performed in a number of ways. For example, there are obfuscating assemblers, and various compiler tricks that can be done to aid in obfuscation.
- How often is obfuscation in play?
- It depends on your target. You'll find it often in games and other software that requires some sort of DRM, but it's less common when looking at embedded firmware images, for example.
- It would be great if you could give some pointers on how to identify packed or encrypted code using Ghidra.
- There is a plugin here: https://github.com/d3v1l401/FindCrypt-Ghidra that can be used.
- Identifying packed or encrypted code can also be done by performing entropy analysis on the code segment: compressed or encrypted data has near-maximal entropy, while ordinary machine code and strings do not. Binwalk can do this with the -E option.
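As an added illustration of the entropy approach (this is not code from the course or from Binwalk, and the firmware-like image is constructed inline), the script below computes per-block Shannon entropy the way a `binwalk -E` plot does and reports the byte ranges that look packed or encrypted:

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(image: bytes, block: int = 512):
    """Entropy of each fixed-size block as (offset, entropy) pairs, like a binwalk -E plot."""
    return [(off, shannon_entropy(image[off:off + block])) for off in range(0, len(image), block)]

def high_entropy_regions(image: bytes, block: int = 512, threshold: float = 7.0):
    """Merge adjacent blocks at or above threshold into (start, end) byte ranges.
    Machine code and strings sit well below 7 bits/byte; compressed or encrypted
    payloads sit near 8, so these ranges are the packed/encrypted candidates."""
    regions = []
    for off, ent in entropy_profile(image, block):
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:      # extend the previous run
            regions[-1][1] = off + block
        else:
            regions.append([off, off + block])
    return [tuple(r) for r in regions]

def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) so the sample is reproducible offline."""
    out, blk = b"", seed
    while len(out) < n:
        blk = hashlib.sha256(blk).digest()
        out += blk
    return out[:n]

# Constructed firmware-like image (not a real one): zero padding, a "code"-like region
# restricted to 64 byte values, a pseudo-random "encrypted" blob, then repeated strings.
SAMPLE_IMAGE = (b"\x00" * 1024
                + bytes(b & 0x3F for b in _pseudo_random(1024, b"code"))
                + _pseudo_random(2048, b"blob")
                + (b"Firmware v1.0 build 42\n" * 64)[:1024])

if __name__ == "__main__":
    for off, ent in entropy_profile(SAMPLE_IMAGE):
        print(f"0x{off:06x}  {ent:5.2f}  {'#' * int(ent * 4)}")
    print("candidates:", [(hex(a), hex(b)) for a, b in high_entropy_regions(SAMPLE_IMAGE)])
```

On a real image, point it at the bytes of the code segment and compare the flagged ranges with what Ghidra failed to disassemble.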
- Any binary can be reversed?
- Yes, technically speaking anything that contains machine code that can eventually be run by the CPU can be reverse engineered.
- Do you have any resources for extracting binaries from a platform/uC?
- Yes! Below are some examples that I have done on my website: https://wrongbaud.github.io
- On embedded systems do you often see heap being used? Or is deterministic memory (stack) more common?
- This depends entirely on what the system is used for - if it’s running an RTOS or a Linux based OS, then you’re going to see heap usage. Smaller microcontrollers may not have space/resources to implement a memory allocator and will rely on statically sized buffers in SRAM.
- Is the memory for AH / AX / EAX / etc. shared? i.e. can you access 8 bits of AX by accessing AH?
- Yes, the various representations of these registers can be used to access those specific size ranges.
- Is there a universal reference to the instruction set for x86_64?
- Yes, the Intel instruction set architecture reference is linked on the course page.
- x86-64 has a flat 64-bit memory model, so RAM, as well as PCIe peripherals, can end up in the memory address space, correct?
- Technically this is correct; however, there are memory protections in place to prevent these regions from being accessed arbitrarily. The operating system and the MMU protect these regions of memory, as well as the drivers that use them, from being accessed.
- What are the 'high level' differences between Ghidra and IDA Pro? [I understand it may just be open source vs. not]
- There are many differences between the two, and we will go over these during the second class session!
- Will we be touching in this course on what to do if Ghidra can't find cross-references because the pointers are offset by some value from the virtual addresses? (I'm trying to reverse a firmware blob.)
- When looking at firmware blobs, properly creating a memory map is very important and may be the reason why you're having issues with XRefs. This can be done from within Ghidra by clicking on the memory viewer, or by writing a loader or script to perform it for you. It is also important to create the relevant RAM regions when working with firmware images, as these are often where the XRefs will be located.
- Thank you for the amazing tour of the tools, but what is the "goal" - what can we expect to do with all this? :)
- The goal of this course is to familiarize students with the concepts behind reverse engineering software, and provide a base understanding of how to use Ghidra to solve binary puzzles and challenges.
- By the end of this course, students will be comfortable loading x86_64 ELF files into Ghidra and be able to analyze them.
- I thought EABI was for embedded - why is this present in x86 code?
- ABI stands for Application Binary Interface; it is what determines things like calling conventions, object file formats and executable formats. When looking at embedded platforms you'll often see EABIs (Embedded ABIs) in place.
- Why is there EAX if it's a 64-bit file? e.g. TEST EAX, EAX; shouldn't it be TEST RAX, RAX?
- This is likely a compiler optimization: writing a 32-bit register implicitly zero-extends the value into the full 64-bit register on x86_64, and the 32-bit encoding is shorter because it needs no REX.W prefix.
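The two answers above, on AH/AX/EAX aliasing and on 32-bit writes zero-extending, can be made concrete with a small model of the x86-64 sub-register write rules. This is an added example rather than course material; RegisterFile is a hypothetical class written for it and only models RAX..RDX.

```python
# Each view: (backing 64-bit register, width in bits, bit offset within it).
VIEWS = {}
for letter, reg in (("a", "rax"), ("b", "rbx"), ("c", "rcx"), ("d", "rdx")):
    VIEWS[reg] = (reg, 64, 0)                  # RAX: the whole register
    VIEWS["e" + letter + "x"] = (reg, 32, 0)   # EAX = bits 31:0
    VIEWS[letter + "x"] = (reg, 16, 0)         # AX  = bits 15:0
    VIEWS[letter + "l"] = (reg, 8, 0)          # AL  = bits 7:0
    VIEWS[letter + "h"] = (reg, 8, 8)          # AH  = bits 15:8

MASK64 = (1 << 64) - 1

class RegisterFile:
    """Hypothetical model of RAX..RDX with the x86-64 partial-register write rules."""
    def __init__(self):
        self.regs = {reg: 0 for reg in ("rax", "rbx", "rcx", "rdx")}

    def read(self, name: str) -> int:
        reg, width, shift = VIEWS[name]
        return (self.regs[reg] >> shift) & ((1 << width) - 1)

    def write(self, name: str, value: int) -> None:
        reg, width, shift = VIEWS[name]
        value &= (1 << width) - 1
        if width == 32:
            # 64-bit-mode rule: a 32-bit destination zero-extends, so the
            # upper 32 bits are cleared rather than preserved.
            self.regs[reg] = value
        else:
            # 64-bit writes replace the whole register; 16- and 8-bit writes
            # (AX, AL, AH) merge into the existing bits and leave the rest alone.
            keep = MASK64 ^ (((1 << width) - 1) << shift)
            self.regs[reg] = (self.regs[reg] & keep) | (value << shift)

def zf_after_test_eax(rf: RegisterFile) -> bool:
    """ZF as TEST EAX, EAX would compute it: only the low 32 bits are examined."""
    return rf.read("eax") == 0

if __name__ == "__main__":
    rf = RegisterFile()
    rf.write("rax", 0x1122334455667788)
    rf.write("ax", 0xABCD)                  # AH/AL are just bits 15:8 / 7:0 of AX
    print(hex(rf.read("rax")), hex(rf.read("ah")), hex(rf.read("al")))
    rf.write("eax", 0)                      # clears all 64 bits, so TEST EAX, EAX suffices
    print(hex(rf.read("rax")), zf_after_test_eax(rf))
```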
- Can Ghidra inject new assembly, or modify the assembly and store to another elf?
- Yes, using the patching feature, assembly code can be modified and added; we will be going over how to do this in the third session.
- Will the Docker container be used for future classes? I'm new to Docker and not sure how to open a GUI from the Docker CLI/Bash/Command Prompt.
- The Docker container is just for running the test applications; if you are uncomfortable with Docker you can use an Ubuntu 18.04 virtual machine instead!
- How can you find the base address of a firmware image?
- The rbasefind tool can be used: https://github.com/sgayou/rbasefind. Oftentimes the load address is also located within the image header.
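As an added example (not rbasefind's own code), the following simplified version of the same idea votes for a load address by matching absolute pointers found in the image against the file offsets of its strings. The firmware-like image and the 0x08000000 base are constructed for the demonstration; a real tool would also try the other endianness and finer alignments.

```python
import re
import struct
from collections import Counter

def string_offsets(image: bytes, min_len: int = 6):
    """Offsets of NUL-terminated printable ASCII strings, as `strings -n` would list them."""
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return [m.start() for m in re.finditer(pattern, image)]

def pointer_words(image: bytes, endian: str = "<"):
    """Every aligned 32-bit word in the image, treated as a possible absolute address."""
    n = len(image) // 4
    return struct.unpack(f"{endian}{n}I", image[:n * 4])

def find_base(image: bytes, endian: str = "<", align: int = 0x1000, top: int = 3):
    """Vote for load addresses: a word w that points at a string at file offset s
    implies base = w - s. Only page-aligned bases are counted, since firmware is
    nearly always linked at one, which also keeps the search cheap."""
    by_mod = {}
    for s in string_offsets(image):
        by_mod.setdefault(s % align, []).append(s)
    votes = Counter()
    for w in pointer_words(image, endian):
        for s in by_mod.get(w % align, ()):
            if w >= s:
                votes[w - s] += 1
    return votes.most_common(top)          # [(base, votes), ...], best first

def build_sample(base: int = 0x08000000) -> bytes:
    """Constructed firmware-like blob (not a real image): a zeroed header, a table of
    absolute pointers to the strings, the strings themselves, and erased-flash padding."""
    strings = [b"Firmware v1.0\x00", b"boot: init ok\x00",
               b"uart: rx overflow\x00", b"fatal: watchdog\x00"]
    header = b"\x00" * 0x100
    str_start = len(header) + 4 * len(strings)
    offsets, blob = [], b""
    for s in strings:
        offsets.append(str_start + len(blob))
        blob += s
    table = b"".join(struct.pack("<I", base + off) for off in offsets)
    return header + table + blob + b"\xff" * 64

if __name__ == "__main__":
    image = build_sample()
    for base, n in find_base(image):
        print(f"base 0x{base:08x}: {n} pointer(s) land on strings")
```

Once a base scores clearly above the rest, set it as the image base in Ghidra's memory map and re-run analysis so the XRefs resolve.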