Arnau (@arnaugamez@infosec.exchange)
Dec 1, 2020 • 19 tweets • 13 min read
🔥 #AdventOfReversing 1/24 🔥
Get dirty as soon as possible. Don't fall into thinking you are not ready. Sure, you will be confused by many things at first. That's fine! I used to confuse sections and segments when I started. Keep pushing, and things will become clear naturally.
🔥 #AdventOfReversing 2/24 🔥
Get used to (re)name *everything* in your disassembler. You might be able to mentally track data across registers and memory for small crackmes w/ easy control flow, but this does not scale at all. Unclutter your mind. Make your life easier.
🔥 #AdventOfReversing 3/24 🔥
You really want to have some programming foundations, but which languages? I mostly agree with this post by @MalwareTechBlog:

🐍 Python
🏗️ C
⚙️ ASM (different flavors: x86(-64) desktop, ARM mobile...)

Give it a read! 📰
malwaretech.com/2018/03/best-p…
🔥 #AdventOfReversing 4/24 🔥
Learn to script on top of (at least one) dedicated #APIs from your #RE tools, like @HexRaysSA's IDAPython or @radareorg's r2pipe. Being able to combine different functionalities and automating for custom analysis needs will really make a difference.
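As an added example (not code from the thread or from the radare2 project) of what tips 2 and 4 look like in practice, the script below drives radare2 through r2pipe and renames every auto-named function after the interesting imports it calls. The naming policy (`API_TAGS`, the `antidbg`/`net`/`fileio` tags, the `suggest_name` rules) is a hypothetical choice made for this example, kept as a pure function so it can be tested without radare2; the r2 interaction assumes the documented commands `aaa`, `aflj`, `pdfj` and `afn`, and radare2's `sym.imp.<name>` / `sym.imp.<DLL>_<name>` import-flag convention.

```python
import re
from typing import Dict, List, Optional

# Hypothetical naming policy (an assumption of this example): an imported API
# seen in a function maps to a short tag that ends up in the function name.
API_TAGS: Dict[str, str] = {
    "ptrace": "antidbg",
    "IsDebuggerPresent": "antidbg",
    "socket": "net",
    "connect": "net",
    "fopen": "fileio",
    "CreateFileA": "fileio",
}

# radare2 flags imported functions as sym.imp.<name> (ELF) or
# sym.imp.<DLL>_<name> (PE); this regex captures everything after sym.imp.
CALL_RE = re.compile(r"^call\s+sym\.imp\.([\w.]+)$")


def tag_for_import(imp: str) -> Optional[str]:
    """Map an import flag suffix to a tag, or None if it is not of interest."""
    for api, tag in API_TAGS.items():
        if imp == api or imp.endswith("_" + api):
            return tag
    return None


def suggest_name(old_name: str, opcodes: List[str]) -> Optional[str]:
    """Build a descriptive name from the interesting imports a function calls.

    Returns e.g. 'antidbg_net_fcn.00001189', or None when the function should
    keep its current name: it already has a non-default name, or it calls
    nothing we tag. Tags are deduplicated and kept in first-seen order.
    """
    if not old_name.startswith("fcn."):  # only touch radare2's auto-generated names
        return None
    tags: List[str] = []
    for op in opcodes:
        m = CALL_RE.match(op.strip())
        if not m:
            continue
        tag = tag_for_import(m.group(1))
        if tag and tag not in tags:
            tags.append(tag)
    if not tags:
        return None
    return "_".join(tags) + "_" + old_name


def rename_with_r2(path: str) -> List[str]:
    """Drive radare2 through r2pipe and apply suggest_name to every function.

    Uses the documented commands `aaa` (analyse), `aflj` (function list as
    JSON), `pdfj` (function disassembly as JSON) and `afn` (rename function).
    Requires radare2 on PATH and the r2pipe package; imported lazily so the
    pure policy above can be tested without them.
    """
    import r2pipe

    r2 = r2pipe.open(path)
    r2.cmd("aaa")
    renamed: List[str] = []
    for fn in r2.cmdj("aflj") or []:
        pdf = r2.cmdj(f"pdfj @ {fn['offset']}") or {}
        opcodes = [op.get("opcode", "") for op in pdf.get("ops", [])]
        new_name = suggest_name(fn["name"], opcodes)
        if new_name:
            r2.cmd(f"afn {new_name} @ {fn['offset']}")
            renamed.append(new_name)
    r2.quit()
    return renamed


if __name__ == "__main__":
    import sys

    for name in rename_with_r2(sys.argv[1]):
        print("renamed ->", name)
```

Run it as `python rename.py ./sample.bin`; the point of splitting policy from plumbing is that the part you will keep tweaking (what deserves a name, and which one) is trivially testable, while the r2pipe part stays a dozen lines you rarely touch.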
🔥 #AdventOfReversing 5/24 🔥
Make sure to review the calling conventions for the arch/platform you are dealing with. Yes, many RE tools can identify/label them, but it will make your life easier when quickly skimming through code routines or when in a constrained environment.
🔥 #AdventOfReversing 6/24 🔥
Get used to taking notes 🗒️ during your #reversing sessions. They are invaluable in many scenarios, for example:
- In the future, be able to catch up with previous work.
- Easily get others to help you.
- Use it as a draft for a work report/blog post.
🔥 #AdventOfReversing 7/24 🔥
My friend @joxeankoret once told me: "Obsession works quite better than books". I'm not suggesting to ditch mental health, and there are great books. But putting the hours in stuff you're deeply interested in will boost your skills better than any book.
🔥 #AdventOfReversing 8/24 🔥
Don't get stuck on beginner stuff you feel comfortable with. Try new (hard) things that challenge your skills. Push your limits: go play w/ remote kernel debugging of Windows drivers, bang yourself against custom obfuscation, VMs, bizarre anti-RE...
🔥 #AdventOfReversing 9/24 🔥
Ask for help. It's normal and totally fine not to know everything. Talk to colleagues. Many tools have public discussion/support channels. But please, make sure to google first, be clear and concise. Be respectful w/ yourself and other people's time.
🔥 #AdventOfReversing 10/24 🔥
Don't cold read ASM line by line unless strictly necessary.
- Learn to recognize C-like constructs.
- Understand data and control flow through function calls, x-refs, use of OS APIs...
- Leverage graph views like call graphs and control-flow graphs.
🔥 #AdventOfReversing 11/24 🔥
Following up on yesterday's tip (and as @daeken pointed out recently as well): gather as much knowledge as possible w/o having to cold read ASM. Make educated guesses that guide you. These will get better w/ experience and save you tons of time.
🔥 #AdventOfReversing 12/24 🔥
Know your tools. Take your time to master *at least one* RE framework (IDA, r2/Cutter, Ghidra, Binja). It's cool (and I'd say advisable) to experiment, but you really want a comfort-zone toolbox, which might evolve through time, to get work done.
🔥 #AdventOfReversing 13/24 🔥
Decompilers are cool and extremely useful in many scenarios. But they are not bullet-proof, especially when a huge amount of obfuscation and anti-RE techniques are placed. Use them wisely and save time, but don't let them be your only asset.
🔥 #AdventOfReversing 14/24 🔥
Know your environment. Take your time to learn how the OS (and possibly frameworks, e.g. graphics) you are dealing with works: executable format, loading process, syscalls, common libraries and API calls, threading management...
🔥 #AdventOfReversing 15/24 🔥
Related to the previous one, seriously read the docs. Wasting hours w/ some Win APIs that are documented, or attempting to defeat Linux ptrace-based antidbg w/o looking at the ptrace man page, makes no sense. It seems obvious, but might not be for newcomers.
🔥 #AdventOfReversing 16/24 🔥
You might face frustration and despair at times. That's totally normal. Take a walk, play some game, talk to a friend and even step back for a couple of days. Take care of yourself and prevent burnout. I should apply this more to myself as well.
🔥 #AdventOfReversing 17/24 🔥
Think of what you are looking for and which questions you need to answer. Define a clear #goal in mind before fruitlessly wandering through random assembly. E.g.
👉 #CTF: where is/could be the flag?
👉 #malware: what should/must the #IR address?
🔥 #AdventOfReversing 18/24 🔥
This doesn't only apply to #RE, but to learning any skill: set goals on the mid-long term to keep you motivated, but daily focus on process (practice 2h) vs specifics (solve that crackme).

Check @Fox0x01's great posts on learning: azeria-labs.com/the-importance…
🔥 #AdventOfReversing 19/24 🔥
In several #RE scenarios it's crucial to identify custom implementations of #crypto algorithms, mostly by locating known constants. In #IDA you can use findcrypt. You also have #yara crypto rules that will work everywhere. github.com/Yara-Rules/rul…
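As an added example of the "locate known constants" idea in tip 19 (this is not the thread's code, nor findcrypt or the Yara-Rules project's rules), the scanner below searches a blob for the initial state / table prefixes of a few common primitives. The constants are the standard values from each specification; the blob in `build_sample_blob` is constructed for this example. Two details that matter in practice and that the tip leaves implicit: constants can be stored little- or big-endian depending on how the compiler emitted them, so both byte orders are searched, and MD5 and SHA-1 share their first four initial words, so a naive matcher reports both for every SHA-1 implementation unless it checks for SHA-1's fifth word.

```python
import struct
from typing import Dict, List, Tuple

# Standard constants from the public specifications of each primitive.
WORD_SIGNATURES: Dict[str, Tuple[int, ...]] = {
    "MD5 init state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "SHA-1 init state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0),
    "SHA-256 K[0..3]": (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "CRC-32 table[0..3]": (0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
}

# Byte tables are endianness-independent; the first eight S-box entries suffice.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "AES S-box (first 8 bytes)": bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]),
}


def build_patterns() -> List[Tuple[str, bytes]]:
    """Expand word signatures into little- and big-endian byte patterns."""
    patterns: List[Tuple[str, bytes]] = []
    for name, words in WORD_SIGNATURES.items():
        for endian, label in (("<", "LE"), (">", "BE")):
            packed = struct.pack(f"{endian}{len(words)}I", *words)
            patterns.append((f"{name} [{label}]", packed))
    for name, raw in BYTE_SIGNATURES.items():
        patterns.append((name, raw))
    return patterns


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """All offsets at which needle occurs in blob (overlaps included)."""
    hits: List[int] = []
    start = 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, signature name) pairs found in blob."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in build_patterns():
        for off in find_all(blob, pattern):
            hits.append((off, name))
    # MD5 and SHA-1 share their first four init words. Where the SHA-1 fifth
    # word follows at the same offset, drop the MD5 hit so the report is not
    # misleading; a lone four-word match is still reported as MD5.
    sha1_offsets = {off for off, name in hits if name.startswith("SHA-1")}
    hits = [(off, name) for off, name in hits
            if not (name.startswith("MD5") and off in sha1_offsets)]
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary's data section: filler bytes around a
    little-endian SHA-1 state, an AES S-box prefix and a big-endian SHA-256 K
    table start. Not taken from any real binary."""
    filler = b"\x90" * 16
    sha1_le = struct.pack("<5I", *WORD_SIGNATURES["SHA-1 init state"])
    sbox = BYTE_SIGNATURES["AES S-box (first 8 bytes)"]
    k_be = struct.pack(">4I", *WORD_SIGNATURES["SHA-256 K[0..3]"])
    return filler + sha1_le + filler + sbox + filler + k_be + filler


if __name__ == "__main__":
    for off, name in scan(build_sample_blob()):
        print(f"{off:#010x}  {name}")
```

Run against a real file with `scan(open(path, "rb").read())`. A hit tells you where the table lives, not which function uses it: the next step is the x-refs to that offset, which is exactly where tip 10 picks up. Expect false positives on very short or very common patterns (the RC4 identity permutation, the all-zero first CRC entry), which is why the table above uses several consecutive words rather than a single one.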