Manual Code Reversing

Part 1
 Manual Code Reversing

During malware analysis, it's not uncommon to encounter samples where dynamic analysis yields little to no useful
information. For instance, a file may be identified as a Windows PE executable with obfuscated code and data—often
indicated by the absence of readable text strings. In such cases, even after using monitoring tools, system logs may show
no observable activity, giving the impression that the malware is inactive. While static and dynamic analysis typically reveal
behavioural patterns, some malware exhibits conditional behaviours that are only triggered under specific circumstances,
such as certain system environments, user actions, or external commands.
 When Static & Dynamic Analysis Reveal Little

1. Absence of Text Strings

● Indication: Heavy obfuscation or packing.

● Countermeasure: Use string decryption techniques or unpacking methods.

2. No Activity During Execution

● Possible Causes:

○ Environment-aware Malware: Detects it's being analyzed (VM, debugger, sandbox).

○ Trigger-based Behaviour: Only activates on a specific date/time, keystroke patterns, external command, or geo-IP.

○ Code Stubs: The actual payload is fetched at runtime from a remote server or decrypted in memory.
 Anti-Analysis & Evasion Techniques
Technique Description

Anti-VM Detects signs of virtualization (e.g., VMware tools, MAC

address prefixes).

Anti-Debugging Uses API calls like IsDebuggerPresent and

NtQueryInformationProcess.

Packing/Obfuscation Compresses or encrypts the payload to hide strings and API

calls.

Code Injection Injects malicious code into legitimate processes.

API Resolves APIs dynamically via hashes or name obfuscation.

Hashing/Resolution

Time Bombs / Logic Delayed or condition-based execution.

Bombs
Unpacking the Malware

● Use tools like x64dbg or PE-sieve to dump memory when unpacked.

● Monitor for RWX memory regions and API calls like VirtualAlloc, WriteProcessMemory.

➤ Behavioral Triggers

● Instrument analysis with fake user activity.

● Manipulate the environment to match expected triggers (e.g., registry keys, files, domain presence).

➤ Memory Analysis

● Use memory forensic tools like Volatility to analyze in-memory payloads.

● Use Procmon, Wireshark, and Regshot for deeper runtime insights.

 Lecture Objectives

● Understand the fundamentals of Reverse Engineering (RE)

● Explore its key applications across industries
● Introduce major RE tools
● Hands-on practice with IDA Pro & Ghidra
 Introduction to Reverse Engineering

● Dissects and analyzes systems/products to understand design and function

● Common in software, mechanical, and electronics fields
● In cybersecurity, used to analyze binaries, uncover algorithms &
vulnerabilities.
 Applications of Reverse Engineering

● Software Security: Malware analysis, vulnerability discovery

● Product Development: Competitor analysis, feature improvement
● Mechanical/Electronics: Circuit/component analysis, repair
● Forensics: Reconstruct cyberattacks; failure analysis
 Core RE Tools Overview

● Disassemblers: Convert binaries to assembly (e.g., IDA Pro, Ghidra)

● Decompilers: Reconstruct high-level code (e.g., Ghidra, RetDec)
● Debuggers: Observe & control program execution (e.g., x64dbg, OllyDbg)
● Patching Tools: Modify binary code
● System Monitoring Tools: Analyze runtime behavior (e.g., Procmon, Wireshark)
● Executable Dumping Tools: Extract memory/process snapshots
 Disassembler

● Converts machine code to assembly.

● Reveals instruction logic and structure.
● Supports vulnerability and algorithm analysis.
 Decompiler

● Translates binaries to high-level code (C/C++)

● Enables analysis of control flow, data structures
● Essential for understanding complex binaries
 Debugger

● Controls and inspects program execution

● Key features: breakpoints, memory inspection, step execution
● Used to uncover hidden functionality and analyze runtime behavior
 Patching Tools

● Modify binaries to change or disable functionality

● Useful for bypassing restrictions or applying fixes
● Employed in exploit analysis and custom patching
 System Monitoring Tools

● Track CPU, memory, file, and network activity

● Reveal behavioral patterns of software
● Useful in malware detection and performance tuning
 Executable Dumping Tools

● Capture in-memory process data and executables

● Used to bypass packing/obfuscation
● Enables offline analysis of live or evasive binaries
 Hands-On Practice

● IDA Pro: Static disassembly, function graph, control flow

● Ghidra: Disassembly + decompilation, scripting support, collaboration tools
 Summary

● RE reveals hidden structures & behavior of software/systems

● Vital in cybersecurity, development, and forensics
● Mastery of tools like IDA, Ghidra, and debuggers is essential
● Hands-on practice deepens understanding
 Decompilers Explained
Decompilers convert binary executables into human-readable code, often using C-like syntax.

Some executables are compiled into bytecode or pseudocode, which is later interpreted into machine code.

Advanced decompilers can recognize and reverse bytecode to approximate the original source code.

Useful for analyzing unknown binaries, malware inspection, and code recovery.
 Decompiler Examples & Tools
dnSpy: Decompiles .NET executables

Java Decompilers: Handle .jar files and Java bytecode

Hex-Rays (IDA plugin): Converts binaries to C-style pseudocode

Ghidra: Free tool with built-in decompiler

Next: Demo using x64dbg (debugger) and a .NET executable with a decompiler
F9 runs the code.
F7 steps into in the
function.
F8 steps over.
Put a breakpoint at
that address press
Ctrl+G then enter the
address.
both x64dbg and IDA Pro offer debugging, but they serve different strengths and workflows. Here’s why someone would still use
x64dbg even when IDA Pro offers a debugger:

Tool Focus Type Use Case Example

IDA Pro Primarily Static Analysis Reverse engineering malware without

executing it

x64dbg Primarily Dynamic Analysis Watching malware unpack itself during runtime

IDA’s debugger is good but not as intuitive or feature-rich for runtime analysis as x64dbg.
2. Runtime Control & Tracing
x64dbg excels at:

● Setting breakpoints easily

● Tracing code execution step-by-step

● Viewing live changes in memory, registers, stack

● Patching binaries on the fly

● Analyzing packed executables

x64dbg is ideal for dynamic behaviour, like when malware:

● Decrypts its code at runtime

● Loads additional code dynamically

● Hides API calls through obfuscation

3. Usability for Reversing & Cracking

x64dbg has:

● User-friendly GUI for interactive debugging

● Built-in tools like scylla for import rebuilding

● Plugins for unpacking, anti-anti-debug bypassing

● Script support (x64dbg scripts or Python via plugins)

IDA’s debugger is more powerful in high-end licenses but less intuitive for quick-and-dirty analysis or real-time behaviour watching.
 4. Complementary Use
In real-world RE workflows, many analysts use:

1. IDA Pro to statically reverse and understand structure

2. x64dbg to trace execution and validate assumptions

👉 Example: Use IDA to find suspicious function names, then x64dbg to break on them and inspect runtime behaviour.

Feature IDA Pro Debugger x64dbg

Static and Dynamic Support Yes Only Dynamic

Runtime Visibility Limited Excellent

Ease of Breakpointing OK Excellent

Anti-debug bypass support Limited Strong via plugins

Plugin Ecosystem Good Excellent for debugging

User Friendliness Moderate Very High