Manual Code Reversing
Part 1
                                           Manual Code Reversing
During malware analysis, it's not uncommon to encounter samples where dynamic analysis yields little to no useful
information. For instance, a file may be identified as a Windows PE executable with obfuscated code and data—often
indicated by the absence of readable text strings. In such cases, even after using monitoring tools, system logs may show
no observable activity, giving the impression that the malware is inactive. While static and dynamic analysis typically reveal
behavioural patterns, some malware exhibits conditional behaviours that are only triggered under specific circumstances,
such as certain system environments, user actions, or external commands.
                             When Static & Dynamic Analysis Reveal Little
1. Absence of Text Strings
  ●   Indication: Heavy obfuscation or packing.
  ●   Countermeasure: Use string decryption techniques or unpacking methods.
2. No Activity During Execution
  ●   Possible Causes:
         ○   Environment-aware Malware: Detects it's being analyzed (VM, debugger, sandbox).
         ○   Trigger-based Behaviour: Only activates on a specific date/time, keystroke patterns, external command, or geo-IP.
         ○   Code Stubs: The actual payload is fetched at runtime from a remote server or decrypted in memory.
            Anti-Analysis & Evasion Techniques
      Technique                                   Description
Anti-VM               Detects signs of virtualization (e.g., VMware tools, MAC
                      address prefixes).
Anti-Debugging        Uses API calls like IsDebuggerPresent and
                      NtQueryInformationProcess.
Packing/Obfuscation   Compresses or encrypts the payload to hide strings and API
                      calls.
Code Injection        Injects malicious code into legitimate processes.
API                   Resolves APIs dynamically via hashes or name obfuscation.
Hashing/Resolution
Time Bombs / Logic    Delayed or condition-based execution.
Bombs
Unpacking the Malware
  ●    Use tools like x64dbg or PE-sieve to dump memory when unpacked.
  ●    Monitor for RWX memory regions and API calls like VirtualAlloc, WriteProcessMemory.
➤ Behavioral Triggers
  ●    Instrument analysis with fake user activity.
  ●    Manipulate the environment to match expected triggers (e.g., registry keys, files, domain presence).
➤ Memory Analysis
  ●    Use memory forensic tools like Volatility to analyze in-memory payloads.
  ●    Use Procmon, Wireshark, and Regshot for deeper runtime insights.
                                Lecture Objectives
●   Understand the fundamentals of Reverse Engineering (RE)
●   Explore its key applications across industries
●   Introduce major RE tools
●   Hands-on practice with IDA Pro & Ghidra
                           Introduction to Reverse Engineering
●   Dissects and analyzes systems/products to understand design and function
●   Common in software, mechanical, and electronics fields
●   In cybersecurity, used to analyze binaries, uncover algorithms &
    vulnerabilities.
                                         Applications of Reverse Engineering
●   Software Security: Malware analysis, vulnerability discovery
●   Product Development: Competitor analysis, feature improvement
●   Mechanical/Electronics: Circuit/component analysis, repair
●   Forensics: Reconstruct cyberattacks; failure analysis
                                                Core RE Tools Overview
●   Disassemblers: Convert binaries to assembly (e.g., IDA Pro, Ghidra)
●   Decompilers: Reconstruct high-level code (e.g., Ghidra, RetDec)
●   Debuggers: Observe & control program execution (e.g., x64dbg, OllyDbg)
●   Patching Tools: Modify binary code
●   System Monitoring Tools: Analyze runtime behavior (e.g., Procmon, Wireshark)
●   Executable Dumping Tools: Extract memory/process snapshots
                                    Disassembler
●   Converts machine code to assembly.
●   Reveals instruction logic and structure.
●   Supports vulnerability and algorithm analysis.
                                     Decompiler
●   Translates binaries to high-level code (C/C++)
●   Enables analysis of control flow, data structures
●   Essential for understanding complex binaries
                                    Debugger
●   Controls and inspects program execution
●   Key features: breakpoints, memory inspection, step execution
●   Used to uncover hidden functionality and analyze runtime behavior
                                    Patching Tools
●   Modify binaries to change or disable functionality
●   Useful for bypassing restrictions or applying fixes
●   Employed in exploit analysis and custom patching
                               System Monitoring Tools
●   Track CPU, memory, file, and network activity
●   Reveal behavioral patterns of software
●   Useful in malware detection and performance tuning
                                 Executable Dumping Tools
●   Capture in-memory process data and executables
●   Used to bypass packing/obfuscation
●   Enables offline analysis of live or evasive binaries
                                                     Hands-On Practice
●   IDA Pro: Static disassembly, function graph, control flow
●   Ghidra: Disassembly + decompilation, scripting support, collaboration tools
                                     Summary
●   RE reveals hidden structures & behavior of software/systems
●   Vital in cybersecurity, development, and forensics
●   Mastery of tools like IDA, Ghidra, and debuggers is essential
●   Hands-on practice deepens understanding
                                       Decompilers Explained
Decompilers convert binary executables into human-readable code, often using C-like syntax.
Some executables are compiled into bytecode or pseudocode, which is later interpreted into machine code.
Advanced decompilers can recognize and reverse bytecode to approximate the original source code.
Useful for analyzing unknown binaries, malware inspection, and code recovery.
                                 Decompiler Examples & Tools
dnSpy: Decompiles .NET executables
Java Decompilers: Handle .jar files and Java bytecode
Hex-Rays (IDA plugin): Converts binaries to C-style pseudocode
Ghidra: Free tool with built-in decompiler
Next: Demo using x64dbg (debugger) and a .NET executable with a decompiler
F9 runs the code.
F7 steps into in the
function.
F8 steps over.
Put a breakpoint at
that address press
Ctrl+G then enter the
address.
both x64dbg and IDA Pro offer debugging, but they serve different strengths and workflows. Here’s why someone would still use
x64dbg even when IDA Pro offers a debugger:
         Tool                Focus Type                                   Use Case Example
       IDA Pro    Primarily Static Analysis           Reverse engineering malware without
                                                      executing it
       x64dbg     Primarily Dynamic Analysis          Watching malware unpack itself during runtime
 IDA’s debugger is good but not as intuitive or feature-rich for runtime analysis as x64dbg.
2. Runtime Control & Tracing
x64dbg excels at:
  ●    Setting breakpoints easily
  ●    Tracing code execution step-by-step
  ●    Viewing live changes in memory, registers, stack
  ●    Patching binaries on the fly
  ●    Analyzing packed executables
x64dbg is ideal for dynamic behaviour, like when malware:
  ●    Decrypts its code at runtime
  ●    Loads additional code dynamically
  ●    Hides API calls through obfuscation
3. Usability for Reversing & Cracking
x64dbg has:
  ●    User-friendly GUI for interactive debugging
  ●    Built-in tools like scylla for import rebuilding
  ●    Plugins for unpacking, anti-anti-debug bypassing
  ●    Script support (x64dbg scripts or Python via plugins)
IDA’s debugger is more powerful in high-end licenses but less intuitive for quick-and-dirty analysis or real-time behaviour watching.
  4. Complementary Use
  In real-world RE workflows, many analysts use:
   1.    IDA Pro to statically reverse and understand structure
   2.    x64dbg to trace execution and validate assumptions
  👉 Example: Use IDA to find suspicious function names, then x64dbg to break on them and inspect runtime behaviour.
                    Feature                                 IDA Pro Debugger                             x64dbg
Static and Dynamic Support                          Yes                                Only Dynamic
Runtime Visibility                                  Limited                            Excellent
Ease of Breakpointing                               OK                                 Excellent
Anti-debug bypass support                           Limited                            Strong via plugins
Plugin Ecosystem                                    Good                               Excellent for debugging
User Friendliness                                   Moderate                           Very High