How to Build Exploits and Reverse Engineer

I've coached dozens of candidates through this program. It works. It's simple. It sucks.

Get gritty, commit, learn to learn, and if you get through the late nights, you'll level up.

I wrote the original version of this article as a study outline for both introductions into offensive tool development and reverse engineering. If you're not interested in either of those well-paying career paths, quit now.

Reverse engineering (RE): The art and science of looking deeply at a tool or piece of malware to figure out how it works and then use that information to fix the software and better identify and defend against attacks.

Tool development: the art and science of building software that helps good hackers hack stuff. Your job is to take what reverse engineers found and weaponize it. For good.

While tool development and reverse engineering are two different disciplines, they share core concepts and principles, mostly focused on the C language. That means you're going to learn C. Not C#, not C++, not Python. C. And later some assembly.

Conveniently, low-level developers decompile and debug all the time. Having a computer science background is a HUGE help here, but it not required. However, the chances of succeeding are FAR higher with a technical background.

If you’re starting from scratch, YOU CAN DO IT, but it can take up to a year or more depending on your situation, grit, and ability to teach yourself new content. Get comfortable with asking WHY and learning to research. Here's a couple links that will help.

• New to cyber security? Read this - Why You'll Fail in Cyber Security and then this - How to Learn Cyber Over the Weekend: An Orientation in 48 Hours
• Think you need certifications? Read this - How to Pick Your First/Next Cyber Certification.
• Getting out of the military? Read this - Military Transition - Cyber Focus.
• If you haven't done a self-assessment, do one NOW. Your goal with a self-assessment is to validate your desire to start down this path. If you won't be happy in the role, consider investing into a different career. I recommend StrengthsFinder 2.0.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Each STEP below is broken into two sections: macro and micro. The macro section includes concepts you must know and background information to help frame the technical skills you will develop in the micro section.

ProTip: Post your code to GitHub. Employers want to see you progress.

STEP 1: The goal of this exercise is to understand the C language fundamentals to a 30% solution. Understanding will increase in additional steps. You will also use some tools that are fundamental to progress such as gcc, Ghidra, and IDA Free.

Step 1 Macro: This orients you to the C language.

• Start by downloading the C Cheatsheet from my GitHub. HUGE shoutout to @Sean Eyre who did 90% of the work on the cheatsheet. Print a copy and keep it handy all the time. We designed it with a modern approaches to the language and defined concepts in ways that make sense. @Sean Eyre also added multiple code examples that reinforce learning concepts.

Step 1 Macro Knowledge:

• Disassembler: A disassembler is a software tool which transforms machine code into a human readable mnemonic representation called assembly language.
• Debugger: Debuggers allow the user to view and change the running state of a program.
• Decompiler: Software used to revert the process of compilation. Decompilers take a binary program file as input and output the same program expressed in a structured higher-level language.
• Learn the following sections: Code, Comments, Data Types, Casting, Structs/Arrays/Pointers, Functions, Operations, Statements, Key Words, IO, Memory, Strings, and Compiling
• THERE ARE NO STRINGS IN C! There are arrays of characters. Put an end of line / new line at the end of your array for text
• What is the difference between strcopy and strncopy?
• How does malloc() work? Eventually you will write your own version of strncopy and malloc()

Step 1 Macro

• If you don’t have a background in programming or the C Cheatsheet scares you, take a C Programming course if you need to. Here’s one that some friends have enjoyed on Udemy (not an affiliate): https://www.udemy.com/course/c-programming-for-beginners-/. Don't forget to print the cheatsheet above and use it for all your notes.
• If you already know a couple languages but want a book, get a copy of Learn C the Hard Way by Zed Shaw.

ProTip: Go back and print the cheatsheet. You'll need it.

------------Step 1 Micro------------

You really should be doing this in a virtual machine (VM). It’s good practice. If you don’t know how, go to YouTube. There are plenty of videos that will show you how to spin up a Linux VM. Go find them. This intro is about learning RE and tool dev, not VM fundamentals.

• Install Ghidra from https://ghidra-sre.org/
• Note, to render GitHub html pages in the browser, prepend the https://github with https://htmlpreview.github.io/? or you can download the GitHub repository
• Installation guide: https://ghidra-sre.org/InstallationGuide.html#Install
• Ghidra Cheat Sheet 1: https://htmlpreview.github.io/
• Ghidra Cheat Sheet 2: https://github.com/NationalSecurityAgency/ghidra/blob/master/GhidraDocs/CheatSheet.html
• Ghidra Classes on NSA’s GitHub page: https://github.com/NationalSecurityAgency/ghidra/tree/master/GhidraDocs/GhidraClass
• Download IDA Free: https://www.hex-rays.com/products/ida/support/download.shtml
• Write a quick program in C (possibly copy an example from the Github page above), compile it with gcc, get it to run and make sure it runs as expected, decompile in Ghidra, and debug it in IDA Free. See if code decompiled and debugged as expected. Does decompiled code look the same as the way you wrote it? When debugging your program in IDA free, you watch the registers change, watch the stack, etc. This step is a bit of a jump because you have to put it all together. If you can’t figure it out, go watch YouTube on writing/compiling C programs or look at this link which probably won’t be around forever. You need to teach yourself how to learn. Now talk about the stuff you just did: become conversational in those aspects.

-At the end of STEP 1, you now know a) the basics of the C language b) how write and compile a basic program, and c) are familiar with gcc, Ghidra, and IDA Free.

STEP 2 — Dive deeper into some of the knowledge of what’s going on deeper in the stack and start a GitHub account if you don’t have one yet. Now that you have at least a cursory understanding of C, it’s time to get the age old beauty, AoE — The Art of Exploitation by Jon Erickson. I really need to make these affiliate links. For now, just buy me a beer if this is useful.

S2 Macro: Know buffer overflows at a macro level. Focus on different types of buffer overflows and their general implementations

• Buffer overflows at the high level, ASLR, and stack canaries — https://en.wikipedia.org/wiki/Stack_buffer_overflow
• Buffer overflows at a technical level — specific registers that might be involved
• Learn about ROP, ROP chains, and stack smashing— https://en.wikipedia.org/wiki/Return-oriented_programming
• Read this whole article: https://hshrzd.wordpress.com/how-to-start/
• If you want to go deep fast, read Forrest Orr’s 2020 blog post titled A Modern Exploration of Windows Memory Corruption Exploits — Part I: Stack Overflows

S2 Micro: Dive deep into the following to understand and explain ways to defeat buffer overflows. You should be able to walk up to a whiteboard and explain these concepts on a whim.

• DEP — and, more broadly, executable space prevention. DEP is generally specific to Windows but the community often refers to DEP but means ESP
• Compiler learning: Write a simple program on https://godbolt.org/ and look at how different compilers change your code when they compile. THIS IS A HUGE DEAL and knowing this concept will save you tons and tons of time and frustration later!
• Make a GitHub account, learn how to branch.

• Start looking at strcopy versus strncopy a bit deeper and start thinking about how you would write strncopy from scratch.
• Look into IDEs or just use vim/nano. Up to you. Benefits to both. Oh, and the Linux-based editors now work on Windows via WSL. If you didn’t understand that, don’t worry and just use your favorite notepad tool and read the C cheatsheet.
• Pick up a copy of John Mongan’s book Programming Interviews Exposed (not an affiliate). Learn about Big-O notation and some of the classic fizz-buzz type examples. Yes, they’re still used all the time.
• Start practicing interviewing and white-boarding.

STEP 3 — This looks like a short section, but it’s a bit longer than you might realize. This is often where both disciplines start to split their focus between embedded, OS, and mobile. At this point, you should have proven that you can teach yourself things. So go out and find the information you need to understand and apply the following concepts:

• Go back and learn pointers well and start using them in your practice challenges if you haven’t already. Write 3–4 small (50 lines or less) programs that use pointers. Repeat until you can walk up to a markerboard and diagram how you use pointers ad nauseum.

• Rewrite strncopy from scratch. Focus on how strncopy differs from strcopy. Don’t just call strncopy from your program. Literally take an array of characters, check for bounds, move it somewhere else, and validate that it worked. That’s a simple explanation. There’s more that goes into it. Look at the C Cheatsheet for more info.
• Understand OS-level sandboxing
• TPM — trusted platform module
• SMEP — supervisor mode execution protection
• PAC — pointer authentication codes
• More for RE — Work through Malware Unicorn 101/102
• More for Tool Dev — Learn about dependencies the hard way: Find the source code to Google Chrome and compile it.
• Bonus: Pick 2–3 Level 1 Crackme.one challenges or a couple Level 2 challenges.

— — — — — — — — — — — — — — — — — — — — — — — — — —

Step 4

• Rewrite memcpy in C from scratch
• Find your router’s firmware and binwalk it. Look for flaws.
• Know and understand S-box: https://en.wikipedia.org/wiki/S-box
• Know and understand Rijndael S-Box: https://en.wikipedia.org/wiki/Rijndael_S-box
• Learn about the three types of bugs: Syntactical, Logical, and Runtime
• Learn about the four ways you can run into deadlock.
• For Mac/Android folks: Pick your favorite book by Jonathan Levin.
• @Josh Mason says this dayzerosec is a great resource, too.
• Network until your shoes fall off. It doesn't matter how great you are if no one knows it. I generally recommend showing up to 2-4 networking or professional development events per month. Your goal in those events (even virtual) is to meet 2-3 people per event that's willing to schedule a follow up 1:1 meeting with you. Leave the conversation open. Learn about them. Just network.

— — — — — — — — — — — — — — — — — — — — — — — — — —

Step 5 — now we’re getting crazy. At this point, an employer has you in a training or intern program. If you're feeling perky, write your own (very basic) OS for a Raspberry Pi.

Chances are that you still might be struggling with interviewing and white-boarding. If that's the case, read Gayle McDowell's book Cracking the Coding Interview. You can also watch some of the Google's videos on whiteboarding problems. However, remember that building exploits is NOT about building elegant solutions with optimized Big-O results. Building exploits is literally about hacking together something that works.

— — — — — — — — — — — — — — — — — — — — — — — — — —

If you have an applied understanding of computer science, this won’t take terribly long. If you’re technically-minded but starting from scratch, YOU CAN DO IT! If you have no background whatsoever in tech, YOU CAN DO IT [but you’ll probably want to go back and take some computer science fundamentals first like structures and algorithms]. I’ve seen people get through Step 4 in as little as three weeks. Those people usually have a BS in computer science some formal, applied education through the DoD/Military, or deep backgrounds in math, engineering, or physics.

Priorities are a thing! If you don't have a formal background and have kids running around, be gracious and forgiving to yourself as you go through this journey. This isn’t easy. In fact, the journey can really suck. Take breaks, take notes, and please, for the love of all that is good, comment your code!

As always, this is a living document and I take feedback. The goal here is that rising tides lift all ships: help others help themselves. #sharingiscaring.