I’m excited that I get to be at CodeMash for all 4 days and can catch sessions and workshops! Today was the first day of workshops. I didn’t catch a workshop in the morning, as there were some sessions I wanted to catch but they were 2-part sessions. I couldn’t do a 2-part workshop today, as I was determined to catch Jason Slagle and John Hammond’s workshop on Binary Analysis.
My First CTF!
I’ve heard my friends talk about Capture The Flags (CTFs) over the years, and they sounded fun! Jason and John set up a CTF for us to learn how to work with CTFs while learning some cool tools of the trade. It was exciting to poke around! I was also happy to be sitting with my co-worker Thomas and my friend Freddie. It was good to go down app rabbit holes with these guys!
Command Line Adventures
To start the CTF, we learned about the file
command and the strings
command. I ran both of these using Windows Subsystem for Linux (WSL). I found myself staying in WSL for the bulk of this workshop – downloading files with curl
, running cat
and grep
to find lines in files, and other general command line shenanigans. All of my log reading and parsing from my IT admin days pays off, as the commands I used then are relevant today. These were easier flags to track down.
Tear Down the .NET App
Jason wrote .NET apps for us to decompile. We used JetBrains’ free decompiler dotPeek to explore into these files. The flags for these files were fun to track down. It was interesting to see how familiar dotPeek felt – it’s been years since I’ve had to seriously reverse engineer apps. It’s been long enough that I don’t remember the tools I once used. But the general ideas were still applicable.
Ghidra and the Cliffs of C
In the last part of the workshop, John led us through Ghidra, a reverse engineering framework from the NSA. Oh where do I start with this one? First off, it’s a Java app – so I had to remember to have a supported version of Java installed. Once I got that, I ran into issues – only to find out that the prereqs site listed the source code, not the binaries. But once I worked past those hurdles, I saw a UI typical of many Java apps. There’s a distinct feel to many Java desktop apps, and Ghidra has that.
In this part, rather than the coziness of .NET and dotPeek, we were sent to the nightmares of C and Assembler. While I was still excited about this part, I could feel the energy of the rest of room drain quickly. It’s been 20+ years since I last worked in C, so I had to dust a lot of cobwebs off. But otherwise, “the cliffs of C” – as I call it, were bearable enough. Though Jason had something going on with non-null-terminated strings. So he walked us through the solution of one of the labs.
Conclusion
I’m glad I went to this workshop. Once again, I’m learning from Jason – he was the teaching assistant from one of the computer networking labs I took back in college (20+ years ago). He’s a great teacher – so if you get a chance to learn from Jason, take it! You can find him on LinkedIn. I also got to learn from John Hammond – and this was my 2nd time seeing him in person, as he did a key talk at MSPGeekCon in 2023. I really enjoy John’s energy – both in his YouTube videos and in this workshop. He brings great energy for showing how fun this stuff can be and also knows to back it up and show things if we’re getting lost. I really appreciated how well Jason and John presented both separately and working together. They make a great set of instructors – both together and separately.
Will I use this in my everyday work life? Nope. Will I use this throughout the year? Maybe. CTFs sound like a lot of fun. If the timing works right where I can do a CTF while still appreciating a conference, I may give it a try!
[…] Binary Analysis – Learn to break stuff – Jason Slagle, John Hammond […]