eCRE certification

A while ago, in 2017 actually, I registered for a number of trainings at eLearnSecurity. I remember registering for what was at the time called "4 in a Box", meaning 4 trainings out of the proposed catalog, all at once.

The funny part is that I recall having discussed this, whether to purchase the package or not, on an InfoSec-savvy forum, and one of the members there said something like this:

...well, purchasing anything is never the issue, doing it is...

It turns out he was absolutely right.

I'm working full time in a rather demanding job. Finding the time needed to clear this proved to be extremely difficult, maybe even more so because if I want to be serious about any topic, I need to have that one goal in mind and nothing else...

You'll find the complete ARES/REP (Advanced Reverse Engineering of Software, recently renamed and updated to Reverse Engineering Professional) training syllabus here: https://www.elearnsecurity.com/collateral/Syllabus_REPV1.pdf

Somehow, I've managed to do this on and off. As said, it's been extremely challenging for me to find the amount of time needed. I remember telling my partner that no, I wouldn't sit behind my computers for "only" the next two hours, because this would just frustrate me: I'd just be starting to understand a concept when it would already be time to leave...

That being said, the training is fantastic! Now, far be it from me to claim to be a pro reverse engineer now; do not think that for a second. Nope, not at all. But, and that is the key, I gathered the concepts, the hows, the whys and potentially the big picture of the ultimately challenging task that reverse engineering in computer science really is.

The training is well structured, with supporting videos and PDF lectures. Here is what the eLearnSecurity website says about it:

  • Learn from a world-renowned professional reverse engineer
  • Start from the basics up to highly technical chapters
  • Learn about IA-32 CPU Architecture
  • Learn about functions, stack frames, heaps, PE file format
  • Master debugging tools
  • Learn about important Ring3 Windows Internal Structures
  • Learn different methods to locate important algorithms
  • Understand and bypass Anti-Reversing techniques
  • Perform manual unpacking on packed executables
  • Practice-based course with dozens of guided exercises
  • Challenge your mind with hardcore technical topics
  • Obtaining the eCRE certification qualifies you for 40 CPE

Of course, I only did it for the last entry above... Jokes aside, I've learned a ton of very valuable information. As explained, I'm not and won't be a reverse engineer on a daily basis. Still, understanding it, and managing it to a certain extent, is rewarding knowledge. Securing communications, edges and clouds means nothing without understanding that on top of all the technologies deployed underneath, applications rule. Hence, being able to understand the basics of reversing any application, malicious or not, was to me an absolute must-have.

The trainer and creator of this course is/was kyREcon, and indeed, he's a known and acclaimed Reverse Engineer & Security Developer. He's also developing other projects, which show no mercy to numerous security layers =)

Something I also wanted to highlight is that with the ARES to REP update, all the PDF lectures got updated. They now come in a more reader-friendly format, all searchable documents etc., so this update helped a ton.

I've read about some people being concerned with the fact that ARES/REP is 32-bit based. While this is true, it is nevertheless absolutely worth your time and money. All the principles learned are, so to speak, universal; once you've got this base you will be able to adapt to new, different or updated architectures.

Another item to note is that eLearnSecurity has released a new training called Malware Analyst Professional (MAPv1), which embeds all the REPv1 contents plus, of course, the MAPv1 contents. MAPv1 also adds a very welcome x64 Assembly Crash Course and much more. Note that you will not obtain both certifications by enrolling in MAPv1, if I've got that correctly. However, you'll have all the lectures, labs etc. of both MAP and REP/ARES. Hence, by getting MAP and doing all the REP items, you'd be fine just attempting the eCRE exam, which means buying an eCRE exam voucher. So this is the ultimate package to go for today.

On to the certification examination process: it's a 2-step program. You first need to pass a theoretical exam served as an online MCQ exam. It's a pretty tough one; there is a load of material to keep in mind, and the whole training (as any InfoSec training, I should add) isn't very compatible with my on/off study style on this one (and neither proved to be my personal notes...). Of course, this will all depend on your own ability to sit multiple-choice exams, which I personally don't fancy that much. The only positive aspect of MCQs is potentially that the next question might help you answer the previous one...

The next step after having passed the 1st stage/theoretical exam is a practical reversing exercise on a given binary with rules of engagement. This of course brings together all the techniques taught throughout the course, slightly divergent from what you saw in the exercises before, perhaps just to make it more fun and educational...

You have 24 hours to dissect the given binary, make your way around anti-debugging techniques, heavily obfuscated code, mind-shuffling algorithms etc. Your output is thorough documentation explaining all your steps around the software protection, manual unpacking moves, thwarting every possible pitfall and finding the needed items in order to pass the different stages within the challenge. Obviously, the trainer made sure that any dumb approach would fail, hence you've got to get your hands dirty...

I prepared an exam environment, which consisted of a Windows 10 VM on top of which I deployed the wonderful FLARE VM package from FireEye; you can find it here: https://github.com/fireeye/flare-vm

I shifted away from OllyDbg and used only x64dbg (x32dbg in this case), and made good use of IDA 7.0 (the free version is perfectly sufficient).

Finally, I found the people at eLearnSecurity very friendly; they helped me out on many aspects. I also have to say it loud: these are people you can talk with, and they really make sure you'll get their support in every way. So a massive thank you to the eLearnSecurity team!! Well done, chapeau bas (hats off)!

Thanks for the read,
Cheers,
Obuno

Resources and links:

A few freely available RE trainings etc.:
https://martin.uy/blog/projects/reverse-engineering/
https://beginners.re/
https://malwareunicorn.org/#/workshops
http://security.cs.rpi.edu/courses/binexp-spring2015/
https://upload.wikimedia.org/wikipedia/commons/5/53/X86_Disassembly.pdf

Essential books:
https://nostarch.com/malware
https://nostarch.com/malwaredatascience
https://nostarch.com/idapro2.htm
https://www.packtpub.com/networking-and-servers/mastering-malware-analysis
https://www.wiley.com/en-us/Reversing%3A+Secrets+of+Reverse+Engineering+-p-9781118079768
https://www.wiley.com/en-us/Practical+Reverse+Engineering%3A+x86%2C+x64%2C+ARM%2C+Windows+Kernel%2C+Reversing+Tools%2C+and+Obfuscation-p-9781118787311

And miscellaneous ("en vrac") links & info:
https://tech-zealots.com/malware-analysis/understanding-concepts-of-va-rva-and-offset/
https://tech-zealots.com/malware-analysis/pe-portable-executable-structure-malware-analysis-part-2/
https://tech-zealots.com/category/malware-analysis/
https://www.wikiwand.com/ru/Участник:FeelUs/PE_header#
http://www.iosrjournals.org/iosr-jce/papers/Vol16-issue1/Version-1/L016117177.pdf
https://modexp.wordpress.com/2017/06/07/x86-trix-one/
https://writequit.org/blog/index.html
http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/
https://xpatched.wordpress.com/2016/10/24/upx-unpacking-manually-using-ollydebugger/
https://kr-manish.github.io/aragorn/blog/Reversing-Portable-Executable
https://www.goggleheadedhacker.com/blog/post/6
http://secmem.blogspot.com/2013/07/dealing-with-upx-packed-executables.html
https://geek-answers.github.io/articles/997219/index.html
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/dynamic-analysis-of-artefacts-handbook.pdf
https://alexandreborgesbrazil.files.wordpress.com/2017/05/bsides_2017_b_version.pdf
http://www.cs.utah.edu/~aburtsev/malw-sem/slides/02-anti-debugging.pdf
http://www.t-gr.com/fotis/books/re.pdf
http://www.stonedcoder.org/~kd/lib/CBJ-2005-74.pdf
https://techtalk.pcmatic.com/2017/11/29/unpacking-malware-part-2-reconstructing-import-address-table/

Image credits: Wayne Haag