A year in review: 2018-2019

This article was published on the 19th of June 2019.

The first article of the course was published on the 20th of June 2018, which is a year but a day ago at the time of writing (the 19th of June 2019). In the past year, I experienced a lot. This post will reflect upon the start of the course, the highlights, the direction it has taken, and the course’s future. Lastly, I’d like to express my thanks to several people.

Table of contents

The start

When I wrote the first article of the course, I was only planning on releasing some write-ups of CTF challenges. The first entry (posted here and here on Reddit) was very well received, and I enjoyed creating the write-up. As I progressed with other challenges, I did not find the proper resources to learn how to reverse engineer from the beginning, where one knows very little. The few resources that I did find, focused on paid tools like IDA Pro, often with the paid decompiler plug-in. As I did not have a license for the paid tools, I focused on free and open-source tools. Due to this change, the course itself is easily accessible for anyone.

The highlights

As I do not track visitors on my site, I can only measure the network traffic and responses on Twitter and Reddit. Below, notes for each of these metrics are given.

Based on network traffic, the posts regarding malware analysis clearly showed a bigger amount of traffic. Do note here, that the page load the analysis of a sample is significantly higher, when compared to one of the smaller articles, such as the article on how to find new malware samples. Even with the difference in size, the malware analysis samples were the most popular articles.
Aside from the traffic per article, the traffic in general rose up until roughly 16 000 visitors per month in the past few months. After March 2019, when I started to work full time, the traffic decreased again to roughly half of that. I expected a decrease in visitors due to the nature of the blogs I posted during this time.

On Reddit, there was less of a difference in response. The articles regarding the sources for new samples, the Emotet dropper analysis, the assembly crash course, and the analysis of the Android SMS stealer were (in descending order) the most popular. By the looks of it, the speed at which a post is picked up, is the most important factor on Reddit.

All in all, I reached people, and people liked it. Sadly, I received multiple bans on multiple sub-Reddits (both temporary and permanent). All of the bans were lifted after correspondence with the moderators who issued the bans. I have no ill meaning towards these administrators, as they have to combat a lot of spam on these sub-Reddits. After all, a mistake is easily made.

On Twitter, the audience grew post-by-post, as people noticed my articles and kept an eye out for new ones. Most notably were the shares of Binni Shah, who Tweeted multiple times about the Assembly Basics chapter. The assembly crash course update was the most popular Tweet regarding this course, as can be seen here. Two other Tweets that gained a lot of popularity were also posted by Binni Shah. The first Tweet refers to the buffer overflow article. The second Tweet refers to the course itself, with a focus on the (then) latest chapter: Assembly Basics.

Other articles, such as the Emotet dropper analysis, also received quite some attention on Twitter, as it was (one of the) first blogs that also analysed the server sided code. An example is this Tweet. Someone also made a Yara rule that helps to detect the malicious PHP script on a server.

All in all, it seems that the malware analysis posts were the most appreciated, which is great, as this is a core concept of the course. Alas, not all articles are directly related to malware analysis. Since one first needs to learn and understand the techniques that malware authors use, articles that cover these parts are also required.

I’ve tried to maintain an enjoyable difference between malware related posts and more theoretical posts, both in terms of when to release what article and by trying to include technical parts in every article. An example of the latter can be found the Dot Net framework and the Android posts, where a CTF challenge is used to provide practical examples of the theory that is explained prior.

The direction

During the first year, I tried to release a new article every two weeks, which I did, excluding holidays. In total, I published 22 articles, spread out over 11 chapters. These publications happened in 19 iterations.

The course now contains enough information for people to dive deep into reverse engineering. One of the areas which is currently lacking, is the analysis of native binaries. The set-up for this has been created by the first few chapters in the course, which provide information about assembly language and CPU registers. Additionally, the Assembly Code chapter provides more insight in assembly language, which is often encountered when disassembling native binaries.

Expect content regarding native binary analysis in the future, especially with the release of Ghidra! The variety within the released articles will remain, as it also allows me to work on a variety of subjects. Examples of other subjects are the commonly used techniques within malware and the ongoing search for new samples.

The future

In the future, the course will continue to receive additions, although the manner and frequency might differ. The course started when I was still busy with my bachelor at the university, during which I had significantly more time to spare. I spend a great deal of this time on this course, but after I graduated and started working full time, I had significantly less time to spare. As a result, the latest couple of posts were shorter. Since I’d like to continue to create articles with the same quality, more time between the articles is needed. As such, I came up with two options.

The first option is similar to the current situation, where the only difference is the time between the articles. The new aim would be to release an article once a month. Depending on the time that I need for the article, more articles might be posted during that month, but that is not the default planning.

The second option differs in multiple ways. Aside from creating new articles for the course, screen recordings of older articles will also be created and published. This way, the course will (eventually) be available in two formats: written and audio-visual.
As I have little to no experience with creating screen recordings and editing videos, it is hard to estimate the time it takes to create a narrated screen recording. As such, the ratio of screen recordings and new articles is hard to decide upon. As I’m not sure about this path, I’d like to hear from those who follow along with my blogs. As such, I invite anybody to reach out to me via any of the methods that are listed below.

To conclude

To conclude, I’d like to express my thanks to anyone who send me a message regarding the course. I’ve thoroughly enjoyed creating this course and other tools in the last year, and I will continue to do so in the future. Each and every remark and comment I got, sparked joy. Some generous and kind compliments really made my day, and some even my week.

As such, I’d like to thank multiple people for the help and opportunities they’ve given. At first, I’d like to thank Yorick Koster and Han Sahin for their continuous support. Additionally, I’d like to thank everybody at Securify for the help they’ve given me. During my time at ThreatFabric, I learned a lot, for which I’d like to thank Gaetan. I’d like to thank Itay for his words of encouragements at 35C3. Last, but surely not least, I’d like to thank my very good friend Pham, for his continuous help to any question I posed to him.

To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on Twitter @Libranalysis.