reverse engineering

Reverse engineering

By :Sitanshu DubeySecurity analyst and researcherHicube Infosec Pvt. Ltd.E-mail: sitanshu@hicubes.com

Reverse engineering

Content- Introduction- Needs- Assembly Language basics- Debuggers

Reverse engineering

Introduction- Reverse Engineering is a process of redesigning an

existing product to improve and broaden its function, add quality and to increase its useful life. Also and important additional goal is to reduce manufacturing costs of the new product making it competitive in the market place.

Reverse engineering

Reverse engg. Vs Forward engg.Forward Engineering Reverse Engineering

Requirements

Design

Source Code

Behavior

Reverse engineering

Needs- Reverse engineering is used for testing

purpose. - It is used for updating and adding new

features. - Migration to another hardware/software

platform.

- Facilitating software reuse.

Reverse engineering

Assembly Language basics- Assembly language is the most basic

programming language available for any processor. With assembly language, a programmer works with the operations which are implemented directly on the physical CPU.

Reverse engineering

Assembly Language basics- Every code of a software converts in assembly

language whether it is written in java or c, or c++ or in any high level language.

- Assembly language contains mnimonics for performing an operation likeMOV AX, 47104MOV DS, AXMOV [3998], 36INT 32

Reverse Engineering

Flags- Flags are single bits which indicate the status of

something. There are 32 different flags. You will mostly need only 3 of them in reversing. The Z-Flag, the O-Flag and the C-Flag.

- A flag can only be '0' or '1', meaning ‘ok' or ‘not ok'.

Reverse Engineering

Segments and offsets- A segment is a piece in memory where

instructions (CS), data (DS), stack (SS) or just an extra segment (ES) are stored. Every segment is divided in 'offsets'. In 32-bits applications (Windows 95/98/ME/2000), these offsets are numbered from 00000000 to FFFFFFFF.

- A segment is like a page in a book.- And an offset is like a specific line at that page.

Reverse Engineering

Registers- Generally 32 bit / 64 bit windows supports mailly 9

registers.- EAX : Extended Accumulator Register- EBX : Base Register- ECX : Counter Register- EDX : Data Register- ESI : Source Index- EDI : Destination Index

Reverse Engineering

Pointer Registers- EBP : Base Pointer- ESP : Stack Pointer- EIP : Instruction Pointer

Reverse Engineering

Jumps- Different jump statements:

JNZ Jump if not zeroJMP Jumps alwaysJLE Jump if (signed) less or equalJE Jump if equal

Reverse Engineering

Debuggers- A debugger or debugging tool is a computer

program that is used to test and debug other programs .

- Debuggers show the assembly code of the program.

Reverse Engineering

Debuggers- Widely used Debuggers

i) Ollydbgii) Windbgiii) Hdasm

Reverse Engineering

Ollydbg

Reverse Engineering

Windbg

Reverse Engineering

Hdasm

Packing & Unpacking

Packing & Unpacking

Content- Introduction- Need- Objective Unpacking- Useful Tools- Conclusion

Packing & Unpacking

IntroductionPacking

- Packing is a process of protecting the code from the malicious users who use reverse engineering for malicious purpose such as braking security, braking copyrights etc..

Packing & Unpacking

IntroductionUnpacking

- Unpacking is the technique by which one can remove packers or protectors.

Packing & Unpacking

Need- Packing is very important to protect the codes.- If a malicious person become successful to

brake the packer or protector then he can do normal reverse engineering to brake the code.That’s why its very important to use good protectors/packers.

Packing & Unpacking

Objective Unpacking- Packers 'pack' or 'compress' a program much

the same way as compressor, packers then attach their own decryption / loading stub which 'unpacks' the program before resuming execution normally at the programs original entry point.

Packing & Unpacking

Objective Unpacking- The main objective of unpacking a software is

to get the OEP (Original Entry Point) of the software.

- Basically when a packer compress the application, the entry point become change to the entry point of packer rather then application.

Packing & Unpacking

Objective Unpacking- OEP is refer to the entry point of application.- If one can get the OEP then he can modify the

code.

Packing & Unpacking

Useful Tools- Packers:

i) Armadilloii) ASPack & ASProtectiii) PECompactiv) WWPack(32) etc..

Packing & Unpacking

Useful Tools- Unpackers

i) PEidii) ArmKilleriii) UnAspackiv) UnShrinker etc..

Packing & Unpacking

Useful Tools- PEiD detects most common packers, crypters

and compilers for PE files. It can currently detect more than 470 different signatures in PE files.

- It is useful to get the packer’s name which helps to unpacking because for different packer we have to use different techniques.

Packing & Unpacking

PE files- The PE ("portable executable") file format is

the format of executable binaries (DLLs and programs) for windows.

- It can also be used for object files and libraries.

Reverse Engineering

Conclusion- Reverse Engineering is a new research area

among software maintenance.- RE includes activities of understanding the

system and recovery info from system.- Program understanding is the most important

subset of Reverse Engineering.- Discovery of abstraction is key issue.