Page 1: Reverse code engineering

A reverser's view of application security

Reverse Code Engineering

Page 2: Reverse code engineering

Speaker Info

Krishs Patil

Holds a master's degree in computer applications

Computer programmer

Reverser

Hobbyist security researcher

Page 3: Reverse code engineering

Outline

Introduction

Reversing Process

Tools and Techniques

Reversing in different contexts (practice)

Lab demonstration

Defeating Reverse Engineering

Resources

Page 4: Reverse code engineering

Introduction

“Reverse engineering is the process of extracting the knowledge or design blueprints from anything man-made”.

It is usually conducted to obtain missing knowledge, ideas and design philosophy when such information is otherwise unavailable.

In computer science, it is the process of disassembling or decompiling the binary code of a computer program for various purposes.

It requires skill in, and an understanding of, computers and software development.

Page 5: Reverse code engineering

Introduction Cont… Why reverse engineering…

Different people do it for different purposes…

But, specifically in the field of cyber security…

…if you want to be a serious security researcher, you must possess reverse code engineering skills.

Page 6: Reverse code engineering

Reversing Process

Defining the scope of reversing…

System Reverse Engineering

Code Reverse Engineering

Data Reverse Engineering

Protocol Reverse Engineering

Page 7: Reverse code engineering

Reversing Process Cont… Setting up the environment…

Set up an isolated environment (VMware, VirtualBox)

System monitoring (Sysinternals tools)

Static Analysis

Dynamic Analysis (Debugging/Tracing)

Page 8: Reverse code engineering

Reversing Process Cont… Disassembling vs. decompiling…

Native code – executes directly on the CPU

(compiled from C, C++, Delphi)

Intermediate code – an interpreter drives it to perform operations on the CPU

(Java bytecode, MSIL)

Page 9: Reverse code engineering

Reversing Process Cont… Program structure…

Higher-level perspective…

Modules

Data

Control flow

Lower-level perspective…

Just assembly language!!!

Page 10: Reverse code engineering

Reversing Process Cont… So what do I need to know before reversing binary code…

Just a computer and a brain would be enough, but…

…mastering it might take time if you don't know about

Computer architecture

Programming in assembly language and C/C++

Operating system platform and hexadecimal numbering

Page 11: Reverse code engineering

Assembly Language

Lowest level in software

Platform specific (IA-32, IA-64, AMD)

Machine code (opcodes) and their textual form, assembly commands (mnemonics)

An assembler converts an assembly program into machine code that the CPU can execute.

A disassembler is a program that converts machine code back into a textual representation of assembly commands.

Mastering reversing without knowing assembly is almost impossible.

Page 12: Reverse code engineering

Assembly Language

Page 13: Reverse code engineering

Assembly Language – Registers

Internal storage inside the processor

IA-32 has eight general-purpose registers (EAX, EBX, ECX, EDX, ESI, EDI, EBP and ESP)

Floating point and debug registers

Special register – EFLAGS for flag management

Status flags: OF (overflow), SF (sign), ZF (zero), AF (auxiliary carry), PF (parity), CF (carry)

Page 14: Reverse code engineering

Assembly Language – Basic Instructions

MOV – data copying

LEA – address loading (pointer)

ADD, SUB, MUL, DIV, IMUL, IDIV – arithmetic

CMP, TEST – comparison (set flags only)

CALL, RET – function call and return

J** – conditional branching on the flags (JE, JNE, JL, JB, …)

PUSH/POP – stack management

NOP – do nothing
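The flags on page 13 and the CMP/TEST/J** instructions above are what a reverser reads to recover a program's comparisons. The Python model below is an added example (not from the original slides): it computes the EFLAGS bits CMP and TEST set and lists which conditional jumps would then be taken, which shows why the Jcc a compiler emits after a CMP reveals whether the operands were signed or unsigned. Function and table names are my own.

```python
MASK32 = 0xFFFFFFFF

def flags_after_cmp(a, b):
    """EFLAGS after CMP a, b: the CPU computes a - b on 32 bits and keeps only the flags."""
    a &= MASK32
    b &= MASK32
    r = (a - b) & MASK32
    return {
        "ZF": int(r == 0),                             # result is zero
        "SF": (r >> 31) & 1,                           # sign bit of the result
        "CF": int(a < b),                              # unsigned borrow
        "OF": (((a ^ b) & (a ^ r)) >> 31) & 1,         # signed overflow
        "PF": int(bin(r & 0xFF).count("1") % 2 == 0),  # low byte has even parity
        "AF": ((a ^ b ^ r) >> 4) & 1,                  # borrow out of bit 3
    }

def flags_after_test(a, b):
    """EFLAGS after TEST a, b: bitwise AND with the result discarded; CF and OF are cleared."""
    r = (a & b) & MASK32
    return {"ZF": int(r == 0), "SF": (r >> 31) & 1, "CF": 0, "OF": 0,
            "PF": int(bin(r & 0xFF).count("1") % 2 == 0), "AF": 0}  # AF is undefined after TEST; modelled as 0

# Condition each conditional jump checks, as the Intel manual defines it.
JCC = {
    "JE":  lambda f: f["ZF"] == 1,
    "JNE": lambda f: f["ZF"] == 0,
    "JB":  lambda f: f["CF"] == 1,                          # unsigned below
    "JAE": lambda f: f["CF"] == 0,                          # unsigned above or equal
    "JA":  lambda f: f["CF"] == 0 and f["ZF"] == 0,         # unsigned above
    "JBE": lambda f: f["CF"] == 1 or f["ZF"] == 1,          # unsigned below or equal
    "JL":  lambda f: f["SF"] != f["OF"],                    # signed less
    "JGE": lambda f: f["SF"] == f["OF"],                    # signed greater or equal
    "JG":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],   # signed greater
    "JLE": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],    # signed less or equal
    "JS":  lambda f: f["SF"] == 1,
    "JO":  lambda f: f["OF"] == 1,
}

def taken_jumps(flags):
    """Sorted mnemonics whose branch is taken under these flags."""
    return sorted(m for m, pred in JCC.items() if pred(flags))

if __name__ == "__main__":
    # Same compare, two meanings: 0xFFFFFFFF is -1 signed but 4294967295 unsigned.
    f = flags_after_cmp(0xFFFFFFFF, 1)
    print(f, taken_jumps(f))                    # JL is taken (signed), JB is not (unsigned)
    print(taken_jumps(flags_after_test(0, 0)))  # the classic "test eax, eax / jz" idiom
```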

Page 15: Reverse code engineering

System Calls

Used as the interface between an application and the operating system.

System calls ask the OS to perform a specific task.

Most operating systems are written in C, so they expose their system calls as C APIs:

- *NIX system calls – unistd.h

- Windows system calls – windows.h

Studying the OS platform and its system calls is a necessary part of reverse engineering.

Page 16: Reverse code engineering

PE – Portable Executable file

Page 17: Reverse code engineering

Tools and Techniques

Various tools help in reverse-engineering binary code. A compiler converts a high-level language such as C or C++ into machine code. An assembler converts processor-specific assembly source into machine code. In the reverse direction, disassemblers and decompilers help us undo that process, recovering higher-level code from machine code.

Debuggers are the tools used to inspect a live, running program.

Virtual machines help by providing a protective, isolated environment for analysis.

Page 18: Reverse code engineering

Tools and Techniques Cont… Tools fall into two broad categories.

Static analysis tools

- Help us analyse a program without even running it.

- Include disassemblers and decompilers.

Dynamic analysis tools

- Help us dive deep into a program by analysing it while it runs.

- Include debuggers, loaders and system monitoring tools.

Page 19: Reverse code engineering

Tools and Techniques Cont… Compilers

(Visual C++ compiler, GCC compiler suite, .NET Framework)

Assemblers

(MASM, NASM, TASM, FASM)

Disassemblers and debuggers

(IDA Pro, OllyDbg, Immunity Debugger, WinDbg)

Hypervisors

(VMware Workstation/Player, VirtualBox, QEMU)

System monitoring with Sysinternals tools

Hex Editors and Other system utilities

Page 20: Reverse code engineering

Tools and Techniques Cont…

Page 24: Reverse code engineering

RCE in various contexts – Time to understand field work!!!

Cracking (illegal/unethical)

Malware analysis

Vulnerability analysis (exploit development)

Clean-room RE (Chinese wall)

Recovering lost source code (legacy)

Investigating and fixing the causes of faults in released software (e.g. Microsoft global escalation support team)

Page 25: Reverse code engineering

Cool, huh…

Let's play around with some practical reversing lab exercises

Let's see some cool stuff

Page 26: Reverse code engineering

Lab – Cracking for a serial

This is purely for demonstration and educational purposes only.

Anything you do to obtain or provide a fake registration key for software is considered cracking and a serious offence.

In the lab we are going to study and recover the serial key and defeat the registration mechanism in various ways.

Page 27: Reverse code engineering

Defeating RE

A lot of research has been done, and there are many ways to make the reversing process harder.

…But no solution is 100% perfect and secure.

Page 28: Reverse code engineering

Defeating RE Cont… Software armoring

Obfuscation

“deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand” -- Wikipedia

Page 29: Reverse code engineering

Defeating RE Cont… Some techniques for anti-analysis…

Packers (compression)

Protectors (encryption)

Anti-debugging

Garbage code and code permutation

Anti-disassembly

Hypervisor/emulator detection
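Packers and protectors compress or encrypt the original code, which shows up in the PE file (page 16) as sections whose raw bytes look almost random. The Python script below is an added example, not material from the slides: it walks the DOS header, PE signature, COFF header and section table of a PE image and reports each section's Shannon entropy, so an analyst can spot likely packed sections before deciding on static or dynamic analysis. The minimal PE image it parses is constructed inline (headers only, not a loadable executable) and the function names are my own.

```python
import math, random, struct
from collections import Counter

def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for compressed/encrypted data, far lower for ordinary code."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def pe_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table; return (name, entropy) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                                  # section headers follow the optional header
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return out

def packed_sections(image, threshold=7.0):
    """Section names whose raw bytes look compressed or encrypted, a hint that a packer/protector is in use."""
    return [name for name, ent in pe_sections(image) if ent > threshold]

def build_sample_pe(sections):
    """Constructed sample: a PE skeleton carrying only the headers parsed above (not a loadable binary)."""
    opt_size, coff = 0xE0, 0x44
    raw_ptr = coff + 20 + opt_size + 40 * len(sections)           # raw data starts right after the section table
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew at 0x3C points to 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size                                           # zeroed optional header (unused here)
    body = bytearray()
    for name, data in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(hdr + body)

_rng = random.Random(7)
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(16)) * 64),                           # code-like bytes, entropy exactly 4.0
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),  # pseudo-random, as a packed section looks
])
```

Running `pe_sections(SAMPLE_PE)` lists `.text` at 4.0 bits and `UPX1` near 8.0, and `packed_sections(SAMPLE_PE)` returns only `UPX1`; a real binary is read with `open(path, "rb").read()` in place of the constructed image.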

Page 30: Reverse code engineering

Defeating RE Cont…

Page 31: Reverse code engineering

Defeating RE Cont… Advanced technologies…

Mutation

Code Virtualization

Page 32: Reverse code engineering

Resources

Reversing: Secrets of Reverse Engineering (by Eldad Eilam)

Microsoft Windows Internals (by Mark Russinovich and David Solomon)

Reverseme.de – cool reverseme.exe collections

InfoSec Institute resources – cool articles on security

NtDebugging blog (Microsoft global escalation support team) – fine-grained exposure to Windows internals

And finally, some good books on x86 assembly (tutorials and references).

Page 33: Reverse code engineering

Questions???

Is there still anything struggling in your mind?

Page 34: Reverse code engineering

Hope you enjoyed it.

Thank you!!!
