Download - Reverse Engineering

Transcript
Page 1: Reverse Engineering

Reverse EngineeringGrant Curell

Page 2: Reverse Engineering

What is reverse engineering?

Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation

Page 3: Reverse Engineering

Why does the military care and more specifically, why should you?

Page 4: Reverse Engineering

General reversing

• What is the x86 architecture?• What is a computer?• What is the general structure of a computer?• What differentiates malicious instructions

from legitimate instructions?

Page 5: Reverse Engineering

Registers

• EAX - Accumulator Register• EBX - Base Register• ECX - Counter Register• EDX - Data Register• ESI - Source Index• EDI - Destination Index• EBP - Base Pointer• ESP - Stack Pointer

Page 6: Reverse Engineering

• EAX - All major calculations take place in EAX, making it similar to a dedicated accumulator register.

• EDX - The data register is the an extension to the accumulator. It is most useful for storing data related to the accumulator's current calculation.

• ECX - Like the variable i in high-level languages, the count register is the universal loop counter.

• EDI - Every loop must store its result somewhere, and the destination index points to that place. With a single-byte STOS instruction to write data out of the accumulator, this register makes data operations much more size-efficient.

• ESI - In loops that process data, the source index holds the location of the input data stream. Like the destination index, EDI had a convenient one-byte instruction for loading data out of memory into the accumulator.

• ESP - ESP is the sacred stack pointer. With the important PUSH, POP, CALL, and RET instructions requiring it's value, there is never a good reason to use the stack pointer for anything else.

• EBP - In functions that store parameters or variables on the stack, the base pointer holds the location of the current stack frame. In other situations, however, EBP is a free data-storage register.

• EBX - In 16-bit mode, the base register was useful as a pointer. Now it is completely free for extra storage space.

Page 7: Reverse Engineering

Commands

command operand1, operand2command reg1, op1/reg2command op1/reg1

Where an operator can be fixed number or a register

Page 8: Reverse Engineering

Commands – The basics

• sub dest, src - The source is subtracted from the destination and the result is stored in the destination. (dest-src=dest)

• add dest, src - Adds "src" to "dest" and replacing the original contents of "dest". Both operands are binary.

• mov dest, src - Copies byte or word from the source operand to the destination operand.

Page 9: Reverse Engineering

Commands – push and pop

• push src - Decrements SP by the size of the operand (two or four, byte values are sign extended) and transfers one word from source to the stack top (SS:SP).

• Transfers word at the current stack top (SS:SP) to the destination then increments SP by two to point to the new stack top. CS is not a valid destination.

Page 10: Reverse Engineering
Page 11: Reverse Engineering
Page 12: Reverse Engineering

commands – comparison operators

• xor dest, src - Performs a bitwise exclusive OR of the operands and returns the result in the destination.

• test dest, src - Performs a logical AND of the two operands updating the flags register without saving the result.

• cmp - Subtracts source from destination and updates the flags but does not save result. Flags can subsequently be checked for conditions.

Page 13: Reverse Engineering

Commands – call

• call - Pushes Instruction Pointer (and Code Segment for far calls) onto stack and loads Instruction Pointer with the address of proc-name. Code continues with execution at CS:IP.

Page 14: Reverse Engineering

Commands – leave and ret

• Leave –

Page 15: Reverse Engineering

commands - jumps

Details on Jumps

Page 16: Reverse Engineering

commands – pointers and lea

• lea dest, src - Transfers offset address of "src" to the destination register.

Question? Is the value of ESI the same or different after each of these instructions? What is its value(s)?

MOV ESI, [EBX + 8*EAX + 4]

and

LEA ESI, [EBX + 8*EAX + 4]

Page 17: Reverse Engineering

Example 1

We’ll talk about these later.

Page 18: Reverse Engineering

The original code...

Page 19: Reverse Engineering

Calling Conventions

The C Convention: pushes arguments onto the stack from right to left (i.e., the first argument of the function is placed on the stack last, and thus appears on top). Deleting arguments from the stack is entrusted not to the function, but to the code calling the function.

The Pascal convention pushes arguments on the stack from left to right (i.e., the first argument of the function is placed on the stack first, and thus appears on the bottom). The deletion of function arguments is entrusted to the function itself,

Page 20: Reverse Engineering

Example 1 – What’s happening here?

Page 21: Reverse Engineering

Example 2

Meow

Page 22: Reverse Engineering

Example 2 – Where was our string stored?

Page 23: Reverse Engineering

Example 3: Now you know enough to be dangerous

Hint: You’ll need this ASCII TABLE

Page 24: Reverse Engineering

Some review – Buffer Overflows

Page 25: Reverse Engineering

Where is data stored?

• Generally: All local variables are stored on the stack.

• Dynamically allocated variables are generally placed in the heap.

Page 26: Reverse Engineering

Example 4

-There are two flaws in this program. Can you spot them?

Page 27: Reverse Engineering

What is an access violation and why did it occur?(Pay close attention because the answer will help you with your assignment.)

Page 28: Reverse Engineering
Page 29: Reverse Engineering

As compiled with Dev C++

Page 30: Reverse Engineering
Page 31: Reverse Engineering

A quick comparison with what it looked like when compiled with Visual Studio

What’s happening here?

Page 32: Reverse Engineering

What do we expect the stack to look like when we reach this point?

What is this for?

What is this?

Page 33: Reverse Engineering

Stack after the sub esp, 68

Page 34: Reverse Engineering

Can you identify what is on the stack right now?

Page 35: Reverse Engineering

Assuming NO access violation occurred, what do you think happened?

Page 36: Reverse Engineering

So now what? We want control.

How do you think we should do it?

Page 37: Reverse Engineering

Time for some math.

Start of our buffer

Return address

0022FF60-22FF10 = 0x50 or 80 bytes first 76 bytes are buffer last 4 overwrite return address.

Page 38: Reverse Engineering

What it looks like after input – notice the return address overwritten by B instead of A.

Return address

Page 39: Reverse Engineering

So that’s great, but where are we gonna put our shell code?

Registers just before the return Stack just before the return

Page 40: Reverse Engineering

Finding a suitable jmp ecx

Page 41: Reverse Engineering

Now we write some shell code…

Page 42: Reverse Engineering

Let’s take a look… right before gets

Page 43: Reverse Engineering

Right after gets… looks good

Page 44: Reverse Engineering

It didn’t work… why?

Page 45: Reverse Engineering

This still won’t work. Why?

Page 46: Reverse Engineering

So we need a new exploitation technique.

Example 5

Page 47: Reverse Engineering

SEH… What is that?

Page 48: Reverse Engineering

Let’s get a better look…

Page 49: Reverse Engineering

What it looks like in Ollydbg… your target

This is the unfiltered exception handler. It is called if no other EH can handle the problem.

Page 50: Reverse Engineering

So here’s generally what to do…

See later slides for why step 4 is different.

Page 51: Reverse Engineering

What your malicious payload should look like…

NOPs Exploit Code Short JMP Address of Pop Pop Ret

16 NOPs Long Jump To NOP Sled Large amount of garbage

Page 52: Reverse Engineering

One difference conceptually…

• Because we do not have space after the SEH, we must put our shellcode before. This means we will have to jump to the nopsled above and let it “slide” down.

• The encoding you will want to use is:• \xE9\x14\xFD\xFF\xFF

Page 53: Reverse Engineering

Generating a Payload Using Backtrack

1) Open a console2) Type “msfconsole”3) Type “use payload/windows/messagebox”4) Type “show options” to see exploit options. Mess with these

as you wish.5) Type “generate” to generate the payload

Note: My payload code is in the notes if you wish to use that.

Page 54: Reverse Engineering

Let’s take a pictorial look

Page 55: Reverse Engineering

That questions slide

Insert a generic picture of question marks here


Top Related