intro reverse engineering

Download Intro reverse engineering

Post on 25-May-2015




4 download

Embed Size (px)


  • 1. Intro to Reverse Engineering INF0ANUThe world of possibilities

2. Intro INF0ANUThe world of possibilities 3. Why do we reverse engineer? Closed source software Vulnerability Research Product verification Proprietary formats Interoperability SMB on UNIX Word compatible editors Virus research 4. Why should you give a fuck? Basis of computing Reverse engineering teaches the inner workings of any processor Learning how the processor handles data helps in understanding many other aspects of computer security All the cool kids are doing it (not really) 5. Real Time RCE (Debugging) Debuggers that disassemble OllyDbg WinDbg SoftIce Code actually runs The application actually executes all instructions as if it was ran normally Uses interrupts to control execution of the program Swaps out the current instruction with an interrupt instruction code Swaps it back when the execution is continued 6. Static Analysis (Dead Listing) Traditional disassemblers IDA Pro W32Dasm objdump Code does not execute The disassembler parses the file format and related code sections Good disassemblers do deep recursive analysis to ensure proper instruction disassembly Allows the user the ability to look at what code will do withoutactually running it Does not allow the ease of live disassembly/debugging Viewing registers Inspecting the contents of memory 7. File Formats INF0ANUThe world of possibilities 8. What are file formats? Files that adhere to a specific format oftenbeing executable by an operating system Executable files are created from source codeand libraries by a compiler Data files can be created by anything from atext editor to an mp3 encoder 9. Executable Contents Machine code Instructions the program will run Memory locations code addresses function addresses Program data Static variables Strings Loader data Imports Exports 10. Sections Allows the loader to find various information Not finite, executables can have user definedsections 11. Executable Formats ELF Executable and Linker Format HistoryOriginally published by UNIX system laboratories as a dynamic,linkable format to be used in various UNIX platforms What uses ELF Linux Solaris Most modern BSD based unixs Dissection Header Sections 12. ELF Header The header contains various information the operating system loadingneedse_ident Contains various identification fields including Endianess, ELFversion, Operating Systeme_type Identifies the object file type including relocatable, executable,or core filee_machine Contains the processor type including Intel 80386, HPPA,PowerPCe_version Contains the file version informatione_entry - Contains the entry point for the executablee_phoff Contains the program files header offset in bytese_shoff Contains the section header offsete_flags Contains the processor specific flagse_ehsize Contains the ELF header size in bytes 13. ELF Sections Each section of an ELF executable contain various informationneeded to execute.bss - This section holds uninitialized data that contributes to the programs memory image. By definition, the system initializes the data with zeros when the program begins to run..comment - This section holds version control information..ctors - This section holds initialized pointers to the C++ constructor This section holds initialized data that contribute to the programs memory image..data1 - This section holds initialized data that contribute to the programs memory image..debug - This section holds information for symbolic debugging. The contents are unspecified..dtors - This section holds initialized pointers to the C++ destructor functions..dynamic - This section holds dynamic linking information. 14. ELF Sections Cont.dynstr - This section holds strings needed for dynamic linking, most commonly thestrings that represent the names associated with symbol table entries..dynsym - This section holds the dynamic linking symbol table..fini - This section holds executable instructions that contribute to the processtermination code. When a program exits normally the system arranges toexecute the code in this This section holds the global offset table..hash - This section holds a symbol hash table..init - This section holds executable instructions that contribute to the processinitialization code. When a program starts to run the system arranges toexecute the code in this section before calling the main program entrypoint..interp - This section holds the pathname of a program interpreter. If the file has aloadable segment that includes the section, the sections attributes willinclude the SHF_ALLOC bit. Otherwise, that bit will be off..line - This section holds line number information for symbolic debugging, whichdescribes the correspondence between the program source and themachine code. The contents are unspecified. 15. ELF Sections Cont.note- This section holds information in the ``Note Section format described below..plt - This section holds the procedure linkage table..relNAME - This section holds relocation information. By convention, ``NAME issupplied by the section to which the relocations apply. Thus a relocationsection for .text normally would have the name .rel.text.rodata - This section holds read-only data that typically contributes to a non-writable segment in the process image..rodata1 - This section holds read-only data that typically contributes to a non-writable segment in the process image..shstrtab - This section holds section names..strtab - This section holds strings, most commonly the strings that represent thenames associated with symbol table entries..symtab - This section holds a symbol table. If the file has a loadable segment thatincludes the symbol table, the sections attributes will include theSHF_ALLOC bit. Otherwise the bit will be off..text - This section holds the ``text or executable instructions, of a program. 16. Executable Formats Cont PE Portable Executable History Microsoft migrated to the PE format with the introduction of the Windows NT 3.1 operating system. It is based of a modified form of the UNIX COFF format What uses PE Windows NT Window 2000 Windows XP Windows 2003 Windows CE Dissection DOS Stub The DOS stub contains a message that the executable will not run in DOS mode Optional Header (Not optional] RVA Relative virtual addressing Sections 17. Optional Header The optional header in a PE executable contains various information regarding theexecutable contents needed for the OS loaderSizeOfCode- Size of the code (text) section, or the sum of all code sectionsif there are multiple sections.AddressOfEntryPoint Address of the entry function to start execution fromBaseOfCode- RVA of the start of the code relative to the base addressBaseOfData RVA of the start of the data relative to the base addressSectionAlignment Alignment of sections when loaded into memoryFileAlignment Alignment of section on diskSizeOfImage - Size, in bytes, of image, including all headers; must be a multiple of Section AlignmentSizeOfHeaders - Combined size of MS-DOS stub, PE Header, and section headers rounded up to a multiple of FileAlignment.NumberOfRvaAndSizes - Number of data-dictionary entries in the remainder of the Optional Header. Each describes a location and size. 18. Sections The sections in a PE file contain various pieces of theexecutable needed to run including various RVAs and offsets.text Contains all executable code.idata Contains imported data such as dll addresses.edata Contains any exported Contains initialized data like global variables and string literals.bss Contains un-initialized data.rsrc Contains all module resources.reloc Contains relocation data for the OS loader 19. Data Formats Different than executable formats Doesnt usually contain machine code Has structure but not always defined sections A reverser often needs to reverse how a file formatfunctions Proprietary formats are not always published Reversing allows compatibility (i.e. Microsoft doc) Data rights management Often the only way to get what you pay for is to take action 20. Assembly Language INF0ANUThe world of possibilities 21. What is it Lowest level of programming (besidesmicrocode) Direct processor register access utilizingarchitecture defined instructions Output of most compilers 22. How is it used Directly using an assembler NASM ml as Output by a high level compiler GCC cl 23. What does it looks like Depends on the instruction set IA32 mov eax, 0x1 PA-RISC copy %r14,%r25 ARM LDR r0,[r8] 24. Instruction Sets The mneumonics for the opcodes handled bythe processor Minimal set of commands that achieve aprogramming goal 25. Different Instruction Set Architectures RISC - Reduced Instruction Set Computing Fixed length 32 bit instructions 32 general purpose registers Vendors IBM (PowerPC) HP (PA-RISC) Apple (PowerPC) CISC - Complex Instruction Set Computing Multibyte instructions Multiple synonymous opcodes 16 registers Vendors Intel (IA-32) DEC [PDP-11] Motorola (m68K) 26. Registers and the Stack INF0ANUThe world of possibilities 27. Overview Purpose Registers are used to store temporary data Pointers Computations The stack is used to manage data Variables Data 28. Stack Layout Stack is dynamic but builds as it goes Addresses start at a higher address and builds tolower addresses The stack is generally allocated in 4 byte chunks 29. Register sizes Register sizes depend on the supportedarchitecture 32 bit 64 bit IA32 16 registers 32 bits (4 bytes) each RISC 32 general purpose registers 64 bits [8 bytes]each 30. IA32 Registers EBP Stack frame base pointer Points to the start of the functions stack frame ESP Stack source pointer Points to the current (top) location on the stack EIP Instruction pointer Points to the next executable instruction 31. IA32 Registers Cont General Purpose registers U