reverse engineering - a practical approach using ida pro
TRANSCRIPT
Introduction Demo
Reverse EngineeringA Practical Approach Using IDA Pro
Federico Valentini
December 18th 2014
Federico Valentini — Reverse Engineering 1/13
Introduction Demo
Prerequisites & GoalsWhy Reversing?
Reverse engineering is a very important skill for informationsecurity researchers.In this talk I will explore the basic concepts of reverseengineering by reversing a simple application called crackme.
Federico Valentini — Reverse Engineering 2/13
Introduction Demo
Prerequisites & GoalsAll clear?
The crackme application is ok for this purpuse, nocopyright problems :)
I will use static approach to solve the problem as itclearly demonstrates the power of reverse engineering
A little bit knowledge of assembly and disassemblers,debuggers is required to understand this material
I will use IDA Disassembler as it is the most powerfuldisassembler exists in the market, Hexrays provide a demoversion of IDA
Federico Valentini — Reverse Engineering 3/13
Introduction Demo
Reverse EngineeringBasic steps
Reverse engineering can be easy and can be difficult, itdepends on your target. But the basic steps are:
Detect packer/encryptor: if present, then firstunpack/decrypt the file and fix imports etc.
Static Analysis: Understand the application logicwithout executing it in live environment.
Dynamic Analysis: Execute the binary and monitor theapplication activities.
Federico Valentini — Reverse Engineering 4/13
Introduction Demo
Reverse EngineeringSome Important Terms
API(Application Programming Interface):In windows world, code sharing is the core of communication andtrust.A user application can’t directly control hardware or can’t directlycommunicate with windows kernel.So how would application work if application can’t talk with thekernel ?Windows provide various DLLs(Dynamic Link Library) and theseDLLs exports various functions to provide services to userapplications and we call them API.So the understanding of APIs is necessary.
Eg: if you are using printf() function in your code and thelinker links the function call to the printf() function inmsvcrt.dll, so the printf() function is an API
Federico Valentini — Reverse Engineering 5/13
Introduction Demo
Reverse EngineeringSome Important Terms
Return Value in EAX: The second important thing isthat every function/API mostly returns to EAX register.
For eg: lets say we are using strlen() to calculate the length ofthe string, strlen() will return the value into EAX register.
Federico Valentini — Reverse Engineering 6/13
Introduction Demo
DEMO TIME!Reversing in action
Federico Valentini — Reverse Engineering 7/13
Introduction Demo
Hardcoded StringAssembly code
Federico Valentini — Reverse Engineering 8/13
Introduction Demo
Username computationAssembly code
Federico Valentini — Reverse Engineering 9/13
Introduction Demo
Username computationPseudo code
So now we can generate a pseudo code of these instructions let say:a[ ] = ”amit” is our source string,b[ ] is our destination
Federico Valentini — Reverse Engineering 10/13
Introduction Demo
Serial generationAssembly code
Now the result of this computation is stored into another array let say c[]; inthe next few instructions we have a loop in the application that will match thevalue of c[] with b[]. Notice that b[] hold the username where c[] hold the resultof serial computation.
As we can see in above code that application is only dividing the serial numberentered by user with 10 and comparing the result with the result of usernamecomputation, so we can say that if x is the result of username computation thenx * 11 is the value of serial.
Federico Valentini — Reverse Engineering 11/13
Introduction Demo
Did you say Keygen?
Federico Valentini — Reverse Engineering 12/13
Introduction Demo
Resources
IDA PROhttps://www.hex-rays.com/products/ida
A pratical approch using IDA PROhttp://securityxploded.com/reversing-basics-ida-pro.php
Federico Valentini — Reverse Engineering 13/13