Introduction Demo

Reverse EngineeringA Practical Approach Using IDA Pro

Federico Valentini

December 18th 2014

Federico Valentini — Reverse Engineering 1/13

Introduction Demo

Prerequisites & GoalsWhy Reversing?

Reverse engineering is a very important skill for informationsecurity researchers.In this talk I will explore the basic concepts of reverseengineering by reversing a simple application called crackme.

Federico Valentini — Reverse Engineering 2/13

Introduction Demo

Prerequisites & GoalsAll clear?

The crackme application is ok for this purpuse, nocopyright problems :)

I will use static approach to solve the problem as itclearly demonstrates the power of reverse engineering

A little bit knowledge of assembly and disassemblers,debuggers is required to understand this material

I will use IDA Disassembler as it is the most powerfuldisassembler exists in the market, Hexrays provide a demoversion of IDA

Federico Valentini — Reverse Engineering 3/13

Introduction Demo

Reverse EngineeringBasic steps

Reverse engineering can be easy and can be difficult, itdepends on your target. But the basic steps are:

Detect packer/encryptor: if present, then firstunpack/decrypt the file and fix imports etc.

Static Analysis: Understand the application logicwithout executing it in live environment.

Dynamic Analysis: Execute the binary and monitor theapplication activities.

Federico Valentini — Reverse Engineering 4/13

Introduction Demo

Reverse EngineeringSome Important Terms

API(Application Programming Interface):In windows world, code sharing is the core of communication andtrust.A user application can’t directly control hardware or can’t directlycommunicate with windows kernel.So how would application work if application can’t talk with thekernel ?Windows provide various DLLs(Dynamic Link Library) and theseDLLs exports various functions to provide services to userapplications and we call them API.So the understanding of APIs is necessary.

Eg: if you are using printf() function in your code and thelinker links the function call to the printf() function inmsvcrt.dll, so the printf() function is an API

Federico Valentini — Reverse Engineering 5/13

Introduction Demo

Reverse EngineeringSome Important Terms

Return Value in EAX: The second important thing isthat every function/API mostly returns to EAX register.

For eg: lets say we are using strlen() to calculate the length ofthe string, strlen() will return the value into EAX register.

Federico Valentini — Reverse Engineering 6/13

Introduction Demo

DEMO TIME!Reversing in action

Federico Valentini — Reverse Engineering 7/13

Introduction Demo

Hardcoded StringAssembly code

Federico Valentini — Reverse Engineering 8/13

Introduction Demo

Username computationAssembly code

Federico Valentini — Reverse Engineering 9/13

Introduction Demo

Username computationPseudo code

So now we can generate a pseudo code of these instructions let say:a[ ] = ”amit” is our source string,b[ ] is our destination

Federico Valentini — Reverse Engineering 10/13

Introduction Demo

Serial generationAssembly code

Now the result of this computation is stored into another array let say c[]; inthe next few instructions we have a loop in the application that will match thevalue of c[] with b[]. Notice that b[] hold the username where c[] hold the resultof serial computation.

As we can see in above code that application is only dividing the serial numberentered by user with 10 and comparing the result with the result of usernamecomputation, so we can say that if x is the result of username computation thenx * 11 is the value of serial.

Federico Valentini — Reverse Engineering 11/13

Introduction Demo

Did you say Keygen?

Federico Valentini — Reverse Engineering 12/13

Introduction Demo

Resources

IDA PROhttps://www.hex-rays.com/products/ida

A pratical approch using IDA PROhttp://securityxploded.com/reversing-basics-ida-pro.php

Federico Valentini — Reverse Engineering 13/13