reverse engineering - agz.esagz.es/reverse-engineering/basic/reverse engineering [security... · ©...
Embed Size (px)
TRANSCRIPT
-
http://www.securitya.kr 2008 Security Awareness Korea
- i -
Reverse Engineering Table of Content
Module 1 RCE ?..................................................................................................................................1 1-1. RCE ? ............................................................................................................................................2 1-2. RCE .................................................................................................................................4 1-3. RCE ..................................................................................................................................6
Module 2 RCE ...............................................................................................................................9 2-1. CPU ................................................................................................................................10 2-2. CPU ................................................................................................................................12 2-3. Assembly.........................................................................................................................................17 2-4. STACK ...................................................................................................................................21 2-5. (Calling Convention).............................................................................................23 2-6. SEH(Structured Exception Handling).............................................................................................26 2-7. C ........................................................................................34 2-8. API ..............................................................................................40
Module 3 PE ........................................................................................................................43 3-1. PE ..................................................................................................................................44 3-2. DOS DOS Stub Code ........................................................................................................49 3-3. PE File Header ................................................................................................................................51 3-4. Optional Header ..............................................................................................................................54 3-5. Section Table...................................................................................................................................59 3-6. Import Table....................................................................................................................................62 3-7. Export Table....................................................................................................................................69
Module 4 ..............................................................................................................................75 4-1. ...............................................................................................................................76 4-2. CrackMe ........................................................................................................................84 4-3. KeygenMe .....................................................................................................................94
Module 5 MUP(Manual UnPack) .....................................................................................................101 5-1. Packing / Unpacking .....................................................................................................................102 5-2. Packing .................................................................................................................................103 5-3. MUP .....................................................................................................................................105 5-4. MUP Ollydbg script ...............................................................................................114
Module 6 Anti-Reverse ..............................................................................................................121 6-1. .........................................................................................................................122 6-2. BreakPoint ...................................................................................................................133 6-3. TLS Callback ................................................................................................................................145 6-4. Process Attach ......................................................................................................................150
Module 7 ............................................................................................................................155 7-1. ........................................................................................................156 7-2. - shadowbot .........................................................................................................173
-
http://www.securitya.kr 2008 Security Awareness Korea
- ii -
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 1 -
Module 1 RCE ?
Objectives
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 2 -
1-1. RCE ?
Student Notes
. .
(EXE, DLL, SYS )
C
.
.
RCE?
Reverse Code Engineering ,
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 3 -
.
. PC , HEX
,
.
. , C
.
VC gcc
() . CPU
. VC, VB,
() C .
VB .
() .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 4 -
1-2. RCE
Student Notes
12 2 ()
.
1 1
.
1. 3
2.
[ 2001.1.16][[
2001.7.17]]
RCE
(Competition) (Copyrightlaw) The Digital Millennium Copyright Act (DMCA)
RIAA Felten ebook SunnComm CD
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 5 -
2001 1 16 7 17 ,
.
2000 , 2001
, .
.
.
DMCA(The Digital Millennium Copyright Act)
. DMCA HTML , , , , ,
, , , . DMCA
.
DMCA Sony-BMG ""
Sony-BMG CD "(root kit)"
Secure Digital Music Initiative(SDMI)
,
. SDMI
. .
SunnComm CD
SunnComm
. SunnComm .
pdf
.
pdf .
. .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 6 -
1-3. RCE
Student Notes
. .
/ . /
( )
.
exe PC
. PC
PC
. .
RCE
DRM
RCE
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 7 -
.
.
.
.
DRM
DRM .
.
.
API
.
.
.
.
.
. .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 8 -
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 9 -
Module 2 RCE
Objectives
CPU
CPU
/
STACK
(Calling Convention)
SEH(Structured Exception Handling)
C
API
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 10 -
2-1. CPU
Student Notes
CPU , .
CPU . CPU
, , , . CPU
. , (ALU: arithmetic logic
unit), (control unit) .
.
. .
. - -
CPU
BUS Interface
ALU(Arithmetic Logic Unit)
Control Unit
Register Set
CPU (Central Processing Unit)
Memory
I/O BUS
Keyboard Monitor NIC HDDMonitor
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 11 -
CPU
Control Unit ALU ALU .
ALU() : (, ) ( , ,
) .
.
Register : .
.
- .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 12 -
2-2. CPU
Student Notes
CPU , , EFLAGS , CIP
. 32 (4 ) 16 8
.
CPU Register
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 13 -
00000000 FFFFFFFF .
(General-Purpose Register)
, ,
.
EAX(Extended Accumulator Register) :
EBX(Extended Base Register) : DS (
)
ECX(Extended Counter Register) :
EDX(Extended Data Register) :
ESI(Extended Source Index) :
EDI(Extended Destination Index) :
ESP(Extended Stack Pointer) : , TOP
EBP(Extended Base Pointer) : ,
(Segment Register)
16 .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 14 -
CS :
-
.
SS :
-
.
DS :
ES : ,
FS/GS : , IA32
.
Flat Segmented .
Segmented .
EFLAGS
EFLAGS , , 1, 3, 5, 15, 22
~ 31 .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 15 -
LAHF, SAHF, PUSHF, PUSHFD, POPF, POPPFD EAX
. EFLAGS (BT, BTS, BTR, BTC)
.
(Status Flags) : (ADD, SUB, MUL, DIV) .
CF(bit 0) Carry flag :
- 0 :
- 1 :
PF(bit 2) Parity flag
AF(bit 4) Adjust flag
ZF(bit 6) Zero flag :
- 0 : 0
- 1 : 0
SF(bit 7) Sign flag
OF(bit 11) Overflow flag :
- 0 :
- 1 : ( )
(Control Flags)
DF(bit 10) Direction flag
(System Flags)
TF(bit 8) Trap flag
IF(bit 9) Interrupt enable flag
IOPL(bit 12, 13) I/O privilege level field
NT(bit 14) Nested task flag
RF(bit 16) Resume flag
VM(bit 17) Virtual-8086 mode flag
AC(bit 18) Alignment check flag
VIF(bit 19) Virtual interrupt flag
VIP(bit 20) Virtual interrupt pending flag
ID(bit 21) Identification flag
ZF, OF, CF .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 16 -
EIP
.
EIP . 16
EIP( 16 0), 32 EIP .
EIP CALL, JMP, RET control-transfer
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 17 -
2-3. Assembly
Student Notes
.
.
.
Assembly
Arithmetic Instruction Data Transfer Instruction Logical Instruction String Instruction Control Transfer Instruction Processor Control Instruction
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 18 -
Arithmetic Instruction
ADD SUB ADC SBB CMP INC 1 DEC 1 NEG 2 , AAA AL UNPACK 10 DAA AL PACK 10 AAS AL UNPCAK 10 DAS AL PCAK 10 MUL AX AX DX:AX IMUL AAM AX UNPACK 10 DIV AX DX:AX . AL, AX AH, DX IDIV AAD AX UNPACK 10 CBW AL AX CWD AX DX:AX
Data Transfer Instruction
MOV () PUSH POP XCHG XLAT BX:AL AL LEA LDS REG (MEM), DS (MEM+2) LES REG (MEM), ES (MEM+2) LAHF AH SAHF AH PUSHF POPF
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 19 -
Logical Instruction
NOT 1 ,
SHL/SAL ( 0) SHR ( 0) SAR ,
ROL/ROR / RCL/RCR / AND AND TEST AND OR OR XOR (OR)
String Instruction
REP REP CS 0 MOVS DS:DI ES:DI COMPS DS:DI ES:DI SCAS AL AX ES:DI LODS SI AL AX STOS AL AX ES:DI
Control Transfer Instruction
CALL JMP RET CALL PUSH JE/JZ 0 ZF=1 JL/JNGE ( ) SF != OF JB/JNAE ( ) CF=1 JLE/JNG ( ) ZF=1 or SF != OF JBE/JNA ( ) CF=1 or ZF=1 JP/JPE 1 PF=1
JO OF=1 JS 1 SF=1
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 20 -
JC CF=1 JNE/JNZ 0 ZF=0 JNL/JGE ( ) SF=OF JNB/JAE ( ) CF=0 JNLE/JG ( ) ZF=0 and SF=OF JNBE/JA ( ) CF=0 and ZF=0 JNP/JPO 0 PF=0
JNO OF=0 JNS 0 SF=0 JNC CF=0 LOOP CX 1 , 0
LOOPZ/LOOPE CX 0 ZF=1 LOOPNZ/LOOPNE CX 0 ZF=0
JCXZ CX 0 CX=0 INT INTO IRET ()
Processor Control Instruction
CLC CMC CLD CLI HLT STC NOP STD STI WAIT ESC
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 21 -
2-4. STACK
Student Notes
. PUSH
POP
. LIFO(Last In First Out) .
.
Full Stack : TOP PUSH
Empty Stack : TOP
Ascending Stack :
Descending Stack :
STACK
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 22 -
Full Descending Stack . , TOP
.
EBP, ESP, EIP . EBP
ESP ESP
. ESP TOP .
EIP
.
.
F1 func1
. func1
. func1 func1
.
func1 func2 .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 23 -
2-5. (Calling Convention)
Student Notes
. , .
,
, ,
.
(Stack Frame) .
(Calling Convention)
Argument
Stack : C , cdecl, stdcall, Pascal Register : fastcall
Argument Right to Lest : cdecl, stdcall Left to Right
Stack Clearing Caller : cdecl Callee : stdcall
Return Value
__stdcall, __cdecl, __fastcall
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 24 -
.
.
Fame Pointer( Base Pointer)
.
EBP .
5 (stdcall, cdecl, thiscall, fastcall, naked)
stdcall cdecl .
__stdcall
stdcall API . stdcall
,
(Callee) , eax
.
. call ret n .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 25 -
__cdecl
cdecl C C++ ,
. cdecl
, (Caller)
, eax . cdecl
,
. call add esp, n .
stdcall cdecl
.
stdcall (Callee) (Caller) Callee
cdecl Caller
Callee .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 26 -
2-6. SEH(Structured Exception Handling)
Student Notes
SEH(Structured Exception Handling) .
.
0 ,
.
TIB . TIB
TIB FS:[0] ERR(Exception Registration
Record) . ERR ERR Exception
Handler .
SEH (Structured Exception Handling)
TIB (Thread Information Block) : Thread
ERR Next ERR Exception Handler
FS:[1]FS:[2]
...
FS:[0]
SEH
NEXT
FS
TIB
ERR
SEH
FFFFFF
ERR
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 27 -
Exception Handler .
__cdecl _except_handler( struct _EXCEPTION_RECORD *ExceptionRecord, void * EstablisherFrame, struct _CONTEXT *ContextRecord, void * DispatcherContext );
_CONTEXT . EAX 0, ret .
+0 context
(GetThreadContext API ) +8C gs register +90 fs register +94 es register +98 ds register
+4 debug register #0 +8 debug register #1 +C debug register #2 +10 debug register #3 +14 debug register #6 +18 debug register #7
+9C edi register +A0 esi register +A4 ebx register +A8 edx register +AC ecx register +B0 eax register
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 28 -
FPU / MMX
+1C ControlWord +20 StatusWord +24 TagWord +28 ErrorOffset +2C ErrorSelector +30 DataOffset +34 DataSelector +38 FP registers * 8 ( 10 ) +88 Cr0NpxState
+B4 ebp register +B8 eip register +BC cs register +C0 eflags register +C4 esp register +C8 ss register
Winnt.h EXCEPTION_RECORD .
typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD *ExceptionRecord;
PVOID ExceptionAddress; DWORD NumberParameters; UINT_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD;
ExceptionCode :
C0000005h : Read/Write
C0000094h : 0
C0000095h : DIV
C00000FDh :
80000001h : Guard Page
C0000025h : Exception
C0000026h : ExceptionCode
80000003h : INT3
80000004h : Trap
ExceptionFlags :
0 : Exception
1 : Exception
2 : Unwinding
SEH .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 29 -
Ollydbg
.
. SEH chain Stack
.
ERR Next SEH 0007FFE0
00B13313 . 00B13313 SEH
. Shift + F9 .
Shift + F9 . 00B13313 .
. .
ExceptionRecord, EstablishedFrame, Context,
DispatchContext .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 30 -
0007FBC8 7C968752 RETURN to ntdll.7C968752 // Return 0007FBCC 0007FCA8 // ExceptionRecord, 0007FBD0 0007FF90 // Frame, ERR 0007FBD4 0007FCC4 // Context 0007FBD8 0007FC84 // DispatchContext
.
00B13321 JMP SHORT 00B13324 00B13324 00B13324
.
NOP(0x90) .
( CTRL + E) .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 31 -
.
.
SEH .
/*B13313*/ PUSH 0B1331C /*B13318*/ INC DWORD PTR SS:[ESP] /*B1331B*/ RETN /*B1331C*/ NOP
0B1331C ESP 1 . JMP 0B1331D .
/*B1331D*/ MOV EAX,DWORD PTR SS:[ESP+C]
ESP+C EAX . ESP+C 0007FD4
0007FCC4 . CONTEXT .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 32 -
/*B13321*/ JMP SHORT 00B13324 /*B13324*/ ADD DWORD PTR DS:[EAX+B8],2
EAX+B8 CONTEXT EIP . , EIP 2 .
/*B1332B*/ JMP SHORT 00B13347
00B13347
/*B1332D*/ MOV ESP,EBE817EB /*B13332*/ ADC AL,0E8 /*B13334*/ JMP SHORT 00B13347 /*B13336*/ CALL EC994226 /*B1333B*/ OR EBP,EAX /*B1333D*/ JMP SHORT 00B13347 /*B1333F*/ INT 20 /*B13341*/ JMP SHORT 00B13347
00B13347
/*B13347*/ XOR EAX,EAX
/*B13349*/ RETN
EAX SEH . SEH
SEH .
SEH SEH . F9 .
SEH .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 33 -
EIP SEH
.
SEH SEH .
SEH EIP 2 SEH
. XOR EAX, EAX EAX 0 SEH
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 34 -
2-7. C
Student Notes
C
.
.
.
C
.
C
for, while, if String
strcpy strcmp strlen
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 35 -
Example #1. for
#include
main(int argc, char *argv[])
{
int i=0;
int sum=0;
for(i=0; i . 0040103D
00401048 (CMP ) 00401059
00401057 0040103F .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 36 -
Example #2. if, strcpy, strcmp, strlen
if (strcpy, strcmp, strlen) .
#include void main( int argc, char *argv[] ) { char src[] = "ForEducationbydemantos"; char *dst=(char *)malloc( 30 * sizeof(char)); int cnt=0; printf("Input the password : "); fgets(dst, 30, stdin); dst[strlen(dst)-1] = '\0'; if( strlen(dst) != strlen(src) ) { printf("Not match!!\n"); exit(0); } else { if( !strcmp(dst, src) ) { printf("Good\n"); exit(0); } else printf("Not match!!\n"); exit(0); } }
.
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 37 -
4 . EAX F8
EAX .
.
0040109E 004010B9
Not match!! .
.(004010B9)
EAX EDX strcmp
. strcmp (F7 ) . 4
.
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 38 -
.
SHR . 0x10 10 16
16 . , 2 4
.
4 ECX EDX 4 4 .
F8 . RETN
CTRL+F8 4
.
. .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 39 -
Example #3. while
#include #include int main(void) { char ch; ch = getche(); while(ch!='q') { ch=getche(); } printf("found the q"); return 0; }
getche q found the q
. while .
00401034 00401043
. Hex dump v ^ , > .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 40 -
2-8. API
Student Notes
exe API .
API
.
API
.
, , , ,
.
API
CreateFile, ReadFile, WriteFile, SetFilePointer, CopyFile, GetFileAttribute, SetFileAttribute, FindFirstFile, FindNextFile, GetModuleFileName, GetSystemDirectory, GetWindowsDirectory, GetCommandLine, SetCurrentDirectory
RegCreateKey, RegOpenKeyEx, RegSetValueEx, RegQueryValueEx
WSAStartup, WSAAPI socket, recv, send, listen, accept, gethostbyname, ntohs, inet_addr, WNetOpenEnum, WNetEnumResource, InternetGetConnectedState, ioctlsocket
RtlZeroMemory, GlobalAlloc
ShellExecute, GetProcAddress, CreateThread
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 41 -
CreateFile : .
ReadFile : .
WriteFile : .
SetFilePointer : .
CopyFile : .
GetFileAttribute : .
SetFileAttribute : .
FindFirstFile : .
FindNextFile : . FindFirstFile .
GetModuleFileName : .
GetSystemDirectory : .
GetWindowsDirectory : .
GetCommandLine : commandline .
SetCurrentDirectory : .
RegCreateKey : .
RegOpenKeyEx : .
RegSetValueEx : .
RegQueryValueEx : .
WSAStartup : WS2_32.DLL .
socket : .
recv : .
send : .
listen : .
accept : .
gethostbyname : .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 42 -
ntohs : network byte order host byte order .
inet_addr : IN_ADDR .
WNetOpenEnum : .
WNetEnumResource : WNetOpenEnum .
InternetGetConnectedState : .
ioctlsocket : .
RtlZeroMemory : 0 .
GlobalAlloc : Heap .
ShellExecute : .
GetProcAddress : SLL
CreateThread : .
WIN32.HLP
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 43 -
Module 3 PE
Objectives
PE
DOS DOS Stub Code
PE File Header
Optional Header
Section Tables
Import Table
Export Table
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 44 -
3-1. PE
Student Notes
PE (Portable Executable File Format) (File) (Portable)
(Executable) (Format) . Win32
PE .
EXE EXE PE .
DLL PE .
PE Win32 . , CPU
Win32 PE .
Win32 Platform SDK Winnt.h PE .
PE
PE Header
Section #n
...
Section #2
Section #1
Section Table
DOS Stub Code
DOS Header
PE Header
Section #n
...
Section #2
Section #1
Section Table
DOS Stub Code
DOS Header
DISK MEMORY
40byte x
248byte
24 + optional header( 224)
ImageBase
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 45 -
(Image) PE
.
PE .
PE
DOS Header
DOS Stub Code
PE Header
Section Table
Section
DOS Header PE DOS . ImageBase DOS
ImageBase . Stub_PE .
ImageBase 0x01000000
.
DOS 4D 5A(MZ) . MZ DOS Mark Zbikowski DOS
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 46 -
PE Header
PE PE . , optional
ImageBase, , , , PE
, .
PE DOS e_lfanew . e_lfanew DOS
4byte .
Section Table
, , ,
. PE PE
PE . PE 248bytes
.
40bytes . 4
40bytes * 4 = 160bytes .
Section
.
. VirtualAddress PointerToRawData . offset
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 47 -
.
.
.text offset 0x400 .text 0x400
. Winhex 0x400 .
PointerToRawData .
.
.text VirtualAddress . VirtualAddress 0x1000
ImageBase offset . offset RVA(Relative Virtual
Address) . .text ImageBase VirtualAddress
0x01001000 . 0x01001000 HEX .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 48 -
.text 493AD377 .text
FAF4F377 .
.
PE .
SectionAlignment FileAlignment .
.
Optional Header .
FileAlignment
SectionAlignment
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 49 -
3-2. DOS DOS Stub Code
Student Notes
DOS DOS . PE DOS DOS
64bytes . 2byte e_magic
4byte e_lfanew . Winnt.h IMAGE_DOS_HEADER .
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed
DOS DOS Stub Code
PE signature
PE File Header
Section #n
...
Section #2
Section #1
Section Table
Optional Header
DOS Stub Code
DOS Header
PE signature
DOS Stub Code
DOS Header
e_lfanew
IMAGE_DOS_HEADER(64byte)
MZ
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 50 -
WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
e_magic DOS 4D 5A(MZ) . e_lfanew PE
.
DOS Stub Code .
. This
program cannot be run in DOS mode .
STUB
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 51 -
3-3. PE File Header
Student Notes
Winnt.h IMAGE_NT_HEADERS .
typedef struct _IMAGE_NT_HEADERS { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
IMAGE_NT_HEADERS PE IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER
. PE 50 45 00 00
IMAGE_FILE_HEADER 20bytes .
IMAGE_OPTIONAL_HEADER 224bytes .
PE File Header
PE signature
PE File Header
Section #n
...
Section #2
Section #1
Section Table
Optional Header
DOS Stub Code
DOS Header
Machine
NumberOfSections
TimeDateStamp
PointerToSymbolTable
NumberOfSymbols
SizeOfOptionalHeader
Characteristics
PE\0\0
IMAGE_FILE_HEADER(20byte)
4byte
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 52 -
Data Directory Data Directory Optional .
Winnt.h IMAGE_FILE_HEADER .
typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader;
WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
Winhex .
PE DOS e_lfanew .
File 4 .
Machine : CPU ID . IA32 0x14C IA64 0x200 .
NumberOfSections : .
SizeOfOptionalHeader : optional .
224bytes data directory 96bytes .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 53 -
Characteristics : . 0x10F
. Winnt.h .
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 #define IMAGE_FILE_32BIT_MACHINE 0x0100 #define IMAGE_FILE_DEBUG_STRIPPED 0x0200 #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 #define IMAGE_FILE_SYSTEM 0x1000 #define IMAGE_FILE_DLL 0x2000 #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000
0x10F IMAGE_FILE_RELOCS_STRIPPED(0x0001),
IMAGE_FILE_EXECUTABLE_IMAGE(0x0002), IMAGE_FILE_LINE_NUMS_STRIPPED(0x0004),
IMAGE_FILE_LOCAL_SYMS_STRIPPED(0x0008), IMAGE_FILE_32BIT_MACHINE(0x0100)
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 54 -
3-4. Optional Header
Student Notes
Optional PE .
. optional 30 1
. .
. Winnt.h IMAGE_OPTIONAL_HEADER .
typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData;
Optional Header
PE signature
PE File Header
Section #n
...
Section #2
Section #1
Section Table
Optional Header
DOS Stub Code
DOS Header
...
IMAGE_DATA_DIRECTORY #1
IMAGE_DATA_DIRECTORY #0
IMAGE_DATA_DIRECTORY #15
MagicAddressOfEntryPointImageBaseSectionAlignmentFileAlignmentSizeOfImageSizeOfHeaderNumberOfRvaAndSizes...
IMAGE_OPTIONAL_HEADER(224byte)
Data Directory(128byte)
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 55 -
DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion;
WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
Winhex .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 56 -
Machine : optional optional
. 0x10B .
AddressOfEntryPoint : PE
. RVA . ,
ImageBase .
ImageBase : PE . EXE
ImageBase DLL ImageBase
. DLL
. EXE 0x00400000
, DLL 0x10000000 .
SectionAlignment : .
SectionAlignment .
0x1000(4096byte).
FileAlignment : .
FileAlignment . 0x200(512byte) 2 n
.
SizeOfImage : PE SectionAlignment
.
SizeOfHeader : : FileAlignment
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 57 -
Data Directory Optional 128bytes IMAGE_DATA_DIRECTORY
. Winnt.h .
typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
Optional NumberOfRvaAndSize
16 .
Export table, Import table PE (VirtualAddresS)
(Size) .
16 15 0x00
. 15 .
IMAGE_DIRECTORY_ENTRY_EXPORT : EXPORT
. EXPORT DLL .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 58 -
IMAGE_DIRECTORY_ENTRY_IMPORT : IMPORT
.
IMAGE_DIRECTORY_ENTRY_BASERELOC : .
.
IMAGE_DIRECTORY_ENTRY_TLS : Thread Local Storage .
TLS Callback .
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT : DLL .
IMAGE_DIRECTORY_ENTRY_IAT : (IAT) .
DLL IAT .
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT : .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 59 -
3-5. Section Table
Student Notes
IMAGE_SECTION_HEADER .
.
.
access violation
. , , ,
.
.
Section Table
PE signature
PE File Header
Section #n
...
Section #2
Section #1
Section Table
Optional Header
DOS Stub Code
DOS Header
...
NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics
NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics
NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics
Section #1
Section #2
Section #n
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 60 -
,
.
Winnt.h IMAGE_SECTION_HEADER .
typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations;
DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
Winhex .
Name : . 8byte NULL 8byte
. 8byte 8byte .
VirtualAddress : (RVA ).
SizeOfRawData : . FileAlignment .
PointerToRawData : .
Characteristics : .
PointerToRawData SizeOfRawData VirtualAddress
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 61 -
Characteristics .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 62 -
3-6. Import Table
Student Notes
Import PE (DLL)
. USER32.DLL KERNEL32.DLL .
DLL EXE DLL .
DLL
DLL Import Table .
PE .idata .
IMAGE_IMPORT_DESCRIPTOR DLL
NULL .
Import Table
OriginalFirstThunk
TimeDateStamp
ForwarderChain
Name
FirstThunk
ForwarderChain
Name
NULL
FirstThunk
TimeDateStamp
OriginalFirstThunk
IMAGE_DIRECTORY_ENTRY_IMPORT
Size
VirtualAddress
IMAGE_THUNK_DATA
IMAGE_THUNK_DATA
hint func1
IMAGE_IMPORT_BY_NAMEILT #1
IAT #1
func1
USER32.DLL
ILT #2
IAT #2
KERNEL32.DLL
IMAGE_IMPORT_DESCRIPTOR
IMPORT TABLE
Binding
Binding
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 63 -
Winnt.h IMAGE_IMPORT_DESCRIPTOR .
typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; DWORD OriginalFirstThunk; }; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; } IMAGE_IMPORT_DESCRIPTOR;
OriginalFirstThunk : ILT(Import Lookup Table) RVA .
ILT IMAGE_THUNK_DATA . IMAGE_THUNK_DATA
IMAGE_IMPORT_BY_NAME
.
TimeDateStamp : 0 -1 .
ForwarderChain : 0 -1 .
Name : DLL RVA .
FirstThunk : IAT(Import Address Table) RVA . IAT ILT
IMAGE_THUNK_DATA ILT . PE
DLL . IAT
.
IMAGE_THUNK_DATA .
typedef struct _IMAGE_THUNK_DATA32 { union { PBYTE ForwarderString; PDWORD Function; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA32;
IMAGE_THUNK_DATA ILT, IAT .
ILT
- OriginalFirstThunk .
- .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 64 -
- IMAGE_IMPORT_BY_NAME Ordinal .
- Ordinal
IMAGE_IMPRT_BY_NAME RVA .
- .
IAT
- FirstThunk .
- AddressOfData Ordinal .
- IMAGE_THUNK_DATA IMAGE_IMPORT_BY_NAME AddressOfData
. IMAGE_IMPORT_BY_NAME
.
- 1 ordinal , 0 AddressOfData .
- .
IMAGE_THUNK_DATA AddressOfData .
IMAGE_THUNK_DATA Ordinal .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 65 -
Winhex .
NULL . 6 DLL
.
Import Table
IMAGE_DIRECTORY_ENTRY_IMPORT
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 66 -
VirtualAddress . ,
PE . Stud_PE
.
PE . Import Table Raw
. PE
RVA VirtualAddress Size .
RVA 0x12FD4 .text . .text RawOffset
0x400 0x123D4 .
( RVA) ( VirtualOffset) + RawOffset
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 67 -
. calc.exe
.text .
.
PE IAT(Import Address Table) .
IMAGE_DIRECTORY_ENTRY_IMPORT .
DLL
IMAGE_IMPORT_DESCRIPTOR DLL .
.
RVA 0x12FD4 .text .
, ( 0x12FD4 0x1000 ) + 0x400 = 0x123D4 . Winhex .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 68 -
calc.exe DLL RVA 0x134D6.
RVA
. Stud_PE 0x134D6 .text
. Name 0x134D6 0x1000 + 0x400 = 0x128D6 .
KERNEL32.dll .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 69 -
3-7. Export Table
Student Notes
Import Export
. Export Data Directory
0 IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress Size .
Export Import . Winnt.h
.
typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion;
Export Table
Name
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
...
AddressOfNames
AddressOfNameOrdinals
...
NumberOfFunctions
NumberOfNames
AddressOfFunctions
Base
Name
IMAGE_DIRECTORY_ENTRY_EXPORT
Size
VirtualAddress
RVA
RVA
RVA
EXPORT TABLEMYDLL.DLL
RVA
RVA
ordinal
ordinal
code
code
Kernel32.OpenProcess
Myfunc2
MyFunc1
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 70 -
DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; // RVA from base of image DWORD AddressOfNames; // RVA from base of image DWORD AddressOfNameOrdinals; // RVA from base of image } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
Name : DLL ASCII RVA
Base :
NumberOfFunctions : AddressOfFunctions RVA
NumberOfNames : AddressOfNames RVA
AddressOfFunctions : (RVA )
AddressOfNames : (RVA )
AddressOfNameOrdinals : . Base
.
DLL
(RVA ), .
Export Table
.
1. IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress
VirtualAddress 0x00016A1C Size 0x00004B9A.
2. VirtualAddress RawOffset
( RVA) ( VirtualOffset) + RawOffset
0x00016A1C 0x00001000 + 0x00000400 = 0x00015E1C
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 71 -
RVA 0x16A1C .text . .text
RawOffset 0x400 0x15E1C . Winhex .
.
Name : 0x000186D2
Base : 1
NumberOfFuntions : 0x000002DB
NumberOfNames : 0x000002DB
AddressOfFunctions : 0x00016A44
AddressOfNames : 0x000175B0
AddressOfNameOrdinals : 0x0001811C
offset RVA
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 72 -
Name : 0x000186D2 0x1000 + 0x400 = 0x00017AD2
USER32.dll . NULL ( \0 ) .
1 (Base : 1), 731 (NumberOfFuntions : 0x2DB),
731 . (NumberOfNames : 0x2DB)
AddressOfNames .
AddressOfNames : 0x000175B0 0x1000 + 0x400 = 0x000169B0
0x000186DD RVA offset 0x00017ADD.
ActivateKeyboardLayout .
AddressOfFunctions 0x00016A44 0x1000 + 0x400 = 0x00015E44
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 73 -
AddressOfNameOrdinals : 0x0001811C 0x1000 + 0x400 = 0x0001751C
0x1751C NumberOfNameOrdinals .
1 Base
. USER32.dll 731(0x2DB)
AddressOfNameOrdinals 731(0x2DB) .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 74 -
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 75 -
Module 4
Objectives
CrackMe / KeygenMe
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 76 -
4-1.
Student Notes
, , , .
. .
Debugger Ollydbg
Disassembler IDA W32DASM
File Analyzer Stud PE PEiD ImportREConstruction
HEX Editor WinHex
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 77 -
Ollydbg
http://www.ollydbg.de/ , .
File : .
View : .
Debug : .
Plugins : .
Options : .
Window, Help : () .
restart, close, run .
.
.
E : Executable modules,
M : Memory map,
H : Handles,
C : CPU main htread,
/ : Patches,
K : Call stack of main thread
B : Breakpoints,
R : References,
... : Run trace
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 78 -
.
A OP .
, OP , , .
.
B . A offset ,
.
C .
.
D CPU . .
E Stack .
Ollydbg .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 79 -
Option Appearance udd plugins .
Option Debugging Option CPU : jump .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 80 -
Exception .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 81 -
Stud PE
PE http://www.cgsoftlabs.ro/studpe.html
.
PEiD
PE Stud PE .
http://www.peid.info/ .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 82 -
ImportREC
IAT . IAT
IAT . ImportREC .
http://vault.reversers.org/ImpRECDef .
IAT . IAT
. 0000 0000
IAT 0000 0000
ImportREC . IAT
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 83 -
Winhex
HEX . .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 84 -
4-2. CrackMe
Student Notes
Crackme
. Crackme
, . Keygen
Keygen
.
.
CrackMe
Key Keyfile
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 85 -
Crackme #1
.
Invalid Password
.
Invalid Password . .
Search for All reference text strings
.
The password is %s .
The password is xxxxxxxxxx
Invalid Password . Invalid Password
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 86 -
Invalid Password 004010DA
. 004010DA 0040109C The password is %s
. JNB
004010DC The password is %s . ,
. .
PUSH Crackme#.00407030 Please enter the password:
CALL . CALL
. .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 87 -
.
/*40102C*/ ADD ESP,4 //
/*40102F*/ PUSH 10 // 10
/*401031*/ PUSH 0 // 0
/*401033*/ LEA EAX,DWORD PTR SS:[EBP-34] // EBP-34 () EAX
/*401036*/ PUSH EAX // EAX
/*401037*/ CALL Crackme#.00401150 // 00401150
/*40103C*/ ADD ESP,0C //
/*40103F*/ MOV DWORD PTR SS:[EBP-1C],0 // EBP-1C 0
/*401046*/ MOV DWORD PTR SS:[EBP-20],0 // EBP-20 0
/*40104D*/ MOV DWORD PTR SS:[EBP-24],0 // EBP-24 0
.
.
.
00401054 00401140 .
. EAX .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 88 -
Disassembly . ,
00401054 00401084 .
.
/*401059*/ MOV BYTE PTR SS:[EBP-4],AL // AL EBP-4 1
/*40105C*/ MOV ECX,DWORD PTR SS:[EBP-1C] // EBP-1C ECX
/*40105F*/ MOV DL,BYTE PTR SS:[EBP-4] // EBP-4 DL
/*401062*/ MOV BYTE PTR SS:[EBP+ECX-34],DL // DL EBP+ECX-34
/*401066*/ MOV EAX,DWORD PTR SS:[EBP-1C] // EBP-1C EAX
/*401069*/ ADD EAX,1 // EAX 1
/*40106C*/ MOV DWORD PTR SS:[EBP-1C],EAX // EAX EBP-1C
/*40106F*/ MOVSX ECX,BYTE PTR SS:[EBP-4] // EBP-4 ECX
/*401073*/ CMP ECX,0A // ECX 0x0A
/*401076*/ JE SHORT Crackme#.00401086 // 00401086
/*401078*/ MOVSX EDX,BYTE PTR SS:[EBP-4] // EBP-4 EDX
/*40107C*/ TEST EDX,EDX // EDX EDX AND
/*40107E*/ JE SHORT Crackme#.00401086 // 00401086
/*401080*/ CMP DWORD PTR SS:[EBP-1C],10 // EBP-1C 0x10
/*401084*/ JB SHORT Crackme#.00401054 // EBP-1C 0x10 00401054
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 89 -
. 4
.
CALL 00401140 EAX .
[EBP-1C] [EBP+ECX-34]
. [EBP-4] . BYTE PTR SS
(1 ) .
ECX [EBP-4] 0x0A . [EBP-4]
0x72( r ) 0x0A . 0x0A LF(Line Feed)
.
[EBP-1C] 0x10 [EBP-1C]
16 (0x10) . 16
00401054 . , 16
.
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 90 -
.
EAX (0x0B) ESP
.
Crackme#1 16 EAX
. EAX .
EAX .
.
EBP-34 EAX EAX [EBP-8] . [EBP-20]
[EBP-24] 0 3 . .
[EBP-34] 0013FF4C .
004010AE . 004010AE .
[EBP-20] 0x0D [EBP-20] 0x0D 004010DC
. , [EBP-20] 0x0D .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 91 -
[EBP-20] 0 .
004010B4 .
/*4010B4*/ MOV EAX,DWORD PTR SS:[EBP-20] // EBP-20 EAX
/*4010B7*/ SHR EAX,2 // EAX 2
/*4010BA*/ MOV ECX,DWORD PTR SS:[EBP-8] // EBP-8 ECX
/*4010BD*/ MOV EDX,DWORD PTR SS:[EBP-24] // EBP-24 EDX
/*4010C0*/ MOV EAX,DWORD PTR DS:[ECX+EAX*4] // ECX+EAX*4 EAX
/*4010C3*/ CMP EAX,DWORD PTR SS:[EBP+EDX*4-18] // EBP+EDX*4-18 EAX
4
. .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 92 -
004010B4 004010C3 ECX
EAX 0 .([EBP-20] 0 )
EDX [EBP-24] 3 .
, EBP+EDX*4-18 0013FF80 + 3 * 4 18 = 0x0013FF80 + 0xC 0x18 = 0x0013FF74 . ,
qwer powe . 004010DA
004010C9 . 004010C9 Invalid Password
. 4 powe
.
.
. 4 004010DA
0040109C .
/*40109C*/ MOV ECX,DWORD PTR SS:[EBP-20] // EBP-20 ECX
/*40109F*/ ADD ECX,4 // ECX 4
/*4010A2*/ MOV DWORD PTR SS:[EBP-20],ECX // ECX EBP-20
/*4010A5*/ MOV EDX,DWORD PTR SS:[EBP-24] // EBP-24 EDX
/*4010A8*/ SUB EDX,1 // EDX 1
/*4010AB*/ MOV DWORD PTR SS:[EBP-24],EDX // EDX EBP-24
/*4010AE*/ CMP DWORD PTR SS:[EBP-20],0D // EBP-20 0x0D
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 93 -
[EBP-20] 0 ECX 0 4
[EBP-20] . [EBP-24] EDX 1
[EBP-24] . [EBP-20] ECX 4 [EBP-24] EDX 2
. [EBP-20] 4 0x0D
13 0x0D(13) 004010DC .
004010B4 004010C3 [EBP-20] 4 EAX
SHR 1 . [EBP-8] ECX [EBP-24]
EDX .
.
ECX + EAX*4 = 0x0013FF4C + 1 * 4 = 0x0013FF50
EBP + EDX*4 18 = 0x0013FF80 + 2 * 4 0x18 = 0x0013FF80 + 0x08 0x18 = 0x0013FF70
.
4
4 .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 94 -
4-3. KeygenMe
Student Notes
Keygenme
. keygenme C C++
.
.
KeygenMe
Key Key Key Keygen
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 95 -
keygenme#1
.
.
.
. .
Nope, thats not it! Try again
. .
. Search for All referenced text strings .
(Good boy...) .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 96 -
0040128A OR EAX, EAX. lstrcmpA
( )
.
. .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 97 -
00401248 F9 .
Check It 00401248 . F8
00401252 .
/*401252*/ PUSH keygenme.00406584
. .
.
. 00401285 lstrcmp
1234567890 JXCS-USIQ-XNUI-
CPRU . OR EAX, EAX
. 0040128E 004012A8 .
.
.
? Nope, thats not it! Try
again .
MessageBoxA 4 . API .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 98 -
int MessageBox( HWND hWnd, // handle of owner window LPCTSTR lpText, // address of text in message box LPCTSTR lpCaption, // address of title of message box UINT uType // style of message box );
. .
/*4012A8*/ PUSH 10 /*4012AA*/ PUSH keygenme.00406337 /*4012AF*/ PUSH keygenme.00406318 /*4012B4*/ PUSH DWORD PTR SS:[EBP+8] /*4012B7*/ CALL
00406337 00406318 . 00406318
.
lstrcmpA .
00406B84 . .
.
/*4012AA*/ PUSH keygenme.00406337
/*4012AF*/ PUSH keygenme.00406318
/*4012AA*/ PUSH keygenme.0040630C
/*4012AF*/ PUSH keygenme.00406B84
Copy to executable All modifications
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 99 -
. Copy all .
Save file
.
.
.
.
C .
URL .
http://dual5651.hacktizen.com/new/87
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 100 -
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 101 -
Module 5 MUP(Manual UnPack)
Objectives
Packgin / Unpacking
Packing
MUP
MUP Ollydbg script
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 102 -
5-1. Packing / Unpacking
Student Notes
Pack , .
.
.
. Entry Point
Entry
Point(OEP) .
Packing / Unpacking
Packing
(EXE, DLL) Unpacking
( )
Unpack Stub
PE Header
...
...
Code Section
PE Header
Entry Point
OEP
Entry Point
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 103 -
5-2. Packing
Student Notes
( ) .
.
PEiD EXEInfo
. 100% .
.
.
Packing
UPX, ASPack, FSG Packer Packer .
() ()
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 104 -
EXEInfo SVK-Protector v1.32 demo
PEiD yodas cryptor 1.x / modified . Stud_PE yodas
cryptor 1.x / modified .
yodas cryptor .
A B
A . B
.
() OEP
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 105 -
5-3. MUP
Student Notes
MUP OEP IAT .
.
IAT . IAT .
UPX .
MUP
1. Packing PEiD EXEInfo
2. OEP .3.
unpack 4. IAT
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 106 -
.
Compressed code? .
.
PUSHAD .
. .
OEP
POPAD .
PUSHAD
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 107 -
POPAD JMP
.
JMP F8 OEP .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 108 -
.
OEP . Dump debugged process
. Olly Dump .
. Entry Point 20C40 12475
. OEP . Rebuild Import .
IAT
. IAT IAT
IAT ? . IAT ImportREConstructor
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 109 -
ImportREC Attach to an Active Process MUP .
calc_upx.exe IAT .
IAT IAT
.
OEP 1 AuthoSearch Get Imports
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 110 -
Fix Dump IAT .
calc_dump_.exe IAT .
. calc_dump.exe IAT
.
IAT
PE . NULL (00000000) .
. ImportREC IAT 00000000
IAT 00000000 .
?
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 111 -
IAT IAT
.
IAT read .
IAT .
ImportREC IAT RVA Size
.
RVA 00025190 00425190 .
.
. ImportREC 0xCC .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 112 -
0xCC .
00000000 . .
. IAT . ImportREC IAT
. IAT 0x425190
0x4252C0 0x130 .
OEP Get Import IAT .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 113 -
Fix Dump IAT
.
(OEP) . IAT
ImportREC
. .
Before Packing
After Packing
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 114 -
5-4. MUP Ollydbg script
Student Notes
MUP .
. MUP
. MUP
.
Olly Script .
.
MUP .
MUP Ollydbg script
MUP Ollydbg script
, 16 (10 . ex. 10=16.)
[] ! #
DWORD +, -, *, /, &, |, ^, >,
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 115 -
Olly Script
$result
EAX
$version
Ollyscript
ex) cmp, $version, 1.47 //1.47 ?
# INC filename
ex) # INC text.txt
# LOG
LOG
OllyDbg Log
ADD dst, src
dst
ex) add y, Times
Alloc size
size $result
ex) alloc 1000, free $result 1000
AI / AO
Animate into / animate over
STI / STO
Step into / step over
ESTI / ESTO
Shift + F7 / Shift + F8
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 116 -
TI / TO
Trace into / trace over
TC
Close Run Trace
TICND / TOCND
Trace into / trace over
ex) TICND eip>40100A
BC Address / BP Address
Breakpoint Clear / BreakPoint
BPCND Address, Condition
BP
ex) bpcnd 40100A, EAX==1
BPHWC Address / BPHWCALL
BP HW Clear / BP HW Clear All
BPHWS Address, pattern
BP HW Set r() w() x() /BPHWS Address
ex) BPHWS 40100A, r
BPL Address, Expression
BP of Logging
ex) bpl 40100A, EAX
BPLCND Address, Expression, Condition
BP of Logging Condition
ex) bplcnd 40100A, EAX, ECX==0
BPMC
BP Memory Clear
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 117 -
BPRM Address, size / BPWM Address, size
BP on Read Memory / BP on Write Memory
ex) BRPM 40100A, FF
ex) BPWM 40100A, FF
AN Address
Ollydbg analyse
ASM Address, Instruction
Ollydbg assemble
$result
ex) asm 40100A, xor eax, eax
CMT address, comment(string of character)
Ollydbg
ex) cmt eip,
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 118 -
OR dst, src / XOR dst, src
Or/xor
EOB Label / EOE Label
Excute On Breakpoint / Excute On Exception
ex) EOB Label / EOE Label1
FILL Address, Length, Value
ex) fill 40100A,10,90
Find Address, Content
$result , 0
ex) find eip, # 6A??E8 #
FINDOP Address, Content
$result
ex) findop 401000, #61# // find next POPAD
findop 401000, #6A??# // find next PUSH
FINDMEM what [, Start Address]
$result , 0
ex) findmem #6A00E8#
findmem #6A00E8#, 00400000
REPL Address, Find, Replace, Length
find ( )
ex) repl eip, #??00 #, #??01 #, 10
RET
REV val
Val $result
ex) rev 01020304 // $result == 04030201
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 119 -
EXEC/ENDE
EXECute / END Excute, {}
ex) var x
var y
mov x, "eax
mov y, "0DEADBEEF
exec
mov {x}, {y}
mov ecx, {x}
ende
ex) exec
push 0
call ExitProcess
ende
ret
JA LABEL / JAE LABEL
Cmp , ja / jae
JB LABEL / JNB LABEL
Cmp , ja / jae
JE LABEL / JNE LABEL
Cmp , ja / jae
JMP LABEL
JMP
LEN str
Str
ex) len NiceJump
msg $RESULT
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 120 -
MUP
.
UPX . PUSHAD POPAD
OEP .
OEP . OEP
Step Over(F8) OEP . OEP
?
ESP .
OEP .
.
STI // Step into(F7), PUSHAD .
BPHWS esp, r // PUSHAD POPAD BP
RUN // (F9)
BPHWC // BP BP
STO // Step over(F8), OEP
CMT eip,
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 121 -
Module 6 Anti-Reverse
Objectives
Breakpoint
TLS Callback
Process Attach
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 122 -
6-1.
Student Notes
.
.
.
.
.
.
.
kernel32!OutputDebugStringACtrl-CRogue Int3"Ice" BreakpointInterrupt 2DhTimestamp countersPopf and the trap flagStack Segment registerDebug registers manipulationContext modificationTLS-callbackCC scanningEntryPoint RVA set to 0
kernel32!IsDebuggerPresentPEB!IsDebuggedPEB!NtGlobalFlagsHeap flagsVista anti-debug (no name)NtQueryInformationProcesskernel32!CheckRemoteDebuggerPresentUnhandledExceptionFilterNtSetInformationThreadkernel32!CloseHandle and NtCloseSelf-debuggingKernel-mode timersUser-mode timers
: http://www.securityfocus.com/infocus/1893
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 123 -
kernel32!IsDebuggerPresent
PEB(Process Environment Block) BeingDebugged
. IsDebuggerPresent()
.
IsDebuggerPresent Debugger not found!
. Debugger found!
.
.
IsDebuggerPresent() EAX .
IsDebuggerPresent() 1 0 . CMP
. (IsDebugg.0040101F)
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 124 -
call IsDebuggerPresent test eax, eax jne @DebuggerDetected
CALL F7 .
TEB(Thread Environment Block) PEB PEB PEB + 2
BeingDebugged . BeingDebugged 0
IsDebuggerPresent .
F9 Debugger not found! .
PEB!IsDebugged
PEB . IsDebuggerPresent
. .
mov eax, fs:[30h] mov eax, byte [eax+2] test eax, eax jne @DebuggerDetected
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 125 -
PEB!NtGlobalFlags
PEB 68 NtGlobalFlags .
NtGlobalFlags 0x70 0x00 .
ntdll . Heap
.
FLG_HEAP_ENABLE_TAIL_CHECK (Heap Tail Checking) : 0x10
FLG_HEAP_ENABLE_FREE_CHECK (Heap Free Checking) : 0x20
FLG_HEAP_VALIDATE_PARAMETERS (Heap Parameter Checking) : 0x40
NtGlobalFlags .
FS:[30] PEB . PEB 0x68 NtGlobalFlags .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 126 -
PEB 0x68 70 .
70 .
NtQueryInformationProcess
.
NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess( IN HANDLE ProcessHandle, IN PROCESS_INFORMATION_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength
);
ProcessDebugPort 7 ProcessInformationClass
ProcessInformation -1 . ,
ProcessInformation 0 -1 .
NtQueryInformationProcess .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 127 -
NtQueryInformationProcess CALL DWORD PTR
DS:[40306C] NtQueryInformationProcess .
.
eax .
0 TEST 0
. 0x00401035 Step into(F7)
. .
0x7FFE0300 .
0x0013FFC0 ProcessInformation FFFFFFFF .
ProcessInformation .
. POP EAX
FFFFFFFF .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 128 -
NtQueryinformationProcess ProcessInformation 0
.
7 . 9 . RETN 14
.
ESP+C ProcessInformation 0 .
.
00000000 . TEST
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 129 -
kernel32!CheckRemoteDebuggerPresent
CheckRemoteDebuggerPresent
.
BOOL CheckDebugger(HANDLE hProcess) { BOOL Retval = 0; CheckRemoteDebuggerPresent(hProcess,&Retval); return Retval; }
NtQueryInformationProcess . .
CALL EAX Step into(F7) .
EBP+8 0 NtQueryInformationProcess
NtQueryInformationProcess .
NtQueryInformationProcess ProcessInformation 0 .
NtQueryInformationProcess .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 130 -
0, 4, 7 PUSH EAX EBP+8
PUSH NtQueryInformationProcess . ProcessInformation
NtQueryInformationProcess
.
/*7C85C09C*/ CMP DWORD PTR SS:[EBP+8],0 EBP+8
.
F9 Debugger not found! .
ProcessInformation NtQueryInformationProcess
.
Timing Check
.
. RDTSC(Read Time
Stamp Counter) . .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 131 -
.
.
GetTickCount .
Olly Advanced
.
Olly Advanced .
1. 4 (CR4) TSD(Time Stamp Disable) bit
1 . TSD bit 1 Ring0
RDTSC GP(General Protection)
.
2. GP GPF . GPF
0xD GPF IDT
0xD * 4byte .
3. Olly Advanced IDT GPF
GPF RDTSC
RDTSC
timing check .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 132 -
kernel32!OutputDebugStringA
ASCII OutputDebugStringA .
. 1
.
Ollydbg .
1.10 .
.
. Olly Advanced .
HideDebugger Olly Invisible, IsDebuggerPresent .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 133 -
6-2. BreakPoint
Student Notes
. .
.
.
.
Break Point
Hardware Breakpoint DR0 ~ DR3 DR7
Software Breakpoint
0xCC (INT 3) Instruction Breakpoint
Memory Breakpoint
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 134 -
Hardware Breakpoint
DR0 ~ DR3 DR7 . .
Software Breakpoint . 0xCC(INT 3) .
Instruction Breakpoint . / .
Memory Breakpoint . /
Hardware Breakpoint
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 135 -
IA32 . DR0 ~ DR7
8 .
DR0 ~ DR3 :
DR4 ~ DR5 :
DR6 : ,
.
DR7 : ,
.
R/W0 ~ R/W3 . 00
01 11 .
DR7 .
. IA32
Ring0 .
SEH Ring3 .
2-6 SEH ContextRecord
.
_CONTEXT . ,
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 136 -
Ring3 .
.
1. SEH
2.
3. SEH
4. ContextRecord
.
. SEH
.
.
Debug Hardware breakpoints
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 137 -
F9 .
.
Access violation . Shift + F7/F8/F9
. Shift + F9 Shift + F8
. Shift + F9 .
.
Shift + F9 Shift + F7 .
.
F7 . Shift + F7
SEH Chain . View SEH chain SEH
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 138 -
0x0040103E .
.
F9 .
! DR0 ~ DR3
. 0 0x0040109A .
0x0040109A
.
SEH DR0 ~ DR3
0 .
.
CMP DWORD PTR DS:[EAX+4h],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+8h],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+0Ch],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+10h],0 JNE @hardware_bpx_found
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 139 -
MOV 0
.
MOV DWORD PTR DS:[EAX+4h],0 MOV DWORD PTR DS:[EAX+8h],0 MOV DWORD PTR DS:[EAX+0Ch],0 MOV DWORD PTR DS:[EAX+10h],0
?
NOP .
.
NOP
.
.
.
SEH .
EBP+0x10 ContextRecord .
ContextRecord .
ESP+0x0C ContextRecord .
SEH chain .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 140 -
Software Breakpoint
1 0xCC(INT 3)
. .
1byte 0xCC .
.
.
.
good job
.
Step over(F8) .
(CALL softbp.exit) (ADD ESP, 0C) .
00401005 .
. ProtectedFunc F2
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 141 -
.
0xCC . 0xCC
. code permutation .
ECX . EAX 0x660 . SHR
EAX 3 0xCC . 0x660
0110 0110 0000 3 000011001100
. 16 0xCC . (4 1100
10 12 . , 16 C )
, 0xCC(INT 3)
.
EDI EAX .
0xCC ECX 0 0 . TEST ECX, ECX
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 142 -
ECX 0 004010A4 .
RETN . RETN
.
RETN POP EIP . POP EIP
.
B58C7BB6
. RETN
.
.
.
.
ProtectedFunc
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 143 -
ProtectedFunc F9
.
. 0xCC F8
.
Import . ,
.
F9 .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 144 -
.( CTRL+N)
MessageBoxA .
F9 .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 145 -
6-3. TLS Callback
Student Notes
TLS Callback
. TLS Callback . ,
.
TLS Callback . TLS Callback
, OEP
.
TLS Callback
TLS (Thread Local Storage) Callback
TLS Callback .
PE Data Directory 10IMAGE_DIRECTORY_ENTRY_TLS .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 146 -
.
.
. TLS TLS Callback . ,
TLS Callback .
PE Data Directory TLS . TLS
10 . Stud_PE .
Data Dir IMAGE_DIR_ENTRY_TLS TLS .
RVA, Size, Raw . PE Raw Stud-PE
PE . RVA .
TLS RVA TLS VirtualOffset + RawOffset = 3060 3000 + 800 = 860
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 147 -
TLS 0x860 . Winnt.h IMAGE_TLS_DIRECTORY
.
typedef struct _IMAGE_TLS_DIRECTORY32 { DWORD StartAddressOfRawData; DWORD EndAddressOfRawData; PDWORD AddressOfIndex; PIMAGE_TLS_CALLBACK *AddressOfCallBacks; DWORD SizeOfZeroFill; DWORD Characteristics; } IMAGE_TLS_DIRECTORY32;
AddressOfCallBacks TLS Callback . Winhex .
TLS Callback 0x00403084 . RVA . TLS
Callback . 0x00403084 RVA
ImageBase 0x3084 . (3084 3000 + 800 = 884)
TLS 884 . Winhex .
TLS Callback 0040101B . Entry Point
System breakpoint .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 148 -
System breakpoint .
TLS Callback 0040101B . CTRL+G . 0040101B
.
0040101B F9 . IsDebuggerPresent
.
TLS Callback
,
.
TLS Callback IMAGE_DIRECTORY_ENTRY_TLS
TLS AddressOfCallbacks 00000000 .
TLS Callback IDA
. IDA CTRL+E .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 149 -
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 150 -
6-4. Process Attach
Student Notes
DLL OCX
. DLL
.
DLL Injection dll
DLL attach .
.
Process Attach
dll ocx
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 151 -
File Attach .
Attach
.
explorer.exe .
Pause . Start .
.
Executable modules . dll
. dll dll View
names .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 152 -
.
Conditioinal log breakpoint on import
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 153 -
dll . View Log .
Log .
. ntdll.dll
ZwContinue CALL . Anti-Attach ZwContinue (Anti-
Debugging )
.
Ollydbg AttachAnyway
ZwContinue
. ZwContinue .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 154 -
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 155 -
Module 7
Objectives
- shadowbot
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 156 -
7-1.
Student Notes
KISA
. 2007 4 8
.
8
8 :
. .
ID: stage8, PASSWORD:
KISA 4 Unpacking Steganography
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 157 -
.
.
.
. PEiD Nothing found
.
?
Hardcore Scan .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 158 -
nSPack 2.2 North Star/Liu Xing Ping . PEiD
userdb.txt nSPack .
.
.
. !packed by [email protected]
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 159 -
nspack .
.
Memory map . View Memory ALT+M
.
PE 006E0000 ImageBase .
. F9
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 160 -
ImageBase 00400000 .
.
.
CTRL+F2 VirtualAlloc
00400000
. VirtualAlloc .
LPVOID VirtualAlloc( LPVOID lpAddress, // address of region to reserve or commit DWORD dwSize, // size of region DWORD flAllocationType, // type of allocation DWORD flProtect // type of access protection );
. . Command bar
.
VirtualAlloc 7C8245A9 .
F9 00400000
. F9 VirtualAlloc
.
Address NULL . Address 00400000 . F9
Address 00400000 .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 161 -
F8 VirtualAlloc
.
. CTRL+A
.
.
.
. write .
(write) .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 162 -
F9 .
00400000 . write
. RETN
. ( )
F9 . RETN 0C F8 .
F8 0045972C .
PUSHAD
POPAD .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 163 -
POPAD POP JMP EAX
0045972C . OEP .
OEP ImportREC IAT .
IAT .
IAT .
Dump debugged process
OEP .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 164 -
IAT . 00459737
00406120 CALL 00406050 .
.
Follow in Dump Memory address
.
Long Address IAT .
, IAT . 0000 0000
. 0000 0000
. ImportREC IAT 0000 0000
IAT .
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 165 -
IAT 0045D118 0045D6D0 . IAT
OEP OEP 0045972C .
IAT CTRL+F2
VirtualAlloc .
.
IAT .
. IAT 0045D118
. (Breakpoint Hardware, on write DWROD) F9 .
.
-
Reverse Engineering
http://www.securitya.kr 2008 Security Awareness Korea
- 166 -
F8 IAT .
IAT . IAT . 0045D118 0045D6D0 .
0045D6D0 0045D730 .
IAT . 0045D730
. ( Binary B