reverse engineering - agz.esagz.es/reverse-engineering/basic/reverse engineering [security... · ©...

of 198 /198

Click here to load reader

Author: trinhkien

Post on 31-Jan-2018

328 views

Category:

Documents


34 download

Embed Size (px)

TRANSCRIPT

  • http://www.securitya.kr 2008 Security Awareness Korea

    - i -

    Reverse Engineering Table of Content

    Module 1 RCE ?..................................................................................................................................1 1-1. RCE ? ............................................................................................................................................2 1-2. RCE .................................................................................................................................4 1-3. RCE ..................................................................................................................................6

    Module 2 RCE ...............................................................................................................................9 2-1. CPU ................................................................................................................................10 2-2. CPU ................................................................................................................................12 2-3. Assembly.........................................................................................................................................17 2-4. STACK ...................................................................................................................................21 2-5. (Calling Convention).............................................................................................23 2-6. SEH(Structured Exception Handling).............................................................................................26 2-7. C ........................................................................................34 2-8. API ..............................................................................................40

    Module 3 PE ........................................................................................................................43 3-1. PE ..................................................................................................................................44 3-2. DOS DOS Stub Code ........................................................................................................49 3-3. PE File Header ................................................................................................................................51 3-4. Optional Header ..............................................................................................................................54 3-5. Section Table...................................................................................................................................59 3-6. Import Table....................................................................................................................................62 3-7. Export Table....................................................................................................................................69

    Module 4 ..............................................................................................................................75 4-1. ...............................................................................................................................76 4-2. CrackMe ........................................................................................................................84 4-3. KeygenMe .....................................................................................................................94

    Module 5 MUP(Manual UnPack) .....................................................................................................101 5-1. Packing / Unpacking .....................................................................................................................102 5-2. Packing .................................................................................................................................103 5-3. MUP .....................................................................................................................................105 5-4. MUP Ollydbg script ...............................................................................................114

    Module 6 Anti-Reverse ..............................................................................................................121 6-1. .........................................................................................................................122 6-2. BreakPoint ...................................................................................................................133 6-3. TLS Callback ................................................................................................................................145 6-4. Process Attach ......................................................................................................................150

    Module 7 ............................................................................................................................155 7-1. ........................................................................................................156 7-2. - shadowbot .........................................................................................................173

  • http://www.securitya.kr 2008 Security Awareness Korea

    - ii -

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 1 -

    Module 1 RCE ?

    Objectives

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 2 -

    1-1. RCE ?

    Student Notes

    . .

    (EXE, DLL, SYS )

    C

    .

    .

    RCE?

    Reverse Code Engineering ,

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 3 -

    .

    . PC , HEX

    ,

    .

    . , C

    .

    VC gcc

    () . CPU

    . VC, VB,

    () C .

    VB .

    () .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 4 -

    1-2. RCE

    Student Notes

    12 2 ()

    .

    1 1

    .

    1. 3

    2.

    [ 2001.1.16][[

    2001.7.17]]

    RCE

    (Competition) (Copyrightlaw) The Digital Millennium Copyright Act (DMCA)

    RIAA Felten ebook SunnComm CD

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 5 -

    2001 1 16 7 17 ,

    .

    2000 , 2001

    , .

    .

    .

    DMCA(The Digital Millennium Copyright Act)

    . DMCA HTML , , , , ,

    , , , . DMCA

    .

    DMCA Sony-BMG ""

    Sony-BMG CD "(root kit)"

    Secure Digital Music Initiative(SDMI)

    ,

    . SDMI

    . .

    SunnComm CD

    SunnComm

    . SunnComm .

    pdf

    .

    pdf .

    . .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 6 -

    1-3. RCE

    Student Notes

    . .

    / . /

    ( )

    .

    exe PC

    . PC

    PC

    . .

    RCE

    DRM

    RCE

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 7 -

    .

    .

    .

    .

    DRM

    DRM .

    .

    .

    API

    .

    .

    .

    .

    .

    . .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 8 -

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 9 -

    Module 2 RCE

    Objectives

    CPU

    CPU

    /

    STACK

    (Calling Convention)

    SEH(Structured Exception Handling)

    C

    API

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 10 -

    2-1. CPU

    Student Notes

    CPU , .

    CPU . CPU

    , , , . CPU

    . , (ALU: arithmetic logic

    unit), (control unit) .

    .

    . .

    . - -

    CPU

    BUS Interface

    ALU(Arithmetic Logic Unit)

    Control Unit

    Register Set

    CPU (Central Processing Unit)

    Memory

    I/O BUS

    Keyboard Monitor NIC HDDMonitor

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 11 -

    CPU

    Control Unit ALU ALU .

    ALU() : (, ) ( , ,

    ) .

    .

    Register : .

    .

    - .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 12 -

    2-2. CPU

    Student Notes

    CPU , , EFLAGS , CIP

    . 32 (4 ) 16 8

    .

    CPU Register

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 13 -

    00000000 FFFFFFFF .

    (General-Purpose Register)

    , ,

    .

    EAX(Extended Accumulator Register) :

    EBX(Extended Base Register) : DS (

    )

    ECX(Extended Counter Register) :

    EDX(Extended Data Register) :

    ESI(Extended Source Index) :

    EDI(Extended Destination Index) :

    ESP(Extended Stack Pointer) : , TOP

    EBP(Extended Base Pointer) : ,

    (Segment Register)

    16 .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 14 -

    CS :

    -

    .

    SS :

    -

    .

    DS :

    ES : ,

    FS/GS : , IA32

    .

    Flat Segmented .

    Segmented .

    EFLAGS

    EFLAGS , , 1, 3, 5, 15, 22

    ~ 31 .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 15 -

    LAHF, SAHF, PUSHF, PUSHFD, POPF, POPPFD EAX

    . EFLAGS (BT, BTS, BTR, BTC)

    .

    (Status Flags) : (ADD, SUB, MUL, DIV) .

    CF(bit 0) Carry flag :

    - 0 :

    - 1 :

    PF(bit 2) Parity flag

    AF(bit 4) Adjust flag

    ZF(bit 6) Zero flag :

    - 0 : 0

    - 1 : 0

    SF(bit 7) Sign flag

    OF(bit 11) Overflow flag :

    - 0 :

    - 1 : ( )

    (Control Flags)

    DF(bit 10) Direction flag

    (System Flags)

    TF(bit 8) Trap flag

    IF(bit 9) Interrupt enable flag

    IOPL(bit 12, 13) I/O privilege level field

    NT(bit 14) Nested task flag

    RF(bit 16) Resume flag

    VM(bit 17) Virtual-8086 mode flag

    AC(bit 18) Alignment check flag

    VIF(bit 19) Virtual interrupt flag

    VIP(bit 20) Virtual interrupt pending flag

    ID(bit 21) Identification flag

    ZF, OF, CF .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 16 -

    EIP

    .

    EIP . 16

    EIP( 16 0), 32 EIP .

    EIP CALL, JMP, RET control-transfer

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 17 -

    2-3. Assembly

    Student Notes

    .

    .

    .

    Assembly

    Arithmetic Instruction Data Transfer Instruction Logical Instruction String Instruction Control Transfer Instruction Processor Control Instruction

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 18 -

    Arithmetic Instruction

    ADD SUB ADC SBB CMP INC 1 DEC 1 NEG 2 , AAA AL UNPACK 10 DAA AL PACK 10 AAS AL UNPCAK 10 DAS AL PCAK 10 MUL AX AX DX:AX IMUL AAM AX UNPACK 10 DIV AX DX:AX . AL, AX AH, DX IDIV AAD AX UNPACK 10 CBW AL AX CWD AX DX:AX

    Data Transfer Instruction

    MOV () PUSH POP XCHG XLAT BX:AL AL LEA LDS REG (MEM), DS (MEM+2) LES REG (MEM), ES (MEM+2) LAHF AH SAHF AH PUSHF POPF

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 19 -

    Logical Instruction

    NOT 1 ,

    SHL/SAL ( 0) SHR ( 0) SAR ,

    ROL/ROR / RCL/RCR / AND AND TEST AND OR OR XOR (OR)

    String Instruction

    REP REP CS 0 MOVS DS:DI ES:DI COMPS DS:DI ES:DI SCAS AL AX ES:DI LODS SI AL AX STOS AL AX ES:DI

    Control Transfer Instruction

    CALL JMP RET CALL PUSH JE/JZ 0 ZF=1 JL/JNGE ( ) SF != OF JB/JNAE ( ) CF=1 JLE/JNG ( ) ZF=1 or SF != OF JBE/JNA ( ) CF=1 or ZF=1 JP/JPE 1 PF=1

    JO OF=1 JS 1 SF=1

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 20 -

    JC CF=1 JNE/JNZ 0 ZF=0 JNL/JGE ( ) SF=OF JNB/JAE ( ) CF=0 JNLE/JG ( ) ZF=0 and SF=OF JNBE/JA ( ) CF=0 and ZF=0 JNP/JPO 0 PF=0

    JNO OF=0 JNS 0 SF=0 JNC CF=0 LOOP CX 1 , 0

    LOOPZ/LOOPE CX 0 ZF=1 LOOPNZ/LOOPNE CX 0 ZF=0

    JCXZ CX 0 CX=0 INT INTO IRET ()

    Processor Control Instruction

    CLC CMC CLD CLI HLT STC NOP STD STI WAIT ESC

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 21 -

    2-4. STACK

    Student Notes

    . PUSH

    POP

    . LIFO(Last In First Out) .

    .

    Full Stack : TOP PUSH

    Empty Stack : TOP

    Ascending Stack :

    Descending Stack :

    STACK

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 22 -

    Full Descending Stack . , TOP

    .

    EBP, ESP, EIP . EBP

    ESP ESP

    . ESP TOP .

    EIP

    .

    .

    F1 func1

    . func1

    . func1 func1

    .

    func1 func2 .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 23 -

    2-5. (Calling Convention)

    Student Notes

    . , .

    ,

    , ,

    .

    (Stack Frame) .

    (Calling Convention)

    Argument

    Stack : C , cdecl, stdcall, Pascal Register : fastcall

    Argument Right to Lest : cdecl, stdcall Left to Right

    Stack Clearing Caller : cdecl Callee : stdcall

    Return Value

    __stdcall, __cdecl, __fastcall

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 24 -

    .

    .

    Fame Pointer( Base Pointer)

    .

    EBP .

    5 (stdcall, cdecl, thiscall, fastcall, naked)

    stdcall cdecl .

    __stdcall

    stdcall API . stdcall

    ,

    (Callee) , eax

    .

    . call ret n .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 25 -

    __cdecl

    cdecl C C++ ,

    . cdecl

    , (Caller)

    , eax . cdecl

    ,

    . call add esp, n .

    stdcall cdecl

    .

    stdcall (Callee) (Caller) Callee

    cdecl Caller

    Callee .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 26 -

    2-6. SEH(Structured Exception Handling)

    Student Notes

    SEH(Structured Exception Handling) .

    .

    0 ,

    .

    TIB . TIB

    TIB FS:[0] ERR(Exception Registration

    Record) . ERR ERR Exception

    Handler .

    SEH (Structured Exception Handling)

    TIB (Thread Information Block) : Thread

    ERR Next ERR Exception Handler

    FS:[1]FS:[2]

    ...

    FS:[0]

    SEH

    NEXT

    FS

    TIB

    ERR

    SEH

    FFFFFF

    ERR

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 27 -

    Exception Handler .

    __cdecl _except_handler( struct _EXCEPTION_RECORD *ExceptionRecord, void * EstablisherFrame, struct _CONTEXT *ContextRecord, void * DispatcherContext );

    _CONTEXT . EAX 0, ret .

    +0 context

    (GetThreadContext API ) +8C gs register +90 fs register +94 es register +98 ds register

    +4 debug register #0 +8 debug register #1 +C debug register #2 +10 debug register #3 +14 debug register #6 +18 debug register #7

    +9C edi register +A0 esi register +A4 ebx register +A8 edx register +AC ecx register +B0 eax register

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 28 -

    FPU / MMX

    +1C ControlWord +20 StatusWord +24 TagWord +28 ErrorOffset +2C ErrorSelector +30 DataOffset +34 DataSelector +38 FP registers * 8 ( 10 ) +88 Cr0NpxState

    +B4 ebp register +B8 eip register +BC cs register +C0 eflags register +C4 esp register +C8 ss register

    Winnt.h EXCEPTION_RECORD .

    typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD *ExceptionRecord;

    PVOID ExceptionAddress; DWORD NumberParameters; UINT_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];

    } EXCEPTION_RECORD;

    ExceptionCode :

    C0000005h : Read/Write

    C0000094h : 0

    C0000095h : DIV

    C00000FDh :

    80000001h : Guard Page

    C0000025h : Exception

    C0000026h : ExceptionCode

    80000003h : INT3

    80000004h : Trap

    ExceptionFlags :

    0 : Exception

    1 : Exception

    2 : Unwinding

    SEH .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 29 -

    Ollydbg

    .

    . SEH chain Stack

    .

    ERR Next SEH 0007FFE0

    00B13313 . 00B13313 SEH

    . Shift + F9 .

    Shift + F9 . 00B13313 .

    . .

    ExceptionRecord, EstablishedFrame, Context,

    DispatchContext .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 30 -

    0007FBC8 7C968752 RETURN to ntdll.7C968752 // Return 0007FBCC 0007FCA8 // ExceptionRecord, 0007FBD0 0007FF90 // Frame, ERR 0007FBD4 0007FCC4 // Context 0007FBD8 0007FC84 // DispatchContext

    .

    00B13321 JMP SHORT 00B13324 00B13324 00B13324

    .

    NOP(0x90) .

    ( CTRL + E) .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 31 -

    .

    .

    SEH .

    /*B13313*/ PUSH 0B1331C /*B13318*/ INC DWORD PTR SS:[ESP] /*B1331B*/ RETN /*B1331C*/ NOP

    0B1331C ESP 1 . JMP 0B1331D .

    /*B1331D*/ MOV EAX,DWORD PTR SS:[ESP+C]

    ESP+C EAX . ESP+C 0007FD4

    0007FCC4 . CONTEXT .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 32 -

    /*B13321*/ JMP SHORT 00B13324 /*B13324*/ ADD DWORD PTR DS:[EAX+B8],2

    EAX+B8 CONTEXT EIP . , EIP 2 .

    /*B1332B*/ JMP SHORT 00B13347

    00B13347

    /*B1332D*/ MOV ESP,EBE817EB /*B13332*/ ADC AL,0E8 /*B13334*/ JMP SHORT 00B13347 /*B13336*/ CALL EC994226 /*B1333B*/ OR EBP,EAX /*B1333D*/ JMP SHORT 00B13347 /*B1333F*/ INT 20 /*B13341*/ JMP SHORT 00B13347

    00B13347

    /*B13347*/ XOR EAX,EAX

    /*B13349*/ RETN

    EAX SEH . SEH

    SEH .

    SEH SEH . F9 .

    SEH .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 33 -

    EIP SEH

    .

    SEH SEH .

    SEH EIP 2 SEH

    . XOR EAX, EAX EAX 0 SEH

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 34 -

    2-7. C

    Student Notes

    C

    .

    .

    .

    C

    .

    C

    for, while, if String

    strcpy strcmp strlen

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 35 -

    Example #1. for

    #include

    main(int argc, char *argv[])

    {

    int i=0;

    int sum=0;

    for(i=0; i . 0040103D

    00401048 (CMP ) 00401059

    00401057 0040103F .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 36 -

    Example #2. if, strcpy, strcmp, strlen

    if (strcpy, strcmp, strlen) .

    #include void main( int argc, char *argv[] ) { char src[] = "ForEducationbydemantos"; char *dst=(char *)malloc( 30 * sizeof(char)); int cnt=0; printf("Input the password : "); fgets(dst, 30, stdin); dst[strlen(dst)-1] = '\0'; if( strlen(dst) != strlen(src) ) { printf("Not match!!\n"); exit(0); } else { if( !strcmp(dst, src) ) { printf("Good\n"); exit(0); } else printf("Not match!!\n"); exit(0); } }

    .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 37 -

    4 . EAX F8

    EAX .

    .

    0040109E 004010B9

    Not match!! .

    .(004010B9)

    EAX EDX strcmp

    . strcmp (F7 ) . 4

    .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 38 -

    .

    SHR . 0x10 10 16

    16 . , 2 4

    .

    4 ECX EDX 4 4 .

    F8 . RETN

    CTRL+F8 4

    .

    . .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 39 -

    Example #3. while

    #include #include int main(void) { char ch; ch = getche(); while(ch!='q') { ch=getche(); } printf("found the q"); return 0; }

    getche q found the q

    . while .

    00401034 00401043

    . Hex dump v ^ , > .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 40 -

    2-8. API

    Student Notes

    exe API .

    API

    .

    API

    .

    , , , ,

    .

    API

    CreateFile, ReadFile, WriteFile, SetFilePointer, CopyFile, GetFileAttribute, SetFileAttribute, FindFirstFile, FindNextFile, GetModuleFileName, GetSystemDirectory, GetWindowsDirectory, GetCommandLine, SetCurrentDirectory

    RegCreateKey, RegOpenKeyEx, RegSetValueEx, RegQueryValueEx

    WSAStartup, WSAAPI socket, recv, send, listen, accept, gethostbyname, ntohs, inet_addr, WNetOpenEnum, WNetEnumResource, InternetGetConnectedState, ioctlsocket

    RtlZeroMemory, GlobalAlloc

    ShellExecute, GetProcAddress, CreateThread

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 41 -

    CreateFile : .

    ReadFile : .

    WriteFile : .

    SetFilePointer : .

    CopyFile : .

    GetFileAttribute : .

    SetFileAttribute : .

    FindFirstFile : .

    FindNextFile : . FindFirstFile .

    GetModuleFileName : .

    GetSystemDirectory : .

    GetWindowsDirectory : .

    GetCommandLine : commandline .

    SetCurrentDirectory : .

    RegCreateKey : .

    RegOpenKeyEx : .

    RegSetValueEx : .

    RegQueryValueEx : .

    WSAStartup : WS2_32.DLL .

    socket : .

    recv : .

    send : .

    listen : .

    accept : .

    gethostbyname : .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 42 -

    ntohs : network byte order host byte order .

    inet_addr : IN_ADDR .

    WNetOpenEnum : .

    WNetEnumResource : WNetOpenEnum .

    InternetGetConnectedState : .

    ioctlsocket : .

    RtlZeroMemory : 0 .

    GlobalAlloc : Heap .

    ShellExecute : .

    GetProcAddress : SLL

    CreateThread : .

    WIN32.HLP

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 43 -

    Module 3 PE

    Objectives

    PE

    DOS DOS Stub Code

    PE File Header

    Optional Header

    Section Tables

    Import Table

    Export Table

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 44 -

    3-1. PE

    Student Notes

    PE (Portable Executable File Format) (File) (Portable)

    (Executable) (Format) . Win32

    PE .

    EXE EXE PE .

    DLL PE .

    PE Win32 . , CPU

    Win32 PE .

    Win32 Platform SDK Winnt.h PE .

    PE

    PE Header

    Section #n

    ...

    Section #2

    Section #1

    Section Table

    DOS Stub Code

    DOS Header

    PE Header

    Section #n

    ...

    Section #2

    Section #1

    Section Table

    DOS Stub Code

    DOS Header

    DISK MEMORY

    40byte x

    248byte

    24 + optional header( 224)

    ImageBase

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 45 -

    (Image) PE

    .

    PE .

    PE

    DOS Header

    DOS Stub Code

    PE Header

    Section Table

    Section

    DOS Header PE DOS . ImageBase DOS

    ImageBase . Stub_PE .

    ImageBase 0x01000000

    .

    DOS 4D 5A(MZ) . MZ DOS Mark Zbikowski DOS

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 46 -

    PE Header

    PE PE . , optional

    ImageBase, , , , PE

    , .

    PE DOS e_lfanew . e_lfanew DOS

    4byte .

    Section Table

    , , ,

    . PE PE

    PE . PE 248bytes

    .

    40bytes . 4

    40bytes * 4 = 160bytes .

    Section

    .

    . VirtualAddress PointerToRawData . offset

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 47 -

    .

    .

    .text offset 0x400 .text 0x400

    . Winhex 0x400 .

    PointerToRawData .

    .

    .text VirtualAddress . VirtualAddress 0x1000

    ImageBase offset . offset RVA(Relative Virtual

    Address) . .text ImageBase VirtualAddress

    0x01001000 . 0x01001000 HEX .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 48 -

    .text 493AD377 .text

    FAF4F377 .

    .

    PE .

    SectionAlignment FileAlignment .

    .

    Optional Header .

    FileAlignment

    SectionAlignment

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 49 -

    3-2. DOS DOS Stub Code

    Student Notes

    DOS DOS . PE DOS DOS

    64bytes . 2byte e_magic

    4byte e_lfanew . Winnt.h IMAGE_DOS_HEADER .

    typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations

    WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed

    DOS DOS Stub Code

    PE signature

    PE File Header

    Section #n

    ...

    Section #2

    Section #1

    Section Table

    Optional Header

    DOS Stub Code

    DOS Header

    PE signature

    DOS Stub Code

    DOS Header

    e_lfanew

    IMAGE_DOS_HEADER(64byte)

    MZ

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 50 -

    WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words

    LONG e_lfanew; // File address of new exe header } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

    e_magic DOS 4D 5A(MZ) . e_lfanew PE

    .

    DOS Stub Code .

    . This

    program cannot be run in DOS mode .

    STUB

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 51 -

    3-3. PE File Header

    Student Notes

    Winnt.h IMAGE_NT_HEADERS .

    typedef struct _IMAGE_NT_HEADERS { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader;

    } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

    IMAGE_NT_HEADERS PE IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER

    . PE 50 45 00 00

    IMAGE_FILE_HEADER 20bytes .

    IMAGE_OPTIONAL_HEADER 224bytes .

    PE File Header

    PE signature

    PE File Header

    Section #n

    ...

    Section #2

    Section #1

    Section Table

    Optional Header

    DOS Stub Code

    DOS Header

    Machine

    NumberOfSections

    TimeDateStamp

    PointerToSymbolTable

    NumberOfSymbols

    SizeOfOptionalHeader

    Characteristics

    PE\0\0

    IMAGE_FILE_HEADER(20byte)

    4byte

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 52 -

    Data Directory Data Directory Optional .

    Winnt.h IMAGE_FILE_HEADER .

    typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader;

    WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

    Winhex .

    PE DOS e_lfanew .

    File 4 .

    Machine : CPU ID . IA32 0x14C IA64 0x200 .

    NumberOfSections : .

    SizeOfOptionalHeader : optional .

    224bytes data directory 96bytes .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 53 -

    Characteristics : . 0x10F

    . Winnt.h .

    #define IMAGE_FILE_RELOCS_STRIPPED 0x0001 #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004

    #define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 #define IMAGE_FILE_32BIT_MACHINE 0x0100 #define IMAGE_FILE_DEBUG_STRIPPED 0x0200 #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 #define IMAGE_FILE_SYSTEM 0x1000 #define IMAGE_FILE_DLL 0x2000 #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000

    0x10F IMAGE_FILE_RELOCS_STRIPPED(0x0001),

    IMAGE_FILE_EXECUTABLE_IMAGE(0x0002), IMAGE_FILE_LINE_NUMS_STRIPPED(0x0004),

    IMAGE_FILE_LOCAL_SYMS_STRIPPED(0x0008), IMAGE_FILE_32BIT_MACHINE(0x0100)

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 54 -

    3-4. Optional Header

    Student Notes

    Optional PE .

    . optional 30 1

    . .

    . Winnt.h IMAGE_OPTIONAL_HEADER .

    typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData;

    Optional Header

    PE signature

    PE File Header

    Section #n

    ...

    Section #2

    Section #1

    Section Table

    Optional Header

    DOS Stub Code

    DOS Header

    ...

    IMAGE_DATA_DIRECTORY #1

    IMAGE_DATA_DIRECTORY #0

    IMAGE_DATA_DIRECTORY #15

    MagicAddressOfEntryPointImageBaseSectionAlignmentFileAlignmentSizeOfImageSizeOfHeaderNumberOfRvaAndSizes...

    IMAGE_OPTIONAL_HEADER(224byte)

    Data Directory(128byte)

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 55 -

    DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion;

    WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];

    } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

    Winhex .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 56 -

    Machine : optional optional

    . 0x10B .

    AddressOfEntryPoint : PE

    . RVA . ,

    ImageBase .

    ImageBase : PE . EXE

    ImageBase DLL ImageBase

    . DLL

    . EXE 0x00400000

    , DLL 0x10000000 .

    SectionAlignment : .

    SectionAlignment .

    0x1000(4096byte).

    FileAlignment : .

    FileAlignment . 0x200(512byte) 2 n

    .

    SizeOfImage : PE SectionAlignment

    .

    SizeOfHeader : : FileAlignment

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 57 -

    Data Directory Optional 128bytes IMAGE_DATA_DIRECTORY

    . Winnt.h .

    typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

    #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

    Optional NumberOfRvaAndSize

    16 .

    Export table, Import table PE (VirtualAddresS)

    (Size) .

    16 15 0x00

    . 15 .

    IMAGE_DIRECTORY_ENTRY_EXPORT : EXPORT

    . EXPORT DLL .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 58 -

    IMAGE_DIRECTORY_ENTRY_IMPORT : IMPORT

    .

    IMAGE_DIRECTORY_ENTRY_BASERELOC : .

    .

    IMAGE_DIRECTORY_ENTRY_TLS : Thread Local Storage .

    TLS Callback .

    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT : DLL .

    IMAGE_DIRECTORY_ENTRY_IAT : (IAT) .

    DLL IAT .

    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT : .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 59 -

    3-5. Section Table

    Student Notes

    IMAGE_SECTION_HEADER .

    .

    .

    access violation

    . , , ,

    .

    .

    Section Table

    PE signature

    PE File Header

    Section #n

    ...

    Section #2

    Section #1

    Section Table

    Optional Header

    DOS Stub Code

    DOS Header

    ...

    NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics

    NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics

    NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics

    Section #1

    Section #2

    Section #n

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 60 -

    ,

    .

    Winnt.h IMAGE_SECTION_HEADER .

    typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations;

    DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

    Winhex .

    Name : . 8byte NULL 8byte

    . 8byte 8byte .

    VirtualAddress : (RVA ).

    SizeOfRawData : . FileAlignment .

    PointerToRawData : .

    Characteristics : .

    PointerToRawData SizeOfRawData VirtualAddress

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 61 -

    Characteristics .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 62 -

    3-6. Import Table

    Student Notes

    Import PE (DLL)

    . USER32.DLL KERNEL32.DLL .

    DLL EXE DLL .

    DLL

    DLL Import Table .

    PE .idata .

    IMAGE_IMPORT_DESCRIPTOR DLL

    NULL .

    Import Table

    OriginalFirstThunk

    TimeDateStamp

    ForwarderChain

    Name

    FirstThunk

    ForwarderChain

    Name

    NULL

    FirstThunk

    TimeDateStamp

    OriginalFirstThunk

    IMAGE_DIRECTORY_ENTRY_IMPORT

    Size

    VirtualAddress

    IMAGE_THUNK_DATA

    IMAGE_THUNK_DATA

    hint func1

    IMAGE_IMPORT_BY_NAMEILT #1

    IAT #1

    func1

    USER32.DLL

    ILT #2

    IAT #2

    KERNEL32.DLL

    IMAGE_IMPORT_DESCRIPTOR

    IMPORT TABLE

    Binding

    Binding

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 63 -

    Winnt.h IMAGE_IMPORT_DESCRIPTOR .

    typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; DWORD OriginalFirstThunk; }; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; } IMAGE_IMPORT_DESCRIPTOR;

    OriginalFirstThunk : ILT(Import Lookup Table) RVA .

    ILT IMAGE_THUNK_DATA . IMAGE_THUNK_DATA

    IMAGE_IMPORT_BY_NAME

    .

    TimeDateStamp : 0 -1 .

    ForwarderChain : 0 -1 .

    Name : DLL RVA .

    FirstThunk : IAT(Import Address Table) RVA . IAT ILT

    IMAGE_THUNK_DATA ILT . PE

    DLL . IAT

    .

    IMAGE_THUNK_DATA .

    typedef struct _IMAGE_THUNK_DATA32 { union { PBYTE ForwarderString; PDWORD Function; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA32;

    IMAGE_THUNK_DATA ILT, IAT .

    ILT

    - OriginalFirstThunk .

    - .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 64 -

    - IMAGE_IMPORT_BY_NAME Ordinal .

    - Ordinal

    IMAGE_IMPRT_BY_NAME RVA .

    - .

    IAT

    - FirstThunk .

    - AddressOfData Ordinal .

    - IMAGE_THUNK_DATA IMAGE_IMPORT_BY_NAME AddressOfData

    . IMAGE_IMPORT_BY_NAME

    .

    - 1 ordinal , 0 AddressOfData .

    - .

    IMAGE_THUNK_DATA AddressOfData .

    IMAGE_THUNK_DATA Ordinal .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 65 -

    Winhex .

    NULL . 6 DLL

    .

    Import Table

    IMAGE_DIRECTORY_ENTRY_IMPORT

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 66 -

    VirtualAddress . ,

    PE . Stud_PE

    .

    PE . Import Table Raw

    . PE

    RVA VirtualAddress Size .

    RVA 0x12FD4 .text . .text RawOffset

    0x400 0x123D4 .

    ( RVA) ( VirtualOffset) + RawOffset

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 67 -

    . calc.exe

    .text .

    .

    PE IAT(Import Address Table) .

    IMAGE_DIRECTORY_ENTRY_IMPORT .

    DLL

    IMAGE_IMPORT_DESCRIPTOR DLL .

    .

    RVA 0x12FD4 .text .

    , ( 0x12FD4 0x1000 ) + 0x400 = 0x123D4 . Winhex .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 68 -

    calc.exe DLL RVA 0x134D6.

    RVA

    . Stud_PE 0x134D6 .text

    . Name 0x134D6 0x1000 + 0x400 = 0x128D6 .

    KERNEL32.dll .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 69 -

    3-7. Export Table

    Student Notes

    Import Export

    . Export Data Directory

    0 IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress Size .

    Export Import . Winnt.h

    .

    typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion;

    Export Table

    Name

    Base

    NumberOfFunctions

    NumberOfNames

    AddressOfFunctions

    AddressOfNames

    AddressOfNameOrdinals

    ...

    AddressOfNames

    AddressOfNameOrdinals

    ...

    NumberOfFunctions

    NumberOfNames

    AddressOfFunctions

    Base

    Name

    IMAGE_DIRECTORY_ENTRY_EXPORT

    Size

    VirtualAddress

    RVA

    RVA

    RVA

    EXPORT TABLEMYDLL.DLL

    RVA

    RVA

    ordinal

    ordinal

    code

    code

    Kernel32.OpenProcess

    Myfunc2

    MyFunc1

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 70 -

    DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; // RVA from base of image DWORD AddressOfNames; // RVA from base of image DWORD AddressOfNameOrdinals; // RVA from base of image } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

    Name : DLL ASCII RVA

    Base :

    NumberOfFunctions : AddressOfFunctions RVA

    NumberOfNames : AddressOfNames RVA

    AddressOfFunctions : (RVA )

    AddressOfNames : (RVA )

    AddressOfNameOrdinals : . Base

    .

    DLL

    (RVA ), .

    Export Table

    .

    1. IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress

    VirtualAddress 0x00016A1C Size 0x00004B9A.

    2. VirtualAddress RawOffset

    ( RVA) ( VirtualOffset) + RawOffset

    0x00016A1C 0x00001000 + 0x00000400 = 0x00015E1C

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 71 -

    RVA 0x16A1C .text . .text

    RawOffset 0x400 0x15E1C . Winhex .

    .

    Name : 0x000186D2

    Base : 1

    NumberOfFuntions : 0x000002DB

    NumberOfNames : 0x000002DB

    AddressOfFunctions : 0x00016A44

    AddressOfNames : 0x000175B0

    AddressOfNameOrdinals : 0x0001811C

    offset RVA

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 72 -

    Name : 0x000186D2 0x1000 + 0x400 = 0x00017AD2

    USER32.dll . NULL ( \0 ) .

    1 (Base : 1), 731 (NumberOfFuntions : 0x2DB),

    731 . (NumberOfNames : 0x2DB)

    AddressOfNames .

    AddressOfNames : 0x000175B0 0x1000 + 0x400 = 0x000169B0

    0x000186DD RVA offset 0x00017ADD.

    ActivateKeyboardLayout .

    AddressOfFunctions 0x00016A44 0x1000 + 0x400 = 0x00015E44

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 73 -

    AddressOfNameOrdinals : 0x0001811C 0x1000 + 0x400 = 0x0001751C

    0x1751C NumberOfNameOrdinals .

    1 Base

    . USER32.dll 731(0x2DB)

    AddressOfNameOrdinals 731(0x2DB) .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 74 -

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 75 -

    Module 4

    Objectives

    CrackMe / KeygenMe

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 76 -

    4-1.

    Student Notes

    , , , .

    . .

    Debugger Ollydbg

    Disassembler IDA W32DASM

    File Analyzer Stud PE PEiD ImportREConstruction

    HEX Editor WinHex

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 77 -

    Ollydbg

    http://www.ollydbg.de/ , .

    File : .

    View : .

    Debug : .

    Plugins : .

    Options : .

    Window, Help : () .

    restart, close, run .

    .

    .

    E : Executable modules,

    M : Memory map,

    H : Handles,

    C : CPU main htread,

    / : Patches,

    K : Call stack of main thread

    B : Breakpoints,

    R : References,

    ... : Run trace

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 78 -

    .

    A OP .

    , OP , , .

    .

    B . A offset ,

    .

    C .

    .

    D CPU . .

    E Stack .

    Ollydbg .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 79 -

    Option Appearance udd plugins .

    Option Debugging Option CPU : jump .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 80 -

    Exception .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 81 -

    Stud PE

    PE http://www.cgsoftlabs.ro/studpe.html

    .

    PEiD

    PE Stud PE .

    http://www.peid.info/ .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 82 -

    ImportREC

    IAT . IAT

    IAT . ImportREC .

    http://vault.reversers.org/ImpRECDef .

    IAT . IAT

    . 0000 0000

    IAT 0000 0000

    ImportREC . IAT

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 83 -

    Winhex

    HEX . .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 84 -

    4-2. CrackMe

    Student Notes

    Crackme

    . Crackme

    , . Keygen

    Keygen

    .

    .

    CrackMe

    Key Keyfile

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 85 -

    Crackme #1

    .

    Invalid Password

    .

    Invalid Password . .

    Search for All reference text strings

    .

    The password is %s .

    The password is xxxxxxxxxx

    Invalid Password . Invalid Password

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 86 -

    Invalid Password 004010DA

    . 004010DA 0040109C The password is %s

    . JNB

    004010DC The password is %s . ,

    . .

    PUSH Crackme#.00407030 Please enter the password:

    CALL . CALL

    . .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 87 -

    .

    /*40102C*/ ADD ESP,4 //

    /*40102F*/ PUSH 10 // 10

    /*401031*/ PUSH 0 // 0

    /*401033*/ LEA EAX,DWORD PTR SS:[EBP-34] // EBP-34 () EAX

    /*401036*/ PUSH EAX // EAX

    /*401037*/ CALL Crackme#.00401150 // 00401150

    /*40103C*/ ADD ESP,0C //

    /*40103F*/ MOV DWORD PTR SS:[EBP-1C],0 // EBP-1C 0

    /*401046*/ MOV DWORD PTR SS:[EBP-20],0 // EBP-20 0

    /*40104D*/ MOV DWORD PTR SS:[EBP-24],0 // EBP-24 0

    .

    .

    .

    00401054 00401140 .

    . EAX .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 88 -

    Disassembly . ,

    00401054 00401084 .

    .

    /*401059*/ MOV BYTE PTR SS:[EBP-4],AL // AL EBP-4 1

    /*40105C*/ MOV ECX,DWORD PTR SS:[EBP-1C] // EBP-1C ECX

    /*40105F*/ MOV DL,BYTE PTR SS:[EBP-4] // EBP-4 DL

    /*401062*/ MOV BYTE PTR SS:[EBP+ECX-34],DL // DL EBP+ECX-34

    /*401066*/ MOV EAX,DWORD PTR SS:[EBP-1C] // EBP-1C EAX

    /*401069*/ ADD EAX,1 // EAX 1

    /*40106C*/ MOV DWORD PTR SS:[EBP-1C],EAX // EAX EBP-1C

    /*40106F*/ MOVSX ECX,BYTE PTR SS:[EBP-4] // EBP-4 ECX

    /*401073*/ CMP ECX,0A // ECX 0x0A

    /*401076*/ JE SHORT Crackme#.00401086 // 00401086

    /*401078*/ MOVSX EDX,BYTE PTR SS:[EBP-4] // EBP-4 EDX

    /*40107C*/ TEST EDX,EDX // EDX EDX AND

    /*40107E*/ JE SHORT Crackme#.00401086 // 00401086

    /*401080*/ CMP DWORD PTR SS:[EBP-1C],10 // EBP-1C 0x10

    /*401084*/ JB SHORT Crackme#.00401054 // EBP-1C 0x10 00401054

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 89 -

    . 4

    .

    CALL 00401140 EAX .

    [EBP-1C] [EBP+ECX-34]

    . [EBP-4] . BYTE PTR SS

    (1 ) .

    ECX [EBP-4] 0x0A . [EBP-4]

    0x72( r ) 0x0A . 0x0A LF(Line Feed)

    .

    [EBP-1C] 0x10 [EBP-1C]

    16 (0x10) . 16

    00401054 . , 16

    .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 90 -

    .

    EAX (0x0B) ESP

    .

    Crackme#1 16 EAX

    . EAX .

    EAX .

    .

    EBP-34 EAX EAX [EBP-8] . [EBP-20]

    [EBP-24] 0 3 . .

    [EBP-34] 0013FF4C .

    004010AE . 004010AE .

    [EBP-20] 0x0D [EBP-20] 0x0D 004010DC

    . , [EBP-20] 0x0D .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 91 -

    [EBP-20] 0 .

    004010B4 .

    /*4010B4*/ MOV EAX,DWORD PTR SS:[EBP-20] // EBP-20 EAX

    /*4010B7*/ SHR EAX,2 // EAX 2

    /*4010BA*/ MOV ECX,DWORD PTR SS:[EBP-8] // EBP-8 ECX

    /*4010BD*/ MOV EDX,DWORD PTR SS:[EBP-24] // EBP-24 EDX

    /*4010C0*/ MOV EAX,DWORD PTR DS:[ECX+EAX*4] // ECX+EAX*4 EAX

    /*4010C3*/ CMP EAX,DWORD PTR SS:[EBP+EDX*4-18] // EBP+EDX*4-18 EAX

    4

    . .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 92 -

    004010B4 004010C3 ECX

    EAX 0 .([EBP-20] 0 )

    EDX [EBP-24] 3 .

    , EBP+EDX*4-18 0013FF80 + 3 * 4 18 = 0x0013FF80 + 0xC 0x18 = 0x0013FF74 . ,

    qwer powe . 004010DA

    004010C9 . 004010C9 Invalid Password

    . 4 powe

    .

    .

    . 4 004010DA

    0040109C .

    /*40109C*/ MOV ECX,DWORD PTR SS:[EBP-20] // EBP-20 ECX

    /*40109F*/ ADD ECX,4 // ECX 4

    /*4010A2*/ MOV DWORD PTR SS:[EBP-20],ECX // ECX EBP-20

    /*4010A5*/ MOV EDX,DWORD PTR SS:[EBP-24] // EBP-24 EDX

    /*4010A8*/ SUB EDX,1 // EDX 1

    /*4010AB*/ MOV DWORD PTR SS:[EBP-24],EDX // EDX EBP-24

    /*4010AE*/ CMP DWORD PTR SS:[EBP-20],0D // EBP-20 0x0D

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 93 -

    [EBP-20] 0 ECX 0 4

    [EBP-20] . [EBP-24] EDX 1

    [EBP-24] . [EBP-20] ECX 4 [EBP-24] EDX 2

    . [EBP-20] 4 0x0D

    13 0x0D(13) 004010DC .

    004010B4 004010C3 [EBP-20] 4 EAX

    SHR 1 . [EBP-8] ECX [EBP-24]

    EDX .

    .

    ECX + EAX*4 = 0x0013FF4C + 1 * 4 = 0x0013FF50

    EBP + EDX*4 18 = 0x0013FF80 + 2 * 4 0x18 = 0x0013FF80 + 0x08 0x18 = 0x0013FF70

    .

    4

    4 .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 94 -

    4-3. KeygenMe

    Student Notes

    Keygenme

    . keygenme C C++

    .

    .

    KeygenMe

    Key Key Key Keygen

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 95 -

    keygenme#1

    .

    .

    .

    . .

    Nope, thats not it! Try again

    . .

    . Search for All referenced text strings .

    (Good boy...) .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 96 -

    0040128A OR EAX, EAX. lstrcmpA

    ( )

    .

    . .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 97 -

    00401248 F9 .

    Check It 00401248 . F8

    00401252 .

    /*401252*/ PUSH keygenme.00406584

    . .

    .

    . 00401285 lstrcmp

    1234567890 JXCS-USIQ-XNUI-

    CPRU . OR EAX, EAX

    . 0040128E 004012A8 .

    .

    .

    ? Nope, thats not it! Try

    again .

    MessageBoxA 4 . API .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 98 -

    int MessageBox( HWND hWnd, // handle of owner window LPCTSTR lpText, // address of text in message box LPCTSTR lpCaption, // address of title of message box UINT uType // style of message box );

    . .

    /*4012A8*/ PUSH 10 /*4012AA*/ PUSH keygenme.00406337 /*4012AF*/ PUSH keygenme.00406318 /*4012B4*/ PUSH DWORD PTR SS:[EBP+8] /*4012B7*/ CALL

    00406337 00406318 . 00406318

    .

    lstrcmpA .

    00406B84 . .

    .

    /*4012AA*/ PUSH keygenme.00406337

    /*4012AF*/ PUSH keygenme.00406318

    /*4012AA*/ PUSH keygenme.0040630C

    /*4012AF*/ PUSH keygenme.00406B84

    Copy to executable All modifications

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 99 -

    . Copy all .

    Save file

    .

    .

    .

    .

    C .

    URL .

    http://dual5651.hacktizen.com/new/87

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 100 -

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 101 -

    Module 5 MUP(Manual UnPack)

    Objectives

    Packgin / Unpacking

    Packing

    MUP

    MUP Ollydbg script

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 102 -

    5-1. Packing / Unpacking

    Student Notes

    Pack , .

    .

    .

    . Entry Point

    Entry

    Point(OEP) .

    Packing / Unpacking

    Packing

    (EXE, DLL) Unpacking

    ( )

    Unpack Stub

    PE Header

    ...

    ...

    Code Section

    PE Header

    Entry Point

    OEP

    Entry Point

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 103 -

    5-2. Packing

    Student Notes

    ( ) .

    .

    PEiD EXEInfo

    . 100% .

    .

    .

    Packing

    UPX, ASPack, FSG Packer Packer .

    () ()

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 104 -

    EXEInfo SVK-Protector v1.32 demo

    PEiD yodas cryptor 1.x / modified . Stud_PE yodas

    cryptor 1.x / modified .

    yodas cryptor .

    A B

    A . B

    .

    () OEP

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 105 -

    5-3. MUP

    Student Notes

    MUP OEP IAT .

    .

    IAT . IAT .

    UPX .

    MUP

    1. Packing PEiD EXEInfo

    2. OEP .3.

    unpack 4. IAT

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 106 -

    .

    Compressed code? .

    .

    PUSHAD .

    . .

    OEP

    POPAD .

    PUSHAD

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 107 -

    POPAD JMP

    .

    JMP F8 OEP .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 108 -

    .

    OEP . Dump debugged process

    . Olly Dump .

    . Entry Point 20C40 12475

    . OEP . Rebuild Import .

    IAT

    . IAT IAT

    IAT ? . IAT ImportREConstructor

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 109 -

    ImportREC Attach to an Active Process MUP .

    calc_upx.exe IAT .

    IAT IAT

    .

    OEP 1 AuthoSearch Get Imports

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 110 -

    Fix Dump IAT .

    calc_dump_.exe IAT .

    . calc_dump.exe IAT

    .

    IAT

    PE . NULL (00000000) .

    . ImportREC IAT 00000000

    IAT 00000000 .

    ?

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 111 -

    IAT IAT

    .

    IAT read .

    IAT .

    ImportREC IAT RVA Size

    .

    RVA 00025190 00425190 .

    .

    . ImportREC 0xCC .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 112 -

    0xCC .

    00000000 . .

    . IAT . ImportREC IAT

    . IAT 0x425190

    0x4252C0 0x130 .

    OEP Get Import IAT .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 113 -

    Fix Dump IAT

    .

    (OEP) . IAT

    ImportREC

    . .

    Before Packing

    After Packing

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 114 -

    5-4. MUP Ollydbg script

    Student Notes

    MUP .

    . MUP

    . MUP

    .

    Olly Script .

    .

    MUP .

    MUP Ollydbg script

    MUP Ollydbg script

    , 16 (10 . ex. 10=16.)

    [] ! #

    DWORD +, -, *, /, &, |, ^, >,

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 115 -

    Olly Script

    $result

    EAX

    $version

    Ollyscript

    ex) cmp, $version, 1.47 //1.47 ?

    # INC filename

    ex) # INC text.txt

    # LOG

    LOG

    OllyDbg Log

    ADD dst, src

    dst

    ex) add y, Times

    Alloc size

    size $result

    ex) alloc 1000, free $result 1000

    AI / AO

    Animate into / animate over

    STI / STO

    Step into / step over

    ESTI / ESTO

    Shift + F7 / Shift + F8

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 116 -

    TI / TO

    Trace into / trace over

    TC

    Close Run Trace

    TICND / TOCND

    Trace into / trace over

    ex) TICND eip>40100A

    BC Address / BP Address

    Breakpoint Clear / BreakPoint

    BPCND Address, Condition

    BP

    ex) bpcnd 40100A, EAX==1

    BPHWC Address / BPHWCALL

    BP HW Clear / BP HW Clear All

    BPHWS Address, pattern

    BP HW Set r() w() x() /BPHWS Address

    ex) BPHWS 40100A, r

    BPL Address, Expression

    BP of Logging

    ex) bpl 40100A, EAX

    BPLCND Address, Expression, Condition

    BP of Logging Condition

    ex) bplcnd 40100A, EAX, ECX==0

    BPMC

    BP Memory Clear

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 117 -

    BPRM Address, size / BPWM Address, size

    BP on Read Memory / BP on Write Memory

    ex) BRPM 40100A, FF

    ex) BPWM 40100A, FF

    AN Address

    Ollydbg analyse

    ASM Address, Instruction

    Ollydbg assemble

    $result

    ex) asm 40100A, xor eax, eax

    CMT address, comment(string of character)

    Ollydbg

    ex) cmt eip,

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 118 -

    OR dst, src / XOR dst, src

    Or/xor

    EOB Label / EOE Label

    Excute On Breakpoint / Excute On Exception

    ex) EOB Label / EOE Label1

    FILL Address, Length, Value

    ex) fill 40100A,10,90

    Find Address, Content

    $result , 0

    ex) find eip, # 6A??E8 #

    FINDOP Address, Content

    $result

    ex) findop 401000, #61# // find next POPAD

    findop 401000, #6A??# // find next PUSH

    FINDMEM what [, Start Address]

    $result , 0

    ex) findmem #6A00E8#

    findmem #6A00E8#, 00400000

    REPL Address, Find, Replace, Length

    find ( )

    ex) repl eip, #??00 #, #??01 #, 10

    RET

    REV val

    Val $result

    ex) rev 01020304 // $result == 04030201

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 119 -

    EXEC/ENDE

    EXECute / END Excute, {}

    ex) var x

    var y

    mov x, "eax

    mov y, "0DEADBEEF

    exec

    mov {x}, {y}

    mov ecx, {x}

    ende

    ex) exec

    push 0

    call ExitProcess

    ende

    ret

    JA LABEL / JAE LABEL

    Cmp , ja / jae

    JB LABEL / JNB LABEL

    Cmp , ja / jae

    JE LABEL / JNE LABEL

    Cmp , ja / jae

    JMP LABEL

    JMP

    LEN str

    Str

    ex) len NiceJump

    msg $RESULT

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 120 -

    MUP

    .

    UPX . PUSHAD POPAD

    OEP .

    OEP . OEP

    Step Over(F8) OEP . OEP

    ?

    ESP .

    OEP .

    .

    STI // Step into(F7), PUSHAD .

    BPHWS esp, r // PUSHAD POPAD BP

    RUN // (F9)

    BPHWC // BP BP

    STO // Step over(F8), OEP

    CMT eip,

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 121 -

    Module 6 Anti-Reverse

    Objectives

    Breakpoint

    TLS Callback

    Process Attach

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 122 -

    6-1.

    Student Notes

    .

    .

    .

    .

    .

    .

    .

    kernel32!OutputDebugStringACtrl-CRogue Int3"Ice" BreakpointInterrupt 2DhTimestamp countersPopf and the trap flagStack Segment registerDebug registers manipulationContext modificationTLS-callbackCC scanningEntryPoint RVA set to 0

    kernel32!IsDebuggerPresentPEB!IsDebuggedPEB!NtGlobalFlagsHeap flagsVista anti-debug (no name)NtQueryInformationProcesskernel32!CheckRemoteDebuggerPresentUnhandledExceptionFilterNtSetInformationThreadkernel32!CloseHandle and NtCloseSelf-debuggingKernel-mode timersUser-mode timers

    : http://www.securityfocus.com/infocus/1893

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 123 -

    kernel32!IsDebuggerPresent

    PEB(Process Environment Block) BeingDebugged

    . IsDebuggerPresent()

    .

    IsDebuggerPresent Debugger not found!

    . Debugger found!

    .

    .

    IsDebuggerPresent() EAX .

    IsDebuggerPresent() 1 0 . CMP

    . (IsDebugg.0040101F)

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 124 -

    call IsDebuggerPresent test eax, eax jne @DebuggerDetected

    CALL F7 .

    TEB(Thread Environment Block) PEB PEB PEB + 2

    BeingDebugged . BeingDebugged 0

    IsDebuggerPresent .

    F9 Debugger not found! .

    PEB!IsDebugged

    PEB . IsDebuggerPresent

    . .

    mov eax, fs:[30h] mov eax, byte [eax+2] test eax, eax jne @DebuggerDetected

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 125 -

    PEB!NtGlobalFlags

    PEB 68 NtGlobalFlags .

    NtGlobalFlags 0x70 0x00 .

    ntdll . Heap

    .

    FLG_HEAP_ENABLE_TAIL_CHECK (Heap Tail Checking) : 0x10

    FLG_HEAP_ENABLE_FREE_CHECK (Heap Free Checking) : 0x20

    FLG_HEAP_VALIDATE_PARAMETERS (Heap Parameter Checking) : 0x40

    NtGlobalFlags .

    FS:[30] PEB . PEB 0x68 NtGlobalFlags .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 126 -

    PEB 0x68 70 .

    70 .

    NtQueryInformationProcess

    .

    NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess( IN HANDLE ProcessHandle, IN PROCESS_INFORMATION_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength

    );

    ProcessDebugPort 7 ProcessInformationClass

    ProcessInformation -1 . ,

    ProcessInformation 0 -1 .

    NtQueryInformationProcess .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 127 -

    NtQueryInformationProcess CALL DWORD PTR

    DS:[40306C] NtQueryInformationProcess .

    .

    eax .

    0 TEST 0

    . 0x00401035 Step into(F7)

    . .

    0x7FFE0300 .

    0x0013FFC0 ProcessInformation FFFFFFFF .

    ProcessInformation .

    . POP EAX

    FFFFFFFF .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 128 -

    NtQueryinformationProcess ProcessInformation 0

    .

    7 . 9 . RETN 14

    .

    ESP+C ProcessInformation 0 .

    .

    00000000 . TEST

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 129 -

    kernel32!CheckRemoteDebuggerPresent

    CheckRemoteDebuggerPresent

    .

    BOOL CheckDebugger(HANDLE hProcess) { BOOL Retval = 0; CheckRemoteDebuggerPresent(hProcess,&Retval); return Retval; }

    NtQueryInformationProcess . .

    CALL EAX Step into(F7) .

    EBP+8 0 NtQueryInformationProcess

    NtQueryInformationProcess .

    NtQueryInformationProcess ProcessInformation 0 .

    NtQueryInformationProcess .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 130 -

    0, 4, 7 PUSH EAX EBP+8

    PUSH NtQueryInformationProcess . ProcessInformation

    NtQueryInformationProcess

    .

    /*7C85C09C*/ CMP DWORD PTR SS:[EBP+8],0 EBP+8

    .

    F9 Debugger not found! .

    ProcessInformation NtQueryInformationProcess

    .

    Timing Check

    .

    . RDTSC(Read Time

    Stamp Counter) . .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 131 -

    .

    .

    GetTickCount .

    Olly Advanced

    .

    Olly Advanced .

    1. 4 (CR4) TSD(Time Stamp Disable) bit

    1 . TSD bit 1 Ring0

    RDTSC GP(General Protection)

    .

    2. GP GPF . GPF

    0xD GPF IDT

    0xD * 4byte .

    3. Olly Advanced IDT GPF

    GPF RDTSC

    RDTSC

    timing check .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 132 -

    kernel32!OutputDebugStringA

    ASCII OutputDebugStringA .

    . 1

    .

    Ollydbg .

    1.10 .

    .

    . Olly Advanced .

    HideDebugger Olly Invisible, IsDebuggerPresent .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 133 -

    6-2. BreakPoint

    Student Notes

    . .

    .

    .

    .

    Break Point

    Hardware Breakpoint DR0 ~ DR3 DR7

    Software Breakpoint

    0xCC (INT 3) Instruction Breakpoint

    Memory Breakpoint

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 134 -

    Hardware Breakpoint

    DR0 ~ DR3 DR7 . .

    Software Breakpoint . 0xCC(INT 3) .

    Instruction Breakpoint . / .

    Memory Breakpoint . /

    Hardware Breakpoint

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 135 -

    IA32 . DR0 ~ DR7

    8 .

    DR0 ~ DR3 :

    DR4 ~ DR5 :

    DR6 : ,

    .

    DR7 : ,

    .

    R/W0 ~ R/W3 . 00

    01 11 .

    DR7 .

    . IA32

    Ring0 .

    SEH Ring3 .

    2-6 SEH ContextRecord

    .

    _CONTEXT . ,

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 136 -

    Ring3 .

    .

    1. SEH

    2.

    3. SEH

    4. ContextRecord

    .

    . SEH

    .

    .

    Debug Hardware breakpoints

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 137 -

    F9 .

    .

    Access violation . Shift + F7/F8/F9

    . Shift + F9 Shift + F8

    . Shift + F9 .

    .

    Shift + F9 Shift + F7 .

    .

    F7 . Shift + F7

    SEH Chain . View SEH chain SEH

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 138 -

    0x0040103E .

    .

    F9 .

    ! DR0 ~ DR3

    . 0 0x0040109A .

    0x0040109A

    .

    SEH DR0 ~ DR3

    0 .

    .

    CMP DWORD PTR DS:[EAX+4h],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+8h],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+0Ch],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+10h],0 JNE @hardware_bpx_found

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 139 -

    MOV 0

    .

    MOV DWORD PTR DS:[EAX+4h],0 MOV DWORD PTR DS:[EAX+8h],0 MOV DWORD PTR DS:[EAX+0Ch],0 MOV DWORD PTR DS:[EAX+10h],0

    ?

    NOP .

    .

    NOP

    .

    .

    .

    SEH .

    EBP+0x10 ContextRecord .

    ContextRecord .

    ESP+0x0C ContextRecord .

    SEH chain .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 140 -

    Software Breakpoint

    1 0xCC(INT 3)

    . .

    1byte 0xCC .

    .

    .

    .

    good job

    .

    Step over(F8) .

    (CALL softbp.exit) (ADD ESP, 0C) .

    00401005 .

    . ProtectedFunc F2

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 141 -

    .

    0xCC . 0xCC

    . code permutation .

    ECX . EAX 0x660 . SHR

    EAX 3 0xCC . 0x660

    0110 0110 0000 3 000011001100

    . 16 0xCC . (4 1100

    10 12 . , 16 C )

    , 0xCC(INT 3)

    .

    EDI EAX .

    0xCC ECX 0 0 . TEST ECX, ECX

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 142 -

    ECX 0 004010A4 .

    RETN . RETN

    .

    RETN POP EIP . POP EIP

    .

    B58C7BB6

    . RETN

    .

    .

    .

    .

    ProtectedFunc

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 143 -

    ProtectedFunc F9

    .

    . 0xCC F8

    .

    Import . ,

    .

    F9 .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 144 -

    .( CTRL+N)

    MessageBoxA .

    F9 .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 145 -

    6-3. TLS Callback

    Student Notes

    TLS Callback

    . TLS Callback . ,

    .

    TLS Callback . TLS Callback

    , OEP

    .

    TLS Callback

    TLS (Thread Local Storage) Callback

    TLS Callback .

    PE Data Directory 10IMAGE_DIRECTORY_ENTRY_TLS .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 146 -

    .

    .

    . TLS TLS Callback . ,

    TLS Callback .

    PE Data Directory TLS . TLS

    10 . Stud_PE .

    Data Dir IMAGE_DIR_ENTRY_TLS TLS .

    RVA, Size, Raw . PE Raw Stud-PE

    PE . RVA .

    TLS RVA TLS VirtualOffset + RawOffset = 3060 3000 + 800 = 860

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 147 -

    TLS 0x860 . Winnt.h IMAGE_TLS_DIRECTORY

    .

    typedef struct _IMAGE_TLS_DIRECTORY32 { DWORD StartAddressOfRawData; DWORD EndAddressOfRawData; PDWORD AddressOfIndex; PIMAGE_TLS_CALLBACK *AddressOfCallBacks; DWORD SizeOfZeroFill; DWORD Characteristics; } IMAGE_TLS_DIRECTORY32;

    AddressOfCallBacks TLS Callback . Winhex .

    TLS Callback 0x00403084 . RVA . TLS

    Callback . 0x00403084 RVA

    ImageBase 0x3084 . (3084 3000 + 800 = 884)

    TLS 884 . Winhex .

    TLS Callback 0040101B . Entry Point

    System breakpoint .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 148 -

    System breakpoint .

    TLS Callback 0040101B . CTRL+G . 0040101B

    .

    0040101B F9 . IsDebuggerPresent

    .

    TLS Callback

    ,

    .

    TLS Callback IMAGE_DIRECTORY_ENTRY_TLS

    TLS AddressOfCallbacks 00000000 .

    TLS Callback IDA

    . IDA CTRL+E .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 149 -

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 150 -

    6-4. Process Attach

    Student Notes

    DLL OCX

    . DLL

    .

    DLL Injection dll

    DLL attach .

    .

    Process Attach

    dll ocx

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 151 -

    File Attach .

    Attach

    .

    explorer.exe .

    Pause . Start .

    .

    Executable modules . dll

    . dll dll View

    names .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 152 -

    .

    Conditioinal log breakpoint on import

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 153 -

    dll . View Log .

    Log .

    . ntdll.dll

    ZwContinue CALL . Anti-Attach ZwContinue (Anti-

    Debugging )

    .

    Ollydbg AttachAnyway

    ZwContinue

    . ZwContinue .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 154 -

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 155 -

    Module 7

    Objectives

    - shadowbot

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 156 -

    7-1.

    Student Notes

    KISA

    . 2007 4 8

    .

    8

    8 :

    . .

    ID: stage8, PASSWORD:

    KISA 4 Unpacking Steganography

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 157 -

    .

    .

    .

    . PEiD Nothing found

    .

    ?

    Hardcore Scan .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 158 -

    nSPack 2.2 North Star/Liu Xing Ping . PEiD

    userdb.txt nSPack .

    .

    .

    . !packed by [email protected]

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 159 -

    nspack .

    .

    Memory map . View Memory ALT+M

    .

    PE 006E0000 ImageBase .

    . F9

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 160 -

    ImageBase 00400000 .

    .

    .

    CTRL+F2 VirtualAlloc

    00400000

    . VirtualAlloc .

    LPVOID VirtualAlloc( LPVOID lpAddress, // address of region to reserve or commit DWORD dwSize, // size of region DWORD flAllocationType, // type of allocation DWORD flProtect // type of access protection );

    . . Command bar

    .

    VirtualAlloc 7C8245A9 .

    F9 00400000

    . F9 VirtualAlloc

    .

    Address NULL . Address 00400000 . F9

    Address 00400000 .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 161 -

    F8 VirtualAlloc

    .

    . CTRL+A

    .

    .

    .

    . write .

    (write) .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 162 -

    F9 .

    00400000 . write

    . RETN

    . ( )

    F9 . RETN 0C F8 .

    F8 0045972C .

    PUSHAD

    POPAD .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 163 -

    POPAD POP JMP EAX

    0045972C . OEP .

    OEP ImportREC IAT .

    IAT .

    IAT .

    Dump debugged process

    OEP .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 164 -

    IAT . 00459737

    00406120 CALL 00406050 .

    .

    Follow in Dump Memory address

    .

    Long Address IAT .

    , IAT . 0000 0000

    . 0000 0000

    . ImportREC IAT 0000 0000

    IAT .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 165 -

    IAT 0045D118 0045D6D0 . IAT

    OEP OEP 0045972C .

    IAT CTRL+F2

    VirtualAlloc .

    .

    IAT .

    . IAT 0045D118

    . (Breakpoint Hardware, on write DWROD) F9 .

    .

  • Reverse Engineering

    http://www.securitya.kr 2008 Security Awareness Korea

    - 166 -

    F8 IAT .

    IAT . IAT . 0045D118 0045D6D0 .

    0045D6D0 0045D730 .

    IAT . 0045D730

    . ( Binary B