Reverse Engineering - agz.esagz.es/Reverse-Engineering/Basic/Reverse Engineering [Security... · © 2008 Security Awareness Korea - i - Reverse Engineering Table of Content Module 1 ⎯ RCE 란? ...

<ul><li><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- i -</p><p>Reverse Engineering Table of Content </p><p>Module 1 RCE ?..................................................................................................................................1 1-1. RCE ? ............................................................................................................................................2 1-2. RCE .................................................................................................................................4 1-3. RCE ..................................................................................................................................6 </p><p>Module 2 RCE ...............................................................................................................................9 2-1. CPU ................................................................................................................................10 2-2. CPU ................................................................................................................................12 2-3. Assembly.........................................................................................................................................17 2-4. STACK ...................................................................................................................................21 2-5. (Calling Convention).............................................................................................23 2-6. SEH(Structured Exception Handling).............................................................................................26 2-7. C ........................................................................................34 2-8. API ..............................................................................................40 </p><p>Module 3 PE ........................................................................................................................43 3-1. PE ..................................................................................................................................44 3-2. DOS DOS Stub Code ........................................................................................................49 3-3. PE File Header ................................................................................................................................51 3-4. Optional Header ..............................................................................................................................54 3-5. Section Table...................................................................................................................................59 3-6. Import Table....................................................................................................................................62 3-7. Export Table....................................................................................................................................69 </p><p>Module 4 ..............................................................................................................................75 4-1. ...............................................................................................................................76 4-2. CrackMe ........................................................................................................................84 4-3. KeygenMe .....................................................................................................................94 </p><p>Module 5 MUP(Manual UnPack) .....................................................................................................101 5-1. Packing / Unpacking .....................................................................................................................102 5-2. Packing .................................................................................................................................103 5-3. MUP .....................................................................................................................................105 5-4. MUP Ollydbg script ...............................................................................................114 </p><p>Module 6 Anti-Reverse ..............................................................................................................121 6-1. .........................................................................................................................122 6-2. BreakPoint ...................................................................................................................133 6-3. TLS Callback ................................................................................................................................145 6-4. Process Attach ......................................................................................................................150 </p><p>Module 7 ............................................................................................................................155 7-1. ........................................................................................................156 7-2. - shadowbot .........................................................................................................173 </p></li><li><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- ii -</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 1 -</p><p>Module 1 RCE ? </p><p>Objectives </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 2 -</p><p>1-1. RCE ? </p><p>Student Notes </p><p> . . </p><p> (EXE, DLL, SYS ) </p><p> C </p><p> . </p><p> . </p><p>RCE?</p><p>Reverse Code Engineering , </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 3 -</p><p> . </p><p> . PC , HEX </p><p> , </p><p>. </p><p> . , C </p><p> . </p><p> VC gcc </p><p> () . CPU </p><p> . VC, VB, </p><p>() C . </p><p> VB . </p><p>() . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 4 -</p><p>1-2. RCE </p><p>Student Notes </p><p> 12 2 () </p><p> . </p><p> 1 1 </p><p> . </p><p>1. 3 </p><p>2. </p><p> [ 2001.1.16][[ </p><p>2001.7.17]] </p><p>RCE </p><p> (Competition) (Copyrightlaw) The Digital Millennium Copyright Act (DMCA)</p><p> RIAA Felten ebook SunnComm CD </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 5 -</p><p> 2001 1 16 7 17 , </p><p> . </p><p> 2000 , 2001 </p><p> , . </p><p> . </p><p> . </p><p>DMCA(The Digital Millennium Copyright Act) </p><p>. DMCA HTML , , , , , </p><p>, , , . DMCA </p><p> . </p><p>DMCA Sony-BMG "" </p><p>Sony-BMG CD "(root kit)" </p><p>Secure Digital Music Initiative(SDMI) </p><p> , </p><p> . SDMI </p><p>. . </p><p>SunnComm CD </p><p> SunnComm </p><p> . SunnComm . </p><p> pdf </p><p> . </p><p>pdf . </p><p> . . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 6 -</p><p>1-3. RCE </p><p>Student Notes </p><p>. . </p><p> / . /</p><p> ( ) </p><p> . </p><p> exe PC </p><p> . PC </p><p> PC </p><p> . . </p><p>RCE </p><p> DRM </p><p>RCE </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 7 -</p><p> . </p><p> . </p><p> . </p><p> . </p><p>DRM </p><p> DRM . </p><p> . </p><p> . </p><p> API </p><p> . </p><p> . </p><p> . </p><p> . </p><p> . </p><p> . . </p><p> . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 8 -</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 9 -</p><p>Module 2 RCE </p><p>Objectives </p><p> CPU </p><p> CPU </p><p> / </p><p> STACK </p><p> (Calling Convention) </p><p> SEH(Structured Exception Handling) </p><p> C </p><p> API </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 10 -</p><p>2-1. CPU </p><p>Student Notes </p><p>CPU , . </p><p>CPU . CPU </p><p> , , , . CPU </p><p> . , (ALU: arithmetic logic </p><p>unit), (control unit) . </p><p> . </p><p>. . </p><p> . - - </p><p>CPU </p><p>BUS Interface</p><p>ALU(Arithmetic Logic Unit)</p><p>Control Unit</p><p>Register Set</p><p>CPU (Central Processing Unit)</p><p>Memory</p><p>I/O BUS</p><p>Keyboard Monitor NIC HDDMonitor</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 11 -</p><p> CPU </p><p> Control Unit ALU ALU . </p><p> ALU() : (, ) ( , , </p><p>) . </p><p> . </p><p> Register : . </p><p> . </p><p> - . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 12 -</p><p>2-2. CPU </p><p>Student Notes </p><p>CPU , , EFLAGS , CIP </p><p> . 32 (4 ) 16 8 </p><p> . </p><p>CPU Register</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 13 -</p><p> 00000000 FFFFFFFF . </p><p> (General-Purpose Register) </p><p> , , </p><p>. </p><p> EAX(Extended Accumulator Register) : </p><p> EBX(Extended Base Register) : DS ( </p><p> ) </p><p> ECX(Extended Counter Register) : </p><p> EDX(Extended Data Register) : </p><p> ESI(Extended Source Index) : </p><p> EDI(Extended Destination Index) : </p><p> ESP(Extended Stack Pointer) : , TOP </p><p> EBP(Extended Base Pointer) : , </p><p> (Segment Register) </p><p> 16 . </p><p> . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 14 -</p><p> CS : </p><p>- </p><p> . </p><p> SS : </p><p>- </p><p> . </p><p> DS : </p><p> ES : , </p><p> FS/GS : , IA32 </p><p> . </p><p> Flat Segmented . </p><p> Segmented . </p><p>EFLAGS </p><p> EFLAGS , , 1, 3, 5, 15, 22 </p><p>~ 31 . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 15 -</p><p>LAHF, SAHF, PUSHF, PUSHFD, POPF, POPPFD EAX </p><p> . EFLAGS (BT, BTS, BTR, BTC) </p><p> . </p><p> (Status Flags) : (ADD, SUB, MUL, DIV) . </p><p> CF(bit 0) Carry flag : </p><p>- 0 : </p><p>- 1 : </p><p> PF(bit 2) Parity flag </p><p> AF(bit 4) Adjust flag </p><p> ZF(bit 6) Zero flag : </p><p>- 0 : 0 </p><p>- 1 : 0 </p><p> SF(bit 7) Sign flag </p><p> OF(bit 11) Overflow flag : </p><p>- 0 : </p><p>- 1 : ( ) </p><p> (Control Flags) </p><p> DF(bit 10) Direction flag </p><p> (System Flags) </p><p> TF(bit 8) Trap flag </p><p> IF(bit 9) Interrupt enable flag </p><p> IOPL(bit 12, 13) I/O privilege level field </p><p> NT(bit 14) Nested task flag </p><p> RF(bit 16) Resume flag </p><p> VM(bit 17) Virtual-8086 mode flag </p><p> AC(bit 18) Alignment check flag </p><p> VIF(bit 19) Virtual interrupt flag </p><p> VIP(bit 20) Virtual interrupt pending flag </p><p> ID(bit 21) Identification flag </p><p> ZF, OF, CF . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 16 -</p><p>EIP </p><p> . </p><p> EIP . 16 </p><p>EIP( 16 0), 32 EIP . </p><p>EIP CALL, JMP, RET control-transfer </p><p> . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 17 -</p><p>2-3. Assembly </p><p>Student Notes </p><p> . </p><p> . </p><p> . </p><p>Assembly</p><p> Arithmetic Instruction Data Transfer Instruction Logical Instruction String Instruction Control Transfer Instruction Processor Control Instruction</p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 18 -</p><p>Arithmetic Instruction </p><p> ADD SUB ADC SBB CMP INC 1 DEC 1 NEG 2 , AAA AL UNPACK 10 DAA AL PACK 10 AAS AL UNPCAK 10 DAS AL PCAK 10 MUL AX AX DX:AX IMUL AAM AX UNPACK 10 DIV AX DX:AX . AL, AX AH, DX IDIV AAD AX UNPACK 10 CBW AL AX CWD AX DX:AX </p><p>Data Transfer Instruction </p><p> MOV () PUSH POP XCHG XLAT BX:AL AL LEA LDS REG (MEM), DS (MEM+2) LES REG (MEM), ES (MEM+2) LAHF AH SAHF AH PUSHF POPF </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 19 -</p><p>Logical Instruction </p><p> NOT 1 , </p><p>SHL/SAL ( 0) SHR ( 0) SAR , </p><p>ROL/ROR / RCL/RCR / AND AND TEST AND OR OR XOR (OR) </p><p>String Instruction </p><p> REP REP CS 0 MOVS DS:DI ES:DI COMPS DS:DI ES:DI SCAS AL AX ES:DI LODS SI AL AX STOS AL AX ES:DI </p><p>Control Transfer Instruction </p><p> CALL JMP RET CALL PUSH JE/JZ 0 ZF=1 JL/JNGE ( ) SF != OF JB/JNAE ( ) CF=1 JLE/JNG ( ) ZF=1 or SF != OF JBE/JNA ( ) CF=1 or ZF=1 JP/JPE 1 PF=1 </p><p>JO OF=1 JS 1 SF=1 </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 20 -</p><p>JC CF=1 JNE/JNZ 0 ZF=0 JNL/JGE ( ) SF=OF JNB/JAE ( ) CF=0 JNLE/JG ( ) ZF=0 and SF=OF JNBE/JA ( ) CF=0 and ZF=0 JNP/JPO 0 PF=0 </p><p>JNO OF=0 JNS 0 SF=0 JNC CF=0 LOOP CX 1 , 0 </p><p>LOOPZ/LOOPE CX 0 ZF=1 LOOPNZ/LOOPNE CX 0 ZF=0 </p><p>JCXZ CX 0 CX=0 INT INTO IRET () </p><p>Processor Control Instruction </p><p> CLC CMC CLD CLI HLT STC NOP STD STI WAIT ESC </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 21 -</p><p>2-4. STACK </p><p>Student Notes </p><p> . PUSH </p><p> POP </p><p>. LIFO(Last In First Out) . </p><p> . </p><p> Full Stack : TOP PUSH </p><p> Empty Stack : TOP </p><p> Ascending Stack : </p><p> Descending Stack : </p><p>STACK </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 22 -</p><p> Full Descending Stack . , TOP </p><p>. </p><p> EBP, ESP, EIP . EBP </p><p> ESP ESP </p><p>. ESP TOP . </p><p>EIP </p><p> . </p><p> . </p><p> F1 func1 </p><p> . func1 </p><p> . func1 func1 </p><p> . </p><p> func1 func2 . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 23 -</p><p>2-5. (Calling Convention) </p><p>Student Notes </p><p>. , . </p><p> , </p><p> , , </p><p> . </p><p> (Stack Frame) . </p><p> (Calling Convention)</p><p> Argument </p><p> Stack : C , cdecl, stdcall, Pascal Register : fastcall</p><p> Argument Right to Lest : cdecl, stdcall Left to Right</p><p> Stack Clearing Caller : cdecl Callee : stdcall</p><p> Return Value </p><p>__stdcall, __cdecl, __fastcall</p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 24 -</p><p> . </p><p> . </p><p> Fame Pointer( Base Pointer) </p><p> . </p><p> EBP . </p><p> 5 (stdcall, cdecl, thiscall, fastcall, naked) </p><p> stdcall cdecl . </p><p>__stdcall </p><p>stdcall API . stdcall </p><p> , </p><p> (Callee) , eax </p><p> . </p><p> . call ret n . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 25 -</p><p>__cdecl </p><p>cdecl C C++ , </p><p> . cdecl </p><p> , (Caller) </p><p> , eax . cdecl </p><p> , </p><p> . call add esp, n . </p><p> stdcall cdecl </p><p>. </p><p>stdcall (Callee) (Caller) Callee </p><p> cdecl Caller </p><p> Callee . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 26 -</p><p>2-6. SEH(Structured Exception Handl...</p></li></ul>