Upload File

Reverse Engineering - agz.esagz.es/Reverse-Engineering/Basic/Reverse Engineering [Security... · © 2008 Security Awareness Korea - i - Reverse Engineering Table of Content Module 1 ⎯ RCE 란?

  • Home
  • Documents
  • Reverse Engineering - agz.esagz.es/Reverse-Engineering/Basic/Reverse Engineering [Security... · © 2008 Security Awareness Korea - i - Reverse Engineering Table of Content Module 1 ⎯ RCE 란?
Download Reverse Engineering - agz.esagz.es/Reverse-Engineering/Basic/Reverse Engineering [Security... · © 2008 Security Awareness Korea - i - Reverse Engineering Table of Content Module 1 ⎯ RCE 란?

Post on 31-Jan-2018

259 views

Category:

Documents

33 download

Report

Embed Size (px)

TRANSCRIPT

<ul><li><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- i -</p><p>Reverse Engineering Table of Content </p><p>Module 1 RCE ?..................................................................................................................................1 1-1. RCE ? ............................................................................................................................................2 1-2. RCE .................................................................................................................................4 1-3. RCE ..................................................................................................................................6 </p><p>Module 2 RCE ...............................................................................................................................9 2-1. CPU ................................................................................................................................10 2-2. CPU ................................................................................................................................12 2-3. Assembly.........................................................................................................................................17 2-4. STACK ...................................................................................................................................21 2-5. (Calling Convention).............................................................................................23 2-6. SEH(Structured Exception Handling).............................................................................................26 2-7. C ........................................................................................34 2-8. API ..............................................................................................40 </p><p>Module 3 PE ........................................................................................................................43 3-1. PE ..................................................................................................................................44 3-2. DOS DOS Stub Code ........................................................................................................49 3-3. PE File Header ................................................................................................................................51 3-4. Optional Header ..............................................................................................................................54 3-5. Section Table...................................................................................................................................59 3-6. Import Table....................................................................................................................................62 3-7. Export Table....................................................................................................................................69 </p><p>Module 4 ..............................................................................................................................75 4-1. ...............................................................................................................................76 4-2. CrackMe ........................................................................................................................84 4-3. KeygenMe .....................................................................................................................94 </p><p>Module 5 MUP(Manual UnPack) .....................................................................................................101 5-1. Packing / Unpacking .....................................................................................................................102 5-2. Packing .................................................................................................................................103 5-3. MUP .....................................................................................................................................105 5-4. MUP Ollydbg script ...............................................................................................114 </p><p>Module 6 Anti-Reverse ..............................................................................................................121 6-1. .........................................................................................................................122 6-2. BreakPoint ...................................................................................................................133 6-3. TLS Callback ................................................................................................................................145 6-4. Process Attach ......................................................................................................................150 </p><p>Module 7 ............................................................................................................................155 7-1. ........................................................................................................156 7-2. - shadowbot .........................................................................................................173 </p></li><li><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- ii -</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 1 -</p><p>Module 1 RCE ? </p><p>Objectives </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 2 -</p><p>1-1. RCE ? </p><p>Student Notes </p><p> . . </p><p> (EXE, DLL, SYS ) </p><p> C </p><p> . </p><p> . </p><p>RCE?</p><p>Reverse Code Engineering , </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 3 -</p><p> . </p><p> . PC , HEX </p><p> , </p><p>. </p><p> . , C </p><p> . </p><p> VC gcc </p><p> () . CPU </p><p> . VC, VB, </p><p>() C . </p><p> VB . </p><p>() . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 4 -</p><p>1-2. RCE </p><p>Student Notes </p><p> 12 2 () </p><p> . </p><p> 1 1 </p><p> . </p><p>1. 3 </p><p>2. </p><p> [ 2001.1.16][[ </p><p>2001.7.17]] </p><p>RCE </p><p> (Competition) (Copyrightlaw) The Digital Millennium Copyright Act (DMCA)</p><p> RIAA Felten ebook SunnComm CD </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 5 -</p><p> 2001 1 16 7 17 , </p><p> . </p><p> 2000 , 2001 </p><p> , . </p><p> . </p><p> . </p><p>DMCA(The Digital Millennium Copyright Act) </p><p>. DMCA HTML , , , , , </p><p>, , , . DMCA </p><p> . </p><p>DMCA Sony-BMG "" </p><p>Sony-BMG CD "(root kit)" </p><p>Secure Digital Music Initiative(SDMI) </p><p> , </p><p> . SDMI </p><p>. . </p><p>SunnComm CD </p><p> SunnComm </p><p> . SunnComm . </p><p> pdf </p><p> . </p><p>pdf . </p><p> . . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 6 -</p><p>1-3. RCE </p><p>Student Notes </p><p>. . </p><p> / . /</p><p> ( ) </p><p> . </p><p> exe PC </p><p> . PC </p><p> PC </p><p> . . </p><p>RCE </p><p> DRM </p><p>RCE </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 7 -</p><p> . </p><p> . </p><p> . </p><p> . </p><p>DRM </p><p> DRM . </p><p> . </p><p> . </p><p> API </p><p> . </p><p> . </p><p> . </p><p> . </p><p> . </p><p> . . </p><p> . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 8 -</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 9 -</p><p>Module 2 RCE </p><p>Objectives </p><p> CPU </p><p> CPU </p><p> / </p><p> STACK </p><p> (Calling Convention) </p><p> SEH(Structured Exception Handling) </p><p> C </p><p> API </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 10 -</p><p>2-1. CPU </p><p>Student Notes </p><p>CPU , . </p><p>CPU . CPU </p><p> , , , . CPU </p><p> . , (ALU: arithmetic logic </p><p>unit), (control unit) . </p><p> . </p><p>. . </p><p> . - - </p><p>CPU </p><p>BUS Interface</p><p>ALU(Arithmetic Logic Unit)</p><p>Control Unit</p><p>Register Set</p><p>CPU (Central Processing Unit)</p><p>Memory</p><p>I/O BUS</p><p>Keyboard Monitor NIC HDDMonitor</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 11 -</p><p> CPU </p><p> Control Unit ALU ALU . </p><p> ALU() : (, ) ( , , </p><p>) . </p><p> . </p><p> Register : . </p><p> . </p><p> - . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 12 -</p><p>2-2. CPU </p><p>Student Notes </p><p>CPU , , EFLAGS , CIP </p><p> . 32 (4 ) 16 8 </p><p> . </p><p>CPU Register</p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 13 -</p><p> 00000000 FFFFFFFF . </p><p> (General-Purpose Register) </p><p> , , </p><p>. </p><p> EAX(Extended Accumulator Register) : </p><p> EBX(Extended Base Register) : DS ( </p><p> ) </p><p> ECX(Extended Counter Register) : </p><p> EDX(Extended Data Register) : </p><p> ESI(Extended Source Index) : </p><p> EDI(Extended Destination Index) : </p><p> ESP(Extended Stack Pointer) : , TOP </p><p> EBP(Extended Base Pointer) : , </p><p> (Segment Register) </p><p> 16 . </p><p> . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 14 -</p><p> CS : </p><p>- </p><p> . </p><p> SS : </p><p>- </p><p> . </p><p> DS : </p><p> ES : , </p><p> FS/GS : , IA32 </p><p> . </p><p> Flat Segmented . </p><p> Segmented . </p><p>EFLAGS </p><p> EFLAGS , , 1, 3, 5, 15, 22 </p><p>~ 31 . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 15 -</p><p>LAHF, SAHF, PUSHF, PUSHFD, POPF, POPPFD EAX </p><p> . EFLAGS (BT, BTS, BTR, BTC) </p><p> . </p><p> (Status Flags) : (ADD, SUB, MUL, DIV) . </p><p> CF(bit 0) Carry flag : </p><p>- 0 : </p><p>- 1 : </p><p> PF(bit 2) Parity flag </p><p> AF(bit 4) Adjust flag </p><p> ZF(bit 6) Zero flag : </p><p>- 0 : 0 </p><p>- 1 : 0 </p><p> SF(bit 7) Sign flag </p><p> OF(bit 11) Overflow flag : </p><p>- 0 : </p><p>- 1 : ( ) </p><p> (Control Flags) </p><p> DF(bit 10) Direction flag </p><p> (System Flags) </p><p> TF(bit 8) Trap flag </p><p> IF(bit 9) Interrupt enable flag </p><p> IOPL(bit 12, 13) I/O privilege level field </p><p> NT(bit 14) Nested task flag </p><p> RF(bit 16) Resume flag </p><p> VM(bit 17) Virtual-8086 mode flag </p><p> AC(bit 18) Alignment check flag </p><p> VIF(bit 19) Virtual interrupt flag </p><p> VIP(bit 20) Virtual interrupt pending flag </p><p> ID(bit 21) Identification flag </p><p> ZF, OF, CF . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 16 -</p><p>EIP </p><p> . </p><p> EIP . 16 </p><p>EIP( 16 0), 32 EIP . </p><p>EIP CALL, JMP, RET control-transfer </p><p> . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 17 -</p><p>2-3. Assembly </p><p>Student Notes </p><p> . </p><p> . </p><p> . </p><p>Assembly</p><p> Arithmetic Instruction Data Transfer Instruction Logical Instruction String Instruction Control Transfer Instruction Processor Control Instruction</p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 18 -</p><p>Arithmetic Instruction </p><p> ADD SUB ADC SBB CMP INC 1 DEC 1 NEG 2 , AAA AL UNPACK 10 DAA AL PACK 10 AAS AL UNPCAK 10 DAS AL PCAK 10 MUL AX AX DX:AX IMUL AAM AX UNPACK 10 DIV AX DX:AX . AL, AX AH, DX IDIV AAD AX UNPACK 10 CBW AL AX CWD AX DX:AX </p><p>Data Transfer Instruction </p><p> MOV () PUSH POP XCHG XLAT BX:AL AL LEA LDS REG (MEM), DS (MEM+2) LES REG (MEM), ES (MEM+2) LAHF AH SAHF AH PUSHF POPF </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 19 -</p><p>Logical Instruction </p><p> NOT 1 , </p><p>SHL/SAL ( 0) SHR ( 0) SAR , </p><p>ROL/ROR / RCL/RCR / AND AND TEST AND OR OR XOR (OR) </p><p>String Instruction </p><p> REP REP CS 0 MOVS DS:DI ES:DI COMPS DS:DI ES:DI SCAS AL AX ES:DI LODS SI AL AX STOS AL AX ES:DI </p><p>Control Transfer Instruction </p><p> CALL JMP RET CALL PUSH JE/JZ 0 ZF=1 JL/JNGE ( ) SF != OF JB/JNAE ( ) CF=1 JLE/JNG ( ) ZF=1 or SF != OF JBE/JNA ( ) CF=1 or ZF=1 JP/JPE 1 PF=1 </p><p>JO OF=1 JS 1 SF=1 </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 20 -</p><p>JC CF=1 JNE/JNZ 0 ZF=0 JNL/JGE ( ) SF=OF JNB/JAE ( ) CF=0 JNLE/JG ( ) ZF=0 and SF=OF JNBE/JA ( ) CF=0 and ZF=0 JNP/JPO 0 PF=0 </p><p>JNO OF=0 JNS 0 SF=0 JNC CF=0 LOOP CX 1 , 0 </p><p>LOOPZ/LOOPE CX 0 ZF=1 LOOPNZ/LOOPNE CX 0 ZF=0 </p><p>JCXZ CX 0 CX=0 INT INTO IRET () </p><p>Processor Control Instruction </p><p> CLC CMC CLD CLI HLT STC NOP STD STI WAIT ESC </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 21 -</p><p>2-4. STACK </p><p>Student Notes </p><p> . PUSH </p><p> POP </p><p>. LIFO(Last In First Out) . </p><p> . </p><p> Full Stack : TOP PUSH </p><p> Empty Stack : TOP </p><p> Ascending Stack : </p><p> Descending Stack : </p><p>STACK </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 22 -</p><p> Full Descending Stack . , TOP </p><p>. </p><p> EBP, ESP, EIP . EBP </p><p> ESP ESP </p><p>. ESP TOP . </p><p>EIP </p><p> . </p><p> . </p><p> F1 func1 </p><p> . func1 </p><p> . func1 func1 </p><p> . </p><p> func1 func2 . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 23 -</p><p>2-5. (Calling Convention) </p><p>Student Notes </p><p>. , . </p><p> , </p><p> , , </p><p> . </p><p> (Stack Frame) . </p><p> (Calling Convention)</p><p> Argument </p><p> Stack : C , cdecl, stdcall, Pascal Register : fastcall</p><p> Argument Right to Lest : cdecl, stdcall Left to Right</p><p> Stack Clearing Caller : cdecl Callee : stdcall</p><p> Return Value </p><p>__stdcall, __cdecl, __fastcall</p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 24 -</p><p> . </p><p> . </p><p> Fame Pointer( Base Pointer) </p><p> . </p><p> EBP . </p><p> 5 (stdcall, cdecl, thiscall, fastcall, naked) </p><p> stdcall cdecl . </p><p>__stdcall </p><p>stdcall API . stdcall </p><p> , </p><p> (Callee) , eax </p><p> . </p><p> . call ret n . </p></li><li><p> Reverse Engineering </p><p>http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 25 -</p><p>__cdecl </p><p>cdecl C C++ , </p><p> . cdecl </p><p> , (Caller) </p><p> , eax . cdecl </p><p> , </p><p> . call add esp, n . </p><p> stdcall cdecl </p><p>. </p><p>stdcall (Callee) (Caller) Callee </p><p> cdecl Caller </p><p> Callee . </p></li><li><p> Reverse Engineering </p><p> http://www.securitya.kr 2008 Security Awareness Korea </p><p>- 26 -</p><p>2-6. SEH(Structured Exception Handl...</p></li></ul>

Recommended

REVERSE-ENGINEERING BANKS’ - Rutgers ?· REVERSE-ENGINEERING BANKS ... banks are developing internal…
REVERSE-ENGINEERING BANKS’ - Rutgers ?· REVERSE-ENGINEERING BANKS ... banks are developing internal…
Reverse Engineering a Disposable ?· Reverse Engineering a Disposable Camera . Module Overview . Reverse…
Reverse Engineering a Disposable ?· Reverse Engineering a Disposable Camera . Module Overview . Reverse…
Reverse Engineering Pneumatic Steel Strapping ?· Reverse Engineering Pneumatic Steel Strapping Machine…
Reverse Engineering Pneumatic Steel Strapping ?· Reverse Engineering Pneumatic Steel Strapping Machine…
Reverse engineering Java Enterprise Applications in ?· Reverse engineering Java Enterprise Applications…
Reverse engineering Java Enterprise Applications in ?· Reverse engineering Java Enterprise Applications…
Software reverse engineering pdf - reverse engineering pdf Software Reverse Engineering SRE is the practice of analyzing a software. Education, several peer-reviewed articles on software reverse
Software reverse engineering pdf - reverse engineering pdf Software Reverse Engineering SRE is the practice of analyzing a software. Education, several peer-reviewed articles on software reverse
Mainframe Application Reverse Engineering ?· Mainframe Application Reverse Engineering Key to Unlocking…
Mainframe Application Reverse Engineering ?· Mainframe Application Reverse Engineering Key to Unlocking…
Reverse Engineering Static Content and Dynamic Behaviour ... ?· Reverse Engineering Static Content…
Reverse Engineering Static Content and Dynamic Behaviour ... ?· Reverse Engineering Static Content…
REVERSE ENGINEERING METHOD USED FOR INSPECTION ?· REVERSE ENGINEERING METHOD USED FOR INSPECTION ...…
REVERSE ENGINEERING METHOD USED FOR INSPECTION ?· REVERSE ENGINEERING METHOD USED FOR INSPECTION ...…
Reverse-Engineering a Cryptographic RFID jkatz/security/downloads/Mifare1.pdf · Reverse-Engineering…
Reverse-Engineering a Cryptographic RFID jkatz/security/downloads/Mifare1.pdf · Reverse-Engineering…
Reverse engineering is reverse forward engineering
Reverse engineering is reverse forward engineering
Metodi e tecniche di Reverse Engineering - Reverse Engineering.pdf · Reverse Engineering ... matematica…
Metodi e tecniche di Reverse Engineering - Reverse Engineering.pdf · Reverse Engineering ... matematica…
Reverse Engineering Web Applications
Reverse Engineering Web Applications
Reverse Engineering CAPTCHAs - PLG UWplg. migod/papers/2008/wcre08-captcha.pdf · Reverse Engineering…
Reverse Engineering CAPTCHAs - PLG UWplg. migod/papers/2008/wcre08-captcha.pdf · Reverse Engineering…
X86/WIN32 reverse engineering Cheat ?· X86/WIN32 REVERSE ENGINEERING CHEAT­SHEET Registers Instructions…
X86/WIN32 reverse engineering Cheat ?· X86/WIN32 REVERSE ENGINEERING CHEAT­SHEET Registers Instructions…
Data Reverse Engineering: A Historical Survey - Reverse Engineering: A Historical Survey ... reverse engineering techniques consist of a more ... reverse engineering since many legacy systems do notPublished in: working conference on reverse engineering 2000Authors: Kathi Hogshead Davis P H AlkenAffiliation: Northern Illinois UniversityAbout: Software Engineering Data analysis Reverse engineering
Data Reverse Engineering: A Historical Survey - Reverse Engineering: A Historical Survey ... reverse engineering techniques consist of a more ... reverse engineering since many legacy systems do notPublished in: working conference on reverse engineering 2000Authors: Kathi Hogshead Davis P H AlkenAffiliation: Northern Illinois UniversityAbout: Software Engineering Data analysis Reverse engineering
[IEEE Comput. Soc Fourth Working Conference on Reverse Engineering - Amsterdam, Netherlands (6-8 Oct. 1997)] Proceedings of the Fourth Working Conference on Reverse Engineering - Reverse engineering is reverse forward engineering
[IEEE Comput. Soc Fourth Working Conference on Reverse Engineering - Amsterdam, Netherlands (6-8 Oct. 1997)] Proceedings of the Fourth Working Conference on Reverse Engineering - Reverse engineering is reverse forward engineering
사용자를 위한 효율적인 UI 란 ?
사용자를 위한 효율적인 UI 란 ?
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
Chemical respiratory allergy: Reverse engineering an ... ?· respiratory allergy: Reverse engineering…
Chemical respiratory allergy: Reverse engineering an ... ?· respiratory allergy: Reverse engineering…
Reverse Engineering Cheat Sheet
Reverse Engineering Cheat Sheet
View more >