reverse engineering

http://www.securitya.kr 2008 Security Awareness Korea

- i -

Reverse Engineering Table of Content

Module 1 RCE ?..................................................................................................................................1 1-1. RCE ? ............................................................................................................................................2 1-2. RCE .................................................................................................................................4 1-3. RCE ..................................................................................................................................6

Module 2 RCE ...............................................................................................................................9 2-1. CPU ................................................................................................................................10 2-2. CPU ................................................................................................................................12 2-3. Assembly.........................................................................................................................................17 2-4. STACK ...................................................................................................................................21 2-5. (Calling Convention).............................................................................................23 2-6. SEH(Structured Exception Handling).............................................................................................26 2-7. C ........................................................................................34 2-8. API ..............................................................................................40

Module 3 PE ........................................................................................................................43 3-1. PE ..................................................................................................................................44 3-2. DOS DOS Stub Code ........................................................................................................49 3-3. PE File Header ................................................................................................................................51 3-4. Optional Header ..............................................................................................................................54 3-5. Section Table...................................................................................................................................59 3-6. Import Table....................................................................................................................................62 3-7. Export Table....................................................................................................................................69

Module 4 ..............................................................................................................................75 4-1. ...............................................................................................................................76 4-2. CrackMe ........................................................................................................................84 4-3. KeygenMe .....................................................................................................................94

Module 5 MUP(Manual UnPack) .....................................................................................................101 5-1. Packing / Unpacking .....................................................................................................................102 5-2. Packing .................................................................................................................................103 5-3. MUP .....................................................................................................................................105 5-4. MUP Ollydbg script ...............................................................................................114

Module 6 Anti-Reverse ..............................................................................................................121 6-1. .........................................................................................................................122 6-2. BreakPoint ...................................................................................................................133 6-3. TLS Callback ................................................................................................................................145 6-4. Process Attach ......................................................................................................................150

Module 7 ............................................................................................................................155 7-1. ........................................................................................................156 7-2. - shadowbot .........................................................................................................173


- ii -

Reverse Engineering


- 1 -

Module 1 RCE ?

Objectives

Reverse Engineering


- 2 -

1-1. RCE ?

Student Notes

. .

(EXE, DLL, SYS )

C

.

.

RCE?

Reverse Code Engineering ,

Reverse Engineering


- 3 -

.

. PC , HEX

,

.

. , C

.

VC gcc

() . CPU

. VC, VB,

() C .

VB .

() .

Reverse Engineering


- 4 -

1-2. RCE

Student Notes

12 2 ()

.

1 1

.

1. 3

2.

[ 2001.1.16][[

2001.7.17]]

RCE

(Competition) (Copyrightlaw) The Digital Millennium Copyright Act (DMCA)

RIAA Felten ebook SunnComm CD

Reverse Engineering


- 5 -

2001 1 16 7 17 ,

.

2000 , 2001

, .

.

.

DMCA(The Digital Millennium Copyright Act)

. DMCA HTML , , , , ,

, , , . DMCA

.

DMCA Sony-BMG ""

Sony-BMG CD "(root kit)"

Secure Digital Music Initiative(SDMI)

,

. SDMI

. .

SunnComm CD

SunnComm

. SunnComm .

pdf

.

pdf .

. .

Reverse Engineering


- 6 -

1-3. RCE

Student Notes

. .

/ . /

( )

.

exe PC

. PC

PC

. .

RCE

DRM

RCE

Reverse Engineering


- 7 -

.

.

.

.

DRM

DRM .

.

.

API

.

.

.

.

.

. .

.

Reverse Engineering


- 8 -

Reverse Engineering


- 9 -

Module 2 RCE

Objectives

CPU

CPU

/

STACK

(Calling Convention)

SEH(Structured Exception Handling)

C

API

Reverse Engineering


- 10 -

2-1. CPU

Student Notes

CPU , .

CPU . CPU

, , , . CPU

. , (ALU: arithmetic logic

unit), (control unit) .

.

. .

. - -

CPU

BUS Interface

ALU(Arithmetic Logic Unit)

Control Unit

Register Set

CPU (Central Processing Unit)

Memory

I/O BUS

Keyboard Monitor NIC HDDMonitor

Reverse Engineering


- 11 -

CPU

Control Unit ALU ALU .

ALU() : (, ) ( , ,

) .

.

Register : .

.

- .

Reverse Engineering


- 12 -

2-2. CPU

Student Notes

CPU , , EFLAGS , CIP

. 32 (4 ) 16 8

.

CPU Register

Reverse Engineering


- 13 -

00000000 FFFFFFFF .

(General-Purpose Register)

, ,

.

EAX(Extended Accumulator Register) :

EBX(Extended Base Register) : DS (

)

ECX(Extended Counter Register) :

EDX(Extended Data Register) :

ESI(Extended Source Index) :

EDI(Extended Destination Index) :

ESP(Extended Stack Pointer) : , TOP

EBP(Extended Base Pointer) : ,

(Segment Register)

16 .

.

Reverse Engineering


- 14 -

CS :

-

.

SS :

-

.

DS :

ES : ,

FS/GS : , IA32

.

Flat Segmented .

Segmented .

EFLAGS

EFLAGS , , 1, 3, 5, 15, 22

~ 31 .

Reverse Engineering


- 15 -

LAHF, SAHF, PUSHF, PUSHFD, POPF, POPPFD EAX

. EFLAGS (BT, BTS, BTR, BTC)

.

(Status Flags) : (ADD, SUB, MUL, DIV) .

CF(bit 0) Carry flag :

- 0 :

- 1 :

PF(bit 2) Parity flag

AF(bit 4) Adjust flag

ZF(bit 6) Zero flag :

- 0 : 0

- 1 : 0

SF(bit 7) Sign flag

OF(bit 11) Overflow flag :

- 0 :

- 1 : ( )

(Control Flags)

DF(bit 10) Direction flag

(System Flags)

TF(bit 8) Trap flag

IF(bit 9) Interrupt enable flag

IOPL(bit 12, 13) I/O privilege level field

NT(bit 14) Nested task flag

RF(bit 16) Resume flag

VM(bit 17) Virtual-8086 mode flag

AC(bit 18) Alignment check flag

VIF(bit 19) Virtual interrupt flag

VIP(bit 20) Virtual interrupt pending flag

ID(bit 21) Identification flag

ZF, OF, CF .

Reverse Engineering


- 16 -

EIP

.

EIP . 16

EIP( 16 0), 32 EIP .

EIP CALL, JMP, RET control-transfer

.

Reverse Engineering


- 17 -

2-3. Assembly

Student Notes

.

.

.

Assembly

Arithmetic Instruction Data Transfer Instruction Logical Instruction String Instruction Control Transfer Instruction Processor Control Instruction

Reverse Engineering


- 18 -

Arithmetic Instruction

ADD SUB ADC SBB CMP INC 1 DEC 1 NEG 2 , AAA AL UNPACK 10 DAA AL PACK 10 AAS AL UNPCAK 10 DAS AL PCAK 10 MUL AX AX DX:AX IMUL AAM AX UNPACK 10 DIV AX DX:AX . AL, AX AH, DX IDIV AAD AX UNPACK 10 CBW AL AX CWD AX DX:AX

Data Transfer Instruction

MOV () PUSH POP XCHG XLAT BX:AL AL LEA LDS REG (MEM), DS (MEM+2) LES REG (MEM), ES (MEM+2) LAHF AH SAHF AH PUSHF POPF

Reverse Engineering


- 19 -

Logical Instruction

NOT 1 ,

SHL/SAL ( 0) SHR ( 0) SAR ,

ROL/ROR / RCL/RCR / AND AND TEST AND OR OR XOR (OR)

String Instruction

REP REP CS 0 MOVS DS:DI ES:DI COMPS DS:DI ES:DI SCAS AL AX ES:DI LODS SI AL AX STOS AL AX ES:DI

Control Transfer Instruction

CALL JMP RET CALL PUSH JE/JZ 0 ZF=1 JL/JNGE ( ) SF != OF JB/JNAE ( ) CF=1 JLE/JNG ( ) ZF=1 or SF != OF JBE/JNA ( ) CF=1 or ZF=1 JP/JPE 1 PF=1

JO OF=1 JS 1 SF=1

Reverse Engineering


- 20 -

JC CF=1 JNE/JNZ 0 ZF=0 JNL/JGE ( ) SF=OF JNB/JAE ( ) CF=0 JNLE/JG ( ) ZF=0 and SF=OF JNBE/JA ( ) CF=0 and ZF=0 JNP/JPO 0 PF=0

JNO OF=0 JNS 0 SF=0 JNC CF=0 LOOP CX 1 , 0

LOOPZ/LOOPE CX 0 ZF=1 LOOPNZ/LOOPNE CX 0 ZF=0

JCXZ CX 0 CX=0 INT INTO IRET ()

Processor Control Instruction

CLC CMC CLD CLI HLT STC NOP STD STI WAIT ESC

Reverse Engineering


- 21 -

2-4. STACK

Student Notes

. PUSH

POP

. LIFO(Last In First Out) .

.

Full Stack : TOP PUSH

Empty Stack : TOP

Ascending Stack :

Descending Stack :

STACK

Reverse Engineering


- 22 -

Full Descending Stack . , TOP

.

EBP, ESP, EIP . EBP

ESP ESP

. ESP TOP .

EIP

.

.

F1 func1

. func1

. func1 func1

.

func1 func2 .

Reverse Engineering


- 23 -

2-5. (Calling Convention)

Student Notes

. , .

,

, ,

.

(Stack Frame) .

(Calling Convention)

Argument

Stack : C , cdecl, stdcall, Pascal Register : fastcall

Argument Right to Lest : cdecl, stdcall Left to Right

Stack Clearing Caller : cdecl Callee : stdcall

Return Value

__stdcall, __cdecl, __fastcall

Reverse Engineering


- 24 -

.

.

Fame Pointer( Base Pointer)

.

EBP .

5 (stdcall, cdecl, thiscall, fastcall, naked)

stdcall cdecl .

__stdcall

stdcall API . stdcall

,

(Callee) , eax

.

. call ret n .

Reverse Engineering


- 25 -

__cdecl

cdecl C C++ ,

. cdecl

, (Caller)

, eax . cdecl

,

. call add esp, n .

stdcall cdecl

.

stdcall (Callee) (Caller) Callee

cdecl Caller

Callee .

Reverse Engineering


- 26 -

2-6. SEH(Structured Exception Handling)

Student Notes

SEH(Structured Exception Handling) .

.

0 ,

.

TIB . TIB

TIB FS:[0] ERR(Exception Registration

Record) . ERR ERR Exception

Handler .

SEH (Structured Exception Handling)

TIB (Thread Information Block) : Thread

ERR Next ERR Exception Handler

FS:[1]FS:[2]

...

FS:[0]

SEH

NEXT

FS

TIB

ERR

SEH

FFFFFF

ERR

Reverse Engineering


- 27 -

Exception Handler .

__cdecl _except_handler( struct _EXCEPTION_RECORD *ExceptionRecord, void * EstablisherFrame, struct _CONTEXT *ContextRecord, void * DispatcherContext );

_CONTEXT . EAX 0, ret .

+0 context

(GetThreadContext API ) +8C gs register +90 fs register +94 es register +98 ds register

+4 debug register #0 +8 debug register #1 +C debug register #2 +10 debug register #3 +14 debug register #6 +18 debug register #7

+9C edi register +A0 esi register +A4 ebx register +A8 edx register +AC ecx register +B0 eax register

Reverse Engineering


- 28 -

FPU / MMX

+1C ControlWord +20 StatusWord +24 TagWord +28 ErrorOffset +2C ErrorSelector +30 DataOffset +34 DataSelector +38 FP registers * 8 ( 10 ) +88 Cr0NpxState

+B4 ebp register +B8 eip register +BC cs register +C0 eflags register +C4 esp register +C8 ss register

Winnt.h EXCEPTION_RECORD .

typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD *ExceptionRecord;

PVOID ExceptionAddress; DWORD NumberParameters; UINT_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];

} EXCEPTION_RECORD;

ExceptionCode :

C0000005h : Read/Write

C0000094h : 0

C0000095h : DIV

C00000FDh :

80000001h : Guard Page

C0000025h : Exception

C0000026h : ExceptionCode

80000003h : INT3

80000004h : Trap

ExceptionFlags :

0 : Exception

1 : Exception

2 : Unwinding

SEH .

Reverse Engineering


- 29 -

Ollydbg

.

. SEH chain Stack

.

ERR Next SEH 0007FFE0

00B13313 . 00B13313 SEH

. Shift + F9 .

Shift + F9 . 00B13313 .

. .

ExceptionRecord, EstablishedFrame, Context,

DispatchContext .

Reverse Engineering


- 30 -

0007FBC8 7C968752 RETURN to ntdll.7C968752 // Return 0007FBCC 0007FCA8 // ExceptionRecord, 0007FBD0 0007FF90 // Frame, ERR 0007FBD4 0007FCC4 // Context 0007FBD8 0007FC84 // DispatchContext

.

00B13321 JMP SHORT 00B13324 00B13324 00B13324

.

NOP(0x90) .

( CTRL + E) .

Reverse Engineering


- 31 -

.

.

SEH .

/*B13313*/ PUSH 0B1331C /*B13318*/ INC DWORD PTR SS:[ESP] /*B1331B*/ RETN /*B1331C*/ NOP

0B1331C ESP 1 . JMP 0B1331D .

/*B1331D*/ MOV EAX,DWORD PTR SS:[ESP+C]

ESP+C EAX . ESP+C 0007FD4

0007FCC4 . CONTEXT .

Reverse Engineering


- 32 -

/*B13321*/ JMP SHORT 00B13324 /*B13324*/ ADD DWORD PTR DS:[EAX+B8],2

EAX+B8 CONTEXT EIP . , EIP 2 .

/*B1332B*/ JMP SHORT 00B13347

00B13347

/*B1332D*/ MOV ESP,EBE817EB /*B13332*/ ADC AL,0E8 /*B13334*/ JMP SHORT 00B13347 /*B13336*/ CALL EC994226 /*B1333B*/ OR EBP,EAX /*B1333D*/ JMP SHORT 00B13347 /*B1333F*/ INT 20 /*B13341*/ JMP SHORT 00B13347

00B13347

/*B13347*/ XOR EAX,EAX

/*B13349*/ RETN

EAX SEH . SEH

SEH .

SEH SEH . F9 .

SEH .

Reverse Engineering


- 33 -

EIP SEH

.

SEH SEH .

SEH EIP 2 SEH

. XOR EAX, EAX EAX 0 SEH

.

Reverse Engineering


- 34 -

2-7. C

Student Notes

C

.

.

.

C

.

C

for, while, if String

strcpy strcmp strlen

.

Reverse Engineering


- 35 -

Example #1. for

#include

main(int argc, char *argv[])

{

int i=0;

int sum=0;

for(i=0; i . 0040103D

00401048 (CMP ) 00401059

00401057 0040103F .

Reverse Engineering


- 36 -

Example #2. if, strcpy, strcmp, strlen

if (strcpy, strcmp, strlen) .

#include void main( int argc, char *argv[] ) { char src[] = "ForEducationbydemantos"; char *dst=(char *)malloc( 30 * sizeof(char)); int cnt=0; printf("Input the password : "); fgets(dst, 30, stdin); dst[strlen(dst)-1] = '\0'; if( strlen(dst) != strlen(src) ) { printf("Not match!!\n"); exit(0); } else { if( !strcmp(dst, src) ) { printf("Good\n"); exit(0); } else printf("Not match!!\n"); exit(0); } }

.

.

Reverse Engineering


- 37 -

4 . EAX F8

EAX .

.

0040109E 004010B9

Not match!! .

.(004010B9)

EAX EDX strcmp

. strcmp (F7 ) . 4

.

.

Reverse Engineering


- 38 -

.

SHR . 0x10 10 16

16 . , 2 4

.

4 ECX EDX 4 4 .

F8 . RETN

CTRL+F8 4

.

. .

Reverse Engineering


- 39 -

Example #3. while

#include #include int main(void) { char ch; ch = getche(); while(ch!='q') { ch=getche(); } printf("found the q"); return 0; }

getche q found the q

. while .

00401034 00401043

. Hex dump v ^ , > .

.

Reverse Engineering


- 40 -

2-8. API

Student Notes

exe API .

API

.

API

.

, , , ,

.

API

CreateFile, ReadFile, WriteFile, SetFilePointer, CopyFile, GetFileAttribute, SetFileAttribute, FindFirstFile, FindNextFile, GetModuleFileName, GetSystemDirectory, GetWindowsDirectory, GetCommandLine, SetCurrentDirectory

RegCreateKey, RegOpenKeyEx, RegSetValueEx, RegQueryValueEx

WSAStartup, WSAAPI socket, recv, send, listen, accept, gethostbyname, ntohs, inet_addr, WNetOpenEnum, WNetEnumResource, InternetGetConnectedState, ioctlsocket

RtlZeroMemory, GlobalAlloc

ShellExecute, GetProcAddress, CreateThread

Reverse Engineering


- 41 -

CreateFile : .

ReadFile : .

WriteFile : .

SetFilePointer : .

CopyFile : .

GetFileAttribute : .

SetFileAttribute : .

FindFirstFile : .

FindNextFile : . FindFirstFile .

GetModuleFileName : .

GetSystemDirectory : .

GetWindowsDirectory : .

GetCommandLine : commandline .

SetCurrentDirectory : .

RegCreateKey : .

RegOpenKeyEx : .

RegSetValueEx : .

RegQueryValueEx : .

WSAStartup : WS2_32.DLL .

socket : .

recv : .

send : .

listen : .

accept : .

gethostbyname : .

Reverse Engineering


- 42 -

ntohs : network byte order host byte order .

inet_addr : IN_ADDR .

WNetOpenEnum : .

WNetEnumResource : WNetOpenEnum .

InternetGetConnectedState : .

ioctlsocket : .

RtlZeroMemory : 0 .

GlobalAlloc : Heap .

ShellExecute : .

GetProcAddress : SLL

CreateThread : .

WIN32.HLP

.

Reverse Engineering


- 43 -

Module 3 PE

Objectives

PE

DOS DOS Stub Code

PE File Header

Optional Header

Section Tables

Import Table

Export Table

Reverse Engineering


- 44 -

3-1. PE

Student Notes

PE (Portable Executable File Format) (File) (Portable)

(Executable) (Format) . Win32

PE .

EXE EXE PE .

DLL PE .

PE Win32 . , CPU

Win32 PE .

Win32 Platform SDK Winnt.h PE .

PE

PE Header

Section #n

...

Section #2

Section #1

Section Table

DOS Stub Code

DOS Header

PE Header

Section #n

...

Section #2

Section #1

Section Table

DOS Stub Code

DOS Header

DISK MEMORY

40byte x

248byte

24 + optional header( 224)

ImageBase

Reverse Engineering


- 45 -

(Image) PE

.

PE .

PE

DOS Header

DOS Stub Code

PE Header

Section Table

Section

DOS Header PE DOS . ImageBase DOS

ImageBase . Stub_PE .

ImageBase 0x01000000

.

DOS 4D 5A(MZ) . MZ DOS Mark Zbikowski DOS

.

Reverse Engineering


- 46 -

PE Header

PE PE . , optional

ImageBase, , , , PE

, .

PE DOS e_lfanew . e_lfanew DOS

4byte .

Section Table

, , ,

. PE PE

PE . PE 248bytes

.

40bytes . 4

40bytes * 4 = 160bytes .

Section

.

. VirtualAddress PointerToRawData . offset

Reverse Engineering


- 47 -

.

.

.text offset 0x400 .text 0x400

. Winhex 0x400 .

PointerToRawData .

.

.text VirtualAddress . VirtualAddress 0x1000

ImageBase offset . offset RVA(Relative Virtual

Address) . .text ImageBase VirtualAddress

0x01001000 . 0x01001000 HEX .

Reverse Engineering


- 48 -

.text 493AD377 .text

FAF4F377 .

.

PE .

SectionAlignment FileAlignment .

.

Optional Header .

FileAlignment

SectionAlignment

Reverse Engineering


- 49 -

3-2. DOS DOS Stub Code

Student Notes

DOS DOS . PE DOS DOS

64bytes . 2byte e_magic

4byte e_lfanew . Winnt.h IMAGE_DOS_HEADER .

typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations

WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed

DOS DOS Stub Code

PE signature

PE File Header

Section #n

...

Section #2

Section #1

Section Table

Optional Header

DOS Stub Code

DOS Header

PE signature

DOS Stub Code

DOS Header

e_lfanew

IMAGE_DOS_HEADER(64byte)

MZ

Reverse Engineering


- 50 -

WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words

LONG e_lfanew; // File address of new exe header } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

e_magic DOS 4D 5A(MZ) . e_lfanew PE

.

DOS Stub Code .

. This

program cannot be run in DOS mode .

STUB

.

Reverse Engineering


- 51 -

3-3. PE File Header

Student Notes

Winnt.h IMAGE_NT_HEADERS .

typedef struct _IMAGE_NT_HEADERS { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader;

} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

IMAGE_NT_HEADERS PE IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER

. PE 50 45 00 00

IMAGE_FILE_HEADER 20bytes .

IMAGE_OPTIONAL_HEADER 224bytes .

PE File Header

PE signature

PE File Header

Section #n

...

Section #2

Section #1

Section Table

Optional Header

DOS Stub Code

DOS Header

Machine

NumberOfSections

TimeDateStamp

PointerToSymbolTable

NumberOfSymbols

SizeOfOptionalHeader

Characteristics

PE\0\0

IMAGE_FILE_HEADER(20byte)

4byte

Reverse Engineering


- 52 -

Data Directory Data Directory Optional .

Winnt.h IMAGE_FILE_HEADER .

typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader;

WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

Winhex .

PE DOS e_lfanew .

File 4 .

Machine : CPU ID . IA32 0x14C IA64 0x200 .

NumberOfSections : .

SizeOfOptionalHeader : optional .

224bytes data directory 96bytes .

Reverse Engineering


- 53 -

Characteristics : . 0x10F

. Winnt.h .

#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004

#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 #define IMAGE_FILE_32BIT_MACHINE 0x0100 #define IMAGE_FILE_DEBUG_STRIPPED 0x0200 #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 #define IMAGE_FILE_SYSTEM 0x1000 #define IMAGE_FILE_DLL 0x2000 #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000

0x10F IMAGE_FILE_RELOCS_STRIPPED(0x0001),

IMAGE_FILE_EXECUTABLE_IMAGE(0x0002), IMAGE_FILE_LINE_NUMS_STRIPPED(0x0004),

IMAGE_FILE_LOCAL_SYMS_STRIPPED(0x0008), IMAGE_FILE_32BIT_MACHINE(0x0100)

.

Reverse Engineering


- 54 -

3-4. Optional Header

Student Notes

Optional PE .

. optional 30 1

. .

. Winnt.h IMAGE_OPTIONAL_HEADER .

typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData;

Optional Header

PE signature

PE File Header

Section #n

...

Section #2

Section #1

Section Table

Optional Header

DOS Stub Code

DOS Header

...

IMAGE_DATA_DIRECTORY #1



MagicAddressOfEntryPointImageBaseSectionAlignmentFileAlignmentSizeOfImageSizeOfHeaderNumberOfRvaAndSizes...

IMAGE_OPTIONAL_HEADER(224byte)

Data Directory(128byte)

Reverse Engineering


- 55 -

DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion;

WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];

} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

Winhex .

Reverse Engineering


- 56 -

Machine : optional optional

. 0x10B .

AddressOfEntryPoint : PE

. RVA . ,

ImageBase .

ImageBase : PE . EXE

ImageBase DLL ImageBase

. DLL

. EXE 0x00400000

, DLL 0x10000000 .

SectionAlignment : .

SectionAlignment .

0x1000(4096byte).

FileAlignment : .

FileAlignment . 0x200(512byte) 2 n

.

SizeOfImage : PE SectionAlignment

.

SizeOfHeader : : FileAlignment

.

Reverse Engineering


- 57 -

Data Directory Optional 128bytes IMAGE_DATA_DIRECTORY

. Winnt.h .

typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

Optional NumberOfRvaAndSize

16 .

Export table, Import table PE (VirtualAddresS)

(Size) .

16 15 0x00

. 15 .

IMAGE_DIRECTORY_ENTRY_EXPORT : EXPORT

. EXPORT DLL .

Reverse Engineering


- 58 -

IMAGE_DIRECTORY_ENTRY_IMPORT : IMPORT

.

IMAGE_DIRECTORY_ENTRY_BASERELOC : .

.

IMAGE_DIRECTORY_ENTRY_TLS : Thread Local Storage .

TLS Callback .

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT : DLL .

IMAGE_DIRECTORY_ENTRY_IAT : (IAT) .

DLL IAT .

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT : .

Reverse Engineering


- 59 -

3-5. Section Table

Student Notes

IMAGE_SECTION_HEADER .

.

.

access violation

. , , ,

.

.

Section Table

PE signature

PE File Header

Section #n

...

Section #2

Section #1

Section Table

Optional Header

DOS Stub Code

DOS Header

...

NameVirtualAddressSizeOfRawDataPointerToRawDataCharacteristics



Section #1

Section #2

Section #n

Reverse Engineering


- 60 -

,

.

Winnt.h IMAGE_SECTION_HEADER .

typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations;

DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Winhex .

Name : . 8byte NULL 8byte

. 8byte 8byte .

VirtualAddress : (RVA ).

SizeOfRawData : . FileAlignment .

PointerToRawData : .

Characteristics : .

PointerToRawData SizeOfRawData VirtualAddress

Reverse Engineering


- 61 -

Characteristics .

Reverse Engineering


- 62 -

3-6. Import Table

Student Notes

Import PE (DLL)

. USER32.DLL KERNEL32.DLL .

DLL EXE DLL .

DLL

DLL Import Table .

PE .idata .

IMAGE_IMPORT_DESCRIPTOR DLL

NULL .

Import Table

OriginalFirstThunk

TimeDateStamp

ForwarderChain

Name

FirstThunk

ForwarderChain

Name

NULL

FirstThunk

TimeDateStamp

OriginalFirstThunk

IMAGE_DIRECTORY_ENTRY_IMPORT

Size

VirtualAddress

IMAGE_THUNK_DATA

IMAGE_THUNK_DATA

hint func1

IMAGE_IMPORT_BY_NAMEILT #1

IAT #1

func1

USER32.DLL

ILT #2

IAT #2

KERNEL32.DLL

IMAGE_IMPORT_DESCRIPTOR

IMPORT TABLE

Binding

Binding

Reverse Engineering


- 63 -

Winnt.h IMAGE_IMPORT_DESCRIPTOR .

typedef struct _IMAGE_IMPORT_DESCRIPTOR { union { DWORD Characteristics; DWORD OriginalFirstThunk; }; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; } IMAGE_IMPORT_DESCRIPTOR;

OriginalFirstThunk : ILT(Import Lookup Table) RVA .

ILT IMAGE_THUNK_DATA . IMAGE_THUNK_DATA

IMAGE_IMPORT_BY_NAME

.

TimeDateStamp : 0 -1 .

ForwarderChain : 0 -1 .

Name : DLL RVA .

FirstThunk : IAT(Import Address Table) RVA . IAT ILT

IMAGE_THUNK_DATA ILT . PE

DLL . IAT

.

IMAGE_THUNK_DATA .

typedef struct _IMAGE_THUNK_DATA32 { union { PBYTE ForwarderString; PDWORD Function; DWORD Ordinal; PIMAGE_IMPORT_BY_NAME AddressOfData; } u1; } IMAGE_THUNK_DATA32;

IMAGE_THUNK_DATA ILT, IAT .

ILT

- OriginalFirstThunk .

- .

Reverse Engineering


- 64 -

- IMAGE_IMPORT_BY_NAME Ordinal .

- Ordinal

IMAGE_IMPRT_BY_NAME RVA .

- .

IAT

- FirstThunk .

- AddressOfData Ordinal .

- IMAGE_THUNK_DATA IMAGE_IMPORT_BY_NAME AddressOfData

. IMAGE_IMPORT_BY_NAME

.

- 1 ordinal , 0 AddressOfData .

- .

IMAGE_THUNK_DATA AddressOfData .

IMAGE_THUNK_DATA Ordinal .

Reverse Engineering


- 65 -

Winhex .

NULL . 6 DLL

.

Import Table

IMAGE_DIRECTORY_ENTRY_IMPORT

Reverse Engineering


- 66 -

VirtualAddress . ,

PE . Stud_PE

.

PE . Import Table Raw

. PE

RVA VirtualAddress Size .

RVA 0x12FD4 .text . .text RawOffset

0x400 0x123D4 .

( RVA) ( VirtualOffset) + RawOffset

Reverse Engineering


- 67 -

. calc.exe

.text .

.

PE IAT(Import Address Table) .

IMAGE_DIRECTORY_ENTRY_IMPORT .

DLL

IMAGE_IMPORT_DESCRIPTOR DLL .

.

RVA 0x12FD4 .text .

, ( 0x12FD4 0x1000 ) + 0x400 = 0x123D4 . Winhex .

Reverse Engineering


- 68 -

calc.exe DLL RVA 0x134D6.

RVA

. Stud_PE 0x134D6 .text

. Name 0x134D6 0x1000 + 0x400 = 0x128D6 .

KERNEL32.dll .

Reverse Engineering


- 69 -

3-7. Export Table

Student Notes

Import Export

. Export Data Directory

0 IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress Size .

Export Import . Winnt.h

.

typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion;

Export Table

Name

Base

NumberOfFunctions

NumberOfNames

AddressOfFunctions

AddressOfNames

AddressOfNameOrdinals

...

AddressOfNames

AddressOfNameOrdinals

...

NumberOfFunctions

NumberOfNames

AddressOfFunctions

Base

Name

IMAGE_DIRECTORY_ENTRY_EXPORT

Size

VirtualAddress

RVA

RVA

RVA

EXPORT TABLEMYDLL.DLL

RVA

RVA

ordinal

ordinal

code

code

Kernel32.OpenProcess

Myfunc2

MyFunc1

Reverse Engineering


- 70 -

DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; // RVA from base of image DWORD AddressOfNames; // RVA from base of image DWORD AddressOfNameOrdinals; // RVA from base of image } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

Name : DLL ASCII RVA

Base :

NumberOfFunctions : AddressOfFunctions RVA

NumberOfNames : AddressOfNames RVA

AddressOfFunctions : (RVA )

AddressOfNames : (RVA )

AddressOfNameOrdinals : . Base

.

DLL

(RVA ), .

Export Table

.

1. IMAGE_DIRECTORY_ENTRY_EXPORT VirtualAddress

VirtualAddress 0x00016A1C Size 0x00004B9A.

2. VirtualAddress RawOffset

( RVA) ( VirtualOffset) + RawOffset

0x00016A1C 0x00001000 + 0x00000400 = 0x00015E1C

Reverse Engineering


- 71 -

RVA 0x16A1C .text . .text

RawOffset 0x400 0x15E1C . Winhex .

.

Name : 0x000186D2

Base : 1

NumberOfFuntions : 0x000002DB

NumberOfNames : 0x000002DB

AddressOfFunctions : 0x00016A44

AddressOfNames : 0x000175B0

AddressOfNameOrdinals : 0x0001811C

offset RVA

.

Reverse Engineering


- 72 -

Name : 0x000186D2 0x1000 + 0x400 = 0x00017AD2

USER32.dll . NULL ( \0 ) .

1 (Base : 1), 731 (NumberOfFuntions : 0x2DB),

731 . (NumberOfNames : 0x2DB)

AddressOfNames .

AddressOfNames : 0x000175B0 0x1000 + 0x400 = 0x000169B0

0x000186DD RVA offset 0x00017ADD.

ActivateKeyboardLayout .

AddressOfFunctions 0x00016A44 0x1000 + 0x400 = 0x00015E44

.

Reverse Engineering


- 73 -

AddressOfNameOrdinals : 0x0001811C 0x1000 + 0x400 = 0x0001751C

0x1751C NumberOfNameOrdinals .

1 Base

. USER32.dll 731(0x2DB)

AddressOfNameOrdinals 731(0x2DB) .

.

Reverse Engineering


- 74 -

Reverse Engineering


- 75 -

Module 4

Objectives

CrackMe / KeygenMe

Reverse Engineering


- 76 -

4-1.

Student Notes

, , , .

. .

Debugger Ollydbg

Disassembler IDA W32DASM

File Analyzer Stud PE PEiD ImportREConstruction

HEX Editor WinHex

Reverse Engineering


- 77 -

Ollydbg

http://www.ollydbg.de/ , .

File : .

View : .

Debug : .

Plugins : .

Options : .

Window, Help : () .

restart, close, run .

.

.

E : Executable modules,

M : Memory map,

H : Handles,

C : CPU main htread,

/ : Patches,

K : Call stack of main thread

B : Breakpoints,

R : References,

... : Run trace

Reverse Engineering


- 78 -

.

A OP .

, OP , , .

.

B . A offset ,

.

C .

.

D CPU . .

E Stack .

Ollydbg .

Reverse Engineering


- 79 -

Option Appearance udd plugins .

Option Debugging Option CPU : jump .

Reverse Engineering


- 80 -

Exception .

.

Reverse Engineering


- 81 -

Stud PE

PE http://www.cgsoftlabs.ro/studpe.html

.

PEiD

PE Stud PE .

http://www.peid.info/ .

Reverse Engineering


- 82 -

ImportREC

IAT . IAT

IAT . ImportREC .

http://vault.reversers.org/ImpRECDef .

IAT . IAT

. 0000 0000

IAT 0000 0000

ImportREC . IAT

.

Reverse Engineering


- 83 -

Winhex

HEX . .

Reverse Engineering


- 84 -

4-2. CrackMe

Student Notes

Crackme

. Crackme

, . Keygen

Keygen

.

.

CrackMe

Key Keyfile

Reverse Engineering


- 85 -

Crackme #1

.

Invalid Password

.

Invalid Password . .

Search for All reference text strings

.

The password is %s .

The password is xxxxxxxxxx

Invalid Password . Invalid Password

.

Reverse Engineering


- 86 -

Invalid Password 004010DA

. 004010DA 0040109C The password is %s

. JNB

004010DC The password is %s . ,

. .

PUSH Crackme#.00407030 Please enter the password:

CALL . CALL

. .

.

Reverse Engineering


- 87 -

.

/*40102C*/ ADD ESP,4 //

/*40102F*/ PUSH 10 // 10

/*401031*/ PUSH 0 // 0

/*401033*/ LEA EAX,DWORD PTR SS:[EBP-34] // EBP-34 () EAX

/*401036*/ PUSH EAX // EAX

/*401037*/ CALL Crackme#.00401150 // 00401150

/*40103C*/ ADD ESP,0C //

/*40103F*/ MOV DWORD PTR SS:[EBP-1C],0 // EBP-1C 0

/*401046*/ MOV DWORD PTR SS:[EBP-20],0 // EBP-20 0

/*40104D*/ MOV DWORD PTR SS:[EBP-24],0 // EBP-24 0

.

.

.

00401054 00401140 .

. EAX .

Reverse Engineering


- 88 -

Disassembly . ,

00401054 00401084 .

.

/*401059*/ MOV BYTE PTR SS:[EBP-4],AL // AL EBP-4 1

/*40105C*/ MOV ECX,DWORD PTR SS:[EBP-1C] // EBP-1C ECX

/*40105F*/ MOV DL,BYTE PTR SS:[EBP-4] // EBP-4 DL

/*401062*/ MOV BYTE PTR SS:[EBP+ECX-34],DL // DL EBP+ECX-34

/*401066*/ MOV EAX,DWORD PTR SS:[EBP-1C] // EBP-1C EAX

/*401069*/ ADD EAX,1 // EAX 1

/*40106C*/ MOV DWORD PTR SS:[EBP-1C],EAX // EAX EBP-1C

/*40106F*/ MOVSX ECX,BYTE PTR SS:[EBP-4] // EBP-4 ECX

/*401073*/ CMP ECX,0A // ECX 0x0A

/*401076*/ JE SHORT Crackme#.00401086 // 00401086

/*401078*/ MOVSX EDX,BYTE PTR SS:[EBP-4] // EBP-4 EDX

/*40107C*/ TEST EDX,EDX // EDX EDX AND

/*40107E*/ JE SHORT Crackme#.00401086 // 00401086

/*401080*/ CMP DWORD PTR SS:[EBP-1C],10 // EBP-1C 0x10

/*401084*/ JB SHORT Crackme#.00401054 // EBP-1C 0x10 00401054

Reverse Engineering


- 89 -

. 4

.

CALL 00401140 EAX .

[EBP-1C] [EBP+ECX-34]

. [EBP-4] . BYTE PTR SS

(1 ) .

ECX [EBP-4] 0x0A . [EBP-4]

0x72( r ) 0x0A . 0x0A LF(Line Feed)

.

[EBP-1C] 0x10 [EBP-1C]

16 (0x10) . 16

00401054 . , 16

.

.

Reverse Engineering


- 90 -

.

EAX (0x0B) ESP

.

Crackme#1 16 EAX

. EAX .

EAX .

.

EBP-34 EAX EAX [EBP-8] . [EBP-20]

[EBP-24] 0 3 . .

[EBP-34] 0013FF4C .

004010AE . 004010AE .

[EBP-20] 0x0D [EBP-20] 0x0D 004010DC

. , [EBP-20] 0x0D .

Reverse Engineering


- 91 -

[EBP-20] 0 .

004010B4 .

/*4010B4*/ MOV EAX,DWORD PTR SS:[EBP-20] // EBP-20 EAX

/*4010B7*/ SHR EAX,2 // EAX 2

/*4010BA*/ MOV ECX,DWORD PTR SS:[EBP-8] // EBP-8 ECX

/*4010BD*/ MOV EDX,DWORD PTR SS:[EBP-24] // EBP-24 EDX

/*4010C0*/ MOV EAX,DWORD PTR DS:[ECX+EAX*4] // ECX+EAX*4 EAX

/*4010C3*/ CMP EAX,DWORD PTR SS:[EBP+EDX*4-18] // EBP+EDX*4-18 EAX

4

. .

Reverse Engineering


- 92 -

004010B4 004010C3 ECX

EAX 0 .([EBP-20] 0 )

EDX [EBP-24] 3 .

, EBP+EDX*4-18 0013FF80 + 3 * 4 18 = 0x0013FF80 + 0xC 0x18 = 0x0013FF74 . ,

qwer powe . 004010DA

004010C9 . 004010C9 Invalid Password

. 4 powe

.

.

. 4 004010DA

0040109C .

/*40109C*/ MOV ECX,DWORD PTR SS:[EBP-20] // EBP-20 ECX

/*40109F*/ ADD ECX,4 // ECX 4

/*4010A2*/ MOV DWORD PTR SS:[EBP-20],ECX // ECX EBP-20

/*4010A5*/ MOV EDX,DWORD PTR SS:[EBP-24] // EBP-24 EDX

/*4010A8*/ SUB EDX,1 // EDX 1

/*4010AB*/ MOV DWORD PTR SS:[EBP-24],EDX // EDX EBP-24

/*4010AE*/ CMP DWORD PTR SS:[EBP-20],0D // EBP-20 0x0D

Reverse Engineering


- 93 -

[EBP-20] 0 ECX 0 4

[EBP-20] . [EBP-24] EDX 1

[EBP-24] . [EBP-20] ECX 4 [EBP-24] EDX 2

. [EBP-20] 4 0x0D

13 0x0D(13) 004010DC .

004010B4 004010C3 [EBP-20] 4 EAX

SHR 1 . [EBP-8] ECX [EBP-24]

EDX .

.

ECX + EAX*4 = 0x0013FF4C + 1 * 4 = 0x0013FF50

EBP + EDX*4 18 = 0x0013FF80 + 2 * 4 0x18 = 0x0013FF80 + 0x08 0x18 = 0x0013FF70

.

4

4 .

.

Reverse Engineering


- 94 -

4-3. KeygenMe

Student Notes

Keygenme

. keygenme C C++

.

.

KeygenMe

Key Key Key Keygen

Reverse Engineering


- 95 -

keygenme#1

.

.

.

. .

Nope, thats not it! Try again

. .

. Search for All referenced text strings .

(Good boy...) .

.

Reverse Engineering


- 96 -

0040128A OR EAX, EAX. lstrcmpA

( )

.

. .

Reverse Engineering


- 97 -

00401248 F9 .

Check It 00401248 . F8

00401252 .

/*401252*/ PUSH keygenme.00406584

. .

.

. 00401285 lstrcmp

1234567890 JXCS-USIQ-XNUI-

CPRU . OR EAX, EAX

. 0040128E 004012A8 .

.

.

? Nope, thats not it! Try

again .

MessageBoxA 4 . API .

Reverse Engineering


- 98 -

int MessageBox( HWND hWnd, // handle of owner window LPCTSTR lpText, // address of text in message box LPCTSTR lpCaption, // address of title of message box UINT uType // style of message box );

. .

/*4012A8*/ PUSH 10 /*4012AA*/ PUSH keygenme.00406337 /*4012AF*/ PUSH keygenme.00406318 /*4012B4*/ PUSH DWORD PTR SS:[EBP+8] /*4012B7*/ CALL

00406337 00406318 . 00406318

.

lstrcmpA .

00406B84 . .

.

/*4012AA*/ PUSH keygenme.00406337

/*4012AF*/ PUSH keygenme.00406318

/*4012AA*/ PUSH keygenme.0040630C

/*4012AF*/ PUSH keygenme.00406B84

Copy to executable All modifications

Reverse Engineering


- 99 -

. Copy all .

Save file

.

.

.

.

C .

URL .

http://dual5651.hacktizen.com/new/87

Reverse Engineering


- 100 -

Reverse Engineering


- 101 -

Module 5 MUP(Manual UnPack)

Objectives

Packgin / Unpacking

Packing

MUP

MUP Ollydbg script

Reverse Engineering


- 102 -

5-1. Packing / Unpacking

Student Notes

Pack , .

.

.

. Entry Point

Entry

Point(OEP) .

Packing / Unpacking

Packing

(EXE, DLL) Unpacking

( )

Unpack Stub

PE Header

...

...

Code Section

PE Header

Entry Point

OEP

Entry Point

Reverse Engineering


- 103 -

5-2. Packing

Student Notes

( ) .

.

PEiD EXEInfo

. 100% .

.

.

Packing

UPX, ASPack, FSG Packer Packer .

() ()

Reverse Engineering


- 104 -

EXEInfo SVK-Protector v1.32 demo

PEiD yodas cryptor 1.x / modified . Stud_PE yodas

cryptor 1.x / modified .

yodas cryptor .

A B

A . B

.

() OEP

.

Reverse Engineering


- 105 -

5-3. MUP

Student Notes

MUP OEP IAT .

.

IAT . IAT .

UPX .

MUP

1. Packing PEiD EXEInfo

2. OEP .3.

unpack 4. IAT

Reverse Engineering


- 106 -

.

Compressed code? .

.

PUSHAD .

. .

OEP

POPAD .

PUSHAD

.

Reverse Engineering


- 107 -

POPAD JMP

.

JMP F8 OEP .

Reverse Engineering


- 108 -

.

OEP . Dump debugged process

. Olly Dump .

. Entry Point 20C40 12475

. OEP . Rebuild Import .

IAT

. IAT IAT

IAT ? . IAT ImportREConstructor

.

Reverse Engineering


- 109 -

ImportREC Attach to an Active Process MUP .

calc_upx.exe IAT .

IAT IAT

.

OEP 1 AuthoSearch Get Imports

.

Reverse Engineering


- 110 -

Fix Dump IAT .

calc_dump_.exe IAT .

. calc_dump.exe IAT

.

IAT

PE . NULL (00000000) .

. ImportREC IAT 00000000

IAT 00000000 .

?

.

Reverse Engineering


- 111 -

IAT IAT

.

IAT read .

IAT .

ImportREC IAT RVA Size

.

RVA 00025190 00425190 .

.

. ImportREC 0xCC .

Reverse Engineering


- 112 -

0xCC .

00000000 . .

. IAT . ImportREC IAT

. IAT 0x425190

0x4252C0 0x130 .

OEP Get Import IAT .

Reverse Engineering


- 113 -

Fix Dump IAT

.

(OEP) . IAT

ImportREC

. .

Before Packing

After Packing

Reverse Engineering


- 114 -

5-4. MUP Ollydbg script

Student Notes

MUP .

. MUP

. MUP

.

Olly Script .

.

MUP .

MUP Ollydbg script

MUP Ollydbg script

, 16 (10 . ex. 10=16.)

[] ! #

DWORD +, -, *, /, &, |, ^, >,

Reverse Engineering


- 115 -

Olly Script

$result

EAX

$version

Ollyscript

ex) cmp, $version, 1.47 //1.47 ?

# INC filename

ex) # INC text.txt

# LOG

LOG

OllyDbg Log

ADD dst, src

dst

ex) add y, Times

Alloc size

size $result

ex) alloc 1000, free $result 1000

AI / AO

Animate into / animate over

STI / STO

Step into / step over

ESTI / ESTO

Shift + F7 / Shift + F8

Reverse Engineering


- 116 -

TI / TO

Trace into / trace over

TC

Close Run Trace

TICND / TOCND

Trace into / trace over

ex) TICND eip>40100A

BC Address / BP Address

Breakpoint Clear / BreakPoint

BPCND Address, Condition

BP

ex) bpcnd 40100A, EAX==1

BPHWC Address / BPHWCALL

BP HW Clear / BP HW Clear All

BPHWS Address, pattern

BP HW Set r() w() x() /BPHWS Address

ex) BPHWS 40100A, r

BPL Address, Expression

BP of Logging

ex) bpl 40100A, EAX

BPLCND Address, Expression, Condition

BP of Logging Condition

ex) bplcnd 40100A, EAX, ECX==0

BPMC

BP Memory Clear

Reverse Engineering


- 117 -

BPRM Address, size / BPWM Address, size

BP on Read Memory / BP on Write Memory

ex) BRPM 40100A, FF

ex) BPWM 40100A, FF

AN Address

Ollydbg analyse

ASM Address, Instruction

Ollydbg assemble

$result

ex) asm 40100A, xor eax, eax

CMT address, comment(string of character)

Ollydbg

ex) cmt eip,

Reverse Engineering


- 118 -

OR dst, src / XOR dst, src

Or/xor

EOB Label / EOE Label

Excute On Breakpoint / Excute On Exception

ex) EOB Label / EOE Label1

FILL Address, Length, Value

ex) fill 40100A,10,90

Find Address, Content

$result , 0

ex) find eip, # 6A??E8 #

FINDOP Address, Content

$result

ex) findop 401000, #61# // find next POPAD

findop 401000, #6A??# // find next PUSH

FINDMEM what [, Start Address]

$result , 0

ex) findmem #6A00E8#

findmem #6A00E8#, 00400000

REPL Address, Find, Replace, Length

find ( )

ex) repl eip, #??00 #, #??01 #, 10

RET

REV val

Val $result

ex) rev 01020304 // $result == 04030201

Reverse Engineering


- 119 -

EXEC/ENDE

EXECute / END Excute, {}

ex) var x

var y

mov x, "eax

mov y, "0DEADBEEF

exec

mov {x}, {y}

mov ecx, {x}

ende

ex) exec

push 0

call ExitProcess

ende

ret

JA LABEL / JAE LABEL

Cmp , ja / jae

JB LABEL / JNB LABEL

Cmp , ja / jae

JE LABEL / JNE LABEL

Cmp , ja / jae

JMP LABEL

JMP

LEN str

Str

ex) len NiceJump

msg $RESULT

Reverse Engineering


- 120 -

MUP

.

UPX . PUSHAD POPAD

OEP .

OEP . OEP

Step Over(F8) OEP . OEP

?

ESP .

OEP .

.

STI // Step into(F7), PUSHAD .

BPHWS esp, r // PUSHAD POPAD BP

RUN // (F9)

BPHWC // BP BP

STO // Step over(F8), OEP

CMT eip,

Reverse Engineering


- 121 -

Module 6 Anti-Reverse

Objectives

Breakpoint

TLS Callback

Process Attach

Reverse Engineering


- 122 -

6-1.

Student Notes

.

.

.

.

.

.

.

kernel32!OutputDebugStringACtrl-CRogue Int3"Ice" BreakpointInterrupt 2DhTimestamp countersPopf and the trap flagStack Segment registerDebug registers manipulationContext modificationTLS-callbackCC scanningEntryPoint RVA set to 0

kernel32!IsDebuggerPresentPEB!IsDebuggedPEB!NtGlobalFlagsHeap flagsVista anti-debug (no name)NtQueryInformationProcesskernel32!CheckRemoteDebuggerPresentUnhandledExceptionFilterNtSetInformationThreadkernel32!CloseHandle and NtCloseSelf-debuggingKernel-mode timersUser-mode timers

: http://www.securityfocus.com/infocus/1893

Reverse Engineering


- 123 -

kernel32!IsDebuggerPresent

PEB(Process Environment Block) BeingDebugged

. IsDebuggerPresent()

.

IsDebuggerPresent Debugger not found!

. Debugger found!

.

.

IsDebuggerPresent() EAX .

IsDebuggerPresent() 1 0 . CMP

. (IsDebugg.0040101F)

.

Reverse Engineering


- 124 -

call IsDebuggerPresent test eax, eax jne @DebuggerDetected

CALL F7 .

TEB(Thread Environment Block) PEB PEB PEB + 2

BeingDebugged . BeingDebugged 0

IsDebuggerPresent .

F9 Debugger not found! .

PEB!IsDebugged

PEB . IsDebuggerPresent

. .

mov eax, fs:[30h] mov eax, byte [eax+2] test eax, eax jne @DebuggerDetected

Reverse Engineering


- 125 -

PEB!NtGlobalFlags

PEB 68 NtGlobalFlags .

NtGlobalFlags 0x70 0x00 .

ntdll . Heap

.

FLG_HEAP_ENABLE_TAIL_CHECK (Heap Tail Checking) : 0x10

FLG_HEAP_ENABLE_FREE_CHECK (Heap Free Checking) : 0x20

FLG_HEAP_VALIDATE_PARAMETERS (Heap Parameter Checking) : 0x40

NtGlobalFlags .

FS:[30] PEB . PEB 0x68 NtGlobalFlags .

Reverse Engineering


- 126 -

PEB 0x68 70 .

70 .

NtQueryInformationProcess

.

NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess( IN HANDLE ProcessHandle, IN PROCESS_INFORMATION_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength

);

ProcessDebugPort 7 ProcessInformationClass

ProcessInformation -1 . ,

ProcessInformation 0 -1 .

NtQueryInformationProcess .

Reverse Engineering


- 127 -

NtQueryInformationProcess CALL DWORD PTR

DS:[40306C] NtQueryInformationProcess .

.

eax .

0 TEST 0

. 0x00401035 Step into(F7)

. .

0x7FFE0300 .

0x0013FFC0 ProcessInformation FFFFFFFF .

ProcessInformation .

. POP EAX

FFFFFFFF .

Reverse Engineering


- 128 -

NtQueryinformationProcess ProcessInformation 0

.

7 . 9 . RETN 14

.

ESP+C ProcessInformation 0 .

.

00000000 . TEST

.

Reverse Engineering


- 129 -

kernel32!CheckRemoteDebuggerPresent

CheckRemoteDebuggerPresent

.

BOOL CheckDebugger(HANDLE hProcess) { BOOL Retval = 0; CheckRemoteDebuggerPresent(hProcess,&Retval); return Retval; }

NtQueryInformationProcess . .

CALL EAX Step into(F7) .

EBP+8 0 NtQueryInformationProcess


NtQueryInformationProcess ProcessInformation 0 .


Reverse Engineering


- 130 -

0, 4, 7 PUSH EAX EBP+8

PUSH NtQueryInformationProcess . ProcessInformation

NtQueryInformationProcess

.

/*7C85C09C*/ CMP DWORD PTR SS:[EBP+8],0 EBP+8

.

F9 Debugger not found! .

ProcessInformation NtQueryInformationProcess

.

Timing Check

.

. RDTSC(Read Time

Stamp Counter) . .

Reverse Engineering


- 131 -

.

.

GetTickCount .

Olly Advanced

.

Olly Advanced .

1. 4 (CR4) TSD(Time Stamp Disable) bit

1 . TSD bit 1 Ring0

RDTSC GP(General Protection)

.

2. GP GPF . GPF

0xD GPF IDT

0xD * 4byte .

3. Olly Advanced IDT GPF

GPF RDTSC

RDTSC

timing check .

Reverse Engineering


- 132 -

kernel32!OutputDebugStringA

ASCII OutputDebugStringA .

. 1

.

Ollydbg .

1.10 .

.

. Olly Advanced .

HideDebugger Olly Invisible, IsDebuggerPresent .

Reverse Engineering


- 133 -

6-2. BreakPoint

Student Notes

. .

.

.

.

Break Point

Hardware Breakpoint DR0 ~ DR3 DR7

Software Breakpoint

0xCC (INT 3) Instruction Breakpoint

Memory Breakpoint

Reverse Engineering


- 134 -

Hardware Breakpoint

DR0 ~ DR3 DR7 . .

Software Breakpoint . 0xCC(INT 3) .

Instruction Breakpoint . / .

Memory Breakpoint . /

Hardware Breakpoint

Reverse Engineering


- 135 -

IA32 . DR0 ~ DR7

8 .

DR0 ~ DR3 :

DR4 ~ DR5 :

DR6 : ,

.

DR7 : ,

.

R/W0 ~ R/W3 . 00

01 11 .

DR7 .

. IA32

Ring0 .

SEH Ring3 .

2-6 SEH ContextRecord

.

_CONTEXT . ,

Reverse Engineering


- 136 -

Ring3 .

.

1. SEH

2.

3. SEH

4. ContextRecord

.

. SEH

.

.

Debug Hardware breakpoints

.

Reverse Engineering


- 137 -

F9 .

.

Access violation . Shift + F7/F8/F9

. Shift + F9 Shift + F8

. Shift + F9 .

.

Shift + F9 Shift + F7 .

.

F7 . Shift + F7

SEH Chain . View SEH chain SEH

.

Reverse Engineering


- 138 -

0x0040103E .

.

F9 .

! DR0 ~ DR3

. 0 0x0040109A .

0x0040109A

.

SEH DR0 ~ DR3

0 .

.

CMP DWORD PTR DS:[EAX+4h],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+8h],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+0Ch],0 JNE @hardware_bpx_found CMP DWORD PTR DS:[EAX+10h],0 JNE @hardware_bpx_found

Reverse Engineering


- 139 -

MOV 0

.

MOV DWORD PTR DS:[EAX+4h],0 MOV DWORD PTR DS:[EAX+8h],0 MOV DWORD PTR DS:[EAX+0Ch],0 MOV DWORD PTR DS:[EAX+10h],0

?

NOP .

.

NOP

.

.

.

SEH .

EBP+0x10 ContextRecord .

ContextRecord .

ESP+0x0C ContextRecord .

SEH chain .

Reverse Engineering


- 140 -

Software Breakpoint

1 0xCC(INT 3)

. .

1byte 0xCC .

.

.

.

good job

.

Step over(F8) .

(CALL softbp.exit) (ADD ESP, 0C) .

00401005 .

. ProtectedFunc F2

Reverse Engineering


- 141 -

.

0xCC . 0xCC

. code permutation .

ECX . EAX 0x660 . SHR

EAX 3 0xCC . 0x660

0110 0110 0000 3 000011001100

. 16 0xCC . (4 1100

10 12 . , 16 C )

, 0xCC(INT 3)

.

EDI EAX .

0xCC ECX 0 0 . TEST ECX, ECX

Reverse Engineering


- 142 -

ECX 0 004010A4 .

RETN . RETN

.

RETN POP EIP . POP EIP

.

B58C7BB6

. RETN

.

.

.

.

ProtectedFunc

.

Reverse Engineering


- 143 -

ProtectedFunc F9

.

. 0xCC F8

.

Import . ,

.

F9 .

Reverse Engineering


- 144 -

.( CTRL+N)

MessageBoxA .

F9 .

Reverse Engineering


- 145 -

6-3. TLS Callback

Student Notes

TLS Callback

. TLS Callback . ,

.

TLS Callback . TLS Callback

, OEP

.

TLS Callback

TLS (Thread Local Storage) Callback

TLS Callback .

PE Data Directory 10IMAGE_DIRECTORY_ENTRY_TLS .

Reverse Engineering


- 146 -

.

.

. TLS TLS Callback . ,

TLS Callback .

PE Data Directory TLS . TLS

10 . Stud_PE .

Data Dir IMAGE_DIR_ENTRY_TLS TLS .

RVA, Size, Raw . PE Raw Stud-PE

PE . RVA .

TLS RVA TLS VirtualOffset + RawOffset = 3060 3000 + 800 = 860

Reverse Engineering


- 147 -

TLS 0x860 . Winnt.h IMAGE_TLS_DIRECTORY

.

typedef struct _IMAGE_TLS_DIRECTORY32 { DWORD StartAddressOfRawData; DWORD EndAddressOfRawData; PDWORD AddressOfIndex; PIMAGE_TLS_CALLBACK *AddressOfCallBacks; DWORD SizeOfZeroFill; DWORD Characteristics; } IMAGE_TLS_DIRECTORY32;

AddressOfCallBacks TLS Callback . Winhex .

TLS Callback 0x00403084 . RVA . TLS

Callback . 0x00403084 RVA

ImageBase 0x3084 . (3084 3000 + 800 = 884)

TLS 884 . Winhex .

TLS Callback 0040101B . Entry Point

System breakpoint .

.

Reverse Engineering


- 148 -

System breakpoint .

TLS Callback 0040101B . CTRL+G . 0040101B

.

0040101B F9 . IsDebuggerPresent

.

TLS Callback

,

.

TLS Callback IMAGE_DIRECTORY_ENTRY_TLS

TLS AddressOfCallbacks 00000000 .

TLS Callback IDA

. IDA CTRL+E .

Reverse Engineering


- 149 -

Reverse Engineering


- 150 -

6-4. Process Attach

Student Notes

DLL OCX

. DLL

.

DLL Injection dll

DLL attach .

.

Process Attach

dll ocx

Reverse Engineering


- 151 -

File Attach .

Attach

.

explorer.exe .

Pause . Start .

.

Executable modules . dll

. dll dll View

names .

Reverse Engineering


- 152 -

.

Conditioinal log breakpoint on import

.

Reverse Engineering


- 153 -

dll . View Log .

Log .

. ntdll.dll

ZwContinue CALL . Anti-Attach ZwContinue (Anti-

Debugging )

.

Ollydbg AttachAnyway

ZwContinue

. ZwContinue .

Reverse Engineering


- 154 -

Reverse Engineering


- 155 -

Module 7

Objectives

- shadowbot

Reverse Engineering


- 156 -

7-1.

Student Notes

KISA

. 2007 4 8

.

8

8 :

. .

ID: stage8, PASSWORD:

KISA 4 Unpacking Steganography

Reverse Engineering


- 157 -

.

.

.

. PEiD Nothing found

.

?

Hardcore Scan .

Reverse Engineering


- 158 -

nSPack 2.2 North Star/Liu Xing Ping . PEiD

userdb.txt nSPack .

.

.

. !packed by [email protected]

Reverse Engineering


- 159 -

nspack .

.

Memory map . View Memory ALT+M

.

PE 006E0000 ImageBase .

. F9

.

Reverse Engineering


- 160 -

ImageBase 00400000 .

.

.

CTRL+F2 VirtualAlloc

00400000

. VirtualAlloc .

LPVOID VirtualAlloc( LPVOID lpAddress, // address of region to reserve or commit DWORD dwSize, // size of region DWORD flAllocationType, // type of allocation DWORD flProtect // type of access protection );

. . Command bar

.

VirtualAlloc 7C8245A9 .

F9 00400000

. F9 VirtualAlloc

.

Address NULL . Address 00400000 . F9

Address 00400000 .

Reverse Engineering


- 161 -

F8 VirtualAlloc

.

. CTRL+A

.

.

.

. write .

(write) .

Reverse Engineering


- 162 -

F9 .

00400000 . write

. RETN

. ( )

F9 . RETN 0C F8 .

F8 0045972C .

PUSHAD

POPAD .

Reverse Engineering


- 163 -

POPAD POP JMP EAX

0045972C . OEP .

OEP ImportREC IAT .

IAT .

IAT .

Dump debugged process

OEP .

Reverse Engineering


- 164 -

IAT . 00459737

00406120 CALL 00406050 .

.

Follow in Dump Memory address

.

Long Address IAT .

, IAT . 0000 0000

. 0000 0000

. ImportREC IAT 0000 0000

IAT .

Reverse Engineering


- 165 -

IAT 0045D118 0045D6D0 . IAT

OEP OEP 0045972C .

IAT CTRL+F2

VirtualAlloc .

.

IAT .

. IAT 0045D118

. (Breakpoint Hardware, on write DWROD) F9 .

.

Reverse Engineering


- 166 -

F8 IAT .

IAT . IAT . 0045D118 0045D6D0 .

0045D6D0 0045D730 .

IAT . 0045D730

. ( Binary B

reverse engineering - agz.esagz.es/reverse-engineering/basic/reverse engineering [security... · ©...

Documents

Beginners Guide to Reverse Engineering Android · PDF fileSESSION ID: Beginners Guide to Reverse Engineering Android Apps . STU-W02B . Pau Oliva Fora . Sr. Mobile Security Engineer

Android Reverse Engineering - Internet Security Auditors

Reverse Engineering Tool Based on Unified Mapping Method ... · 4D Reverse Engineering Tool. Keywords Reverse Engineering, Imagix-4D Reverse Engineering Tool, Class Diagram 1. Introduction

Reverse Engineering archeology: Reverse engineering

© SERG Reverse Engineering (Software Security) Software Vulnerabilities: Definition, Classification, and Prevention

Enbedded Devices Security Firmware Reverse Engineering

Reverse Engineering of Automotive Componenetsold.nasscom.in/sites/default/files/Reverse Engineering of...Reverse Engineering of Automotive Componenets Reverse engineering is increasingly

WASM SECURITY ANALYZE AND REVERSE ENGINEERING · 2018. 12. 22. · wasm security analyze and reverse engineering tiejun wu guangyuan zhao fu ying labs, nsfocus. who we are •wu tiejun(@toughie88)

Reverse Engineering Java SIM card - Security Explorations · Reverse Engineering Java SIM card ILLUSTRATION OF THE IMPACT AND POTENTIAL OF JAVA CARD VULNERABILITIES DESCRIPTION This

Tools and Basic Reverse Engineering - Security Groupsecurity.cs.rpi.edu/courses/binexp-spring2015/lectures/2/02... · Tools and Basic Reverse Engineering . Modern Binary Exploitation

EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable

software security and reverse engineering - … · Software Security and Reverse Engineering ... in fact you build the executable from the source-code. The reverse engineering is

Reverse Engineering, DRM, & Operating Systems Securityaustin/cs265-spring14/RevEng_DRM_OS-Security.pdf · Reverse Engineering, DRM, & Operating Systems Security Prof. Tom Austin San

IOS Application Security Part 32 - Automating Tasks With IOS Reverse Engineering Toolkit (IRET)

Reverse Engineering Pneumatic Steel Strapping Machineold.nasscom.in/sites/default/files/Reverse-engineering-pneumatic... · Reverse Engineering Pneumatic Steel Strapping Machine Reverse

Reverse Engineering for Security · Reverse Engineering for Security Pramod Subramanyan spramod@cse.iitk.ac.in Indian Institute of Technology, Kanpur 6th Workshop on Design Automation

Security Warrior - TechTargetmedia.techtarget.com/searchEnterpriseLinux/... · Linux Reverse Engineering This chapter is concerned with reverse engineering in the Linux environment,

Windows for Reverse Engineers OS Internals · Windows for Reverse Engineers OS Internals CS-E4330 - Special Course in Information Security Reverse Engineering Malware Course 2017

Network Security Via Reverse Engineering of TCP Code

Obfuscation & Reverse Engineering - Auckland › compsci316s2c › ...OBFUSCATION & REVERSE ENGINEERING Lecture 16b COMPSCI 316 Cyber Security. Top right corner for field customer

Embedded Devices Security Firmware Reverse Engineering

Advanced Internet Security - Reverse Engineering · Internet Security 2 5 Reverse Engineering • Application areas – copy ... (Live Demo) Int. Secure Systems ... jmp *0x804a008

Security Guide Release 16 - Oracle · reconfigurations, reassembly or reverse assembly, re-engineering or reverse engineering and recompilations or reverse compilations of the VARApplications

Android Reverse Engineering - Internet Security Auditors€¦ · Malware identification in Android apps . OWASP 4 Reverse engineering: definition and objectives Definition Refers

net reverse engineering · .NET Reverse Engineering Erez Metula, CISSP Application Security Department Manager Security Software Engineer 2B Secure ErezMetula @2bsecure.co.il

Reverse Engineering the Wetware: Understanding Human Behavior to Improve Information Security

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers

Reverse Engineering Introduction to Computer Security CSC 405Introduction to Computer Security Reverse Engineering Alexandros Kapravelos kapravelos@ncsu.edu ... • set when operation

Beginners Guide to Reverse Engineering Android Apps · SESSION ID: Beginners Guide to Reverse Engineering Android Apps . STU-W02B . Pau Oliva Fora . Sr. Mobile Security Engineer

Lab 5: Android Application Reverse Engineering and … Zhang - CSC Course: Cyber Security Practice 1 Department of Computer: Cyber Security Practice Lab 5: Android Application Reverse

Reverse engineering

Reverse Engineering & Malware Analysis Engineering... · Reverse Engineering & Malware Analysis ... aren't making any changes to their security in 2017” - Barkly, ... Linux.ProxyM

Reverse Engineering and Computer Security · Reverse Engineering in the Computer Underground •Cracking software copy protection PC software and games modding the Xbox and Playstation