Reverse Engineering Tools/TechniquesSAMEER SAPRA & MANBIR SINGH

Contents• Introduction• Requirements• Purpose• Techniques/Tools• Security Risks• Famous Cases of Reverse Engineering• Activity

Introduction• Reverse engineering, also called back engineering, is the processes of

extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information.

• The process often involves disassembling something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) and analyzing its components and workings in detail.

• https://www.youtube.com/watch?v=mwrhRP2PswA

Requirements• Need knowledge of assembly language.• Reverse Engineering tools.

Purpose• Security Auditing,• Removal of copy protection,• Circumvention of access restrictions,• Customization of embedded systems,• Enabling additional features like extend a free trial of a software.

Techniques/Tools• Disassemblers

• Used to convert binary code into assembly code and also used to extract strings imported and exported functions, libraries etc. The disassemblers convert the machine language into a user-friendly format.

• Debuggers• This tool expands the functionality of a disassembler by supporting the CPU

registers, the hex duping of the program, view of stack etc. • Allows the user to view the running state of a program.

Techniques/Tools• Hex Editors

• Allow the binary to be viewed in the editor and change it as per the requirements of the software.

• PE and Resource Viewer• PE is a Portable Executable which is a format for executables, object code,

DLLs, FON Font files and others. The viewer allows to read and display the executable file properties and structure.

• Decompilation• Decompilation uses a decompiler tool that tries to recreate the source

code in a high level language that can be available in machine code or bytecode.

IDA Pro - Disassembler• Performs automatic code analysis, using cross-references between code

sections, knowledge of parameters of API calls and other information.• System host

• Windows x86 and ARM• Linux x86• Mac OS X x86

• Executable file formats• COFF and other derivatives, including Win32/64/generic PE• ELF and derivatives(generic)• MZ (MS-DOS)• LC/LE/LX (OS/2 3.x and various DOS extenders)• AIM (generic)

IDA Pro - Disassembler• Instruction Set

• ARM Architecture,• Motorola 68k and H8,• Intel 80x86 family,• Java Virtual Machine, and many more...

• Compiler/libraries (for automatic library function recognition)• Borland C++ 5.x for DOS/Windows,• Borland C++ 3.1,• Microsoft C,• Microsoft Visual C++, and many more…

• Supports a number of Debuggers• GNU is supported on Linux and OS X, as well as the native Windows

debugger• An Intel PIN-based debugger

IDA Pro - Demo• Wrote a simple console application in C++.

BinDiff - Disassembler• BinDiff is an interesting tool used to reverse engineer. BinDiff compares

2 binaries and finds out how similar or how different they are. Example if you have a patch DLL and a unpatched dll you can compare the similarities and the which function have been changed, this is down by highlighting the changes between the two.

• Does not compare the bytes between the two but uses the disassembler and compares the two call graphs and compare the basic blocks in the instructions within them.

OllyDbg - Disassembler• A tool that is common and available online is OllyDbg provides:

• Ability to decode over 1900 standard API and 400 C functions• Attaches and able to view running programs• Debugs multi threaded applications• Configurable disassembler supporting MASM and IDEAL formats• Is also a debugger

• http://resources.infosecinstitute.com/reverse-engineering-ollydbg/

Immunity Debuggers - Debugger• Immunity Debugger is a powerful tool to help taking advantage to write,

analyze malware, and help reverse engineer binary files. Has a friendly user interface within functionality such as graphing.

• Immunity Debugger is a branch tool based off of OllyDbg, but also includes built-in support for python scripting.

• Using debugger tools like Immunity Debugger can help you find the holes within the program.

PE Explorer - PE and Resource Reader• PE Explorer is a multi featured program that is used for inspecting the

insides of your own software but what is more important is the ability to inspect the inner workings of a outside Windows applications and libraries which you wouldn't have access to the source code.• View and edit different PE files• The resource editor provides a fast resource viewer, extractor, and a

rebuilder.• Win32 Disassembler• Digital Signature View

dotPeek - Decompilation• dotPeek is a standalone tool. It is able to be a reliable decompiler in any

.NET assembly into equivalent C# code. The decompiler can support multiple formats such as exe files, DLL’s, and Windows metadata files.

• The tool is able to view a upload a file and will try to load it so that it can be viewed as source code. This tool is good when trying to view files that you don’t have the source code to.

• dotPeek inherits features from ReSharper. These features extended the tool usage such as usage search and different code structure and hierarchy views.

SECURITY RISKS• External systems can use tools within their disposal to view the system

and inner workings.

• Spoofing: The ability to gather credentials about someone to make certain transactions.

• Code modification: Changing the business logic, control flow, and the programs operations. This can be done by many ways

• Disabling or circumvent security controls to bypass authentication.• Encryption• License Management/checking.• root/jailbreak detection.

SECURITY RISKS

• Information Disclosure: Probing the system for digital keys, certificates, credentials, metadata, proprietary algorithms, and other internal logic.

• Elevation of Privilege: Spreading unauthorized code that would cause disturbance within the system.

• Inserting malware • Exploiting the application and repackaging it.

Atari Games Corp vs Nintendo of America Inc

• Nintendo designed a program, the 10NES, to prevent unauthorized video games from working on the NES.

• Their license agreement stated that the company could only make 5 games per year and prevented them from selling the games to other home entertainment system.

• Attari attempted to crack 10NES in order to bypass any need for a restrictive license agreement.

• In 1986 they purchased some Nintendos and started reverse engineering.

Sega Enterprises Ltd vs Accolade Inc.• The case involved Seg’s video console and cartridges, which the

cartridges had 20-25 byte of code segment that was interrogated by the console as a security measure.

• Accolade was able to disassemble the code which were also part of three different games.

• Accolade had “fair use” of the copyright in the games programs.• Under section 107 of the Copyright Act using disassembly of

copyrighted games code, it is fair to exam the unprotected ideas and functionalities that are embodied in the code.

ActivityDownload this executable and try to crack it.

http://canyouhack.it/Content/Challenges/Crack/Crack1.exe

REFERENCES• https://en.wikipedia.org/wiki/Reverse_engineering• https://www.owasp.org/index.php/Technical_Risks_of_Reverse_Engineering

_and_Unauthorized_Code_Modification• https://www.youtube.com/watch?v=yhlsDBuDG7A•https://www.udemy.com/reverse-engineering-and-exploit-development/• https://blog.udemy.com/reverse-engineering-tutorial/• http://programmers.stackexchange.com/questions/160985/reverse-engine

ering-what-is-it-really-good-for• http://reverseengineering.stackexchange.com/questions/4635/whats-the-

difference-between-a-disassembler-debugger-and-decompiler• https://en.wikipedia.org/wiki/Decompiler• https://ethics.csc.ncsu.edu/intellectual/reverse/study.php• http://resources.infosecinstitute.com/reverse-engineering-tools/

References• https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects• http://www.heaventools.com/overview.htm• https://www.jetbrains.com/decompiler/• https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects