Tools and Basic Reverse Engineering – Part 2

Modern Binary Exploitation

CSCI 4968 – Spring 2015

Jeremy Blackthorne

MBE - 01/30/2015 Tools and Basic RE 1

Lecture Overview

1. Review of Last Lecture

2. Introduction to Dynamic Analysis

3. Tools!

4. Resources

MBE - 01/30/2015 Tools and Basic RE 2

Review

Reversing Concepts:

–Static vs dynamic

–Diffing

–patching

MBE - 01/30/2015 Tools and Basic RE 3

Review

Tools:

–file

–md5sum

–ssdeep

–strings

–readelf

–objdump

–IDA Pro.exe

MBE - 01/30/2015 Tools and Basic RE 4

Review

IDA Pro:

–Rename variables

–Insert comments

–Recognize structures

–Cross reference

–Stack usage in assembly

MBE - 01/30/2015 Tools and Basic RE 5

Lecture Overview

1. Review of Last Lecture

2. Introduction to Dynamic Analysis

3. Tools!

4. Resources

MBE - 01/30/2015 Tools and Basic RE 6

RE Domain

Process, t=0 Process, t=i Process, t=n Binary File

Load Step Step

Static Dynamic MBE - 01/30/2015 Tools and Basic RE 7

Slide Colors

• Linux Tool

– Command

• Windows Tool

– ToolName.exe

• Associated Challenges:

– ChallengeName

MBE - 01/30/2015 Tools and Basic RE 8

Debugger – IDA Pro

•crackme0x04_win.exe

•IDA Pro.exe

MBE - 01/30/2015 Tools and Basic RE 9

RE Domain

Code Registers

Stack Other Memory

Libraries

Stack

c

b

a

Old EIP

Old EBP

x

y

z 0x00

0x01

0x02

0x03

0x04

0x05

0x06

0x07

ESP

EBP

MBE - 01/30/2015 Tools and Basic RE 11

Lecture Overview

1. Review of Last Lecture

2. Introduction to Dynamic Analysis

3. Tools!

4. Resources

MBE - 01/30/2015 Tools and Basic RE 12

Debugger – Evan’s Debugger

• crackme0x00a.exe

• edb

– edb->options->Preferences->Appearance

MBE - 01/30/2015 Tools and Basic RE 13

ELF Memory Layout

MBE - 01/30/2015 14

Virtual Memory Layout

MBE - 01/30/2015 15

Physical Memory Layout

MBE - 01/30/2015 16

Physical Memory Layout

MBE - 01/30/2015 17

Debugger – GNU Debugger

• crackme0x00a

• gdb

MBE - 01/30/2015 Tools and Basic RE 18

GNU Debugger - Basics

• crackme0x00a

• gdb

– disassemble main (disas main)

– set disassembly-flavor intel

– break main (b main)

– run

– stepi (s), step into

– nexti (n), step over

MBE - 01/30/2015 Tools and Basic RE 19

GNU Debugger – Examine Memory

• gdb

– Examine memory: x/NFU address

– N = number

– F = format

– U = unit

• Examples

– x/10xb 0xdeadbeef, examine 10 bytes in hex

– x/xw 0xdeadbeef, examine 1 word in hex

– x/s 0xdeadbeef, examine null terminated string

MBE - 01/30/2015 Tools and Basic RE 20

GNU Debugger - python

• gdb

– python print ‘A’ *10

MBE - 01/30/2015 Tools and Basic RE 21

GNU Debugger – Init File

• mv special ~/.gdbinit

• gdb

– help user

– hexdump

MBE - 01/30/2015 Tools and Basic RE 22

Tracing

• ltrace, library calls

• strace, system calls

MBE - 01/30/2015 Tools and Basic RE 23

Lecture Overview

1. Review of Last Lecture

2. Introduction to Dynamic Analysis

3. Tools!

4. Resources

MBE - 01/30/2015 Tools and Basic RE 24

Additional Resources

• Gdb customizations – http://reverse.put.as/gdbinit/ – https://github.com/dholm/voidwalker – http://stackoverflow.com/questions/209534/pret

tify-my-gdb – https://github.com/longld/peda

• Ring security – http://duartes.org/gustavo/blog/post/cpu-rings-

privilege-and-protection/ – http://www.amazon.com/The-Rootkit-Arsenal-

Evasion-Corners/dp/1598220616 MBE - 01/30/2015 Tools and Basic RE 25