1 / 51

Introduction to Reverse Engineering

Introduction to Reverse Engineering. Inbar Raz Malware Research Lab Manager December 2011. What is Reverse Engineering?.

Download Presentation

Introduction to Reverse Engineering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to Reverse Engineering Inbar RazMalware Research Lab ManagerDecember 2011

  2. What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. aka: Reversing, RE, SRE

  3. Why do it? AcademicResearch(Yeah, right…) FindVulnerabilities Discover Trade Secrets Circumvent[Copy]Protection AnalyseProtocols Patch BinaryandAlter Behavior PureCuriosity

  4. Sounds awesome, right?

  5. So where’s the catch? • Low-level is, well, low level… 00401000 push ebp00401001 movebp, esp00401003 push ecx00401004 push ecx00401005 and dwordptr [ebp-4], 000401009 push esi0040100A movesi, [ebp+8]0040100D push edi0040100E push esi0040100F call ds:[00402008h]00401015 movedi, eax00401017 xoredx, edx00401019 test edi, edi0040101B jle 00401047h0040101D movsxecx, byte ptr [edx+esi]00401021 add [ebp-4], ecx00401024 mov [ebp-8], ecx00401027 roldwordptr [ebp-4], 10040102A moveax, ecx0040102C imuleax, [ebp-4]00401030 mov [ebp-4], eax00401033 moveax, [ebp-8]00401036 add [ebp-4], eax00401039 xor [ebp-4], ecx0040103C incedx0040103D cmpedx, edi0040103F jl 0040101Dh00401041 cmpdwordptr [ebp-4], 000401045 jnz 00401063h00401047 push 000401049 push 40230Ch0040104E push 4022CCh00401053 push ds:[004023ACh]00401059 call ds:[00402010h]0040105F xoreax, eax00401061 jmp 0040107Fh00401063 xordwordptr [ebp+0Ch], 01337C0DEh0040106A sub dwordptr [ebp+0Ch], 0BADC0DE5h00401071 moveax, [ebp-4]00401074 not dwordptr [ebp+0Ch]00401077 xoreax, [ebp+0Ch]0040107A negeax0040107C sbbeax, eax0040107E inceax0040107F pop edi00401080 pop esi00401081 leave00401082 retn for (Serial = 0, i = 0; i < strlen(UserName); i++) { CurChar = (int) UserName[i]; Serial += CurChar; Serial = (((Serial << 1) && 0xFFFFFFFE) || ((Serial >> 31) && 1)); Serial = (((Serial * CurChar) + CurChar) ^ CurChar); } UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);

  6. So where’s the catch? • Low-level is, well, low level… • Needle in a haystack • Average opcode size: 3 bytes • Average executable size: 500KB (on WinXP) • There are executables, libraries, drivers….

  7. So where’s the catch? • Low-level is, well, low level… • Needle in a haystack • Sometimes, the code resists • Packers and compressors • Obfuscators

  8. So where’s the catch? • Low-level is, well, low level… • Needle in a haystack • Sometimes, the code resists • Sometimes, the code fights back • Detect reversing tools • Detect VMs and emulators

  9. A Battle of Wits • Video clip: The Battle of Wits, “The Princess Bride”

  10. A Battle of Wits • Author writes code • Reverser reverses it • Author creates an anti-reversing technique • Reverser bypasses it • And so on…

  11. So what do you need in order to be a good reverser?

  12. We’ll come backto this…

  13. Tools of the Trade • Debugger (Dynamic code analysis) • Disassembler (Static code analysis) • Hex Editor • PE Analyzer • Resource Editor and more…

  14. Debuggers זין בדיבאג באג בדיזיין –

  15. First, there was DEBUG…

  16. GUI and much more: Turbo Debugger

  17. GUI and much more: Turbo Debugger

  18. GUI and much more: Turbo Debugger

  19. Next major step: Soft-ICE

  20. And finally: OllyDbg

  21. Disassemblers

  22. The old world: Sourcer

  23. The old world: Sourcer

  24. Old ages: Sourcer

  25. Old ages: Sourcer

  26. Welcome to Windows: W32DASM

  27. The Holy Grail: IDA-Pro • Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions. • Slowly evolved into an automatic RE tool: • Built-in full-control script language • Library recognition (including user-generated) • Function prototype information • Display • Propagate throughout the code • Support for plug-ins • Support for Python scripting • Multi-architecture, cross-platform support • Full incorporation with built-in and external debuggers

  28. Hex-Editor

  29. PE Analyzer

  30. Resource Editor

  31. Let’s play with them tools…

  32. 60 seconds on x86 registers • General purpose registers:32bit/16bit/8bit • Index registers:32bit/16bit • Segment registers:16bit • Flags:32bit/16bit

  33. Exercise 1:Static Reversing

  34. Exercise 1: Static Reversing • Target: a 2004 “Crack-Me” • Tools: IDA-Pro

  35. Exercise 2:Dynamic Reversing

  36. Exercise 2: Dynamic Reversing • Target: a 2004 “Crack-Me” • Tools: OllyDbg, IDA-Pro

  37. Exercise 3:Simple Anti-Debugging

  38. Exercise 3: Simple Anti Debugging • Target: a 2006 “Crack-Me” • Tools: OllyDbg

  39. Reversing Malware • Malware is comprised of the following building blocks: • Infection Vector • Concealment • Operation • Communications • Check Point’s Anti-Malware Software Blade sits at the gateway • Therefore, communications interest us the most

  40. Introducing: Spy Eye • A CrimeWareToolKit, originating in Russia. • Used mostly for stealing financial information, but will settle for any other identity information and key logging… • Like any serious trojan, Spy Eye compresses its traffic and encrypts it • Compression is performed using a public library (LZO) • Encryption algorithm is proprietary

  41. Act 1:Encryption

  42. Act 2:Configuration Download

  43. Act 3:Another Encryption

  44. So what do you need in order to be a good reverser?

  45. What makes a good reverser? Qualities • Patient • Curious • Persistent • Outside-the-Box Thinking • Optional: Good lookin’ Knowledge • Assembly Language • Some High-Level programming • Best: origin of binary • Operating System Internals • API • Data Structures • File Structures • Good scripting skills • Anti-Debugging Tricks

  46. Outside-the-Box Thinking

  47. And remember, kids: Binary ReverseEngineer + =?

  48. Which means… F A I L

  49. Questions?

  50. Thank you! inbarr@checkpoint.com

More Related