Introduction to Reverse Engineering

Introduction to Reverse Engineering. Information Security – Theory vs. Reality, Tel Aviv University, 368-4474-01, Winter 2012-2013, Lecture 7. Inbar Raz, Malware Research Lab Manager.

Presentation Transcript


  1. Introduction to Reverse Engineering Information Security – Theory vs. Reality Tel Aviv University, 368-4474-01, Winter 2012-2013 Lecture 7 Inbar Raz Malware Research Lab Manager

  2. What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. aka: Reversing, RE, SRE

  3. Why do it? • Academic Research (Yeah, right…) • Find Vulnerabilities • Discover Trade Secrets • Circumvent [Copy] Protection • Analyse Protocols • Patch Binary and Alter Behavior • Pure Curiosity

  4. Sounds awesome, right?

  5. So where’s the catch? • Low-level is, well, low level…

    00401000 push ebp
    00401001 mov ebp, esp
    00401003 push ecx
    00401004 push ecx
    00401005 and dword ptr [ebp-4], 0
    00401009 push esi
    0040100A mov esi, [ebp+8]
    0040100D push edi
    0040100E push esi
    0040100F call ds:[00402008h]
    00401015 mov edi, eax
    00401017 xor edx, edx
    00401019 test edi, edi
    0040101B jle 00401047h
    0040101D movsx ecx, byte ptr [edx+esi]
    00401021 add [ebp-4], ecx
    00401024 mov [ebp-8], ecx
    00401027 rol dword ptr [ebp-4], 1
    0040102A mov eax, ecx
    0040102C imul eax, [ebp-4]
    00401030 mov [ebp-4], eax
    00401033 mov eax, [ebp-8]
    00401036 add [ebp-4], eax
    00401039 xor [ebp-4], ecx
    0040103C inc edx
    0040103D cmp edx, edi
    0040103F jl 0040101Dh
    00401041 cmp dword ptr [ebp-4], 0
    00401045 jnz 00401063h
    00401047 push 0
    00401049 push 40230Ch
    0040104E push 4022CCh
    00401053 push ds:[004023ACh]
    00401059 call ds:[00402010h]
    0040105F xor eax, eax
    00401061 jmp 0040107Fh
    00401063 xor dword ptr [ebp+0Ch], 01337C0DEh
    0040106A sub dword ptr [ebp+0Ch], 0BADC0DE5h
    00401071 mov eax, [ebp-4]
    00401074 not dword ptr [ebp+0Ch]
    00401077 xor eax, [ebp+0Ch]
    0040107A neg eax
    0040107C sbb eax, eax
    0040107E inc eax
    0040107F pop edi
    00401080 pop esi
    00401081 leave
    00401082 retn

  The same routine, reconstructed as C (bitwise & and | are required here: the rol at 00401027 is a 1-bit rotate, which the logical && and || operators would not express):

    for (Serial = 0, i = 0; i < strlen(UserName); i++) {
        CurChar = (int) UserName[i];
        Serial += CurChar;
        Serial = (((Serial << 1) & 0xFFFFFFFE) | ((Serial >> 31) & 1));   /* rol Serial, 1 */
        Serial = (((Serial * CurChar) + CurChar) ^ CurChar);
    }
    UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);
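The listing on this slide, reimplemented as an added example in C (my code, not the lecture's), so that the reconstruction can be checked against the disassembly with real inputs. It follows the slide's reading that [ebp+8] is the user-name pointer, the call at 0040100F is strlen, and [ebp+0Ch] is the user-supplied serial; each statement is annotated with the instruction it stands for, including the sign-extending movsx, the 1-bit rol, and the neg/sbb/inc sequence that turns an equality test into a 0/1 return value. The function names and the sample name/serial pair in main are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* rol dword ptr [ebp-4], 1: a 32-bit rotate left by one bit */
static uint32_t rol1(uint32_t v)
{
    return (v << 1) | (v >> 31);
}

/* The loop at 0040101D..0040103F. [ebp+8] is assumed to be the user name
 * and the call at 0040100F its strlen, as in the slide's pseudo-C. */
uint32_t name_hash(const char *name)
{
    uint32_t serial = 0;                 /* and dword ptr [ebp-4], 0 */
    size_t len = strlen(name);           /* call ds:[00402008h] -> edi */
    for (size_t i = 0; i < len; i++) {
        /* movsx ecx, byte ptr [edx+esi]: bytes >= 0x80 are sign-extended */
        uint32_t cur = (uint32_t)(int32_t)(signed char)name[i];
        serial += cur;                   /* add [ebp-4], ecx */
        serial = rol1(serial);           /* rol dword ptr [ebp-4], 1 */
        serial *= cur;                   /* imul eax, [ebp-4]; mov [ebp-4], eax */
        serial += cur;                   /* add [ebp-4], eax (eax = saved ecx) */
        serial ^= cur;                   /* xor [ebp-4], ecx */
    }
    return serial;
}

/* 00401063..00401074: the transform applied to the user-supplied serial at [ebp+0Ch] */
uint32_t decode_serial(uint32_t user_serial)
{
    return ~((user_serial ^ 0x1337C0DEu) - 0xBADC0DE5u);
}

/* Returns 1 when the name/serial pair is accepted, 0 otherwise. A zero hash (or an
 * empty name) takes the jle/jnz path to the message-box call and returns 0; the
 * neg/sbb/inc sequence at 0040107A converts "eax == 0" into the return value 1. */
int check_serial(const char *name, uint32_t user_serial)
{
    uint32_t h = name_hash(name);
    if (h == 0)
        return 0;
    return decode_serial(user_serial) == h;
}

int main(void)
{
    /* constructed sample input: a name and a serial that satisfies the check for it */
    const char *name = "AB";
    uint32_t serial = 0xA9FD260Au;
    printf("hash(%s) = %08X, accepted = %d\n", name, name_hash(name),
           check_serial(name, serial));
    return 0;
}
```

Reimplementing a routine this way is the quickest check that a static reading is right: feed the C version and the original binary the same name and serial and compare the verdicts; a mismatch usually points at a mis-read operand width, signedness or rotate.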

  6. So where’s the catch? • Low-level is, well, low level… • Needle in a haystack • Average opcode size: 3 bytes • Average executable size: 500KB (on WinXP) • There are executables, libraries, drivers…

  7. So where’s the catch? • Low-level is, well, low level… • Needle in a haystack • Sometimes, the code resists • Packers and compressors • Obfuscators

  8. So where’s the catch? • Low-level is, well, low level… • Needle in a haystack • Sometimes, the code resists • Sometimes, the code fights back • Detect reversing tools • Detect VMs and emulators

  9. A Battle of Wits • Author writes code • Reverser reverses it • Author creates an anti-reversing technique • Reverser bypasses it • And so on…

  10. So what do you need in order to be a good reverser?

  11. We’ll come back to this…

  12. Tools of the Trade • Disassembler (Static code analysis) • Debugger (Dynamic code analysis) • Hex Editor • PE Analyzer • Resource Editor

  13. Disassemblers

  14. The old world: Sourcer

  15. The old world: Sourcer

  16. Old ages: Sourcer

  17. Old ages: Sourcer

  18. Welcome to Windows: W32DASM

  19. The Holy Grail: IDA-Pro • Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions. • Slowly evolved into an automatic RE tool: • Built-in full-control script language • Library recognition (including user-generated) • Function prototype information • Display • Propagate throughout the code • Support for plug-ins • Support for Python scripting • Multi-architecture, cross-platform support • Full integration with built-in and external debuggers

  20. Debuggers (Hebrew spoonerism on the slide: “a screw-up in the debug, a bug in the design”)

  21. First, there was DEBUG…

  22. GUI and much more: Turbo Debugger

  23. GUI and much more: Turbo Debugger

  24. GUI and much more: Turbo Debugger

  25. Next major step: Soft-ICE

  26. And finally: OllyDbg

  27. Other Tools

  28. Hex-Editor

  29. PE Analyzer

  30. Resource Editor

  31. Methodology

  32. How do we do it? • Finding the interesting part • System calls (User mode and Kernel mode API) • Strings and constants • Dynamic loading of libraries • Provocation • Zoom-in and Zoom-out • Better and quicker (and how not to get stuck) • Iterative passes over the code • Leave no stone unturned • Macros/Scripts/Plugins • BinDiffing (manual and with tools)
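One of the first passes listed above, pulling printable strings and constants out of a binary before any disassembly, as an added example in C (my code, not part of the lecture): a minimal strings finder in the spirit of the `strings` tool, run over a constructed byte buffer that mixes header-like bytes, library and API names, a run too short to report, and a string that ends exactly at the end of the buffer. The buffer contents and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING 64

/* Copy each run of at least min_len printable-ASCII bytes (0x20..0x7e) out of buf into
 * out[], NUL-terminated and truncated to MAX_STRING-1 bytes; return how many were found.
 * The loop runs one step past the end so a run touching the end of the buffer is flushed. */
size_t find_strings(const unsigned char *buf, size_t len, size_t min_len,
                    char out[][MAX_STRING], size_t max_out)
{
    size_t count = 0, run_start = 0, run_len = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = (i < len) && buf[i] >= 0x20 && buf[i] < 0x7f;
        if (printable) {
            if (run_len == 0)
                run_start = i;
            run_len++;
            continue;
        }
        if (run_len >= min_len && count < max_out) {
            size_t n = run_len < MAX_STRING - 1 ? run_len : MAX_STRING - 1;
            memcpy(out[count], buf + run_start, n);
            out[count][n] = '\0';
            count++;
        }
        run_len = 0;
    }
    return count;
}

/* Constructed sample: "MZ" plus a few header-like bytes, two library/API names, a run
 * too short to report ("ab"), some non-printable bytes (0x7f is DEL and is excluded),
 * and a string that ends exactly at the buffer end. */
static const unsigned char sample_blob[] =
    "\x4d\x5a\x90\x00\x03\x00\x00\x00"
    "kernel32.dll\x00\x00"
    "ab\x00"
    "GetProcAddress\x00\x01\x02"
    "\x7f\x80\xff"
    "Serial OK";

static char found[16][MAX_STRING];

/* Run the finder over the sample with a minimum length of 4 and return the count. */
size_t sample_string_count(void)
{
    return find_strings(sample_blob, sizeof(sample_blob) - 1, 4, found, 16);
}

/* The idx-th string reported by the last call to sample_string_count(). */
const char *sample_string_at(size_t idx)
{
    return found[idx];
}

int main(void)
{
    size_t n = sample_string_count();
    for (size_t i = 0; i < n; i++)
        printf("%s\n", sample_string_at(i));
    return 0;
}
```

Imported API names and library names found this way are the usual starting points for the "system calls" and "dynamic loading of libraries" items in the list; a short minimum length keeps noise from random printable bytes down, which is why the two-byte "MZ" and "ab" runs are not reported.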

  33. Let’s play with them tools…

  34. 60 seconds on x86 registers • General purpose registers: 32-bit/16-bit/8-bit • Index registers: 32-bit/16-bit • Segment registers: 16-bit • Flags: 32-bit/16-bit

  35. Exercise 1: Static Reversing

  36. Exercise 1: Static Reversing • Target: a 2004 “Crack-Me” • Tools: IDA-Pro

  37. Exercise 2: Dynamic Reversing

  38. Exercise 2: Dynamic Reversing • Target: a 2004 “Crack-Me” • Tools: OllyDbg, IDA-Pro

  39. Exercise 3: Simple Anti-Debugging

  40. Exercise 3: Simple Anti-Debugging • Target: a 2006 “Crack-Me” • Tools: OllyDbg

  41. Reversing Malware • Malware consists of the following building blocks: • Infection Vector • Concealment • Operation • Communications • Check Point’s Anti-Malware Software Blade sits at the gateway • Therefore, communications interest us the most

  42. Introducing: Spy Eye • A crimeware toolkit, originating in Russia. • Used mostly for stealing financial information, but will settle for any other identity information and key logging… • Like any serious trojan, Spy Eye compresses its traffic and encrypts it • Compression is performed using a public library (LZO) • The encryption algorithm is proprietary

  43. Act 1: Encryption

  44. Act 2: Configuration Download

  45. Act 3: Another Encryption

  46. So what do you need in order to be a good reverser?

  47. What makes a good reverser? Qualities: • Patient • Curious • Persistent • Outside-the-Box Thinking • Optional: Good lookin’ Knowledge: • Assembly Language • Some High-Level programming • Best: origin of binary • Operating System Internals • API • Data Structures • File Structures • Good scripting skills • Anti-Debugging Tricks

  48. Outside-the-Box Thinking

  49. And remember, kids: Binary + Reverse Engineer = ?

  50. Which means… FAIL
