Slide1
Introduction to Reverse Engineering
Inbar Raz, Malware Research Lab Manager
Information Security – Theory vs. Reality
Tel Aviv University, 368-4474-01, Winter 2012-2013
Lecture 7
Slide2
What is Reverse Engineering?
Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
aka: Reversing, RE, SRE
Slide3
Why do it?
Discover Trade Secrets
Find Vulnerabilities
Academic Research (Yeah, right…)
Circumvent [Copy] Protection
Analyse Protocols
Pure Curiosity
Patch Binary and Alter Behavior
Slide4
Sounds awesome, right?
Slide5
So where’s the catch?
Low-level is, well, low level…
00401000 push ebp
00401001 mov ebp, esp
00401003 push ecx
00401004 push ecx
00401005 and dword ptr [ebp-4], 0
00401009 push esi
0040100A mov esi, [ebp+8]
0040100D push edi
0040100E push esi
0040100F call ds:[00402008h]
00401015 mov edi, eax
00401017 xor edx, edx
00401019 test edi, edi
0040101B jle 00401047h
0040101D movsx ecx, byte ptr [edx+esi]
00401021 add [ebp-4], ecx
00401024 mov [ebp-8], ecx
00401027 rol dword ptr [ebp-4], 1
0040102A mov eax, ecx
0040102C imul eax, [ebp-4]
00401030 mov [ebp-4], eax
00401033 mov eax, [ebp-8]
00401036 add [ebp-4], eax
00401039 xor [ebp-4], ecx
0040103C inc edx
0040103D cmp edx, edi
0040103F jl 0040101Dh
00401041 cmp dword ptr [ebp-4], 0
00401045 jnz 00401063h
00401047 push 0
00401049 push 40230Ch
0040104E push 4022CCh
00401053 push ds:[004023ACh]
00401059 call ds:[00402010h]
0040105F xor eax, eax
00401061 jmp 0040107Fh
00401063 xor dword ptr [ebp+0Ch], 01337C0DEh
0040106A sub dword ptr [ebp+0Ch], 0BADC0DE5h
00401071 mov eax, [ebp-4]
00401074 not dword ptr [ebp+0Ch]
00401077 xor eax, [ebp+0Ch]
0040107A neg eax
0040107C sbb eax, eax
0040107E inc eax
0040107F pop edi
00401080 pop esi
00401081 leave
00401082 retn
#include <stdint.h>
#include <string.h>

/* High-level equivalent of the listing above; Serial is the 32-bit value kept in [ebp-4] */
int CheckSerial(const char *UserName, uint32_t UserSerial)
{
    uint32_t Serial;
    int CurChar, i;
    for (Serial = 0, i = 0; i < strlen(UserName); i++) {
        CurChar = (int)UserName[i];                                       /* movsx: sign-extended */
        Serial += CurChar;
        Serial = (((Serial << 1) & 0xFFFFFFFE) | ((Serial >> 31) & 1));   /* rol Serial, 1 */
        Serial = (((Serial * CurChar) + CurChar) ^ CurChar);
    }
    if (Serial == 0)
        return 0;                                   /* message-box path at 00401047 */
    UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);
    return Serial == UserSerial;                    /* neg/sbb/inc at 0040107A: 1 if equal, else 0 */
}
Slide6
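The following Python script is an added example and not part of the lecture: it walks the loop at 0040101D..0040103F of the previous slide's listing instruction by instruction, checks that the C fragment on that slide computes the same value, and shows how the neg/sbb/inc tail turns the final xor into a 0/1 return value. The sample user names are constructed; the function names are this example's own.

```python
# Added example: emulate the slide-5 serial routine and check the C rewrite against it.
# Locals are named after the listing: [ebp-4] is the running Serial, [ebp-8] the saved char.
MASK = 0xFFFFFFFF


def movsx_byte(b: int) -> int:
    """movsx ecx, byte ptr [...]: sign-extend one byte into a 32-bit register."""
    return (b - 0x100 if b >= 0x80 else b) & MASK


def rol32(x: int, n: int = 1) -> int:
    """rol dword ptr [...], n on a 32-bit operand."""
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def serial_from_listing(user_name: bytes) -> int:
    """Instruction-by-instruction walk of the loop at 0040101D..0040103F."""
    ebp_m4 = 0                                 # 00401005 and dword ptr [ebp-4], 0
    edi = len(user_name)                       # 0040100F call strlen ; 00401015 mov edi, eax
    edx = 0                                    # 00401017 xor edx, edx
    while edx < edi:                           # 0040101B jle / 0040103F jl: loop while edx < edi
        ecx = movsx_byte(user_name[edx])       # 0040101D movsx ecx, byte ptr [edx+esi]
        ebp_m4 = (ebp_m4 + ecx) & MASK         # 00401021 add [ebp-4], ecx
        ebp_m8 = ecx                           # 00401024 mov [ebp-8], ecx
        ebp_m4 = rol32(ebp_m4)                 # 00401027 rol dword ptr [ebp-4], 1
        eax = (ecx * ebp_m4) & MASK            # 0040102A mov eax, ecx ; 0040102C imul eax, [ebp-4]
        ebp_m4 = eax                           # 00401030 mov [ebp-4], eax
        eax = ebp_m8                           # 00401033 mov eax, [ebp-8]
        ebp_m4 = (ebp_m4 + eax) & MASK         # 00401036 add [ebp-4], eax
        ebp_m4 ^= ecx                          # 00401039 xor [ebp-4], ecx
        edx += 1                               # 0040103C inc edx
    return ebp_m4


def serial_from_c(user_name: bytes) -> int:
    """The C fragment from the slide, with & and | doing the rotate."""
    serial = 0
    for b in user_name:
        cur = movsx_byte(b)
        serial = (serial + cur) & MASK
        serial = ((serial << 1) & 0xFFFFFFFE) | ((serial >> 31) & 1)
        serial = (((serial * cur) + cur) ^ cur) & MASK
    return serial


def neg_sbb_inc(eax: int) -> int:
    """0040107A neg eax ; sbb eax, eax ; inc eax  ->  1 if eax was 0, else 0."""
    cf = 1 if eax & MASK else 0                # neg sets CF unless the operand was zero
    eax = (-eax) & MASK
    eax = (eax - eax - cf) & MASK              # sbb eax, eax leaves -CF
    return (eax + 1) & MASK


def check_serial(user_name: bytes, user_serial: int) -> int:
    """Return value of the whole routine: 0 on the message-box path, else the 0/1 from the tail."""
    serial = serial_from_listing(user_name)
    if serial == 0:                            # 00401041 cmp [ebp-4], 0 ; jnz: falls into the MessageBox call
        return 0
    t = user_serial ^ 0x1337C0DE               # 00401063 xor dword ptr [ebp+0Ch], 1337C0DEh
    t = (t - 0xBADC0DE5) & MASK                # 0040106A sub dword ptr [ebp+0Ch], 0BADC0DE5h
    t = ~t & MASK                              # 00401074 not dword ptr [ebp+0Ch]
    return neg_sbb_inc(serial ^ t)             # 00401077 xor eax, [ebp+0Ch] ; neg ; sbb ; inc


if __name__ == "__main__":
    for name in (b"Alice", b"Bob", b"\xe9\xff"):   # constructed sample names
        assert serial_from_listing(name) == serial_from_c(name)
        print(name, hex(serial_from_c(name)), check_serial(name, 0))
```

The point of keeping both versions side by side is the usual one when hand-decompiling: every register and stack slot in the listing has a name in the emulation, so a mismatch between the two functions points straight at the instruction whose semantics (sign extension, 32-bit wrap, rotate) was misread.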
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack
Average opcode size: 3 bytes
Average executable size: 500KB (on WinXP)
There are executables, libraries, drivers…
Slide7
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack
Sometimes, the code resists
Packers and compressors
Obfuscators
Slide8
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack
Sometimes, the code resists
Sometimes, the code fights back
Detect reversing tools
Detect VMs and emulators
Slide9
A Battle of Wits
Author writes code
Reverser reverses it
Author creates an anti-reversing technique
Reverser bypasses it
And so on…
Slide10
So what do you need in order to be a good reverser?
Slide11
We’ll come back to this…
Slide12
Tools of the Trade
Disassembler (Static code analysis)
Debugger (Dynamic code analysis)
Hex Editor
PE Analyzer
Resource Editor
Slide13
Disassemblers
Slide14
The old world: Sourcer
Slide15
The old world: Sourcer
Slide16
Old ages: Sourcer
Slide17
Old ages: Sourcer
Slide18
Welcome to Windows: W32DASM
Slide19
The Holy Grail: IDA-Pro
Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions.
Slowly evolved into an automatic RE tool:
Built-in full-control script language
Library recognition (including user-generated)
Function prototype information: displayed, and propagated throughout the code
Support for plug-ins
Support for Python scripting
Multi-architecture, cross-platform support
Full integration with built-in and external debuggers
Slide20
Debuggers
A bug in the design, a screw-up in the debug (Hebrew spoonerism)
Slide21
First, there was DEBUG…
Slide22
GUI and much more: Turbo Debugger
Slide23
GUI and much more: Turbo Debugger
Slide24
GUI and much more: Turbo Debugger
Slide25
Next major step: Soft-ICE
Slide26
And finally: OllyDbg
Slide27
Other Tools
Slide28
Hex-Editor
Slide29
PE Analyzer
Slide30
Resource Editor
Slide31
Methodology
Slide32
How do we do it?
Finding the interesting part:
System calls (User mode and Kernel mode API)
Strings and constants
Dynamic loading of libraries
Provocation
Zoom-in and Zoom-out
Better and quicker (and how not to get stuck):
Iterative passes over the code
Leave no stone unturned
Macros/Scripts/Plugins
BinDiffing (manual and with tools)
Slide33
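To make "finding the interesting part" from the previous slide concrete, here is an added Python example (not from the lecture) that pulls ASCII and UTF-16LE strings out of a byte buffer and tags the ones a reverser would start from: API names that point at dynamic loading of libraries or at debugger checks, URLs, and registry paths. The buffer is a constructed stand-in for a binary, not a real sample, and the category table is an assumption of this example.

```python
import re

# Constructed stand-in for a binary: padding bytes around ASCII and UTF-16LE strings.
# Not a real executable; it only has to exercise the scanner offline.
SAMPLE = (
    b"MZ\x00\x90\x90\x00" + b"LoadLibraryA\x00GetProcAddress\x00"
    + b"\x01\x02" + b"IsDebuggerPresent\x00" + b"\xcc" * 5
    + "http://example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"VirtualProtect\x00" + b"\xde\xc0\x37\x13"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Category table for this example (assumed, not from the lecture); extend as needed.
CATEGORIES = {
    "dynamic loading": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "debugger check": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "memory protection": {"VirtualProtect", "VirtualAlloc"},
}
MIN_LEN = 5   # shorter runs are mostly noise


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str):
    """Map one string to the reason a reverser would care about it, or None."""
    for category, names in CATEGORIES.items():
        if text in names:
            return category
    if re.match(r"https?://", text):
        return "network indicator"
    if text.lower().startswith("software\\"):
        return "registry path"
    return None


def triage(data: bytes):
    """Strings worth a first look, as (offset, encoding, text, category)."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        category = classify(text)
        if category is not None:
            hits.append((offset, encoding, text, category))
    return hits


if __name__ == "__main__":
    for offset, encoding, text, category in triage(SAMPLE):
        print(f"{offset:#06x} {encoding:8} {category:18} {text}")
```

The UTF-16LE pass matters on Windows binaries because many strings (URLs, registry keys, messages) are stored wide and never show up in an ASCII-only scan; the offsets are what you take to the disassembler to find the code that references each string.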
Let’s play with them tools…
Slide34
60 seconds on x86 registers
General purpose registers: 32bit/16bit/8bit
Index registers: 32bit/16bit
Segment registers: 16bit
Flags: 32bit/16bit
Slide35
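As an added example (not from the lecture), the toy model below shows what the previous slide's 32bit/16bit/8bit split means in practice: AL, AH and AX are windows onto EAX, so a write to AL changes EAX, while SI/DI/BP/SP have only a 16-bit alias. It also models the flags a `cmp` sets, to show why `jl` (used for the loop test in the listing on slide 5) and `jb` disagree on the same operands: one reads them as signed, the other as unsigned. The class and method names are this example's own.

```python
# Added example: a toy model of the x86 general-purpose register overlay and of the
# flags that decide signed vs. unsigned conditional jumps (32-bit mode only).
MASK32, MASK16, MASK8 = 0xFFFFFFFF, 0xFFFF, 0xFF
REG32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")


class X86Regs:
    """EAX holds AX in its low 16 bits; AX holds AH (bits 15..8) and AL (bits 7..0).
    ESI/EDI/EBP/ESP only have a 16-bit alias (SI/DI/BP/SP), no 8-bit halves."""

    def __init__(self):
        self.r = {name: 0 for name in REG32}
        self.flags = {"ZF": 0, "SF": 0, "CF": 0, "OF": 0}

    @staticmethod
    def _base(name):
        if name in ("si", "di", "bp", "sp"):
            return "e" + name
        if len(name) == 2 and name[0] in "abcd" and name[1] in "xhl":
            return "e" + name[0] + "x"
        raise KeyError(name)

    def get(self, name):
        name = name.lower()
        if name in self.r:
            return self.r[name]
        full = self.r[self._base(name)]
        if name.endswith("h"):
            return (full >> 8) & MASK8
        if name.endswith("l"):
            return full & MASK8
        return full & MASK16

    def set(self, name, value):
        name = name.lower()
        if name in self.r:
            self.r[name] = value & MASK32
            return
        base = self._base(name)
        full = self.r[base]
        if name.endswith("h"):
            full = (full & ~(MASK8 << 8)) | ((value & MASK8) << 8)
        elif name.endswith("l"):
            full = (full & ~MASK8) | (value & MASK8)
        else:
            full = (full & ~MASK16) | (value & MASK16)   # 16-bit write keeps the upper half
        self.r[base] = full & MASK32

    def cmp(self, a, b):
        """Flags after 'cmp a, b' (computes a - b and discards the result)."""
        a, b = a & MASK32, b & MASK32
        res = (a - b) & MASK32
        self.flags["ZF"] = int(res == 0)
        self.flags["SF"] = res >> 31
        self.flags["CF"] = int(a < b)                    # unsigned borrow
        sa, sb, sr = a >> 31, b >> 31, res >> 31
        self.flags["OF"] = int(sa != sb and sr != sa)    # signed overflow
        return dict(self.flags)

    def jl_taken(self):
        """jl: signed less-than, taken when SF != OF."""
        return self.flags["SF"] != self.flags["OF"]

    def jb_taken(self):
        """jb: unsigned below, taken when CF == 1."""
        return self.flags["CF"] == 1


if __name__ == "__main__":
    r = X86Regs()
    r.set("eax", 0x12345678)
    r.set("al", 0xFF)                        # mov al, 0FFh also changes eax
    print(hex(r.get("eax")))
    r.cmp(0xFFFFFFFF, 1)                     # -1 vs 1 signed, 4294967295 vs 1 unsigned
    print(r.jl_taken(), r.jb_taken())
```

When reading a listing, the choice between `jl`/`jg` and `jb`/`ja` is often the only hint whether a variable was declared signed or unsigned in the source, which is exactly what the `jl` at 0040103F tells you about the loop counter on slide 5.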
Exercise 1: Static Reversing
Slide36
Exercise 1: Static Reversing
Target: a 2004 “Crack-Me”
Tools: IDA-Pro
Slide37
Exercise 2: Dynamic Reversing
Slide38
Exercise 2: Dynamic Reversing
Target: a 2004 “Crack-Me”
Tools: OllyDbg, IDA-Pro
Slide39
Exercise 3: Simple Anti-Debugging
Slide40
Exercise 3: Simple Anti-Debugging
Target: a 2006 “Crack-Me”
Tools: OllyDbg
Slide41
Reversing Malware
Malware is comprised of the following building blocks:
Infection Vector
Concealment
Operation
Communications
Check Point’s Anti-Malware Software Blade sits at the gateway
Therefore, communications interest us the most
Slide42
Introducing: Spy Eye
A CrimeWare ToolKit, originating in Russia.
Used mostly for stealing financial information, but will settle for any other identity information and key logging…
Like any serious trojan, Spy Eye compresses its traffic and encrypts it
Compression is performed using a public library (LZO)
Encryption algorithm is proprietary
Slide43
Act 1: Encryption
Slide44
Act 2: Configuration Download
Slide45
Act 3: Another Encryption
Slide46
So what do you need in order to be a good reverser?
Slide47
What makes a good reverser?
Qualities:
Patient
Curious
Persistent
Outside-the-Box Thinking
Optional: Good lookin’
Knowledge:
Assembly Language
Some High-Level programming (Best: the language the binary originated from)
Operating System Internals
API
Data Structures
File Structures
Good scripting skills
Anti-Debugging Tricks
Slide48
Outside-the-Box Thinking
Slide49
And remember, kids:
Binary + Reverse Engineer = ?
Slide50
Which means…
F A I L
Slide51
Questions?
Slide52
Check your Opportunities
We are looking for:
Excellent Computer Science/Software Engineering students for a variety of developing positions
Talented software developers
Security & Malware researchers
To learn more about our openings please check our website: www.checkpoint.com
Slide53
Thank you!
inbarr@checkpoint.com