DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 4. Tools

Context
- Computers understand binary code.
- Binary code can be written in hexadecimal.
- Hexadecimal code can be expressed in assembly language.
- Assembly language is human-readable, but not as intuitive as source code.
- Decompilers convert assembly into easier-to-read source code.

4. Tools
1. Approaches
2. Hex editors
3. Disassemblers
4. Debuggers
5. Decompilers
6. Monitoring tools
7. Patching tools

Approaches

Reversing methodologies
- Offline analysis
- Live analysis

Approaches: offline code analysis (dead-listing)
- Take a binary executable and use a disassembler or a decompiler to convert it into a human-readable form.
- Reversing then consists of manually reading and analyzing parts of that output.

Approaches: live code analysis
- Involves the same conversion of the code into a human-readable form.
- Instead of only reading the converted code statically, run it in a debugger and observe its behavior on a live system.
- Observe internal data and how it affects the flow of the code: what individual variables contain and what happens when the program reads or modifies that data.
- The better approach for beginners.
- Tools: debuggers.

Hex editors

Hex editors
- Display the raw bytes of a file (or, for RAM editors, of a running process) as hexadecimal.
- Enable those bytes to be edited in place, on disk or in the memory of the running program.
- Related tool categories: hex editors, RAM editors, data recovery tools, RAM disassemblers.
- Examples: WinHex, Tsearch.

Hex editors

Hex editor | Author  | Platform | Licence   | Website
WinHex     | Sf-soft | Windows  | Shareware | http://

Disassemblers

Disassemblers/debuggers: what they do
- Convert binary code into its assembly equivalent.
- Extract ASCII strings and the libraries used.
- View memory, the stack and the CPU registers.
- Run the program (with breakpoints).
- Edit the assembly code at runtime.

Disassemblers
- One of the most important reversing tools.
- Decode binary machine code into readable assembly-language text.
- Platform-specific: a disassembler must know the target instruction set (and, to find the code, the executable file format) in order to decode correctly.
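As an added example (not code from the slides, nor from IDA or any other tool named here), the following Python script is a tiny linear-sweep disassembler for a handful of 32-bit x86 instructions. It runs over a constructed byte string (a small check routine: push ebp / mov ebp,esp / load the argument / test / jne / ...), emits address, raw bytes and mnemonic the way a disassembler listing does, and shows how anything it cannot decode (an unknown opcode, data mixed into the code stream, or a truncated instruction) surfaces as a raw `db` byte. The opcode tables, register names and mnemonics are the standard Intel ones; the sample bytes and the base address 0x401000 are assumptions made up for the example.

```python
"""Linear-sweep disassembler for a small subset of 32-bit x86.

Added example, not from the original slides. Only the opcodes in the tables
below are decoded; anything else is emitted as a raw `db` byte, which is how
data or unsupported encodings show up in a real linear sweep.
"""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
# opcodes followed by a ModRM byte: opcode -> (mnemonic, reg field is destination)
MODRM_OPS = {0x89: ("mov", False), 0x8B: ("mov", True),
             0x85: ("test", False), 0x31: ("xor", False), 0x39: ("cmp", False)}
SIMPLE = {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3"}


def decode_modrm(code, pos):
    """Decode a ModRM byte (no SIB support); return (reg field, r/m text, next pos)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:                            # register-direct operand
        return reg, REGS32[rm], pos
    if rm == 4:                             # a SIB byte would follow; out of scope
        raise NotImplementedError("SIB addressing not supported")
    if mod == 0 and rm == 5:                # [disp32] absolute address
        disp = struct.unpack_from("<I", code, pos)[0]
        return reg, f"[0x{disp:x}]", pos + 4
    if mod == 0:
        return reg, f"[{REGS32[rm]}]", pos
    if mod == 1:                            # [reg + disp8]
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    else:                                   # [reg + disp32]
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    return reg, f"[{REGS32[rm]}{disp:+#x}]", pos


def decode_one(code, pos, base):
    """Decode the instruction at code[pos]; return (text, position of next instruction)."""
    op = code[pos]
    addr = base + pos
    if op in SIMPLE:
        return SIMPLE[op], pos + 1
    if 0x50 <= op <= 0x57:
        return f"push {REGS32[op - 0x50]}", pos + 1
    if 0x58 <= op <= 0x5F:
        return f"pop {REGS32[op - 0x58]}", pos + 1
    if 0xB8 <= op <= 0xBF:                  # mov r32, imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return f"mov {REGS32[op - 0xB8]}, 0x{imm:x}", pos + 5
    if op in MODRM_OPS:
        mnem, reg_is_dst = MODRM_OPS[op]
        reg, rm, nxt = decode_modrm(code, pos + 1)
        dst, src = (REGS32[reg], rm) if reg_is_dst else (rm, REGS32[reg])
        return f"{mnem} {dst}, {src}", nxt
    if op == 0x83:                          # group 1: op r/m32, sign-extended imm8
        reg, rm, nxt = decode_modrm(code, pos + 1)
        imm = struct.unpack_from("<b", code, nxt)[0]
        return f"{GROUP1[reg]} {rm}, 0x{imm & 0xffffffff:x}", nxt + 1
    if 0x70 <= op <= 0x7F or op == 0xEB:    # jcc / jmp short, rel8 from next instruction
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        mnem = "jmp" if op == 0xEB else JCC[op - 0x70]
        return f"{mnem} 0x{addr + 2 + rel:x}", pos + 2
    if op in (0xE8, 0xE9):                  # call / jmp, rel32 from next instruction
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        mnem = "call" if op == 0xE8 else "jmp"
        return f"{mnem} 0x{addr + 5 + rel:x}", pos + 5
    return f"db 0x{op:02x}", pos + 1        # unknown opcode: treat as data


def disassemble(code, base=0):
    """Linear sweep from the first byte to the last; returns (addr, hex bytes, text)."""
    out, pos = [], 0
    while pos < len(code):
        try:
            text, nxt = decode_one(code, pos, base)
        except (NotImplementedError, struct.error):   # unsupported or truncated
            text, nxt = f"db 0x{code[pos]:02x}", pos + 1
        out.append((base + pos, code[pos:nxt].hex(), text))
        pos = nxt
    return out


# Constructed sample (assumption): a check routine returning 1 if its argument is nonzero.
SAMPLE_CODE = bytes.fromhex("5589e58b450885c07507b800000000eb05b801000000c9c3")

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE_CODE, base=0x401000):
        print(f"{addr:08x}  {raw:<12}  {text}")
```

Running it prints the ten-instruction listing from `push ebp` at 0x401000 to `ret` at 0x401017, with the `jne` resolved to its target 0x401011. The important design point is the fallback: a real disassembler faces the same choice when it meets bytes it cannot decode, and a linear sweep simply keeps going from the next byte, which is why data embedded in a code section (and deliberately inserted junk bytes, see the anti-reversing chapter) can desynchronise the listing.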

Disassemblers: IDA Pro
- The most popular of the disassemblers.
- IDA (Interactive Disassembler), by DataRescue.
- Supports a variety of processor architectures: IA-32, IA-64, AMD64, ...
- Supports a variety of executable file formats: Portable Executable (PE, used in Windows), Executable and Linking Format (ELF, used in Linux), XBE (used on Microsoft's Xbox).
- Cost: $399 USD (standard edition), $795 USD (advanced edition).

Disassemblers: ILDasm
- For Microsoft Intermediate Language (MSIL), the low-level, assembly-like language used in .NET programs.
- A fundamental tool for .NET reversing.
- Operates only on Portable Executable files (.exe, .dll) of the .NET Framework.
- Included in the .NET Framework SDK.
- (Diagram: PE file -> Ildasm.exe -> MSIL text file; Ilasm.exe assembles the text file back into a PE.)

Disassemblers: ILDasm usage example
1. Compile the code in a programming language that does not support all of the runtime metadata attributes.
2. Obtain the resulting MSIL text file (with Ildasm.exe).
3. Manually edit in the missing attributes.
4. Run the text file through the MSIL assembler (Ilasm.exe) to produce the final executable.

Debuggers

Debuggers: two purposes
1. To assist software developers in locating and correcting errors in their programs.
2. To serve as powerful reversing tools.
Idea: the debugger provides a disassembled view of the currently running function and allows the user to step through the disassembled code and see what the program does at every line.

Debuggers: key features
- Powerful disassembler
- Software and hardware breakpoints (a software breakpoint overwrites the target byte with an INT 3 instruction, 0xCC, which a program can detect by checksumming its own code; a hardware breakpoint uses the CPU debug registers and leaves the code untouched)
- View of registers and memory
- Process information

Debuggers: user mode vs. kernel mode
User-mode debuggers
- Conventional applications that attach to another process (the debuggee) and can take full control of it.
- Easy to set up and use; run on the same system as the debuggee.
Kernel-mode debuggers
- Give a view of the system as a whole rather than of a specific process.
- Components that sit alongside the system's kernel and allow the entire system to be stopped and observed at any given moment.
- Difficult to set up and usually require a dedicated system, because stopping the kernel destabilizes the operating system.
- Kernel debugging on virtual machines avoids the need for a second physical machine.

Debuggers: examples
Some user-mode debuggers
- OllyDbg (Oleh Yuschuk): for 32-bit x86 assembly on Windows; free (shareware-licensed) debugger; widely used for cracking.
- WinDbg: free debugger provided by Microsoft (Debugging Tools for Windows).
- IDA Pro
Some kernel-mode debuggers
- WinDbg
- NuMega SoftICE

Debuggers: OllyDbg
- Executes the program in a controlled environment.
- Allows the flow of the program to be controlled.
- Uses a convenient layout showing hexadecimal, assembly, CPU registers and the stack.
- Allows the program to be dumped from memory onto the hard disk.
- Highlights recently changed values in memory, the stack and the CPU registers.

Decompilers

Decompilers
- A reverser's dream tool: takes a program binary and produces high-level-language source code.
- It is never possible to restore the original code in its exact form.
- The compilation process always removes some information from the program (comments, and without debug information the local variable names and types as well).
- (Diagram: program binary -> decompiler -> high-level-language source code.)

Decompilers: REC
- Decompiles a program from binary code to C pseudo-code.
- Translates any binary it cannot decompile into assembly code.
- Typically generates 60-70% of the program source code.

Decompiler | Author                 | Platform       | Licence  | Website
REC        | Backer Street Software | Windows, Linux | Freeware | http:// et.com/rec/rec.htm

Monitoring tools

Monitoring tools
- System monitoring is an important part of the reversing process.
- A general category of tools that observe the various channels of I/O that exist between applications and the operating system, e.g. file access monitors.
- An interesting set of tools: Sysinternals (om/es-mx/sysinternals)
  Categories: utilities for disks and files; network; processes and threads; security; system information; others.

Monitoring tools: the most interesting ones
- FileMon: monitors all file-system-level traffic between programs and the operating system.
- TCPView: monitors all active TCP and UDP network connections of every process.
- TDIMon: similar to TCPView; monitors network traffic and provides information on any socket-level operation performed by any process in the system.
- RegMon: a registry activity monitor that reports all registry access from every program.
- PortMon: a physical port monitor that monitors all serial and parallel I/O traffic on the system.
- WinObj: presents a hierarchical view of the named objects in the system.
- Process Explorer: a turbo version of the Windows Task Manager (WTM), designed to replace it.
Note: FileMon and RegMon have since been retired in favor of Process Monitor, which records file, registry, process and thread activity in a single trace.
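Added example (not from the slides or from Sysinternals): a Python triage of a file/registry trace, of the kind FileMon and RegMon produce, that answers the reverser's first questions after running a sample: what did it write to disk, did it register itself to start automatically, and which operations did the operating system refuse. The trace lines are constructed for the example and assume the column layout Process Monitor uses for its CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the process name sample.exe, the PIDs, the paths and the autorun key list are made up for the illustration.

```python
"""Triage a file/registry monitor trace after running a sample.

Added example, not from the slides or from Sysinternals. SAMPLE_TRACE is
constructed and assumes the column layout of a Process Monitor CSV export
(Time of Day, Process Name, PID, Operation, Path, Result, Detail); the
process name, PIDs and paths are made up.
"""
import csv
import io

SAMPLE_TRACE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","sample.exe","4120","CreateFile","C:\\Users\\lab\\Desktop\\sample.exe","SUCCESS","Desired Access: Read"
"10:01:02.214","sample.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS",""
"10:01:02.300","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.305","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe","SUCCESS","Length: 49152"
"10:01:02.410","sample.exe","4120","RegSetValue","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe"
"10:01:02.500","sample.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:03.000","explorer.exe","1588","RegQueryValue","HKCU\\Control Panel\\Desktop\\Wallpaper","SUCCESS","Type: REG_SZ"
"10:01:03.120","sample.exe","4120","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","ACCESS DENIED","Desired Access: Generic Write"
"""

# Registry locations that start a program automatically (assumed, incomplete subset).
AUTORUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
# Operations that change a file's content or identity.
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}


def parse_trace(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def opens_for_write(event):
    """A CreateFile with a write access mask is an intent to modify the file."""
    return event["Operation"] == "CreateFile" and "Write" in event["Detail"]


def triage(events, process):
    """Summarize what one process wrote to disk and the registry, and what was refused."""
    files_written, autoruns, denied = set(), [], []
    for ev in events:
        if ev["Process Name"] != process:
            continue
        op, path, result = ev["Operation"], ev["Path"], ev["Result"]
        if op in FILE_WRITE_OPS or opens_for_write(ev):
            if result == "SUCCESS":
                files_written.add(path)
            else:                       # e.g. ACCESS DENIED: attempted but blocked
                denied.append((op, path, result))
        if op == "RegSetValue" and any(k.lower() in path.lower() for k in AUTORUN_KEYS):
            autoruns.append((path, ev["Detail"]))
    return {"files_written": sorted(files_written),
            "autoruns": autoruns, "denied": denied}


if __name__ == "__main__":
    report = triage(parse_trace(SAMPLE_TRACE), "sample.exe")
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

On the constructed trace the report shows one dropped file under AppData, one Run-key value pointing at it, and a refused attempt to open the hosts file for writing. Filtering by process name first matters in practice: a monitor records every process on the system, and the interesting lines from the sample are easily lost among explorer.exe and the rest of the desktop.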

Patching tools

Patching tools
- Patching: the process of modifying code in a binary executable to somehow alter its behavior.
- Related to reversing because, in order to know where to patch, one must understand the program being patched.
- Comes after a reversing session.
- Typically performed by crackers.
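Added example (not from the slides, nor from WinHex or any patching tool): a Python script that does what a reverser does with a hex editor once the disassembly session has located the check. It builds a constructed, deliberately minimal PE image in memory (not a loadable executable) containing a small check routine, walks the DOS header, COFF header and section table to turn the RVA of a `jne` seen in the disassembler into the file offset the hex editor needs, shows the bytes hex-editor style, and applies the classic crack (jne -> jmp short) only after verifying that the bytes at that offset are the ones that were analysed. The section layout, the RVA 0x1008 and the code bytes are assumptions made for the example.

```python
"""Find and patch a conditional jump in a PE image, hex-editor style.

Added example, not from the slides or from any listed tool. The PE image is
constructed in memory (assumption: one .text section at RVA 0x1000 with its
raw data at file offset 0x200) and is not a loadable executable.
"""
import struct


def build_sample_pe():
    """Construct a tiny PE-shaped byte string with one .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = b"\x0b\x01" + b"\0" * (0xE0 - 2)        # Magic 0x10b (PE32), rest zeroed
    raw_ptr = 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # relocation/line-number fields (unused), Characteristics = CODE|EXECUTE|READ
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + text
    header += b"\0" * (raw_ptr - len(header))
    # Constructed check routine (assumed): returns 1 only if its argument is nonzero.
    #   push ebp; mov ebp,esp; mov eax,[ebp+8]; test eax,eax; jne ok;
    #   mov eax,0; jmp done; ok: mov eax,1; done: leave; ret
    code = bytes.fromhex("5589e58b450885c07507b800000000eb05b801000000c9c3")
    return header + code + b"\0" * (0x200 - len(code))


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return sections


def rva_to_offset(sections, rva):
    """Map an RVA (what the disassembler shows) to the file offset a hex editor needs."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError(f"RVA 0x{rva:x} is not inside any section")


def hexdump(data, offset, length, width=16):
    """Hex-editor style view: offset, hex bytes, printable ASCII."""
    lines = []
    for start in range(offset, offset + length, width):
        chunk = data[start:start + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{start:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return lines


def patch_bytes(image, offset, expected, replacement):
    """Return a patched copy; refuse if the bytes on disk are not the ones analysed."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the length of the instruction stream")
    actual = image[offset:offset + len(expected)]
    if actual != expected:
        raise ValueError(f"expected {expected.hex()} at 0x{offset:x}, found {actual.hex()}")
    return image[:offset] + replacement + image[offset + len(replacement):]


def crack_check(image, jne_rva=0x1008):
    """Turn the `jne` (75 07) at jne_rva into an unconditional `jmp short` (EB 07)."""
    offset = rva_to_offset(parse_sections(image), jne_rva)
    return patch_bytes(image, offset, b"\x75\x07", b"\xeb\x07"), offset


if __name__ == "__main__":
    original = build_sample_pe()
    patched, off = crack_check(original)
    print("before:", *hexdump(original, off & ~0xF, 16), sep="\n")
    print("after: ", *hexdump(patched, off & ~0xF, 16), sep="\n")
```

Two checks in `patch_bytes` are the ones that save a patcher from a corrupted binary: the replacement must be exactly as long as the bytes it replaces (a longer or shorter sequence shifts every following instruction and every relative jump), and the bytes at the computed offset must match what was seen in the disassembler, which catches a wrong RVA-to-offset translation or a different build of the program before anything is written.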

Bibliography
- Eldad Eilam. Reversing: Secrets of Reverse Engineering. Wiley Publishing, Inc., 2005.
- MSIL Disassembler (ILDasm): es/library/f7dy01k1(v=vs.80).aspx
- Ildasm.exe tutorial: es/library/aa309387(v=vs.71).aspx
- Dan Mabbutt. Framework Tools – ILDASM: An Introduction to the Microsoft Intermediate Language Dis-Assembler. WToolsILDASM.htm
- OllyDbg

End