Trying to like a boss… REVERSE ENGINEERING

WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular software or device to understand the concepts of its manufacture, to produce something similar or simply understand how it works.

WHAT IS IT USED FOR? Some of the reasons why people reverse engineer within computer science are: Breaking copy protections (time trials, serial protections, to impress) Studying viruses and other malware (Stuxnet, Duqu) To add functionality to existing software To recreate a software, when the original source code has been lost To study software for any vulnerabilities (exploits in operating systems)

KNOWLEDGE REQUIRED? At least a basic understanding of how coding works. Being familiar with the Assembly Language Learning the tools of the trade The ability to experiment (Ask yourself why the program does this)

TOOLS USED: Disassemblers Debuggers Hex editors Memory viewers Program format viewers and editors Tools to monitor the system Unpackers and decrypters

DISASSEMBLER A disassembler is used to take the machine language code and display them in a format that is more human readable friendlier format. This tool also gives us data about the program such as strings used within, variables, and function calls made. An example of such a tools is OBJDUMP

DEBUGGERS Debuggers are the tool of the reverse engineer. Their job is to analyze the binary file and to allow the reverse to step through the code within it. With the ability to do this the reverser can better understand what is going on underneath the hood of the program. Some debuggers allow a person to make changes to the running code to change the flow of the program. Examples are Ollydbg, GDB, Windbg, IDA, Softice Differences : Ring 0 (Softice), Ring 3 (others mentioned)

HEX EDITOR A hex editor allows you to see the bytes that a program is composed of and make changes to them or simply copy them to another file/location. Examples: WinHex, Hexdump, xxd

MEMORY VIEWERS These programs allow a person to dump and view working memory. This also lets us view any changes the program is making within memory. Examples: Memdump

PROGRAM FORMAT VIEWERS Compiled programs come in a certain format for the operating system its used upon. On windows that format is known as the PE (Portable Executable), on linux is most common format is the ELF(Executable and Linkable Format) These tools are important because most programs will do nasty things to the headers in-order to break your debugger.

UNPACKERS AND DECRYPTORS Often times a program will packed or compressed in-order to bring the file size of the program down. This often leads us to first have to unpack the program before we can start debugging the program. Other programs may be Encrypted with a certain algorithm to make it harder for a reverse engineer to understand the underlying code. So it must be decrypted to better understand it adequetly. Programs can also be both Packed and Encrypted.

UNDERSTANDING THE PORTABLE EXECUTABLE Programs on disk are the same within memory. This is important because we can make changes in memory and if we like the result, make those changes to the binary on disk.

SECTIONS At a minimum there are only two sections within a PE file. Code (where the program’s code is held) Data (where Variables and other types of data (export tables, resources relocations are held) The other Sections are : Rdata (read only data) Relocation table (relocated code/ data) Other sections Sections begin with some multiple of 0x200

ASSEMBLY LANGUAGE The Assembly Language was created to make a more human readable representation of raw binary code. It directly represents instructions the processor can execute This is what all of our programs can be translated to. Our high level languages (C / C++…etc) go from code form to a compiler, which translates to Assembly, then passed to the assembler to make object code for the platform (simplified process)