©2012 Check Point Software Technologies Ltd. Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager Information Security – Theory vs. Reality Tel Aviv University, , Winter Lecture 7
2 2©2012 Check Point Software Technologies Ltd. What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. aka: Reversing, RE, SRE
3 3©2012 Check Point Software Technologies Ltd. Why do it? Discover Trade Secrets Find Vulnerabilities Academic Research (Yeah, right…) Circumvent [Copy] Protection Analyse Protocols Pure Curiosity Patch Binary and Alter Behavior
4 4©2012 Check Point Software Technologies Ltd. Sounds awesome, right?
5 5©2012 Check Point Software Technologies Ltd. So where’s the catch? Low-level is, well, low level… push ebp mov ebp, esp push ecx push ecx and dword ptr [ebp-4], push esi A mov esi, [ebp+8] D push edi E push esi F call ds:[ h] mov edi, eax xor edx, edx test edi, edi B jle h D movsx ecx, byte ptr [edx+esi] add [ebp-4], ecx mov [ebp-8], ecx rol dword ptr [ebp-4], A mov eax, ecx C imul eax, [ebp-4] mov [ebp-4], eax mov eax, [ebp-8] add [ebp-4], eax xor [ebp-4], ecx C inc edx D cmp edx, edi F jl Dh cmp dword ptr [ebp-4], jnz h push push 40230Ch E push 4022CCh push ds:[004023ACh] call ds:[ h] F xor eax, eax jmp Fh xor dword ptr [ebp+0Ch], 01337C0DEh A sub dword ptr [ebp+0Ch], 0BADC0DE5h mov eax, [ebp-4] not dword ptr [ebp+0Ch] xor eax, [ebp+0Ch] A neg eax C sbb eax, eax E inc eax F pop edi pop esi leave retn for (Serial = 0, i = 0; i < strlen(UserName); i++) { CurChar = (int) UserName[i]; Serial += CurChar; Serial = (((Serial > 31) && 1)); Serial = (((Serial * CurChar) + CurChar) ^ CurChar); } UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);
6 6©2012 Check Point Software Technologies Ltd. So where’s the catch? Low-level is, well, low level… Needle in a haystack –Average opcode size: 3 bytes –Average executable size: 500KB (on WinXP) –There are executables, libraries, drivers….
7 7©2012 Check Point Software Technologies Ltd. So where’s the catch? Low-level is, well, low level… Needle in a haystack Sometimes, the code resists –Packers and compressors –Obfuscators
8 8©2012 Check Point Software Technologies Ltd. So where’s the catch? Low-level is, well, low level… Needle in a haystack Sometimes, the code resists Sometimes, the code fights back –Detect reversing tools –Detect VMs and emulators
9 9©2012 Check Point Software Technologies Ltd. A Battle of Wits Author writes code Reverser reverses it Author creates an anti-reversing technique Reverser bypasses it And so on…
10 ©2012 Check Point Software Technologies Ltd. So what do you need in order to be a good reverser?
11 ©2012 Check Point Software Technologies Ltd. We’ll come back to this…
12 ©2012 Check Point Software Technologies Ltd. Tools of the Trade Disassembler (Static code analysis) Debugger (Dynamic code analysis) Hex Editor PE Analyzer Resource Editor
13 ©2012 Check Point Software Technologies Ltd. Disassemblers
14 ©2012 Check Point Software Technologies Ltd. The old world: Sourcer
15 ©2012 Check Point Software Technologies Ltd. The old world: Sourcer
16 ©2012 Check Point Software Technologies Ltd. Old ages: Sourcer
17 ©2012 Check Point Software Technologies Ltd. Old ages: Sourcer
18 ©2012 Check Point Software Technologies Ltd. Welcome to Windows: W32DASM
19 ©2012 Check Point Software Technologies Ltd. The Holy Grail: IDA-Pro Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions. Slowly evolved into an automatic RE tool: –Built-in full-control script language –Library recognition (including user-generated) –Function prototype information –Display –Propagate throughout the code –Support for plug-ins –Support for Python scripting –Multi-architecture, cross-platform support –Full incorporation with built-in and external debuggers
20 ©2012 Check Point Software Technologies Ltd. Debuggers באג בדיזיין –זין בדיבאג
21 ©2012 Check Point Software Technologies Ltd. First, there was DEBUG…
22 ©2012 Check Point Software Technologies Ltd. GUI and much more: Turbo Debugger
23 ©2012 Check Point Software Technologies Ltd. GUI and much more: Turbo Debugger
24 ©2012 Check Point Software Technologies Ltd. GUI and much more: Turbo Debugger
25 ©2012 Check Point Software Technologies Ltd. Next major step: Soft-ICE
26 ©2012 Check Point Software Technologies Ltd. And finally: OllyDbg
27 ©2012 Check Point Software Technologies Ltd. Other Tools
28 ©2012 Check Point Software Technologies Ltd. Hex-Editor
29 ©2012 Check Point Software Technologies Ltd. PE Analyzer
30 ©2012 Check Point Software Technologies Ltd. Resource Editor
31 ©2012 Check Point Software Technologies Ltd. Methodology
32 ©2012 Check Point Software Technologies Ltd. How we do it? Finding the interesting part –System calls (User mode and Kernel mode API) –Strings and constants –Dynamic loading of libraries –Provocation –Zoom-in and Zoom-out Better and quicker (and how not to get stuck) –Iterative passes over the code –Leave no stone unturned –Macros/Scripts/Plugins –BinDiffing (manual and with tools)
33 ©2012 Check Point Software Technologies Ltd. Let’s play with them tools…
34 ©2012 Check Point Software Technologies Ltd. 60 seconds on x86 registers General purpose registers: 32bit/16bit/8bit Index registers: 32bit/16bit Segment registers: 16bit Flags: 32bit/16bit
35 ©2012 Check Point Software Technologies Ltd. Exercise 1: Static Reversing
36 ©2012 Check Point Software Technologies Ltd. Exercise 1: Static Reversing Target: a 2004 “Crack-Me” Tools: IDA-Pro
37 ©2012 Check Point Software Technologies Ltd. Exercise 2: Dynamic Reversing
38 ©2012 Check Point Software Technologies Ltd. Exercise 2: Dynamic Reversing Target: a 2004 “Crack-Me” Tools: OllyDbg, IDA-Pro
39 ©2012 Check Point Software Technologies Ltd. Exercise 3: Simple Anti-Debugging
40 ©2012 Check Point Software Technologies Ltd. Exercise 3: Simple Anti Debugging Target: a 2006 “Crack-Me” Tools: OllyDbg
41 ©2012 Check Point Software Technologies Ltd. Reversing Malware Malware is comprised of the following building blocks: –Infection Vector –Concealment –Operation –Communications Check Point’s Anti-Malware Software Blade sits at the gateway Therefore, communications interest us the most
42 ©2012 Check Point Software Technologies Ltd. Introducing: Spy Eye A CrimeWare ToolKit, originating in Russia. Used mostly for stealing financial information, but will settle for any other identity information and key logging… Like any serious trojan, Spy Eye compresses its traffic and encrypts it –Compression is performed using a public library (LZO) –Encryption algorithm is proprietary
43 ©2012 Check Point Software Technologies Ltd. Act 1: Encryption
44 ©2012 Check Point Software Technologies Ltd. Act 2: Configuration Download
45 ©2012 Check Point Software Technologies Ltd. Act 3: Another Encryption
46 ©2012 Check Point Software Technologies Ltd. So what do you need in order to be a good reverser?
47 ©2012 Check Point Software Technologies Ltd. What makes a good reverser? Qualities Patient Curious Persistent Outside-the-Box Thinking Optional: Good lookin’ Knowledge Assembly Language Some High-Level programming Best: origin of binary Operating System Internals API Data Structures File Structures Good scripting skills Anti-Debugging Tricks
48 ©2012 Check Point Software Technologies Ltd. Outside-the-Box Thinking
49 ©2012 Check Point Software Technologies Ltd. And remember, kids: BinaryReverse Engineer + =?
50 ©2012 Check Point Software Technologies Ltd. Which means… F A I L
51 ©2012 Check Point Software Technologies Ltd. Questions?
52 ©2012 Check Point Software Technologies Ltd. Check your Opportunities We are looking for: Excellent Computer Science/Software Engineering students for a variety of developing positions Talented software developers Security & Malware researchers To learn more about our openings please check our website:
53 ©2012 Check Point Software Technologies Ltd. Thank you!