1. ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager December 2011

2. 2 2©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. aka: Reversing, RE, SRE

3. 3 3©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Why do it? Discover Trade Secrets Find Vulnerabilities Academic Research (Yeah, right…) Circumvent [Copy] Protection Analyse Protocols Pure Curiosity Patch Binary and Alter Behavior

4. 4 4©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Sounds awesome, right?

5. 5 5©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. So where’s the catch?  Low-level is, well, low level… 00401000 push ebp 00401001 mov ebp, esp 00401003 push ecx 00401004 push ecx 00401005 and dword ptr [ebp-4], 0 00401009 push esi 0040100A mov esi, [ebp+8] 0040100D push edi 0040100E push esi 0040100F call ds:[00402008h] 00401015 mov edi, eax 00401017 xor edx, edx 00401019 test edi, edi 0040101B jle 00401047h 0040101D movsx ecx, byte ptr [edx+esi] 00401021 add [ebp-4], ecx 00401024 mov [ebp-8], ecx 00401027 rol dword ptr [ebp-4], 1 0040102A mov eax, ecx 0040102C imul eax, [ebp-4] 00401030 mov [ebp-4], eax 00401033 mov eax, [ebp-8] 00401036 add [ebp-4], eax 00401039 xor [ebp-4], ecx 0040103C inc edx 0040103D cmp edx, edi 0040103F jl 0040101Dh 00401041 cmp dword ptr [ebp-4], 0 00401045 jnz 00401063h 00401047 push 0 00401049 push 40230Ch 0040104E push 4022CCh 00401053 push ds:[004023ACh] 00401059 call ds:[00402010h] 0040105F xor eax, eax 00401061 jmp 0040107Fh 00401063 xor dword ptr [ebp+0Ch], 01337C0DEh 0040106A sub dword ptr [ebp+0Ch], 0BADC0DE5h 00401071 mov eax, [ebp-4] 00401074 not dword ptr [ebp+0Ch] 00401077 xor eax, [ebp+0Ch] 0040107A neg eax 0040107C sbb eax, eax 0040107E inc eax 0040107F pop edi 00401080 pop esi 00401081 leave 00401082 retn for (Serial = 0, i = 0; i < strlen(UserName); i++) { CurChar = (int) UserName[i]; Serial += CurChar; Serial = (((Serial > 31) && 1)); Serial = (((Serial * CurChar) + CurChar) ^ CurChar); } UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);

6. 6 6©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. So where’s the catch?  Low-level is, well, low level…  Needle in a haystack –Average opcode size: 3 bytes –Average executable size: 500KB (on WinXP) –There are executables, libraries, drivers….

7. 7 7©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. So where’s the catch?  Low-level is, well, low level…  Needle in a haystack  Sometimes, the code resists –Packers and compressors –Obfuscators

8. 8 8©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. So where’s the catch?  Low-level is, well, low level…  Needle in a haystack  Sometimes, the code resists  Sometimes, the code fights back –Detect reversing tools –Detect VMs and emulators

9. 9 9©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. A Battle of Wits  Video clip: The Battle of Wits, “The Princess Bride”

10. 10 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. A Battle of Wits  Author writes code  Reverser reverses it  Author creates an anti-reversing technique  Reverser bypasses it  And so on…

11. 11 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. So what do you need in order to be a good reverser?

12. 12 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. We’ll come back to this…

13. 13 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Tools of the Trade  Debugger (Dynamic code analysis)  Disassembler (Static code analysis)  Hex Editor  PE Analyzer  Resource Editor and more…

14. 14 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Debuggers באג בדיזיין –זין בדיבאג

15. 15 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. First, there was DEBUG…

16. 16 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. GUI and much more: Turbo Debugger

17. 17 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. GUI and much more: Turbo Debugger

18. 18 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. GUI and much more: Turbo Debugger

19. 19 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Next major step: Soft-ICE

20. 20 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. And finally: OllyDbg

21. 21 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Disassemblers

22. 22 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. The old world: Sourcer

23. 23 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. The old world: Sourcer

24. 24 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Old ages: Sourcer

25. 25 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Old ages: Sourcer

26. 26 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Welcome to Windows: W32DASM

27. 27 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. The Holy Grail: IDA-Pro  Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions.  Slowly evolved into an automatic RE tool: –Built-in full-control script language –Library recognition (including user-generated) –Function prototype information –Display –Propagate throughout the code –Support for plug-ins –Support for Python scripting –Multi-architecture, cross-platform support –Full incorporation with built-in and external debuggers

28. 28 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Hex-Editor

29. 29 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. PE Analyzer

30. 30 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Resource Editor

31. 31 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Let’s play with them tools…

32. 32 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. 60 seconds on x86 registers  General purpose registers: 32bit/16bit/8bit  Index registers: 32bit/16bit  Segment registers: 16bit  Flags: 32bit/16bit

33. 33 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Exercise 1: Static Reversing

34. 34 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Exercise 1: Static Reversing  Target: a 2004 “Crack-Me”  Tools: IDA-Pro

35. 35 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Exercise 2: Dynamic Reversing

36. 36 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Exercise 2: Dynamic Reversing  Target: a 2004 “Crack-Me”  Tools: OllyDbg, IDA-Pro

37. 37 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Exercise 3: Simple Anti-Debugging

38. 38 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Exercise 3: Simple Anti Debugging  Target: a 2006 “Crack-Me”  Tools: OllyDbg

39. 39 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Reversing Malware  Malware is comprised of the following building blocks: –Infection Vector –Concealment –Operation –Communications  Check Point’s Anti-Malware Software Blade sits at the gateway  Therefore, communications interest us the most

40. 40 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Introducing: Spy Eye  A CrimeWare ToolKit, originating in Russia.  Used mostly for stealing financial information, but will settle for any other identity information and key logging…  Like any serious trojan, Spy Eye compresses its traffic and encrypts it –Compression is performed using a public library (LZO) –Encryption algorithm is proprietary

41. 41 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Act 1: Encryption

42. 42 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Act 2: Configuration Download

43. 43 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Act 3: Another Encryption

44. 44 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. So what do you need in order to be a good reverser?

45. 45 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. What makes a good reverser? Qualities Patient Curious Persistent Outside-the-Box Thinking Optional: Good lookin’ Knowledge Assembly Language Some High-Level programming Best: origin of binary Operating System Internals API Data Structures File Structures Good scripting skills Anti-Debugging Tricks

46. 46 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Outside-the-Box Thinking

47. 47 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. And remember, kids: BinaryReverse Engineer + =?

48. 48 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Which means… F A I L

49. 49 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Questions?

50. 50 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Thank you! inbarr@checkpoint.com

51. 51 ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Credits All images and videos have their origin URL in the “Alt Text” property. All rights belong to their respective owner.