
1 ©2012 Check Point Software Technologies Ltd. Introduction to Reverse Engineering. Inbar Raz, Malware Research Lab Manager. Information Security – Theory vs. Reality, Tel Aviv University, 368-4474-01, Winter 2012-2013, Lecture 7

2 What is Reverse Engineering?
  Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
  aka: Reversing, RE, SRE

3 Why do it?
  - Discover Trade Secrets
  - Find Vulnerabilities
  - Academic Research (Yeah, right…)
  - Circumvent [Copy] Protection
  - Analyse Protocols
  - Pure Curiosity
  - Patch Binary and Alter Behavior

4 Sounds awesome, right?

5 So where’s the catch?
  - Low-level is, well, low level…

  The disassembly:

    00401000 push ebp
    00401001 mov ebp, esp
    00401003 push ecx
    00401004 push ecx
    00401005 and dword ptr [ebp-4], 0
    00401009 push esi
    0040100A mov esi, [ebp+8]
    0040100D push edi
    0040100E push esi
    0040100F call ds:[00402008h]
    00401015 mov edi, eax
    00401017 xor edx, edx
    00401019 test edi, edi
    0040101B jle 00401047h
    0040101D movsx ecx, byte ptr [edx+esi]
    00401021 add [ebp-4], ecx
    00401024 mov [ebp-8], ecx
    00401027 rol dword ptr [ebp-4], 1
    0040102A mov eax, ecx
    0040102C imul eax, [ebp-4]
    00401030 mov [ebp-4], eax
    00401033 mov eax, [ebp-8]
    00401036 add [ebp-4], eax
    00401039 xor [ebp-4], ecx
    0040103C inc edx
    0040103D cmp edx, edi
    0040103F jl 0040101Dh
    00401041 cmp dword ptr [ebp-4], 0
    00401045 jnz 00401063h
    00401047 push 0
    00401049 push 40230Ch
    0040104E push 4022CCh
    00401053 push ds:[004023ACh]
    00401059 call ds:[00402010h]
    0040105F xor eax, eax
    00401061 jmp 0040107Fh
    00401063 xor dword ptr [ebp+0Ch], 01337C0DEh
    0040106A sub dword ptr [ebp+0Ch], 0BADC0DE5h
    00401071 mov eax, [ebp-4]
    00401074 not dword ptr [ebp+0Ch]
    00401077 xor eax, [ebp+0Ch]
    0040107A neg eax
    0040107C sbb eax, eax
    0040107E inc eax
    0040107F pop edi
    00401080 pop esi
    00401081 leave
    00401082 retn

  The same routine in C (Serial and UserSerial are unsigned 32-bit values, so the rotate and the subtraction wrap exactly as the 32-bit registers do):

    for (Serial = 0, i = 0; i < strlen(UserName); i++)
    {
        CurChar = (int) UserName[i];               /* movsx ecx, byte ptr [edx+esi] */
        Serial += CurChar;                         /* add [ebp-4], ecx */
        Serial = (Serial << 1) | (Serial >> 31);   /* rol dword ptr [ebp-4], 1 */
        Serial = (((Serial * CurChar) + CurChar) ^ CurChar);
    }
    UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);
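To confirm that the C reading of the listing above is faithful, an analyst typically re-implements the routine and runs it on a few inputs. The following program is an added example and not code from the lecture; the function names compute_serial and check_serial are my own, and it models the message-box failure branch at 00401047 as an early return of 0.

```c
/* Added example (not from the slides): C re-implementation of the routine
 * disassembled on slide 5. compute_serial covers the loop at
 * 0040101D..0040103F; check_serial covers the whole function, whose
 * return value in eax is 1 when the (name, serial) pair is accepted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One pass per byte of the user name, exactly as the loop does it. */
static uint32_t compute_serial(const char *username)
{
    uint32_t serial = 0;                   /* and dword ptr [ebp-4], 0 */
    size_t len = strlen(username);         /* call ds:[00402008h] (strlen) */
    for (size_t i = 0; i < len; i++) {
        /* movsx ecx, byte ptr [edx+esi]: the byte is sign-extended to 32 bits */
        uint32_t cur = (uint32_t)(int32_t)(signed char)username[i];
        serial += cur;                              /* add [ebp-4], ecx      */
        serial = (serial << 1) | (serial >> 31);    /* rol dword ptr [ebp-4], 1 */
        serial = ((serial * cur) + cur) ^ cur;      /* imul / add / xor      */
    }
    return serial;
}

/* Returns 1 when the pair is accepted, 0 otherwise. An empty name
 * (jle 00401047h) or a computed serial of 0 (jnz 00401063h not taken)
 * goes to the message box and returns 0. */
static int check_serial(const char *username, uint32_t user_serial)
{
    uint32_t serial = compute_serial(username);
    if (serial == 0)                               /* cmp dword ptr [ebp-4], 0 */
        return 0;
    user_serial ^= 0x1337C0DEu;                    /* xor [ebp+0Ch], 01337C0DEh */
    user_serial -= 0xBADC0DE5u;                    /* sub [ebp+0Ch], 0BADC0DE5h */
    user_serial = ~user_serial;                    /* not [ebp+0Ch]             */
    /* xor eax,[ebp+0Ch] ; neg ; sbb ; inc  ==>  1 iff the two values are equal */
    return (serial ^ user_serial) == 0;
}

int main(void)
{
    /* constructed sample input for a stand-alone run */
    printf("compute_serial(\"A\")  = %08X\n", compute_serial("A"));
    printf("compute_serial(\"AB\") = %08X\n", compute_serial("AB"));
    printf("check_serial(\"A\", 0)  = %d\n", check_serial("A", 0u));
    printf("check_serial(\"\", 1)   = %d\n", check_serial("", 1u));
    return 0;
}
```

Running the re-implementation against the real binary on the same inputs is the check that the decompilation is right; any mismatch points at a misread instruction (the rotate and the sign extension are the usual suspects in this listing).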

6 So where’s the catch?
  - Low-level is, well, low level…
  - Needle in a haystack
    - Average opcode size: 3 bytes
    - Average executable size: 500KB (on WinXP)
    - There are executables, libraries, drivers…

7 So where’s the catch?
  - Low-level is, well, low level…
  - Needle in a haystack
  - Sometimes, the code resists
    - Packers and compressors
    - Obfuscators

8 So where’s the catch?
  - Low-level is, well, low level…
  - Needle in a haystack
  - Sometimes, the code resists
  - Sometimes, the code fights back
    - Detect reversing tools
    - Detect VMs and emulators

9 A Battle of Wits
  - Author writes code
  - Reverser reverses it
  - Author creates an anti-reversing technique
  - Reverser bypasses it
  - And so on…

10 So what do you need in order to be a good reverser?

11 We’ll come back to this…

12 Tools of the Trade
  - Disassembler (Static code analysis)
  - Debugger (Dynamic code analysis)
  - Hex Editor
  - PE Analyzer
  - Resource Editor

13 Disassemblers

14 The old world: Sourcer

15 The old world: Sourcer

16 Old ages: Sourcer

17 Old ages: Sourcer

18 Welcome to Windows: W32DASM

19 The Holy Grail: IDA-Pro
  - Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions.
  - Slowly evolved into an automatic RE tool:
    - Built-in full-control script language
    - Library recognition (including user-generated)
    - Function prototype information: display, and propagate throughout the code
    - Support for plug-ins
    - Support for Python scripting
    - Multi-architecture, cross-platform support
    - Full integration with built-in and external debuggers

20 Debuggers (Hebrew pun on the slide: a bug in the design means a pain in the debug)

21 First, there was DEBUG…

22 GUI and much more: Turbo Debugger

23 GUI and much more: Turbo Debugger

24 GUI and much more: Turbo Debugger

25 Next major step: Soft-ICE

26 And finally: OllyDbg

27 Other Tools

28 Hex-Editor

29 PE Analyzer

30 Resource Editor

31 Methodology

32 How do we do it?
  - Finding the interesting part
    - System calls (User mode and Kernel mode API)
    - Strings and constants
    - Dynamic loading of libraries
    - Provocation
    - Zoom-in and Zoom-out
  - Better and quicker (and how not to get stuck)
    - Iterative passes over the code
    - Leave no stone unturned
    - Macros/Scripts/Plugins
    - BinDiffing (manual and with tools)
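Two of the "finding the interesting part" heuristics, strings and known constants, are simple enough to show in code. The program below is an added example, not part of the lecture: it scans a byte buffer for printable ASCII runs (what a strings tool does) and for a 32-bit immediate stored little-endian (how one locates the code that uses a constant such as 1337C0DEh from slide 5). The buffer is constructed for the example; the two seven-byte sequences are my own encoding of the xor and sub instructions at 00401063 and 0040106A (opcode 81 with the /6 and /5 modrm forms for [ebp+0Ch]), and the helper names are mine.

```c
/* Added example (not from the slides): locating interesting code by
 * strings and by known constants in a raw byte buffer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a few code bytes, a message string, then the two
 * constant-bearing instructions from slide 5, then function epilogue. */
static const unsigned char sample[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xC0,                            /* push ebp; mov ebp,esp; xor eax,eax */
    'W','r','o','n','g',' ','s','e','r','i','a','l','!',0,   /* constructed message text */
    0x81, 0x75, 0x0C, 0xDE, 0xC0, 0x37, 0x13,                /* xor dword ptr [ebp+0Ch], 1337C0DEh  */
    0x81, 0x6D, 0x0C, 0xE5, 0x0D, 0xDC, 0xBA,                /* sub dword ptr [ebp+0Ch], 0BADC0DE5h */
    0x8B, 0x45, 0xFC,                                        /* mov eax, [ebp-4] */
    0xC9, 0xC3                                               /* leave ; retn */
};

/* Offset of the first little-endian occurrence of value, or -1 if absent.
 * Immediates in x86 code are little-endian, so 1337C0DEh appears as DE C0 37 13. */
static long find_u32le(const unsigned char *buf, size_t len, uint32_t value)
{
    unsigned char needle[4] = {
        (unsigned char)(value & 0xFF),         (unsigned char)((value >> 8) & 0xFF),
        (unsigned char)((value >> 16) & 0xFF), (unsigned char)((value >> 24) & 0xFF)
    };
    for (size_t i = 0; len >= 4 && i + 4 <= len; i++)
        if (memcmp(buf + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Copy every printable-ASCII run of at least minlen bytes into out[];
 * returns the number of strings found (at most max_out are stored). */
static size_t extract_strings(const unsigned char *buf, size_t len, size_t minlen,
                              char out[][64], size_t max_out)
{
    size_t count = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = (i < len) && buf[i] >= 0x20 && buf[i] <= 0x7E;
        if (printable) { run++; continue; }
        if (run >= minlen && count < max_out) {   /* run ended: keep it if long enough */
            size_t n = run < 63 ? run : 63;
            memcpy(out[count], buf + i - run, n);
            out[count][n] = '\0';
            count++;
        }
        run = 0;
    }
    return count;
}

/* Convenience wrapper: does the sample buffer contain this exact string? */
static int sample_has_string(const char *s)
{
    char found[8][64];
    size_t n = extract_strings(sample, sizeof sample, 5, found, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(found[i], s) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char found[8][64];
    size_t n = extract_strings(sample, sizeof sample, 5, found, 8);
    for (size_t i = 0; i < n; i++)
        printf("string @ ?: \"%s\"\n", found[i]);
    printf("1337C0DEh  at offset %ld\n", find_u32le(sample, sizeof sample, 0x1337C0DEu));
    printf("BADC0DE5h  at offset %ld\n", find_u32le(sample, sizeof sample, 0xBADC0DE5u));
    return 0;
}
```

In a real target the offset returned by find_u32le is the immediate, not the instruction start; subtract the opcode and modrm bytes (three here) to land on the instruction, then work outwards from there. Note that a packed or obfuscated binary (slide 7) defeats both heuristics until the code has been unpacked in memory.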

33 Let’s play with them tools…

34 60 seconds on x86 registers
  - General purpose registers: 32bit/16bit/8bit
  - Index registers: 32bit/16bit
  - Segment registers: 16bit
  - Flags: 32bit/16bit

35 Exercise 1: Static Reversing

36 Exercise 1: Static Reversing
  - Target: a 2004 “Crack-Me”
  - Tools: IDA-Pro

37 Exercise 2: Dynamic Reversing

38 Exercise 2: Dynamic Reversing
  - Target: a 2004 “Crack-Me”
  - Tools: OllyDbg, IDA-Pro

39 Exercise 3: Simple Anti-Debugging

40 Exercise 3: Simple Anti-Debugging
  - Target: a 2006 “Crack-Me”
  - Tools: OllyDbg

41 Reversing Malware
  - Malware consists of the following building blocks:
    - Infection Vector
    - Concealment
    - Operation
    - Communications
  - Check Point’s Anti-Malware Software Blade sits at the gateway
  - Therefore, communications interest us the most

42 Introducing: Spy Eye
  - A CrimeWare ToolKit, originating in Russia.
  - Used mostly for stealing financial information, but will settle for any other identity information and key logging…
  - Like any serious trojan, Spy Eye compresses its traffic and encrypts it
    - Compression is performed using a public library (LZO)
    - Encryption algorithm is proprietary

43 Act 1: Encryption

44 Act 2: Configuration Download

45 Act 3: Another Encryption

46 So what do you need in order to be a good reverser?

47 What makes a good reverser?
  Qualities:
  - Patient
  - Curious
  - Persistent
  - Outside-the-Box Thinking
  - Optional: Good lookin’
  Knowledge:
  - Assembly Language
  - Some High-Level programming (best: the origin language of the binary)
  - Operating System Internals
  - API
  - Data Structures
  - File Structures
  - Good scripting skills
  - Anti-Debugging Tricks

48 Outside-the-Box Thinking

49 And remember, kids: Binary + Reverse Engineer = ?

50 Which means… F A I L

51 Questions?

52 Check your Opportunities
  We are looking for:
  - Excellent Computer Science/Software Engineering students for a variety of developing positions
  - Talented software developers
  - Security & Malware researchers
  To learn more about our openings please check our website: www.checkpoint.com

53 Thank you! inbarr@checkpoint.com
