Introduction to Reverse Engineering

Presentation on theme: "Introduction to Reverse Engineering"— Presentation transcript:

1 Introduction to Reverse Engineering
Spring 2016 – (SC)2

3 What is Reverse Engineering?
Reverse Engineering is the process of extracting knowledge or design information from anything man-made ... and analyzing its components and workings in detail (Wikipedia)

Uses:
- Debugging
- Creating interoperability
- Malware analysis
- Security analysis
- "Cracking"
- Espionage

Things that get reverse engineered:
- Software (binary/code)
- File types
- Communications
- Circuitry
- Mechanical components
- Documentation

4 Binary Reverse Engineering
Given a compiled code sample and a debugger, can you determine an input string that:
- Causes a program crash?
- Defeats the security protections?
- Wins the game?
- Opens the door?

6 What is a Binary
Binary is the 1s and 0s. When we say "a binary" we are referring to a compiled program or raw data (of an unknown format); it is easiest rendered as hex/ASCII.

A program binary can be:
- Read as machine code
- Disassembled into ASM
- Decompiled into a high-level language
  - Very roughly into C
  - C# code can usually be reproduced
  - Java can usually be decompiled
- Decompiled code is usually harder to use than the ASM

7 What Does Compiling Do (C code)
- Step 0 – Pre-processing: #include / #if / #define
- Step 1 – Abstract Syntax Tree (AST) generation: this allows the compiler to "understand" the code and optimize it; an optimization is guaranteed to perform the same operation, only faster or more efficiently
- Step 2 – Generate assembly code (ASM): convert the optimized AST into assembly code
- Step 3 – Assemble the ASM into an object file (binary): a 1-to-1 translation of ASM to machine code, with extra headers
- Step 4 – Link the object files into a Portable Executable (PE): this is the executable

8 What Does Compiling Do cont. (C code)
Each step can be done independently (except step 1):
- Step 0, precompile:   gcc -E test.c -o test.i
- Step 2, compile to ASM:   gcc -S test.i -o test.s
- Step 3, assemble ASM to object (machine code):   gcc -c test.s -o test.o
- Step 4, link object to PE:   gcc test.o -o test

9 What Does Compiling Do cont. (C code)
[Figure: test.c, test.s and test.o shown side by side]

10 What Does Compiling Do cont. (C code)
Command sequence shown on the slide: $ radare2 test aa sys.main V p o main
[Figure: Radare2 disassembly of the main function in the final binary]

11 What Does Compiling Do cont. (C code)
[Figure: Radare2 disassembly of the main function in the final binary, annotated with the function offset and the function name]

12 What Does Compiling Do cont. (C code)
[Figure: Radare2 disassembly of the main function in the final binary, annotated with the offset, machine code and disassembly columns]

13 What Does Compiling Do cont. (C code)
[Figure: Radare2 disassembly of the main function in the final binary, annotated with a guessed symbol name and a syscall symbol name]

14 Structure of a Binary A Portable Executable (PE) contains:
- TEXT segment: contains the machine code; this is what is disassembled
- DATA segment: contains static data (ex. strings, libraries, and function names)
- BSS segment: contains unallocated data
- All of this is loaded into RAM on program startup at the Offset
- A stack is allocated somewhere in memory for use at runtime
- The rest of the memory can be used arbitrarily by the program
- Multiple TEXT segments are allowed for libraries (ex. printf may get its own)
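Added example, not from the slides: a small Python parser that walks the headers of a PE and lists its sections, run against a minimal PE32+ image constructed in the same block (the sample bytes, the section sizes and the 0x140000000 image base are made up for illustration; the header layouts and the IMAGE_SCN_* flag values are from the PE/COFF specification). It shows what the slide's TEXT/DATA/BSS description looks like on disk: .bss has a virtual size but a raw size of 0, so it occupies memory at load time without taking any file bytes, and each section's load address is the image base plus its relative virtual address. writable_and_executable() is the kind of triage check an analyst adds while looking at an unknown binary: a section mapped both writable and executable is unusual for ordinary compiler output and worth a closer look. Note that gcc on Linux emits an ELF file rather than a PE; the same kinds of sections exist, but the header layout differs, so this parser applies to Windows binaries.

```python
import struct

# Section characteristic bits defined by the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PE32PLUS_MAGIC = 0x20B
COFF_HEADER = "<HHIIIHH"            # Machine, NumberOfSections, TimeDateStamp, ...
SECTION_HEADER = "<8sIIIIIIHHI"     # Name, VirtualSize, VirtualAddress, SizeOfRawData, ...


def build_sample_pe():
    """Construct a minimal PE32+ image (a made-up sample, not a real compiled binary).

    Only the headers are populated: DOS stub, PE signature, COFF header, an
    optional header carrying the entry point and image base, and three sections.
    """
    sections = [
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b".text", 0x0200, 0x1000, 0x0200, 0x0200,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x0100, 0x2000, 0x0200, 0x0400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        # .bss occupies memory at load time but no bytes in the file.
        (b".bss", 0x0400, 0x3000, 0x0000, 0x0000,
         IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew: file offset of "PE\0\0"

    opt_size = 0x70                                  # PE32+ optional header, no data directories
    coff = struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint (an RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase (made-up value)

    table = b"".join(struct.pack(SECTION_HEADER, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Walk the headers and return the entry point plus one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER)
    magic, = struct.unpack_from("<H", data, opt_off)
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)
    if magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", data, opt_off + 24)
    else:                                            # PE32: BaseOfData sits at +24, ImageBase at +28
        image_base, = struct.unpack_from("<I", data, opt_off + 28)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vs, va, rs, rp, _, _, _, _, fl = struct.unpack_from(
            SECTION_HEADER, data, sect_off + i * struct.calcsize(SECTION_HEADER))
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "load_address": image_base + va,         # where the loader maps the section
            "virtual_size": vs,
            "raw_size": rs,                          # bytes actually present in the file
            "raw_offset": rp,
            "executable": bool(fl & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(fl & IMAGE_SCN_MEM_WRITE),
            "uninitialized": bool(fl & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        })
    return {"machine": machine, "image_base": image_base,
            "entry_point": image_base + entry_rva, "sections": sections}


def writable_and_executable(parsed):
    """Names of sections mapped both writable and executable: a red flag worth triage."""
    return [s["name"] for s in parsed["sections"] if s["executable"] and s["writable"]]


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"entry point: {info['entry_point']:#x}")
    for s in info["sections"]:
        print(f"{s['name']:<6} load={s['load_address']:#x} vsize={s['virtual_size']:#x} "
              f"raw={s['raw_size']:#x} X={s['executable']} W={s['writable']}")
    print("W+X sections:", writable_and_executable(info))
```

To try it on a real file, replace build_sample_pe() with open(path, "rb").read(); the parser only touches the headers, so it is safe to run on untrusted samples, but it deliberately does not follow data directories (imports, relocations), which is where a fuller tool such as pefile continues.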

15 Reverse Engineering a Virtual Door

16 Introducing MicroCorruption
- Reverse engineering CTF with a full disassembler and debugger
- Play in your browser (Firefox or Chrome)
- Reverse engineer the program for each level to open the door
- Gets progressively harder
- Uses a real-world microprocessor, the MSP430: 16 16-bit registers, a 16-bit memory space, 27 instructions

17 Types of Registers
- General purpose registers: R1, R2, ..., R15
- Stack pointer: SP
- Instruction pointer: IP
- Status/flags: SR
- Constant generator: CG
- Flags: (Z)ero, (C)arry, (N)egative

18 ASM OP Types
Binary – OPERATION SRC, DST
- MOV – move contents of SRC to DST
- ADD – add SRC to DST and store in DST
- CMP – compare SRC and DST, store results in SR

Unary – OPERATION DST
- INC – increment DST by one
- DEC – decrement DST by one
- TST – compare DST with 0, store result in SR

Other operations:
- SUB is defined as ADD of the negative (2s complement)
- BIT = NAND
- BIS = OR
- XOR
- AND
- RRA/RRC – rotate right arithmetic/carry
- SXT – sign extension
- SWPB – swap bytes (high <-> low)
- Suffix: .B for byte-wise operation

19 ASM OP Types
Jumps – OPERATION DST
- JMP – unconditional jump to DST
- JEQ – jump to DST if the Zero flag is set (CMP was equal, TST was zero)
- JNZ – jump to DST if the Zero flag is NOT set (opposite of JEQ)

Stack modification – OPERATION VALUE
- PUSH – pushes VALUE onto the stack
- POP – pops a value off of the stack into VALUE

Function calling
- CALL – jump to DST and push the current IP onto the stack; aka function call
- RET – pop IP off the stack; aka return (no DST)

Aliases and other jumps
- JEQ == JZ
- JNZ == JNE
- JNC/JLO – no carry / lower
- JC/JHS – carry / higher or same
- JN – negative
- JGE – greater or equal
- JL – less
- RETI – Return x bytes

20 ASM Value Types
- Numeric constant: mov #0x1234, r1 (moves the constant into r1)
- Pointer constant: mov r1, &0x1234 (moves r1 into memory location 0x1234)
- Register: mov r1, r2 (moves r1 into r2)
- Pointer from register: mov @r1, r2 (moves the memory location pointed to by r1 into r2)
- Pointer from register with offset: mov r2, 0x1234(r1) (moves r2 into the memory location pointed to by r1 + 0x1234)
Note: negative constants can be represented two ways; in 2s complement: #0xFFFF === #-0x1

21 Playing the Game
Goal: Open the Door
- Step through the execution
- Understand how it verifies the password
- Create a password that passes the verification

Use the debugger (basic)
- Type “help” for a list of commands
- Use “s” to step through the program one instruction at a time
- See changes in memory below or registers on the right
- Use “b” or click in the disassembly window to create a breakpoint
- Use “c” to continue through the program until a breakpoint
- Use “n” to step over function calls; use “f” to step out of function calls
Hint: Set a breakpoint at <main> and use “continue” to skip to the start of the program

22 Set a breakpoint on main; show the rough program structure via the “next” command
- Demonstrate where the decision in “main” is made to open or lock the door
- Set a breakpoint at “call check_password”
- Demonstrate that r15 is “pointing” to the input string
- Show CMP #9, r12; set a breakpoint there to read r12
- Determine how to modify r12: see the code above the CMP, which is counting the bytes of input
- Create the 9-byte string; show that r12 is 0xa (10) because of the NULL byte
- Change to an 8-byte string, win!

23 MSP430 vs x86
- The MSP430 is much simpler than Intel or AMD desktop CPUs
- The x86 registers are 32/64 bit (special purpose up to 256 bit)
- The instruction set is vastly larger
- Modern OSes (Windows, Linux, OSX) use a complex stack/heap memory architecture
  - Supports static memory (stack/BSS segment)
  - And dynamic memory (aka heap, used by malloc/new)
- Many different ways to call methods: fastcall, stdcall, syscall, safecall, interrupts, etc.
  - Each has a well-defined stack frame mechanism

24 Microcorruption and Beyond
- The challenges on Microcorruption are great but ramp up quickly
- Many require learning about more complex attacks than simply stepping through the code:
  - Buffer overflows
  - Stack smashing
  - Return pointers
  - ROP chains
- The manual PDF document is very incomplete. Remember that the simulated microprocessor is real and has very real documentation. Most of it works as expected in the game.

25 Other Games / Resources
- Smash the Stack IO: one of the best out there for reverse engineering and exploit dev
- Over The Wire: many wargames to play with reverse engineering, stack smashing, exploit dev, Linux usage, networking, crypto, C code
- Crackmes.de: old-school cracking site
- Smashing the Stack for Fun and Profit: the original Phrack article
- Open Security Training
- Corelan Team tutorials
- CTF Field Guide

