Intro Reverse Engineering
~ intropy ~
Intro
Proprietary formats
Interoperability
SMB on UNIX
Word-compatible editors
Virus research
The disassembler parses the file format and the code sections it references
Good disassemblers do deep recursive analysis to ensure proper
instruction disassembly
Allows the user to look at what code will do without
actually running it
Lacks the convenience of live disassembly/debugging, such as
Viewing registers
Inspecting the contents of memory
File Formats
Executable Contents
Machine code
Program data
Static variables
Strings
Loader data
Imports
Exports
Sections
Allows the loader to find various information
Not a fixed set; executables can have user-defined
sections
Executable Formats
ELF Executable and Linkable Format
History
Originally published by UNIX System Laboratories as a dynamic,
linkable format to be used on various UNIX platforms
Dissection
Header
Sections
ELF Header
e_ident
ELF Sections
Each section of an ELF executable contains various information
needed to execute
.bss - This section holds uninitialized data that contributes to the program's
memory image; the section occupies no file space.
.plt - This section holds the procedure linkage table.
.relNAME - This section holds relocation information. By convention, ``NAME'' is
supplied by the section to which the relocations apply. Thus a relocation
section for .text normally would have the name .rel.text
.rodata - This section holds read-only data that typically contributes to a nonwritable segment in the process image.
.rodata1 - This section holds read-only data that typically contributes to a nonwritable segment in the process image.
.shstrtab - This section holds section names.
.strtab - This section holds strings, most commonly the strings that represent the
names associated with symbol table entries.
.symtab - This section holds a symbol table. If the file has a loadable segment that
includes the symbol table, the section's attributes will include the
SHF_ALLOC bit. Otherwise the bit will be off.
.text - This section holds the ``text'', or executable instructions, of a program.
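As an added example, not from the original slides: a Python script that constructs a minimal ELF64 image in memory, then reads e_ident and the ELF header and walks the section header table, resolving names through .shstrtab and reporting the SHF_ALLOC and SHT_NOBITS attributes described above. Every value in the sample image (addresses, sizes, section list) is constructed for the example.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHF_ALLOC = 0x2                       # section occupies memory during execution
SHT_NOBITS = 8                        # section takes no file space (e.g. .bss)
EHDR_FMT = "<HHIQQQI" + "H" * 6       # Elf64_Ehdr after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"              # Elf64_Shdr

def build_sample_elf():
    """Constructed ELF64 little-endian image: header + 5 section headers, no code."""
    shstrtab = b"\0.text\0.bss\0.symtab\0.shstrtab\0"   # offset 0 is the empty name
    nm = {".text": 1, ".bss": 7, ".symtab": 12, ".shstrtab": 20}
    shoff = (64 + len(shstrtab) + 7) & ~7               # section table, 8-byte aligned
    # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, link, info, align, entsize)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                  # SHT_NULL
        (nm[".text"], 1, 0x6, 0x401000, 0, 0, 0, 0, 16, 0),               # PROGBITS, ALLOC|EXEC
        (nm[".bss"], SHT_NOBITS, 0x3, 0x402000, 0, 0x40, 0, 0, 8, 0),     # NOBITS, WRITE|ALLOC
        (nm[".symtab"], 2, 0, 0, 0, 0, 0, 0, 8, 24),                      # SYMTAB, not loaded
        (nm[".shstrtab"], 3, 0, 0, 64, len(shstrtab), 0, 0, 1, 0),        # STRTAB at offset 64
    ]
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8    # ELFCLASS64, LSB, version 1
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 0x3E, 1, 0x401000, 0, shoff,
                                 0, 64, 0, 0, 64, len(shdrs), 4)   # ET_EXEC, EM_X86_64
    image = bytearray(ehdr + shstrtab) + b"\0" * (shoff - 64 - len(shstrtab))
    for s in shdrs:
        image += struct.pack(SHDR_FMT, *s)
    return bytes(image)

def parse_elf(data):
    """Check e_ident, read the ELF header, then walk the section header table."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS, EI_DATA
        raise ValueError("example handles only ELF64 little-endian")
    (_type, machine, _ver, entry, _phoff, shoff, _flags, _ehsize, _phentsz,
     _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    raw = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = raw[shstrndx][4]                 # file offset of .shstrtab
    def name(idx):
        return data[strtab + idx:data.index(b"\0", strtab + idx)].decode()
    sections = [{"name": name(s[0]), "type": s[1], "size": s[5],
                 "alloc": bool(s[2] & SHF_ALLOC), "nobits": s[1] == SHT_NOBITS}
                for s in raw]
    return {"machine": machine, "entry": entry, "sections": sections}
```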
PE Portable Executable
History
Microsoft migrated to the PE format with the introduction of the Windows NT 3.1
operating system. It is based on a modified form of the UNIX COFF format
What uses PE
Windows NT
Windows 2000
Windows XP
Windows 2003
Windows CE
Dissection
DOS Stub
The DOS stub contains a message that the executable will not run in DOS mode
Sections
Optional Header
SizeOfCode - Size of the code (text) section, or the sum of all code sections
if there are multiple sections
AddressOfEntryPoint - Address of the entry function from which execution starts
BaseOfCode - RVA of the start of the code relative to the base address
BaseOfData - RVA of the start of the data relative to the base address
SectionAlignment - Alignment of sections when loaded into memory
FileAlignment - Alignment of sections on disk
SizeOfImage - Size, in bytes, of the image, including all headers; must be a
multiple of SectionAlignment
SizeOfHeaders - Combined size of the MS-DOS stub, PE header, and section
headers, rounded up to a multiple of FileAlignment
NumberOfRvaAndSizes - Number of data-directory entries in the remainder of the
Optional Header. Each describes a location and size
Sections
The sections in a PE file contain the various pieces of the
executable needed to run, including various RVAs and offsets
.text Contains all executable code
.idata Contains imported data such as DLL addresses
.edata Contains any exported data
.data Contains initialized data like global variables and string
literals
.bss Contains uninitialized data
.rsrc Contains all module resources
.reloc Contains relocation data for the OS loader
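An added example (not part of the original slides) that constructs a minimal PE32 image, then walks the DOS stub, the PE signature, the COFF header, the Optional Header fields listed above and the section table, and checks the alignment rules for SizeOfImage and SizeOfHeaders. The sample bytes and the size_of_image parameter are constructed for the example.

```python
import struct

COFF_FMT = "<HHIIIHH"                                             # IMAGE_FILE_HEADER
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # PE32 Optional Header
SECT_FMT = "<8sIIIIIIHHI"                                         # IMAGE_SECTION_HEADER
OPT_NAMES = {0: "Magic", 3: "SizeOfCode", 6: "AddressOfEntryPoint", 7: "BaseOfCode",   # index in
             8: "BaseOfData", 10: "SectionAlignment", 11: "FileAlignment",              # OPT_FMT
             19: "SizeOfImage", 20: "SizeOfHeaders", 29: "NumberOfRvaAndSizes"}

def build_sample_pe(size_of_image=0x2000):
    """Constructed PE32 image: DOS header + stub, PE signature, COFF header,
    Optional Header with 16 empty data directories and one .text section header."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    e_lfanew = (64 + len(stub) + 7) & ~7                   # PE header 8-byte aligned
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> "PE\0\0"
    image = dos + stub + b"\0" * (e_lfanew - 64 - len(stub)) + b"PE\0\0"
    image += struct.pack(COFF_FMT, 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, EXE
    image += struct.pack(OPT_FMT, 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000,
                         0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, size_of_image,
                         0x400, 0, 3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    image += b"\0" * 128                                   # 16 empty data directories
    image += struct.pack(SECT_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(image)

def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> Optional Header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    vals = struct.unpack_from(OPT_FMT, data, coff + 20)
    hdr = {name: vals[i] for i, name in OPT_NAMES.items()}
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsz, rawptr, *_, flags = struct.unpack_from(
            SECT_FMT, data, coff + 20 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rawsz, "raw_ptr": rawptr, "flags": flags})
    # Loader invariants from the slides; a violation points at a hand-crafted or damaged header.
    problems = [f"{f} not a multiple of {a}" for f, a in
                (("SizeOfImage", "SectionAlignment"), ("SizeOfHeaders", "FileAlignment"))
                if hdr[f] % hdr[a]]
    aep = hdr["AddressOfEntryPoint"]
    if not any(s["va"] <= aep < s["va"] + max(s["vsize"], s["raw_size"]) for s in sections):
        problems.append("AddressOfEntryPoint outside every section")
    return {"machine": machine, "header": hdr, "sections": sections, "problems": problems}
```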
Data Formats
Different from executable formats
Doesn't usually contain machine code
Has structure, but not always defined sections
Assembly Language
What is it
Lowest level of programming (besides
microcode)
Direct processor register access utilizing
architecture defined instructions
Output of most compilers
How is it used
Directly using an assembler
NASM
ml
as
PA-RISC
copy %r14,%r25
ARM
LDR r0,[r8]
Instruction Sets
The mnemonics for the opcodes handled by
the processor
Minimal set of commands that achieve a
programming goal
Multibyte instructions
Multiple synonymous opcodes
16 registers
Vendors
Intel (IA-32)
DEC [PDP-11]
Motorola (m68K)
Overview
Purpose
Registers are used to store temporary data
Pointers
Computations
Stack Layout
The stack is dynamic and grows as the program runs
It starts at a higher address and grows toward
lower addresses
The stack is generally allocated in 4-byte chunks
Register sizes
Register sizes depend on the supported
architecture
32 bit
64 bit
IA32
16 registers 32 bits (4 bytes) each
RISC
32 general purpose registers 64 bits [8 bytes]
each
IA32 Registers
EBP Stack frame base pointer
Points to the start of the function's stack frame
ESP Stack pointer
Points to the current (top) location on the stack
EIP Instruction pointer
Points to the next instruction to execute
Segment registers
EFLAGS
CF Carry Flag
SF Sign Flag
ZF Zero Flag
Calling conventions
Calling conventions define how the caller's data is arranged on the stack
cdecl
fastcall
stdcall
Higher performance
First two parameters are passed over registers
Common in Windows
Parameters are received in reverse order
Function unwinds stack
ret 0x16
Example
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP+C], 111
JNZ 00401054
OllyDbg
Overview
Purpose
OllyDbg is a general-purpose Win32 user-land debugger.
Its great strengths are an intuitive UI and a powerful
disassembler
Licensing
OllyDbg is free (shareware), however it is not open source
and the source code is not available
Extensibility
OllyDbg has defined a plugin architecture allowing
extensibility via powerful plugins
Window Layouts
Window layouts are the various parts of the UI
that contain pertinent information
Code window Displays the executable machine
code
Register window Allows the user to watch the
contents of each register during execution
Memory window Allows the user to view the
contents of various memory locations
Stack window Displays the stack, including
memory addresses and values
Working in OllyDbg
Navigation
Moving
Searching
Commenting
Listing Names
Showing Memory
Hardware breakpoints
There are several ways you can proceed from the entry point
Single stepping
Executes one instruction at a time and can be achieved by hitting F7
Steps into every function
Tedious as fuck
Stack
Handled in the stack window
Display can show absolute addresses or addresses relative to EBP
Call stack
Displays the functions from which the current function has been
called
Can be displayed with the shortcut Alt + K
Patching
Allows us to modify the executable assembly code
and save it to a new file with the changes
OllyDbg Plugins
OllyDbg provides a downloadable PDK for
plugin development
Several plugins exist that provide extra
usability
Heap Vis
Breakpoint manager
Ollyscript
IDA Pro
Overview
IDA Pro was originally designed as a powerful
disassembler
Supports 30+ processors
It has since been broadened to include a built in
debugger
Designed for reverse engineers with quickness and
robustness in mind
This sometimes makes the learning curve steep
Window Layouts
Customizing window layouts
Each saved session will store any customized
layouts
A default layout can also be saved
Customized layouts are provided to help the user
with workflow and can consist of any combination
or number of windows
Navigation
Shortcuts
Jumping
IDA allows the user to jump to various parts of a binary file easily
Some of the jumps
Markers
Markers can be used to tag locations in the binary for future reference
Markers are set with Alt + M and given a name
Jumping to a marker is easily achieved with Ctrl + M
Editing
Comments
Comments allow you to organize and document important
parts of the binary
Comments can be entered using the shortcut keys ; or :
Windows
IDA View
Hex View
Names
Strings
Imports
Functions
Graphing
IDA Pro has a powerful graphing engine that
allows a user to visualize call graphs and
xrefs
Flow chart graphs display the current functions
machine code and any branches
Function call graph will display the call flow of all
the functions in the executable (Can be large)
Xref graphs display the to and from xrefs with
machine code
SDK/Plugins
The SDK allows the user to develop plugins for use in IDA Pro
Plugins are generally written in C/C++ and compiled against
the SDK libraries and headers
With the SDK you can write
processor modules
input processing modules
plugin modules
Flirt
Fast Library Identification and Recognition
Technology
Flirt is a means for IDA Pro to identify imported
functions and compilers by matching against
a database of known signatures
This greatly speeds up analysis by
automatically naming discovered functions
Only works with C/C++ functions
IDC Scripting
The IDC scripting engine lets the user automate
small tasks
IDC resembles C and has many helpful built-in
functions, for example
PatchByte
Comment
FindCode
Decompiling
Overview
Decompiling is different from disassembling in that it
tries to reconstruct machine code into readable (and
ultimately compilable) source code
Native compiled code is difficult to reconstruct because of
the compiler's behavior when optimizing the produced
code
Readable code is much easier to obtain from virtual machine
code because of its nature: it must be compiled into an
intermediate language carrying all the information the
target platform may need to run it
.Net
Java
.Net
.Net is compiled down into MSIL (Microsoft
intermediate language) and is a good
example of decompiling
.Net must provide the operating system with a
wealth of information including symbol
names, and data structures
Native code
Native code is source that has been
compiled down into machine language
Often, because of optimization, a
compiler inadvertently obfuscates the higher-
level source code
Decompiling is not quite to the point of
producing a good representation of the
original source code
Decompilers
.Net
ILDasm
Remotesoft Salamander
Reflector for .Net
Java
JODE
JAD (Disappeared)
Native
Boomerang
Decompilation Demo
Thanks fend3r!
Conclusion
Reverse engineering is a vast and complex
world
With a lot of practice though it becomes much
easier
A good reverser knows their tools inside and
out
Workflow and organization are the keys to
reversing
Shirt Quiz
References
Reversing - http://www.wiley.com/WileyCDA/WileyTitle/productCd0764574817.html
ELF File format - http://www.skyfree.org/linux/references/ELF_Format.pdf
PE File Format - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndebug/html/msdn_peeringpe.asp
http://lsd-pl.net/references.html
OllyDbg - http://ollydbg.de/
OllyDbg Plugins - http://ollydbg.win32asmcommunity.net/stuph/
IDA Pro - http://www.datarescue.com/
IDC - http://www.datarescue.com/idadoc/707.htm
IDA Plugins - http://home.arcor.de/idapalace/
Reflector - http://www.aisto.com/roeder/dotnet/
JODE - http://jode.sourceforge.net/
Boomerang - http://boomerang.sourceforge.net/
Crackmes.de - http://www.crackmes.de/
Fucking done.
Questions?