Introduction to Reverse Engineering
Inbar Raz
Malware Research Lab Manager
December 2011
©2011 Check Point Software Technologies Ltd.
[PROTECTED] — All rights reserved.
What is Reverse Engineering?
Reverse engineering is the process of
discovering the technological principles of a
device, object, or system through analysis of
its structure, function, and operation.
aka: Reversing, RE, SRE
Why do it?
Discover trade secrets
Find vulnerabilities
Academic research (yeah, right…)
Circumvent [copy] protection
Patch binary and alter behavior
Analyse protocols
Pure curiosity
Sounds awesome, right?
So where’s the catch?
Low-level is, well, low level…

Disassembly of the serial-check loop:

    00401000  push    ebp
    00401001  mov     ebp, esp
    00401003  push    ecx
    00401004  push    ecx
    00401005  and     dword ptr [ebp-4], 0        ; Serial = 0
    00401009  push    esi
    0040100A  mov     esi, [ebp+8]                ; esi = UserName
    0040100D  push    edi
    0040100E  push    esi
    0040100F  call    ds:[00402008h]              ; strlen(UserName)
    00401015  mov     edi, eax                    ; edi = length
    00401017  xor     edx, edx                    ; i = 0
    00401019  test    edi, edi
    0040101B  jle     00401047h                   ; empty name: skip loop
    0040101D  movsx   ecx, byte ptr [edx+esi]     ; CurChar (sign-extended)
    00401021  add     [ebp-4], ecx                ; Serial += CurChar
    00401024  mov     [ebp-8], ecx
    00401027  rol     dword ptr [ebp-4], 1        ; Serial = rotate-left(Serial, 1)
    0040102A  mov     eax, ecx
    0040102C  imul    eax, [ebp-4]                ; Serial * CurChar
    00401030  mov     [ebp-4], eax
    00401033  mov     eax, [ebp-8]
    00401036  add     [ebp-4], eax                ; + CurChar
    00401039  xor     [ebp-4], ecx                ; ^ CurChar
    0040103C  inc     edx                         ; i++
    0040103D  cmp     edx, edi
    0040103F  jl      0040101Dh                   ; loop while i < length

The same logic in C (the shift-and-mask pair is the compiler's rol; the slide wrote the
operators as && and ||, which are logical operators, so the bitwise & and | that the
rol instruction actually implements are used here):

    for (Serial = 0, i = 0; i < strlen(UserName); i++)
    {
        CurChar = (int) UserName[i];
        Serial += CurChar;
        Serial = (((Serial << 1) & 0xFFFFFFFE) | ((Serial >> 31) & 1));
        Serial = (((Serial * CurChar) + CurChar) ^ CurChar);
    }
    /* the operator between the two constants is missing on the slide */
    UserSerial = ~((UserSerial ^ 0x1337C0DE) ... 0xBADC0DE5);
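The loop above, re-implemented in C as an added example (not code from the slides): it follows the disassembly instruction by instruction, keeps the sign-extending movsx behaviour for bytes above 0x7F, and spells out the two-shift form that the compiler folded into rol. The final UserSerial step is left out because the operator between its two constants is lost on the page; crackme_serial and rol1 are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotate-left-by-one written exactly as the slide's C reconstruction spells
 * it out: this masked-shift pair is what the compiler emitted as
 * "rol dword ptr [ebp-4], 1" at 00401027. */
static uint32_t rol1(uint32_t x)
{
    return ((x << 1) & 0xFFFFFFFEu) | ((x >> 31) & 1u);
}

/* Re-implementation of the loop at 0040100D..0040103F.
 * Register map: edx = i, edi = strlen(UserName),
 * [ebp-4] = Serial, [ebp-8] = CurChar. */
uint32_t crackme_serial(const char *user_name)
{
    uint32_t serial = 0;                 /* and dword ptr [ebp-4], 0  */
    size_t len = strlen(user_name);      /* call ds:[00402008h] -> edi */

    /* test edi, edi / jle: an empty name never enters the loop. */
    for (size_t i = 0; i < len; i++) {
        /* movsx ecx, byte ptr [edx+esi]: the byte is sign-extended, so
         * bytes >= 0x80 become negative, exactly as the binary does. */
        int32_t cur_char = (int32_t)(int8_t)user_name[i];
        uint32_t c = (uint32_t)cur_char;

        serial += c;                     /* add  [ebp-4], ecx          */
        serial = rol1(serial);           /* rol  dword ptr [ebp-4], 1  */
        serial = ((serial * c) + c) ^ c; /* imul / add / xor           */
    }
    return serial;
}

int main(void)
{
    /* Constructed sample input, not taken from the crack-me. */
    printf("serial(\"AB\") = 0x%08X\n", crackme_serial("AB"));
    return 0;
}
```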
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack
– Average opcode size: 3 bytes
– Average executable size: 500KB (on WinXP)
– There are executables, libraries, drivers….
Sometimes, the code resists
– Packers and compressors
– Obfuscators
Sometimes, the code fights back
– Detect reversing tools
– Detect VMs and emulators
A Battle of Wits
Video clip: The Battle of Wits, “The Princess Bride”
A Battle of Wits
Author writes code
Reverser reverses it
Author creates an anti-reversing technique
Reverser bypasses it
And so on…
So what do you need in order to be a good reverser?
We’ll come back to this…
Tools of the Trade
Debugger (Dynamic code analysis)
Disassembler (Static code analysis)
Hex Editor
PE Analyzer
Resource Editor
and more…
Debuggers
A bug in the design means the debugging is screwed (Hebrew rhyme).
First, there was DEBUG…
GUI and much more: Turbo Debugger
Next major step: Soft-ICE
And finally: OllyDbg
Disassemblers
The old world: Sourcer
Old ages: Sourcer
Welcome to Windows: W32DASM
The Holy Grail: IDA-Pro
Started as an Interactive Dis-Assembler, letting the user override the disassembler’s decisions.
Slowly evolved into an automatic RE tool:
– Built-in full-control script language
– Library recognition (including user-generated signatures)
– Function prototype information
    – Displayed at the call site
    – Propagated throughout the code
– Support for plug-ins
– Support for Python scripting
– Multi-architecture, cross-platform support
– Full integration with built-in and external debuggers
Hex-Editor
PE Analyzer
Resource Editor
Let’s play with them tools…
60 seconds on x86 registers
General purpose registers: 32bit/16bit/8bit
Index registers: 32bit/16bit
Segment registers: 16bit
Flags: 32bit/16bit
Exercise 1: Static Reversing
Exercise 1: Static Reversing
Target: a 2004 “Crack-Me”
Tools: IDA-Pro
Exercise 2: Dynamic Reversing
Exercise 2: Dynamic Reversing
Target: a 2004 “Crack-Me”
Tools: OllyDbg, IDA-Pro
Exercise 3: Simple Anti-Debugging
Exercise 3: Simple Anti-Debugging
Target: a 2006 “Crack-Me”
Tools: OllyDbg
Reversing Malware
Malware consists of the following building blocks:
– Infection Vector
– Concealment
– Operation
– Communications
Check Point’s Anti-Malware Software Blade sits at the gateway
Therefore, communications interest us the most
Introducing: Spy Eye
A crimeware toolkit, originating in Russia.
Used mostly for stealing financial information, but will settle for any other identity information and key logging…
Like any serious trojan, Spy Eye compresses its traffic and then encrypts it
– Compression is performed using a public library (LZO)
– The encryption algorithm is proprietary
Act 1: Encryption
Act 2: Configuration Download
Act 3: Another Encryption
So what do you need in order to be a good reverser?
What makes a good reverser?
Qualities:
• Patient
• Curious
• Persistent
• Outside-the-Box Thinking
• Good scripting skills
• Optional: Good lookin’

Knowledge:
• Assembly Language
• Some High-Level programming (best: the language the binary was written in)
• Operating System Internals
• API
• Data Structures
• File Structures
• Anti-Debugging Tricks
Outside-the-Box Thinking
And remember, kids:
Binary + Reverse Engineer = ?
Which means…
Questions?
Thank you!
[email protected]
Credits
All images and videos have their origin URL in the “Alt Text” property.
All rights belong to their respective owner.