
Introduction to Reverse
Engineering
Gergely Erdélyi
Research Manager


Agenda
• Reverse Engineering Intro
• Ethical and Legal Aspects
• Process of Reverse Engineering
• Tools of the Trade

February 02, 09 Page


What is Reverse Engineering? 1/2

[Slide images; Image Copyright © 2005 BAE Systems]

What is Reverse Engineering? 2/2

[Slide image; Image Copyright © 2005 BAE Systems]

Reverse Code Engineering
• Reverse Engineering is also known as RE or RCE
• RE: Reverse Engineering
• RCE: Reverse Code Engineering
• RE is the process of understanding an existing product
• Malware analysis and security research often involve RE


Compilation Process

Source Code  --(Compilation)-->  Object File  --(Linking)-->  Executable

Source Code:  Human readable text file
Object File:  Binary code with readable symbols
Executable:   Binary code with no symbols

Code Readability: decreases from Source Code to Executable


Compilation Results

#include <Python.h>   /* Python 2 C API: PyFile_FromString is not available in Python 3 */

/* Run the Python script at FileName; returns 1 on success, 0 on failure */
int ExecFile(char *FileName)
{
    PyObject *PyFileObject = PyFile_FromString(FileName, "r");

    if (!PyFileObject)
    {
        return 0;   /* file could not be opened */
    }
    if (PyRun_SimpleFile(PyFile_AsFile(PyFileObject), FileName) == 0)
    {
        Py_DECREF(PyFileObject);   /* release the file object in both paths */
        return 1;
    }
    else
    {
        Py_DECREF(PyFileObject);
        return 0;
    }
}


Compilation Results

[Slide image: the ExecFile source shown on top of the bytes the compiler produced for it, .text:00401250 to .text:004013E0, as a hex dump]



Uses of Reverse Engineering
• Malware analysis
• Security / vulnerability research
• Driver development
• Compatibility fixes
• Legacy application support



Ethical and Legal Aspects

Disclaimer: I am not a lawyer, but here we go…

[Slide image; Image: Public Domain]


Ethical and Legal Aspects
• Legality of reverse engineering is governed by copyright laws
• Copyright laws differ from country to country
• Reverse engineering is legal only in a few specific cases
• Black box testing does not constitute reverse engineering
• Reverse engineering for compatibility fixes is legal
• Reverse engineering spyware is illegal in most countries
• When in doubt, do not reverse engineer!



Legal Uses of Reverse Engineering
• Recovery of own lost source code
• Recovery of data from legacy formats
• Malware analysis and research
• Security and vulnerability research
• Copyright infringement investigations
• Finding out the contents of any database you legally purchased



Illegal Activities

[Slide image; Image Copyright © 2005 Klaus with K]

• Illegal to reverse engineer and sell a competing product
• Illegal to crack copy protections
• Illegal to distribute a crack/registration for copyrighted software
• Illegal to gain unauthorized access to any computer system
• Copyright protected software is off-limits in most cases
• Spyware/Adware with companies behind them are included



Decompilation Process

Executable  --(Disassembly)-->  Disassembly  --(Decompilation)-->  Source Code

Executable:   Binary code with no symbols
Disassembly:  Reverse engineer readable code
Source Code:  Human readable code

Code Readability: increases from Executable to Source Code


Disassembly Results

[Slide image: hex dump of the compiled code from .text:00401250 to .text:004013E0, as shown by the disassembler before any symbols are recovered]

Disassembler listing of the function at .text:004013F0 (recovered from the slide):

.text:004013F0 sub_4013F0      proc near               ; CODE XREF: sub_406AB0+6F p
.text:004013F0                                         ; sub_4601D0+5D p
.text:004013F0
.text:004013F0 var_1C          = dword ptr -1Ch
.text:004013F0 var_18          = dword ptr -18h
.text:004013F0 arg_0           = dword ptr  4
.text:004013F0
.text:004013F0                 push    edi
.text:004013F1                 push    esi
.text:004013F2                 push    ebx
.text:004013F3                 sub     esp, 10h
.text:004013F6                 mov     edi, [esp+1Ch+arg_0]
.text:004013FA                 test    edi, edi
.text:004013FC                 jz      short loc_40143D
.text:004013FE                 mov     [esp+1Ch+var_1C], offset dword_572010
.text:00401405                 call    sub_406F80
.text:0040140A                 mov     ebx, eax
.text:0040140C                 jmp     short loc_401439
.text:0040140C ; ---------------------------------------------------------------------------
.text:0040140E                 align 10h
.text:00401410
.text:00401410 loc_401410:                             ; CODE XREF: sub_4013F0+4B j
.text:00401410                 mov     [esp+1Ch+var_18], ebx
.text:00401414                 mov     [esp+1Ch+var_1C], offset dword_572010
.text:0040141B                 call    sub_406E30
.text:00401420                 mov     [esp+1Ch+var_18], ebx
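To show what the "Disassembly" step of the decompilation process actually does, here is an added example (not part of the slides) of a tiny linear-sweep x86 decoder for just the instruction encodings that occur in the sub_4013F0 listing above. The sample bytes are constructed to match that listing (the exact encodings the compiler chose are an assumption), and calling disassemble(CODE, CODE_BASE) returns the address-and-text pairs that a disassembler such as IDA prints, including relative call and jump targets resolved into sub_/loc_ names.

```python
import struct

# Constructed sample: the first bytes of sub_4013F0, encoded to match the slide's listing (assumed).
CODE_BASE = 0x4013F0
CODE = bytes.fromhex(
    "57 56 53 83 EC 10 8B 7C 24 20 85 FF 74 3F C7 04 24 10 20 57 00 "
    "E8 76 5B 00 00 89 C3 EB 2B 90 90 89 5C 24 04 C7 04 24 10 20 57 00 "
    "E8 10 5A 00 00 89 5C 24 04"
)
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def fmt(mnem, ops):
    return ("%-8s%s" % (mnem, ops)).rstrip()

def decode_one(code, pos, addr):
    """Decode one instruction at code[pos] (loaded at addr); return (text, length)."""
    op, nxt = code[pos], code[pos + 1] if pos + 1 < len(code) else 0
    if 0x50 <= op <= 0x57:                                  # push r32
        return fmt("push", REG32[op - 0x50]), 1
    if op == 0x90:                                          # nop (alignment padding)
        return fmt("nop", ""), 1
    if op == 0x83 and nxt == 0xEC:                          # sub esp, imm8
        return fmt("sub", "esp, %Xh" % code[pos + 2]), 3
    if op in (0x8B, 0x89) and nxt & 0xC7 == 0x44 and code[pos + 2] == 0x24:
        reg, mem = REG32[(nxt >> 3) & 7], "[esp+%Xh]" % code[pos + 3]
        ops = (reg, mem) if op == 0x8B else (mem, reg)      # 8B loads, 89 stores
        return fmt("mov", "%s, %s" % ops), 4
    if op in (0x89, 0x85) and nxt & 0xC0 == 0xC0:           # mov / test r32, r32
        regs = (REG32[nxt & 7], REG32[(nxt >> 3) & 7])
        return fmt("mov" if op == 0x89 else "test", "%s, %s" % regs), 2
    if op == 0xC7 and nxt == 0x04 and code[pos + 2] == 0x24:  # mov dword [esp], imm32
        imm = struct.unpack_from("<I", code, pos + 3)[0]
        return fmt("mov", "dword ptr [esp], offset dword_%X" % imm), 7
    if op in (0x74, 0xEB):                                  # jz / jmp rel8
        rel = struct.unpack_from("<b", code, pos + 1)[0]    # target = next insn + rel
        return fmt("jz" if op == 0x74 else "jmp", "short loc_%X" % (addr + 2 + rel)), 2
    if op == 0xE8:                                          # call rel32
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        return fmt("call", "sub_%X" % (addr + 5 + rel)), 5
    return fmt("db", "%02Xh" % op), 1                       # unknown: emit a data byte

def disassemble(code, base):
    out, pos = [], 0                                        # linear sweep over the buffer
    while pos < len(code):
        text, length = decode_one(code, pos, base + pos)
        out.append((base + pos, text))
        pos += length
    return out
```

The decoder shows [esp+20h] where IDA shows [esp+1Ch+arg_0]: the var_/arg_ names come from a separate stack-frame analysis that this example does not perform.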


Required Skills
• General computer architecture knowledge
• Assembly programming of target processors
• Operating systems
• File formats
• Information search skills
• ...real persistence...



Most Commonly Used Tools
• Hex editor/viewer
• Disassembler
• Search engine
• Debugger
• Script language