SlideShare ist ein Scribd-Unternehmen logo

Reverse engineering

Als PPT, PDF herunterladen
Saswat Padhi
Saswat Padhi
1 von 20
REVERSE ENGINEERING An Introduction to Cracking Windows Applications Saswat Padhi 3rd Year UG, CSE Hostel 8, IIT Bombay
Presentation for STAB Annual Seminar Weekday 2 DISCLAIMER • This presentation is intended for educational purposes only. • Reverse engineering of copyrighted material is illegal and unethical and in no way, do I encourage this. • Playing with malware is not a good idea, unless you take proper precautionary measures. Always work within sandboxed environment. For example, in a virtual OS. • Malware analysis is “advanced” stuff. And when you choose to mess with a nasty app, it is expected that you know what you are doing. Only you are responsible for what happens to your system.
Presentation for STAB Annual Seminar Weekday 3 What is this heavy term? • Reverse Engineering simply aims at “understanding” a system through analysis of its structure, function and operation. • We try to go backwards in the development cycle: having an implementation, we try to go back to the analysis stage, with a high level understanding. • With the abstract understanding, we try to modify parts of existing implementation or implement on Complete disassembly of a Pentax K1000 camera. our own! Image borrowed from bitrebel.com.
Presentation for STAB Annual Seminar Weekday 4 And why should someone learn this? • Malware analysis: Analyzing malware to build anti-malware • Bug fixing: Fixing bugs in legacy software • Personalization/Customizations • Academic/Learning purposes • Removing access restrictions • Removal of copy protection • Compatibility • Just for fun!  • Convey the message “Go Open Source”! :-P
Presentation for STAB Annual Seminar Weekday 5 Wait … Isn’t this “illegal”!? • Public release of information obtained through reversing a proprietary application or sharing the application after modifying it to remove/reduce security is illegal. • DMCA allows, reverse engineering applications for achieving interoperability. • Analysis of malware is of course legal!  • “Clean room” design is perfectly legal. • A team of examiners write a specification for target the software. • Several reviews ensure exclusion of any copyrighted materials. • A separate team of developers re-implement the software.
Presentation for STAB Annual Seminar Weekday 6 A bit of history… • AMD had reverse engineered Intel’s early processors (and had outperformed all of them!). • ReactOS, an open source clone of Windows is still under active development. It’s not based on *nix systems at all. • Phoenix developed it’s BIOS chip by reverse engineering IBM’s BIOS, with a clean room approach. Phoenix BIOS gave birth to the first IBM-compatible PCs. • Wine is reverse engineering Windows for supporting Win API. • OpenOffice.org is reverse engineering Microsoft Office for supporting the proprietary file formats. • Samba enables file sharing between Windows and non- Windows systems. But they had to reverse engineer Windows file sharing.
Presentation for STAB Annual Seminar Weekday 7 What we would be discussing today… Reverse Engineering is a whole different branch by itself. We would only be touching upon a few important fundamental points that would give you the basic feel of it (and hopefully motivate you  to dig further into it)… •PE Identification: Packers, Identifying the source language •Decompilers; Disassemblers and Debuggers •Introduction to OllyDbg’s Features •Where to start? & Where to focus? •Patching with OllyDbg •Phishing and KeyGening
Presentation for STAB Annual Seminar Weekday 8 PEiD • Identification of PE (Portable Executable) is an important step. It involves identification of compilers, cryptors, packers etc… • Gives you a starting point to look for a solution. • Unpacking needed? • De-compilation possible? • Crypto libraries used? • PEiD is by far the best PE Identification tool (470+ signatures and can be extended with external signatures). • If PEiD says “Nothing Found”, the application might be using a custom packer. PEiD (PEiD) PEiD (OllyDbg) PEiD (KeyGenMe_#6) X
Presentation for STAB Annual Seminar Weekday 9 Packers ?! • Packers compress the compiled program, much like data. • They compress either or both code and data sections and can additionally encrypt them. Compiled Packed Packers Executable Executable Unpacking CODE DATA The extractor stub Unpackers CODE DATA STUB decompresses and/or decrypts the data and code. Writes them to a separate file or does it in-memory. OEP: Original Entry Point Entry Point • Several packers exist. Most of them are selective about the type of PE they support.
Presentation for STAB Annual Seminar Weekday 10 Packers ?! • Some of the most popular (and thus most wanted targets for unpackers) are ASPack, Enigma, Themida, MPRESS, UPX etc. • Most packed PEs are manually customized to avoid usage of direct unpackers. • Customized executables might not even be recognized by PE Identifiers! So, might not have any idea of the “behavior” of the packer. • Without direct unpackers, we have to manually step through the executable, and find out the original entry point. (When we step through code in a debugger, the application is actually in execution, so take precaution while trying this with malware).
Presentation for STAB Annual Seminar Weekday 11 Why should you know the compiler? • Java and Python compile sources to byte code instead of machine code, which runs on a virtual machine. • Same is the case with managed code like .NET. C#, VB and all .NET languages compile the code to MSIL (MicroSoft Intermediate Language). • The meta-data present with the intermediate byte code is enough to make satisfactory “de-compilation” possible. • For example, Java byte code contains names of classes and all members; types and modifiers of fields; signatures of methods. Even names of local variables and line numbers can be saved optionally, by setting specific attributes.
Presentation for STAB Annual Seminar Weekday 12 Why should you know the compiler? • Some of the things de-compilers need to be “smart” about are: • Structured control flow (loops and conditionals) from gotos in byte code. • Type inference for locals, especially for generics as they are generated at compile time. • This is very different from the compilation with debug info (-g) that can be used with C/C++ compilers. • Debug info is just a mapping from binary to source file. • If the sources are missing, debugger would not “magically” show them! • Machine code is so much “reduced” that it’s almost impossible to “grow” it back to a high level source code.
Presentation for STAB Annual Seminar Weekday 13 Some Available Decompilers… • .NET MSIL Decompiler: Reflector (Freeware till 6.x) KeyGenMe #6 Reflector(KeyGenMe #6) UnpackMe Reflector(UnpackMe) • Java Decompiler: JD (Freeware and Decent, there are dozen others!) SK_CrackMe JD(SK_CrackMe)
Presentation for STAB Annual Seminar Weekday 14 What if you can’t decompile? • Well .. The fun begins!  • Disassemblers and debuggers transform the binary machine code to assembly instructions. Debuggers offer additional features like setting break points, stepping through the code etc… • OllyDbg is one of the best light-weight debuggers available. IDA Pro is a heavy-weight and paid debugger (but it’s worth it!). • OllyDbg supports external plugins and that makes it an even more powerful tool. • IDA Pro has the power of recognizing “known” library functions by their signatures. It can highly simplify the assembly dump.
Presentation for STAB Annual Seminar Weekday 15 More about OllyDbg… • Emphasizes on code analysis. • Olly contains description of about 2200 standard C/C++ library and Win32 API functions. It also contains 7800 symbolic constants (grouped into 490 types). • Olly can detect nested loops, switches and cascaded ifs. It can also predict register usage. • You can add comments at each assembly line. • You can assemble your own expressions instantly and re-build the program. (Great for patching!) KeyGenMe #2 OllyDbg(KeyGenMe #2)
Presentation for STAB Annual Seminar Weekday 16 Finding the needle(s) in a haystack… • Patience and lateral thinking! • Examine “All referenced strings” • Locality of Good Boy or Bad boy • Examine “All inter-modular calls” • Get used to Windows API (Olly does provide context sensitive help) • I/O calls are a usual starting point for examination • msvcrt.printf • msvcrt.scanf • USER32.GetMessageX • USER32.GetDlgItemTextX • Use breakpoints at suspicious DLL calls • Use memory breakpoint at addresses storing the entered key
Presentation for STAB Annual Seminar Weekday 17 A (very) simple example string username, password, therealpass; Case_1 Olly(Case_1) cout << “USERNAME : ”; cin >> username; cout << “PASSWORD : ”; cin >> password; threalpass = “TOP_SECRET”; if(password == therealpass) cout << “You deserve an award!n”; else cout << “Y U No Give up?n”; • Suspicious entities in dump: (good starting points) • both the final messages, • therealpass “TOP_SECRET”. • Just the hex dump gives some hints about a “possible” password and trying this out gives good boy already!
Presentation for STAB Annual Seminar Weekday 18 Another example (Patching) while(username.length() > 99 || username.length() < 10) { cout << “USERNAME : ”; cin >> username;} Case_2 cin >> password; therealpass = username.substr(username.length() - 4) + “-”; therealpass += (‘0’ + (username.length()%10)); therealpass += (‘0’ + (username.length()/10)); Olly(Case_2) therealpass += “-” + username.substr(0,4); Case_2_PATCHED if(password == therealpass) cout << “You deserve an award!n”; else cout << “Y U No Give up?n”; • Patch JZ after TEST AL,AL to bypass the check and always output good boy. • When trying to analyze, “what” is done with the password (KeyGen-ing), more interesting aspects like why BPs at strcmp are useless; why some passwords hit no BPs at memcmp but others hit a BP on memcmp… • Not only helps you make a KeyGen; but helps you discover low level GCC implementation details as well!
Presentation for STAB Annual Seminar Weekday 19 Some awesome links… • AMD - Rise & Fall: http://www.techspot.com/article/599-amd-rise-and-fall / • ..cantor.dust..: http://www.toolswatch.org/2012/08/blackhat-arsenal- 2012-releases-cantor-dust-next-generation-of-visualization-tools/ • ReactOS project: http://www.reactos.org • OllyDbg: http://ollydbg.de http://crackmes.de
Presentation for STAB Annual Seminar Weekday 20 Phew… Thank you! Any questions?

Empfohlen

Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringHicube Infosec
 
Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it Prakashchand Suthar
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampAndré Baptista
 
Reverse Engineering of Software Architecture
Reverse Engineering of Software ArchitectureReverse Engineering of Software Architecture
Reverse Engineering of Software ArchitectureDharmalingam Ganesan
 
6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP AT6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP ATAditya Thombare
 
Introduction To Software Reverse Engineering
Introduction To Software Reverse EngineeringIntroduction To Software Reverse Engineering
Introduction To Software Reverse EngineeringSinaRostami7
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextLokendra Rawat
 
Software Reverse Engineering in a Security Context (ncrisc 2018)
Software Reverse Engineering in a Security Context (ncrisc 2018)Software Reverse Engineering in a Security Context (ncrisc 2018)
Software Reverse Engineering in a Security Context (ncrisc 2018)Lokendra Rawat
 

Empfohlen

Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringHicube Infosec
 
Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it Hacking with Reverse Engineering and Defense against it
Hacking with Reverse Engineering and Defense against it Prakashchand Suthar
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampAndré Baptista
 
Reverse Engineering of Software Architecture
Reverse Engineering of Software ArchitectureReverse Engineering of Software Architecture
Reverse Engineering of Software ArchitectureDharmalingam Ganesan
 
6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP AT6 MONTH INTERNSHIP AT
6 MONTH INTERNSHIP ATAditya Thombare
 
Introduction To Software Reverse Engineering
Introduction To Software Reverse EngineeringIntroduction To Software Reverse Engineering
Introduction To Software Reverse EngineeringSinaRostami7
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextLokendra Rawat
 
Software Reverse Engineering in a Security Context (ncrisc 2018)
Software Reverse Engineering in a Security Context (ncrisc 2018)Software Reverse Engineering in a Security Context (ncrisc 2018)
Software Reverse Engineering in a Security Context (ncrisc 2018)Lokendra Rawat
 
John_resume2016_hw
John_resume2016_hwJohn_resume2016_hw
John_resume2016_hwJohn Goss
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringTeodoro Cipresso
 
Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineeringKrishs Patil
 
Maintenance, Re-engineering &Reverse Engineering in Software Engineering
Maintenance, Re-engineering &Reverse Engineering in Software EngineeringMaintenance, Re-engineering &Reverse Engineering in Software Engineering
Maintenance, Re-engineering &Reverse Engineering in Software EngineeringManish Kumar
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
Software reverse engineering
Software reverse engineeringSoftware reverse engineering
Software reverse engineeringParminder Singh
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineeringsiddu019
 
Safe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereAdaCore
 
Reverse Engineering for Documenting Software Architectures, a Literature Review
Reverse Engineering for Documenting Software Architectures, a Literature ReviewReverse Engineering for Documenting Software Architectures, a Literature Review
Reverse Engineering for Documenting Software Architectures, a Literature ReviewEditor IJCATR
 
Pf Day4
Pf Day4Pf Day4
Pf Day4guest2abee9
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
Overview of digital design with Verilog HDL
Overview of digital design with Verilog HDLOverview of digital design with Verilog HDL
Overview of digital design with Verilog HDLanand hd
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
2007 - nxp chliopanos
2007 - nxp chliopanos2007 - nxp chliopanos
2007 - nxp chliopanosAthanasios (Sakis) Chliopanos
 
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame GraphsSANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphscorpaulbezemer
 
Reverse engineering in software engineering vaibhav
Reverse engineering in software engineering vaibhavReverse engineering in software engineering vaibhav
Reverse engineering in software engineering vaibhavMani Kanth
 
Ghoshal_resume_LinkedIn_20160705
Ghoshal_resume_LinkedIn_20160705Ghoshal_resume_LinkedIn_20160705
Ghoshal_resume_LinkedIn_20160705Siddhartha Ghoshal
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentObsidian Software
 
Service Operation - Manajemen Layanan Teknologi Informasi
Service Operation - Manajemen Layanan Teknologi InformasiService Operation - Manajemen Layanan Teknologi Informasi
Service Operation - Manajemen Layanan Teknologi InformasiMuhammad Idil Haq Amir
 
Legacy Software Maintenance And Management
Legacy Software Maintenance And ManagementLegacy Software Maintenance And Management
Legacy Software Maintenance And ManagementValueCoders
 

Weitere ähnliche Inhalte

Was ist angesagt?

John_resume2016_hw
John_resume2016_hwJohn_resume2016_hw
John_resume2016_hwJohn Goss
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringTeodoro Cipresso
 
Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineeringKrishs Patil
 
Maintenance, Re-engineering &Reverse Engineering in Software Engineering
Maintenance, Re-engineering &Reverse Engineering in Software EngineeringMaintenance, Re-engineering &Reverse Engineering in Software Engineering
Maintenance, Re-engineering &Reverse Engineering in Software EngineeringManish Kumar
 
Software reverse engineering
Software reverse engineeringSoftware reverse engineering
Software reverse engineeringParminder Singh
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineeringsiddu019
 
Safe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereAdaCore
 
Reverse Engineering for Documenting Software Architectures, a Literature Review
Reverse Engineering for Documenting Software Architectures, a Literature ReviewReverse Engineering for Documenting Software Architectures, a Literature Review
Reverse Engineering for Documenting Software Architectures, a Literature ReviewEditor IJCATR
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
Overview of digital design with Verilog HDL
Overview of digital design with Verilog HDLOverview of digital design with Verilog HDL
Overview of digital design with Verilog HDLanand hd
 
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame GraphsSANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphscorpaulbezemer
 
Reverse engineering in software engineering vaibhav
Reverse engineering in software engineering vaibhavReverse engineering in software engineering vaibhav
Reverse engineering in software engineering vaibhavMani Kanth
 
Ghoshal_resume_LinkedIn_20160705
Ghoshal_resume_LinkedIn_20160705Ghoshal_resume_LinkedIn_20160705
Ghoshal_resume_LinkedIn_20160705Siddhartha Ghoshal
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentObsidian Software
 

Was ist angesagt? (20)

John_resume2016_hw
John_resume2016_hwJohn_resume2016_hw
John_resume2016_hw
 
Introduction to Software Reverse Engineering
Introduction to Software Reverse EngineeringIntroduction to Software Reverse Engineering
Introduction to Software Reverse Engineering
 
Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineering
 
Maintenance, Re-engineering &Reverse Engineering in Software Engineering
Maintenance, Re-engineering &Reverse Engineering in Software EngineeringMaintenance, Re-engineering &Reverse Engineering in Software Engineering
Maintenance, Re-engineering &Reverse Engineering in Software Engineering
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
Software reverse engineering
Software reverse engineeringSoftware reverse engineering
Software reverse engineering
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineering
 
Safe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get There
 
Reverse Engineering for Documenting Software Architectures, a Literature Review
Reverse Engineering for Documenting Software Architectures, a Literature ReviewReverse Engineering for Documenting Software Architectures, a Literature Review
Reverse Engineering for Documenting Software Architectures, a Literature Review
 
Pf Day4
Pf Day4Pf Day4
Pf Day4
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
 
Overview of digital design with Verilog HDL
Overview of digital design with Verilog HDLOverview of digital design with Verilog HDL
Overview of digital design with Verilog HDL
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
2007 - nxp chliopanos
2007 - nxp chliopanos2007 - nxp chliopanos
2007 - nxp chliopanos
 
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame GraphsSANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphs
 
Reverse engineering in software engineering vaibhav
Reverse engineering in software engineering vaibhavReverse engineering in software engineering vaibhav
Reverse engineering in software engineering vaibhav
 
Ghoshal_resume_LinkedIn_20160705
Ghoshal_resume_LinkedIn_20160705Ghoshal_resume_LinkedIn_20160705
Ghoshal_resume_LinkedIn_20160705
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environment
 

Andere mochten auch

Service Operation - Manajemen Layanan Teknologi Informasi
Service Operation - Manajemen Layanan Teknologi InformasiService Operation - Manajemen Layanan Teknologi Informasi
Service Operation - Manajemen Layanan Teknologi InformasiMuhammad Idil Haq Amir
 
Legacy Software Maintenance And Management
Legacy Software Maintenance And ManagementLegacy Software Maintenance And Management
Legacy Software Maintenance And ManagementValueCoders
 
Measuring capacity lesson3
Measuring capacity lesson3Measuring capacity lesson3
Measuring capacity lesson3Lidia Marie
 
Unit 1 Service Operations Management
Unit 1 Service Operations ManagementUnit 1 Service Operations Management
Unit 1 Service Operations ManagementGopinath Guru
 
intra and inter personal relations
intra and inter personal relationsintra and inter personal relations
intra and inter personal relationsGanesh Sahu
 
reverse engineering
reverse engineeringreverse engineering
reverse engineeringayush_nitt
 
Tools for capacity planning, measurement of capacity, capacity planning process
Tools for capacity planning, measurement of capacity, capacity planning processTools for capacity planning, measurement of capacity, capacity planning process
Tools for capacity planning, measurement of capacity, capacity planning processRohan Monis
 
Measurement System Analysis
Measurement System AnalysisMeasurement System Analysis
Measurement System AnalysisRonald Shewchuk
 
Capacity Planning with Free Tools
Capacity Planning with Free ToolsCapacity Planning with Free Tools
Capacity Planning with Free ToolsAdrian Cockcroft
 
Service Operation Processes
Service Operation ProcessesService Operation Processes
Service Operation Processesnuwulang
 
10. measurement system analysis (msa)
10. measurement system analysis (msa)10. measurement system analysis (msa)
10. measurement system analysis (msa)Hakeem-Ur- Rehman
 
ITIL Service Design dan Service Operation
ITIL Service Design dan Service OperationITIL Service Design dan Service Operation
ITIL Service Design dan Service OperationMuh Husain noor Hidayat
 
Service Operation
Service OperationService Operation
Service OperationPeleg
 
Assembly Line Balancing -Example
Assembly Line Balancing -ExampleAssembly Line Balancing -Example
Assembly Line Balancing -ExampleJoseph Konnully
 
Capacity Requirement Planning
Capacity Requirement PlanningCapacity Requirement Planning
Capacity Requirement Planningsenthil.G
 

Andere mochten auch (20)

Service Operation - Manajemen Layanan Teknologi Informasi
Service Operation - Manajemen Layanan Teknologi InformasiService Operation - Manajemen Layanan Teknologi Informasi
Service Operation - Manajemen Layanan Teknologi Informasi
 
Legacy Software Maintenance And Management
Legacy Software Maintenance And ManagementLegacy Software Maintenance And Management
Legacy Software Maintenance And Management
 
Measuring capacity lesson3
Measuring capacity lesson3Measuring capacity lesson3
Measuring capacity lesson3
 
Unit 1 Service Operations Management
Unit 1 Service Operations ManagementUnit 1 Service Operations Management
Unit 1 Service Operations Management
 
intra and inter personal relations
intra and inter personal relationsintra and inter personal relations
intra and inter personal relations
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
reverse engineering
reverse engineeringreverse engineering
reverse engineering
 
Capacity 1
Capacity 1Capacity 1
Capacity 1
 
Line balancing
Line balancing Line balancing
Line balancing
 
Tools for capacity planning, measurement of capacity, capacity planning process
Tools for capacity planning, measurement of capacity, capacity planning processTools for capacity planning, measurement of capacity, capacity planning process
Tools for capacity planning, measurement of capacity, capacity planning process
 
Measurement System Analysis
Measurement System AnalysisMeasurement System Analysis
Measurement System Analysis
 
Capacity Planning with Free Tools
Capacity Planning with Free ToolsCapacity Planning with Free Tools
Capacity Planning with Free Tools
 
Facility layout
Facility layoutFacility layout
Facility layout
 
Capacity Management
Capacity ManagementCapacity Management
Capacity Management
 
Service Operation Processes
Service Operation ProcessesService Operation Processes
Service Operation Processes
 
10. measurement system analysis (msa)
10. measurement system analysis (msa)10. measurement system analysis (msa)
10. measurement system analysis (msa)
 
ITIL Service Design dan Service Operation
ITIL Service Design dan Service OperationITIL Service Design dan Service Operation
ITIL Service Design dan Service Operation
 
Service Operation
Service OperationService Operation
Service Operation
 
Assembly Line Balancing -Example
Assembly Line Balancing -ExampleAssembly Line Balancing -Example
Assembly Line Balancing -Example
 
Capacity Requirement Planning
Capacity Requirement PlanningCapacity Requirement Planning
Capacity Requirement Planning
 

Ähnlich wie Reverse engineering

Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodeKris Buytaert
 
Database Refactoring
Database RefactoringDatabase Refactoring
Database RefactoringAnton Keks
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challengesbcantrill
 
Continuous Delivery of (y)our infrastructure.
Continuous Delivery of (y)our infrastructure.Continuous Delivery of (y)our infrastructure.
Continuous Delivery of (y)our infrastructure.Kris Buytaert
 
Challenges in Maintaining a High Performance Search Engine Written in Java
Challenges in Maintaining a High Performance Search Engine Written in JavaChallenges in Maintaining a High Performance Search Engine Written in Java
Challenges in Maintaining a High Performance Search Engine Written in Javalucenerevolution
 
Time Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTTime Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTMarco Parenzan
 
Introduction to Java Part-2
Introduction to Java Part-2Introduction to Java Part-2
Introduction to Java Part-2RatnaJava
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
Creating a reasonable project boilerplate
Creating a reasonable project boilerplateCreating a reasonable project boilerplate
Creating a reasonable project boilerplateStanislav Petrov
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Introduction to Java
Introduction to Java Introduction to Java
Introduction to Java Hitesh-Java
 
Static-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxStatic-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxShivashankarHR1
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDDaniel Garcia (a.k.a cr0hn)
 
What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.David Nuescheler
 
A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.
A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.
A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.J On The Beach
 
The View - The top 30 Development tips
The View - The top 30 Development tipsThe View - The top 30 Development tips
The View - The top 30 Development tipsBill Buchan
 

Ähnlich wie Reverse engineering (20)

Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as Code
 
Database Refactoring
Database RefactoringDatabase Refactoring
Database Refactoring
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challenges
 
Continuous Delivery of (y)our infrastructure.
Continuous Delivery of (y)our infrastructure.Continuous Delivery of (y)our infrastructure.
Continuous Delivery of (y)our infrastructure.
 
Challenges in Maintaining a High Performance Search Engine Written in Java
Challenges in Maintaining a High Performance Search Engine Written in JavaChallenges in Maintaining a High Performance Search Engine Written in Java
Challenges in Maintaining a High Performance Search Engine Written in Java
 
Time Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTTime Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETT
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
Introduction to Java Part-2
Introduction to Java Part-2Introduction to Java Part-2
Introduction to Java Part-2
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Creating a reasonable project boilerplate
Creating a reasonable project boilerplateCreating a reasonable project boilerplate
Creating a reasonable project boilerplate
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Introduction to Java
Introduction to Java Introduction to Java
Introduction to Java
 
Surge2012
Surge2012Surge2012
Surge2012
 
Static-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxStatic-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptx
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code Recovery
 
Resume S
Resume SResume S
Resume S
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
 
What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.
 
A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.
A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.
A Java Implementer's Guide to Boosting Apache Spark Performance by Tim Ellison.
 
The View - The top 30 Development tips
The View - The top 30 Development tipsThe View - The top 30 Development tips
The View - The top 30 Development tips
 

Reverse engineering

  • 1. REVERSE ENGINEERING An Introduction to Cracking Windows Applications Saswat Padhi 3rd Year UG, CSE Hostel 8, IIT Bombay
  • 2. Presentation for STAB Annual Seminar Weekday 2 DISCLAIMER • This presentation is intended for educational purposes only. • Reverse engineering of copyrighted material is illegal and unethical and in no way, do I encourage this. • Playing with malware is not a good idea, unless you take proper precautionary measures. Always work within sandboxed environment. For example, in a virtual OS. • Malware analysis is “advanced” stuff. And when you choose to mess with a nasty app, it is expected that you know what you are doing. Only you are responsible for what happens to your system.
  • 3. Presentation for STAB Annual Seminar Weekday 3 What is this heavy term? • Reverse Engineering simply aims at “understanding” a system through analysis of its structure, function and operation. • We try to go backwards in the development cycle: having an implementation, we try to go back to the analysis stage, with a high level understanding. • With the abstract understanding, we try to modify parts of existing implementation or implement on Complete disassembly of a Pentax K1000 camera. our own! Image borrowed from bitrebel.com.
  • 4. Presentation for STAB Annual Seminar Weekday 4 And why should someone learn this? • Malware analysis: Analyzing malware to build anti-malware • Bug fixing: Fixing bugs in legacy software • Personalization/Customizations • Academic/Learning purposes • Removing access restrictions • Removal of copy protection • Compatibility • Just for fun!  • Convey the message “Go Open Source”! :-P
  • 5. Presentation for STAB Annual Seminar Weekday 5 Wait … Isn’t this “illegal”!? • Public release of information obtained through reversing a proprietary application or sharing the application after modifying it to remove/reduce security is illegal. • DMCA allows, reverse engineering applications for achieving interoperability. • Analysis of malware is of course legal!  • “Clean room” design is perfectly legal. • A team of examiners write a specification for target the software. • Several reviews ensure exclusion of any copyrighted materials. • A separate team of developers re-implement the software.
  • 6. Presentation for STAB Annual Seminar Weekday 6 A bit of history… • AMD had reverse engineered Intel’s early processors (and had outperformed all of them!). • ReactOS, an open source clone of Windows is still under active development. It’s not based on *nix systems at all. • Phoenix developed it’s BIOS chip by reverse engineering IBM’s BIOS, with a clean room approach. Phoenix BIOS gave birth to the first IBM-compatible PCs. • Wine is reverse engineering Windows for supporting Win API. • OpenOffice.org is reverse engineering Microsoft Office for supporting the proprietary file formats. • Samba enables file sharing between Windows and non- Windows systems. But they had to reverse engineer Windows file sharing.
  • 7. Presentation for STAB Annual Seminar Weekday 7 What we would be discussing today… Reverse Engineering is a whole different branch by itself. We would only be touching upon a few important fundamental points that would give you the basic feel of it (and hopefully motivate you  to dig further into it)… •PE Identification: Packers, Identifying the source language •Decompilers; Disassemblers and Debuggers •Introduction to OllyDbg’s Features •Where to start? & Where to focus? •Patching with OllyDbg •Phishing and KeyGening
  • 8. Presentation for STAB Annual Seminar Weekday 8 PEiD • Identification of PE (Portable Executable) is an important step. It involves identification of compilers, cryptors, packers etc… • Gives you a starting point to look for a solution. • Unpacking needed? • De-compilation possible? • Crypto libraries used? • PEiD is by far the best PE Identification tool (470+ signatures and can be extended with external signatures). • If PEiD says “Nothing Found”, the application might be using a custom packer. PEiD (PEiD) PEiD (OllyDbg) PEiD (KeyGenMe_#6) X
  • 9. Presentation for STAB Annual Seminar Weekday 9 Packers ?! • Packers compress the compiled program, much like data. • They compress either or both code and data sections and can additionally encrypt them. Compiled Packed Packers Executable Executable Unpacking CODE DATA The extractor stub Unpackers CODE DATA STUB decompresses and/or decrypts the data and code. Writes them to a separate file or does it in-memory. OEP: Original Entry Point Entry Point • Several packers exist. Most of them are selective about the type of PE they support.
  • 10. Presentation for STAB Annual Seminar Weekday 10 Packers ?! • Some of the most popular (and thus most wanted targets for unpackers) are ASPack, Enigma, Themida, MPRESS, UPX etc. • Most packed PEs are manually customized to avoid usage of direct unpackers. • Customized executables might not even be recognized by PE Identifiers! So, might not have any idea of the “behavior” of the packer. • Without direct unpackers, we have to manually step through the executable, and find out the original entry point. (When we step through code in a debugger, the application is actually in execution, so take precaution while trying this with malware).
  • 11. Presentation for STAB Annual Seminar Weekday 11 Why should you know the compiler? • Java and Python compile sources to byte code instead of machine code, which runs on a virtual machine. • Same is the case with managed code like .NET. C#, VB and all .NET languages compile the code to MSIL (MicroSoft Intermediate Language). • The meta-data present with the intermediate byte code is enough to make satisfactory “de-compilation” possible. • For example, Java byte code contains names of classes and all members; types and modifiers of fields; signatures of methods. Even names of local variables and line numbers can be saved optionally, by setting specific attributes.
  • 12. Presentation for STAB Annual Seminar Weekday 12 Why should you know the compiler? • Some of the things de-compilers need to be “smart” about are: • Structured control flow (loops and conditionals) from gotos in byte code. • Type inference for locals, especially for generics as they are generated at compile time. • This is very different from the compilation with debug info (-g) that can be used with C/C++ compilers. • Debug info is just a mapping from binary to source file. • If the sources are missing, debugger would not “magically” show them! • Machine code is so much “reduced” that it’s almost impossible to “grow” it back to a high level source code.
  • 13. Presentation for STAB Annual Seminar Weekday 13 Some Available Decompilers… • .NET MSIL Decompiler: Reflector (Freeware till 6.x) KeyGenMe #6 Reflector(KeyGenMe #6) UnpackMe Reflector(UnpackMe) • Java Decompiler: JD (Freeware and Decent, there are dozen others!) SK_CrackMe JD(SK_CrackMe)
  • 14. Presentation for STAB Annual Seminar Weekday 14 What if you can’t decompile? • Well .. The fun begins!  • Disassemblers and debuggers transform the binary machine code to assembly instructions. Debuggers offer additional features like setting break points, stepping through the code etc… • OllyDbg is one of the best light-weight debuggers available. IDA Pro is a heavy-weight and paid debugger (but it’s worth it!). • OllyDbg supports external plugins and that makes it an even more powerful tool. • IDA Pro has the power of recognizing “known” library functions by their signatures. It can highly simplify the assembly dump.
  • 15. Presentation for STAB Annual Seminar Weekday 15 More about OllyDbg… • Emphasizes on code analysis. • Olly contains description of about 2200 standard C/C++ library and Win32 API functions. It also contains 7800 symbolic constants (grouped into 490 types). • Olly can detect nested loops, switches and cascaded ifs. It can also predict register usage. • You can add comments at each assembly line. • You can assemble your own expressions instantly and re-build the program. (Great for patching!) KeyGenMe #2 OllyDbg(KeyGenMe #2)
  • 16. Presentation for STAB Annual Seminar Weekday 16 Finding the needle(s) in a haystack… • Patience and lateral thinking! • Examine “All referenced strings” • Locality of Good Boy or Bad boy • Examine “All inter-modular calls” • Get used to Windows API (Olly does provide context sensitive help) • I/O calls are a usual starting point for examination • msvcrt.printf • msvcrt.scanf • USER32.GetMessageX • USER32.GetDlgItemTextX • Use breakpoints at suspicious DLL calls • Use memory breakpoint at addresses storing the entered key
  • 17. Presentation for STAB Annual Seminar Weekday 17 A (very) simple example string username, password, therealpass; Case_1 Olly(Case_1) cout << “USERNAME : ”; cin >> username; cout << “PASSWORD : ”; cin >> password; threalpass = “TOP_SECRET”; if(password == therealpass) cout << “You deserve an award!n”; else cout << “Y U No Give up?n”; • Suspicious entities in dump: (good starting points) • both the final messages, • therealpass “TOP_SECRET”. • Just the hex dump gives some hints about a “possible” password and trying this out gives good boy already!
  • 18. Presentation for STAB Annual Seminar Weekday 18 Another example (Patching) while(username.length() > 99 || username.length() < 10) { cout << “USERNAME : ”; cin >> username;} Case_2 cin >> password; therealpass = username.substr(username.length() - 4) + “-”; therealpass += (‘0’ + (username.length()%10)); therealpass += (‘0’ + (username.length()/10)); Olly(Case_2) therealpass += “-” + username.substr(0,4); Case_2_PATCHED if(password == therealpass) cout << “You deserve an award!n”; else cout << “Y U No Give up?n”; • Patch JZ after TEST AL,AL to bypass the check and always output good boy. • When trying to analyze, “what” is done with the password (KeyGen-ing), more interesting aspects like why BPs at strcmp are useless; why some passwords hit no BPs at memcmp but others hit a BP on memcmp… • Not only helps you make a KeyGen; but helps you discover low level GCC implementation details as well!
  • 19. Presentation for STAB Annual Seminar Weekday 19 Some awesome links… • AMD - Rise & Fall: http://www.techspot.com/article/599-amd-rise-and-fall / • ..cantor.dust..: http://www.toolswatch.org/2012/08/blackhat-arsenal- 2012-releases-cantor-dust-next-generation-of-visualization-tools/ • ReactOS project: http://www.reactos.org • OllyDbg: http://ollydbg.de http://crackmes.de
  • 20. Presentation for STAB Annual Seminar Weekday 20 Phew… Thank you! Any questions?