
Tools and Basic Reverse Engineering

Modern Binary Exploitation, CSCI 4968 – Spring 2015

Jeremy Blackthorne

MBE - 01/30/2015 Tools and Basic RE 1

Lecture Overview

1. Introduction to Reverse Engineering
2. Tools!
3. Resources

Compiling

Source Code --(Compile)--> Assembly --(Assemble)--> Object File --(Link, together with Libraries)--> Binary File

Loading

Source Code --(Compile)--> Assembly --(Assemble)--> Object File --(Link, together with Libraries)--> Binary File --(Load)--> Process

Running

Process, t=0 --(Step)--> Process, t=1 --(Step)--> Process, t=i --(Step)--> Process, t=n

RE Domain

Binary File --(Load)--> Process, t=0 --(Step)--> Process, t=i --(Step)--> Process, t=n

The slide labels the two halves of this domain: Static (the Binary File as it sits on disk) and Dynamic (the Process as it is loaded and stepped).

Lecture Overview

1. Introduction to Reverse Engineering
2. Tools!
3. Resources

Tool Color Coding

• Linux Tool
  – Command
• Windows Tool
  – ToolName.exe
• Associated Challenges:
  – ChallengeName

Hex Editor / Viewers

• Hex Editors / Viewers
  – wxHexEditor (GUI)
  – xxd
• The "-i" option of xxd prints the bytes in C include style (a C array you can paste into source)
• Challenge:
  – crackme0x00a

ASCII Readable Hex

• strings
  – Displays ASCII strings > 4 characters long
• Challenge:
  – crackme0x00a
  – crackme0x00b
• strings -e ? crackme0x00b

File Formats on Disk

• Linux:
  – ELF-Walkthrough.png
  – readelf
• Windows:
  – PE-Layout.jpg
  – Peview.exe
• For unknown files / binaries
  – file
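To connect the hex-viewer, file-format and `readelf` bullets above, here is an added example (not from the MBE slides or the course's own tooling) that reads the ELF header fields a hex viewer shows at offset 0 using only POSIX `od` and `printf`, and prints a `readelf -h` style summary. It assumes an ELFCLASS32 little-endian header (the entry point is read as 4 bytes at offset 24); the 52-byte header written by `make_sample_elf` is constructed for the example and is not a real binary, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the MBE slides: read the fields a hex viewer shows at
# the start of an ELF file using only POSIX od/printf, the way readelf -h does.
# Assumes an ELFCLASS32 little-endian header (e_entry is read as 4 bytes at 24);
# the header built by make_sample_elf is constructed, not a real binary.

# bytes_at FILE OFFSET COUNT -> the bytes as lowercase hex, in file order
bytes_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -s ' \n' ' ' | sed 's/^ *//; s/ *$//'
}

# le_value FILE OFFSET COUNT -> decimal value of a little-endian integer
le_value() {
    hex=""
    for b in $(bytes_at "$1" "$2" "$3"); do
        hex="$b$hex"                     # prepend each byte: reverses the order
    done
    echo $((0x$hex))
}

elf_magic_ok() { [ "$(bytes_at "$1" 0 4)" = "7f 45 4c 46" ]; }   # "\x7fELF"

elf_class()   { case $(le_value "$1" 4 1)  in 1) echo ELF32;; 2) echo ELF64;; *) echo unknown;; esac; }
elf_data()    { case $(le_value "$1" 5 1)  in 1) echo LSB;;   2) echo MSB;;   *) echo unknown;; esac; }
elf_type()    { case $(le_value "$1" 16 2) in 1) echo REL;; 2) echo EXEC;; 3) echo DYN;; 4) echo CORE;; *) echo unknown;; esac; }
elf_machine() { case $(le_value "$1" 18 2) in 3) echo "Intel 80386";; 40) echo ARM;; 62) echo "x86-64";; *) echo other;; esac; }
elf_entry32() { printf '0x%08x\n' "$(le_value "$1" 24 4)"; }
elf_ehsize()  { le_value "$1" 40 2; }

# elf_summary FILE -> one readelf -h style line; fails on a non-ELF file
elf_summary() {
    if ! elf_magic_ok "$1"; then
        echo "$1: not an ELF file (first bytes: $(bytes_at "$1" 0 4))" >&2
        return 1
    fi
    echo "$1: $(elf_class "$1") $(elf_data "$1") $(elf_type "$1") $(elf_machine "$1")" \
         "entry=$(elf_entry32 "$1") ehsize=$(elf_ehsize "$1")"
}

# make_sample_elf FILE -> writes a constructed 52-byte ELF32 LSB EXEC header
# for i386 with entry point 0x08048080 and no program or section headers
make_sample_elf() {
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000' >  "$1"  # e_ident
    printf '\002\000\003\000\001\000\000\000'                         >> "$1"  # e_type=2 e_machine=3 e_version=1
    printf '\200\200\004\010'                                         >> "$1"  # e_entry=0x08048080 (little-endian)
    printf '\064\000\000\000\000\000\000\000\000\000\000\000'         >> "$1"  # e_phoff=52 e_shoff=0 e_flags=0
    printf '\064\000\040\000\000\000\050\000\000\000\000\000'         >> "$1"  # e_ehsize=52 e_phentsize=32 e_phnum=0 e_shentsize=40 e_shnum=0 e_shstrndx=0
}

# Stand-alone use: ./elfhdr.sh /path/to/binary
if [ $# -gt 0 ]; then
    elf_summary "$1"
fi
```

Compare the summary line against `readelf -h` on the same file: the class, data and type fields come straight from `e_ident` and the two 16-bit fields after it, which is exactly what the ELF-Walkthrough diagram labels at the start of the file.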

Hashing

• Do we have the same file?
  – md5sum
• Upload hash to virustotal.com
• Google search hash
• Fuzzy hashing:
  – ssdeep -b original.elf > hash.txt
  – ssdeep -bm hash.txt modified.elf

Command Line Disassembly

• crackme0x01
• objdump -d
• Convert hex to decimal
  – echo $((0xDEADBEEF))
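The `echo $((0xDEADBEEF))` trick above covers unsigned values; when reading `objdump -d` output you also need the two cases it does not: immediates that are really negative (the `-0x4` in `lea -0x4(%ebp)` shows up as `fffffffc` in the opcode bytes) and the little-endian byte order in which those opcode bytes are printed. This added example (not from the slides) wraps both in shell functions; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the MBE slides: the hex/decimal conversions needed
# while reading objdump -d output, built on the same shell arithmetic as the
# slide's echo $((0xDEADBEEF)).  Function names are this example's own.

# hex2dec HEX -> decimal; accepts an optional 0x/0X prefix and either case
hex2dec() {
    h=${1#0x}; h=${h#0X}
    echo $((0x$h))
}

# dec2hex DEC -> 0x-prefixed lowercase hex
dec2hex() { printf '0x%x\n' "$1"; }

# hex2signed32 HEX -> the value a 32-bit immediate means when it is signed,
# e.g. 0xfffffffc is the -4 in "lea -0x4(%ebp)"
hex2signed32() {
    v=$(hex2dec "$1")
    if [ "$v" -ge 2147483648 ]; then      # top bit set: wrap into the negative range
        v=$((v - 4294967296))
    fi
    echo "$v"
}

# le_immediate "fc ff ff ff" -> 0xfffffffc: the opcode bytes objdump prints
# are little-endian, so the last byte printed is the most significant
le_immediate() {
    hex=""
    for b in $1; do hex="$b$hex"; done    # prepend each byte to reverse the order
    echo "0x$hex"
}

# Stand-alone use: ./hexconv.sh 0xDEADBEEF
if [ $# -gt 0 ]; then
    echo "$1 = $(hex2dec "$1") unsigned, $(hex2signed32 "$1") as a signed 32-bit value"
fi
```

The shell's arithmetic is 64-bit on current Linux systems, so `0xDEADBEEF` evaluates as a positive number; `hex2signed32` is what reinterprets it the way a 32-bit `mov` or `lea` operand would be read.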

Patching Binaries

• It's your binary, you can patch it if you want to
• objdump -d crackme0x00a | grep -A 30 '<main>'
• wxHexEditor --> Edit --> Find

External Diffing

• Original + modified = HUGE advantage
• wxHexEditor --> Tools --> Compare files
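The hashing slide asks "do we have the same file?" and this one says that having the original next to the modified copy is a huge advantage. As an added example (not from the slides or the course's own tooling), here is the command-line form of both: `md5sum` answers the identity question, and `cmp -l` gives the byte-level diff a hex editor's compare view shows, converted to the zero-based hex offsets you would look up in the editor. The two sample files are constructed for the example (a few hand-assembled i386 bytes, with one conditional-jump opcode byte changed in the second copy), the `ssdeep` call is guarded because that tool is optional, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the MBE slides: the "same file?" check and the
# original-vs-modified byte diff from the command line.  md5sum gives the
# identity answer; cmp -l gives the per-byte diff a hex editor's compare shows.
# The two sample files written by make_samples are constructed here.

# same_file A B -> succeeds when the md5sums match
same_file() {
    [ "$(md5sum < "$1" | cut -d' ' -f1)" = "$(md5sum < "$2" | cut -d' ' -f1)" ]
}

# diff_bytes A B -> one line per differing byte: "0xOFFSET OLD NEW" in hex with
# a zero-based offset (cmp -l prints 1-based offsets and octal byte values)
diff_bytes() {
    cmp -l "$1" "$2" 2>/dev/null | while read -r off old new; do
        printf '0x%08x %02x %02x\n' "$((off - 1))" "0$old" "0$new"   # "0nnn" is read as octal
    done
}

# diff_count A B -> number of differing bytes
diff_count() { diff_bytes "$1" "$2" | wc -l | tr -d ' '; }

# fuzzy_similarity ORIG MODIFIED HASHFILE -> the slide's ssdeep -b / -bm usage,
# run only when ssdeep is installed (nothing else here depends on it)
fuzzy_similarity() {
    if command -v ssdeep >/dev/null 2>&1; then
        ssdeep -b "$1" > "$3" && ssdeep -bm "$3" "$2"
    else
        echo "ssdeep not installed; skipping fuzzy hash"
    fi
}

# make_samples ORIG PATCHED -> constructed files holding the i386 bytes for
# push ebp; mov ebp,esp; je +5; nop; nop; leave; ret, and the same bytes with
# the je opcode (0x74) at offset 3 changed to jne (0x75)
make_samples() {
    printf '\125\211\345\164\005\220\220\311\303' > "$1"
    printf '\125\211\345\165\005\220\220\311\303' > "$2"
}

# Stand-alone use: ./bindiff.sh original.elf modified.elf
if [ $# -eq 2 ]; then
    if same_file "$1" "$2"; then
        echo "identical (md5sum matches)"
    else
        echo "$(diff_count "$1" "$2") byte(s) differ:"
        diff_bytes "$1" "$2"
    fi
fi
```

Each offset that `diff_bytes` prints is one location to open in wxHexEditor (or one address to find in `objdump -d` after adjusting for the section's load address) to see what the modification changed; a one-line diff like the sample's is the typical signature of a single patched branch.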

Disassembly

• objdump -d
• IDA Pro.exe
• Challenges:
  – crackme0x01
  – crackme0x02

IDA Pro

• IDA Pro.exe
• crackme0x04

IDA Basics

• Change between text and graph mode (space bar)
• Rename variables: (n)
• Comment
  – Side: (:), (;)
  – Above/below: (ins)
• Convert constant formats: (right-click)
• Cross-reference: (x)
• Change to array: (a)
• IDA->Windows->Reset desktop
• IDA->Options->General->auto comment
• IDA->Options->General->opcode bytes 8
• https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf

The Stack

Foo(a, b, c);

(The animations on this slide only work in the .pptx of this lecture.)

Stack after the call to Foo, one slot per line, higher addresses at the top:

  0x07  c          (arguments, pushed right to left)
  0x06  b
  0x05  a
  0x04  Old EIP    (return address)
  0x03  Old EBP    <-- EBP
  0x02  x          (locals)
  0x01  y
  0x00  z          <-- ESP

Lecture Overview

1. Introduction to Reverse Engineering
2. Tools!
3. Resources

IDA Pro

• IDA_Pro_Shortcuts.pdf
• The book on IDA
• IDA Syntax Highlighting:
  – http://practicalmalwareanalysis.com/2012/03/25/decorating-your-disassembly/

Additional Resources

• Corkami.com – diagrams of file structures and other interesting trivia
• Crackmes.de – "Reverser's Playground"
• Subreddits
  – reddit.com/r/reverseengineering
  – reddit.com/r/netsec
  – reddit.com/r/uic
• http://www.bottomupcs.com – Systems background