Upload
leah-mcclain
View
43
Download
0
Embed Size (px)
DESCRIPTION
Introduction to Reverse Engineering. Inbar Raz Malware Research Lab Manager December 2011. What is Reverse Engineering?. - PowerPoint PPT Presentation
Citation preview
©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Introduction to Reverse Engineering
Inbar RazMalware Research Lab ManagerDecember 2011
22©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
What is Reverse Engineering?
Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
aka: Reversing, RE, SRE
33©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Why do it?
Discover Trade Secrets
FindVulnerabilities
AcademicResearch
(Yeah, right…)
Circumvent[Copy]
Protection
AnalyseProtocolsPure
CuriosityPatch Binary
andAlter Behavior
44©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Sounds awesome,
right?
55©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
So where’s the catch?
Low-level is, well, low level…00401000 push ebp00401001 mov ebp, esp00401003 push ecx00401004 push ecx00401005 and dword ptr [ebp-4], 000401009 push esi0040100A mov esi, [ebp+8]0040100D push edi0040100E push esi0040100F call ds:[00402008h]00401015 mov edi, eax00401017 xor edx, edx00401019 test edi, edi0040101B jle 00401047h0040101D movsx ecx, byte ptr [edx+esi]00401021 add [ebp-4], ecx00401024 mov [ebp-8], ecx00401027 rol dword ptr [ebp-4], 10040102A mov eax, ecx0040102C imul eax, [ebp-4]00401030 mov [ebp-4], eax00401033 mov eax, [ebp-8]00401036 add [ebp-4], eax00401039 xor [ebp-4], ecx0040103C inc edx0040103D cmp edx, edi0040103F jl 0040101Dh00401041 cmp dword ptr [ebp-4], 000401045 jnz 00401063h00401047 push 000401049 push 40230Ch0040104E push 4022CCh00401053 push ds:[004023ACh]00401059 call ds:[00402010h]0040105F xor eax, eax00401061 jmp 0040107Fh00401063 xor dword ptr [ebp+0Ch], 01337C0DEh0040106A sub dword ptr [ebp+0Ch], 0BADC0DE5h00401071 mov eax, [ebp-4]00401074 not dword ptr [ebp+0Ch]00401077 xor eax, [ebp+0Ch]0040107A neg eax0040107C sbb eax, eax0040107E inc eax0040107F pop edi00401080 pop esi00401081 leave00401082 retn
for (Serial = 0, i = 0; i < strlen(UserName); i++) { CurChar = (int) UserName[i]; Serial += CurChar; Serial = (((Serial << 1) && 0xFFFFFFFE) || ((Serial >> 31) && 1)); Serial = (((Serial * CurChar) + CurChar) ^ CurChar);}UserSerial = ~((UserSerial ^ 0x1337C0DE) - 0xBADC0DE5);
66©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack– Average opcode size:
3 bytes– Average executable size:
500KB (on WinXP)– There are executables,
libraries, drivers….
77©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack
Sometimes, the code resists– Packers and compressors– Obfuscators
88©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
So where’s the catch?
Low-level is, well, low level…
Needle in a haystack
Sometimes, the code resists
Sometimes, the code fights back– Detect reversing tools– Detect VMs and emulators
99©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
A Battle of Wits
Video clip: The Battle of Wits, “The Princess Bride”
1010©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
A Battle of Wits
Author writes code
Reverser reverses it
Author creates an anti-reversing technique
Reverser bypasses it
And so on…
1111©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
So what do you need
in order to be a good reverser?
1212©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
We’ll come backto this…
1313©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Tools of the Trade
Debugger (Dynamic code analysis)
Disassembler (Static code analysis)
Hex Editor
PE Analyzer
Resource Editor
and more…
1414©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Debuggers
באג בדיזיין –
זין בדיבאג
1515©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
First, there was DEBUG…
1616©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
GUI and much more: Turbo Debugger
1717©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
GUI and much more: Turbo Debugger
1818©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
GUI and much more: Turbo Debugger
1919©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Next major step: Soft-ICE
2020©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
And finally: OllyDbg
2121©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Disassemblers
2222©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
The old world: Sourcer
2323©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
The old world: Sourcer
2424©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Old ages: Sourcer
2525©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Old ages: Sourcer
2626©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Welcome to Windows: W32DASM
2727©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
The Holy Grail: IDA-Pro
Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler’s decisions.
Slowly evolved into an automatic RE tool:– Built-in full-control script language– Library recognition (including user-generated)– Function prototype information
– Display– Propagate throughout the code
– Support for plug-ins– Support for Python scripting– Multi-architecture, cross-platform support– Full incorporation with built-in and external debuggers
2828©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Hex-Editor
2929©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
PE Analyzer
3030©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Resource Editor
3131©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Let’s play with them tools…
3232©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
60 seconds on x86 registers
General purpose registers:32bit/16bit/8bit
Index registers:32bit/16bit
Segment registers:16bit
Flags:32bit/16bit
3333©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Exercise 1:Static Reversing
3434©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Exercise 1: Static Reversing
Target: a 2004 “Crack-Me”
Tools: IDA-Pro
3535©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Exercise 2:Dynamic Reversing
3636©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Exercise 2: Dynamic Reversing
Target: a 2004 “Crack-Me”
Tools: OllyDbg, IDA-Pro
3737©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Exercise 3:Simple Anti-Debugging
3838©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Exercise 3: Simple Anti Debugging
Target: a 2006 “Crack-Me”
Tools: OllyDbg
3939©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Reversing Malware
Malware is comprised of the following building blocks:– Infection Vector– Concealment– Operation– Communications
Check Point’s Anti-Malware Software Blade sits at the gateway
Therefore, communications interest us the most
4040©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Introducing: Spy Eye
A CrimeWare ToolKit, originating in Russia.
Used mostly for stealing financial information, but will settle for any other identity information and key logging…
Like any serious trojan, Spy Eye compresses its traffic and encrypts it
– Compression is performed using a public library (LZO)– Encryption algorithm is proprietary
4141©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Act 1:Encryption
4242©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Act 2:Configuration Download
4343©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Act 3:Another Encryption
4444©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
So what do you need
in order to be a good reverser?
4545©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
What makes a good reverser?
Qualities
• Patient
• Curious
• Persistent
• Outside-the-Box Thinking
• Optional: Good lookin’
Knowledge
• Assembly Language
• Some High-Level programming• Best: origin of binary
• Operating System Internals• API• Data Structures• File Structures
• Good scripting skills
• Anti-Debugging Tricks
4646©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Outside-the-Box Thinking
4747©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
And remember, kids:
Binary Reverse Engineer
+ =?
4848©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Which means…
F A I
L
4949©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Questions?
5050©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Thank you!
5151©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Credits
All images and videos have their origin URL in the “Alt Text” property.All rights belong to their respective owner.