View
223
Download
4
Embed Size (px)
Citation preview
K. Salah 1
Software Reverse Engineering Software Reverse Engineering
Software CrackingSoftware Cracking
Sometimes, the best way to advance Sometimes, the best way to advance is in reverseis in reverse
K. Salah 2
What is Reverse Engineering?What is Reverse Engineering?
The process of extracting the knowledge or design blueprints from The process of extracting the knowledge or design blueprints from anything man-made.anything man-made.
It is different than conventional scientific research (e.g, coming up It is different than conventional scientific research (e.g, coming up with blueprints of the atom)with blueprints of the atom) With reverse engineering, the artifact being investigated is man-made With Scientific research, the artifact is a natural phenomenon
Software Reverse EngineeringSoftware Reverse Engineering About opening up a program’s “box” and looking inside No screwdrivers needed, but integrates several arts of
Code breaking Puzzle solving Programming Logical analysis
K. Salah 3
Why Reverse Engineering?Why Reverse Engineering?
Application developmentApplication development Why reinvent the wheel Undocumented API Interoperability with proprietary software
Used enormously for all MS products Software quality and robustness
Security-RelatedSecurity-Related Malicious Software
Black-Hat Hackers• To find vulnerabilities and exploit them
White-Hat Hackers• To identify, dissect and analyze malware
Reversing ciphers Defeating copy right protection Must-do when it comes to propriety software
Really unknown what the code does and how secure
K. Salah 4
Is reversing legal?Is reversing legal?
Jury is still outJury is still out
Bottom lineBottom line What is “reverse engineering” used for?
K. Salah 5
““Software Cracking is a Software Cracking is a scientific processscientific process as as much as it is an much as it is an artart,”,”
Greg HoglundGreg Hoglund
Taking measurements Analysis to draw proper conclusions
K. Salah 6
Reversing 101Reversing 101 BooksBooks
Elad Eilam, “Reversing: Secretes of Reverse Engineering,” Wiley, 2005Elad Eilam, “Reversing: Secretes of Reverse Engineering,” Wiley, 2005 Greg Hoglund, “Exploiting Software: How to Break Code,” Addison-Greg Hoglund, “Exploiting Software: How to Break Code,” Addison-
Wesley, 2004Wesley, 2004 Kris Kaspersky, “Hacker Disassebmling Uncovered,” A-List Publishing, Kris Kaspersky, “Hacker Disassebmling Uncovered,” A-List Publishing,
20032003
Web sitesWeb sites Learn to crackLearn to crack
http://www.learn2crack.com/ http://woodmann.net/krobar/
Crack FindCrack Find http://www.crackfind.com/ http://www.cracksearchengine.net/ http://astalavista.box.sk http://ttdown.com/
K. Salah 7
Approaches to reverse engineeringApproaches to reverse engineering
White Box AnalysisWhite Box Analysis Analyzing and understanding source code Code coverage – walking down dark allies
Black Box AnalysisBlack Box Analysis Analyzing a running program by probing it with various
inputs
Gray Box AnalysisGray Box Analysis A combination
K. Salah 8
Program StructureProgram Structure
Static librariesStatic libraries Third party library external to program Added to program while being built Become integral part of the final executable
Dynamic librariesDynamic libraries Idea is to utilize memory Multiple processes can use the same DLL Remains separate from the executable Update to DLL requires no update to program Simplify the reversing process and give many hints on
program behavior.
K. Salah 9
The .exe format and DLLsThe .exe format and DLLs Before loading DLLs, Before loading DLLs,
addresses of functions in DLL addresses of functions in DLL are pointing to dummy are pointing to dummy addresses in an import tableaddresses in an import table
When process is loaded, the When process is loaded, the OS loader loads every module OS loader loads every module listed in the imported table, listed in the imported table, and resolves the addresses of and resolves the addresses of each of the functions listed in each of the functions listed in each modules. The addresses each modules. The addresses are found in the exported table are found in the exported table of the module.of the module.
K. Salah 11
Reversing ToolsReversing Tools No all-in-oneNo all-in-one Disassemblers and low-level debuggersDisassemblers and low-level debuggers
IDA Pro ILDasm OllyDbg Win32Dasm WinDbg Numega SoftICE
Decompilers Decompilers Dream to come true In development: Andromeda and Boomerang For Java and C#, the dream has come true
System monitorsSystem monitors FileMon, TCPView, TDIMon, RegMon, PortMon, WinObj, Process Exporer
Hex EditorsHex Editors Hex Workshop Hiew WinHex
K. Salah 13
IDA-generated function interactions at high levelIDA-generated function interactions at high level
K. Salah 14
Copyright ProtectionCopyright Protection
Open ArchitectureOpen Architecture CPU can not check “authorized” or “legal” code Only execution mode and process memory protection by OS–
useless When program runs, its data and code has to be exposed or
decrypted Decryption key or decrypted data are impossible to hide – It is
the CPU that does the decryption operation
Make no mistake:Make no mistake: It is virtually impossible to create a It is virtually impossible to create a totally totally uncrackableuncrackable copy protection scheme copy protection scheme
One crack is not the issue, “One crack is not the issue, “class breaksclass breaks” is” is
K. Salah 15
Design ConsiderationsDesign Considerations
Resistance to attack
End-user transparency The annoyance factor
K. Salah 16
Types of ProtectionTypes of Protection Media-Based ProtectionsMedia-Based Protections
Deliberately writing bad sectors on floppy Easy to break
WatermarkingWatermarking Check for watermark on media before running Can be broken
Serial NumbersSerial Numbers Program has “secret validation algorithm” to check for good serial numbers Easy to break
ChecksumChecksum Check for valid checksum before or during running Can be broken
Challenge Response and Online ActivationsChallenge Response and Online Activations A step up Can be broken
Hardware-Based ProtectionsHardware-Based Protections Program runs or keeps running if a dongle is attached Can be broken
Software as a ServiceSoftware as a Service Highly secure Vendor is in control
Advanced Protection Concepts -- Crypto-ProcessorsAdvanced Protection Concepts -- Crypto-Processors Violates Open Architecture
K. Salah 17
Crypto ProcessorsCrypto Processors
Originated by Robert M. Best in his patent, “Executing Enciphered Originated by Robert M. Best in his patent, “Executing Enciphered Programs.”Programs.”
Decrypt code then Execute Decrypt code then Execute Each Crypto-Each Crypto-P has P has (assigned by CA)(assigned by CA)
Two pair of keys A serial number
The StepsThe Steps Software is shipped by the vendor with binary executable encrypted P decrypts with private key Machine code is placed in a special memory not software-
accessable Similar to macrocode for each machine instruction Only accessed by the process itself. Any other access by OS or IDT or any software is
a violation. Code is executed from this (theoretically) inaccessable memory
K. Salah 18
Is this unbreakable?Is this unbreakable?
Power usage analysis attacks Power usage analysis attacks Differential power analysisDifferential power analysis
by by
Paul Kocher, Joshu Jaffe, and Benjamin Jun
Watch the power consumption to ascertain the value of the key being used
K. Salah 19
Antireversing TechniquesAntireversing Techniques
Lets get one thing out of the wayLets get one thing out of the way
It is never possible to entirely prevent reversing
What is possible is to hinder and obstruct reversers by wearing them out and making it so slow and painful.
drown the reverser into a sea of irrelevant information Outcome: they give up
K. Salah 20
Basic Approaches to AntireversingBasic Approaches to Antireversing Eliminate Symbolic AntireversingEliminate Symbolic Antireversing
Non-byte-code Imported and exported and internal Function names. String names.
Byte-code (Java and .NET) Intermediate code of a compiler Uses internal cross-references than addresses Make it so easy to decompile to source code! More: class names, class member names, names of instantiated global objects
Use inlining & addresses for function names Obfuscating the programObfuscating the program
Functionally identical yet far less readable E.g. rename all symbolic links into meaningless symbols
Code EncryptionCode Encryption Part of the binary executable is encrypted and is decrypted at runtime Only hinders static analysis
Embedding Antidebuggers CodeEmbedding Antidebuggers Code Check for debugger existence. If so, terminate or better yet confuse it! Workaround is using static analysis Powerful combinationPowerful combination: use encryption with antidebugging. Why?
K. Salah 21
Detecting DebuggerDetecting Debugger TF set in EFLAGSTF set in EFLAGS Check handlers in IDTCheck handlers in IDT Enable TF and see if exception is swallowed by debuggerEnable TF and see if exception is swallowed by debugger Code checksumCode checksum
Slowdown runtime Use only for sensitive functions
Use a special thread to see if program was stopped for Use a special thread to see if program was stopped for long timelong time
Inserting junk bytes into code Inserting junk bytes into code Use opcode: db or ds Disassemblers get confused
Linear sweep vs. recursive traversal
K. Salah 23
KeygenningKeygenning
DefinitionDefinition: The process of creating programs that : The process of creating programs that mimic the key-generation algorithm for everyone mimic the key-generation algorithm for everyone to useto use
Software can be blacklisted if it always works Software can be blacklisted if it always works with same pair of (serialnumber or username.) with same pair of (serialnumber or username.)
Better yet:Better yet: Key depends on pair of username plus computer-
specific info (disk driver serial number) Ripping Keygen AlgorithmsRipping Keygen Algorithms
The process is somewhat easy Locate/copy/paste/modify
K. Salah 24
JAVA, C#, and .NETJAVA, C#, and .NET
Reversing is Reversing is incrediblyincredibly trivial task trivial task Bytecode and MSIL is highly detailedBytecode and MSIL is highly detailed
Full definition of every data structure Name of every symbol
Every object, data member, and member function Decompile and modifyDecompile and modify CountermeasuresCountermeasures
Renaming symbols Control flow obfuscation Breaking decompilation and disassembley
Corrupting the metadata with bogus references, strings, methods, etc.