Tools and Basic Reverse Engineering
Modern Binary Exploitation
CSCI 4968 – Spring 2015
Jeremy Blackthorne
MBE - 01/30/2015 Tools and Basic RE 1
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
Compiling
Source Code → (Compile) → Assembly → (Assemble) → Object File → (Link, with Libraries) → Binary File

Loading
Source Code → (Compile) → Assembly → (Assemble) → Object File → (Link, with Libraries) → Binary File → (Load) → Process

Running
Process, t=0 → (Step) → Process, t=1 → (Step) → ... → Process, t=i → (Step) → ... → Process, t=n

RE Domain
Binary File → (Load) → Process, t=0 → (Step) → Process, t=i → (Step) → Process, t=n
Static analysis works on the Binary File on disk; dynamic analysis works on the Process as it runs, one step at a time.
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
Tool Color Coding
• Linux Tool
  – Command
• Windows Tool
  – ToolName.exe
• Associated Challenges:
  – ChallengeName
Hex Editor / Viewers
• Hex Editors / Viewers
  – wxHexEditor (GUI)
  – xxd
    • "-i" option is C include style
• Challenge:
  – crackme0x00a
ASCII Readable Hex
• strings
  – Displays ASCII strings > 4 characters long
• Challenge:
  – crackme0x00a
  – crackme0x00b
• strings -e ? crackme0x00b
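Added example for the two slides above (not code from the MBE slides): what `xxd -i` and `strings` do under the hood, reimplemented with the Python standard library so the behaviour is visible. The sample bytes are constructed, not taken from a crackme; they contain one plain ASCII string and one 16-bit little-endian string, which plain `strings` misses and `strings -e l` shows.

```python
"""Added example, not code from the MBE slides: what `xxd -i` and `strings`
do under the hood, reimplemented with the standard library so the behaviour
is visible. The sample bytes below are constructed, not from a crackme."""
import re

MIN_LEN = 4                      # strings' default minimum run length (-n 4)
PRINTABLE = rb"[\x20-\x7e\t]"    # printable 7-bit ASCII plus tab, as strings counts it

# Constructed input: a fake ELF prefix, an ASCII string, a few x86 code
# bytes, a 16-bit little-endian string, and a 4-character ASCII string.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Password: "
    + b"\x89\xe5\x83\xec\x10"                # mov ebp,esp ; sub esp,0x10
    + "Congrats!".encode("utf-16-le")        # only visible with -e l
    + b"\x00\x00" + b"1337" + b"\x00"
)

def xxd_include(data: bytes, name: str) -> str:
    """Same layout xxd -i emits: a C array plus its length, 12 bytes per line."""
    rows = ["  " + ", ".join(f"0x{b:02x}" for b in data[i:i + 12])
            for i in range(0, len(data), 12)]
    return (f"unsigned char {name}[] = {{\n" + ",\n".join(rows)
            + f"\n}};\nunsigned int {name}_len = {len(data)};\n")

def strings(data: bytes, encoding: str = "s", min_len: int = MIN_LEN) -> list:
    """Printable runs of at least min_len characters.
    encoding follows strings -e: 's' = 7-bit ASCII (the default),
    'l' = 16-bit little-endian units (a printable byte, then a zero byte)."""
    if encoding == "s":
        pattern = PRINTABLE + rb"{%d,}" % min_len
        codec = "ascii"
    elif encoding == "l":
        pattern = rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len
        codec = "utf-16-le"
    else:
        raise ValueError("only -e s and -e l are modelled here")
    return [m.group().decode(codec) for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    print(xxd_include(SAMPLE[:16], "sample"))
    print("strings      :", strings(SAMPLE))
    print("strings -e l :", strings(SAMPLE, "l"))
```

The x86 code bytes sit right after "Password: " on purpose: a printable byte inside code (0x55 is `push ebp` and also `U`) would have been glued onto the string, which is why `strings` output on real binaries carries junk.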
File Formats on Disk
• Linux:
  – ELF-Walkthrough.png
  – readelf
• Windows:
  – PE-Layout.jpg
  – Peview.exe
• For unknown files / binaries
  – file
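Added example (not from the slides): the first thing `file` and `readelf -h` do is read the fixed-size header at offset 0, and this does the same for ELF using only `struct`, plus the "MZ" check that identifies a DOS/PE stub. The header bytes it parses are constructed with `struct.pack` and are not real binaries; the field order and the `e_type`/`e_machine` names are the ones from `<elf.h>` and `readelf`.

```python
"""Added example, not from the slides: the first step of `file` and
`readelf -h` is reading the fixed header at offset 0, which is what this
does for ELF (and it recognises the 'MZ' stub of a DOS/PE file). Sample
headers are constructed with struct.pack and are not real binaries."""
import struct

ELF_MAGIC = b"\x7fELF"
# Field order after the 16-byte e_ident block, as in <elf.h>:
# e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
# e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF32_FMT = "HHIIIIIHHHHHH"   # Elf32_Ehdr body, 36 bytes
ELF64_FMT = "HHIQQQIHHHHHH"   # Elf64_Ehdr body, 48 bytes
E_TYPE = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
          3: "DYN (Shared object file)", 4: "CORE (Core file)"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "Advanced Micro Devices X86-64",
             183: "AArch64"}

def identify(data: bytes) -> str:
    """Rough equivalent of `file`: classify by magic bytes only."""
    if data.startswith(ELF_MAGIC) and len(data) > 5:
        cls = {1: "32-bit", 2: "64-bit"}.get(data[4], "invalid class")
        end = {1: "LSB", 2: "MSB"}.get(data[5], "invalid data encoding")
        return f"ELF {cls} {end}"
    if data.startswith(b"MZ"):
        return "MS-DOS executable (MZ header; a PE header may follow at e_lfanew)"
    return "data"

def parse_elf_header(data: bytes) -> dict:
    """Rough equivalent of `readelf -h` for the fields you look at first."""
    if not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    order = {1: "<", 2: ">"}.get(ei_data)       # EI_DATA picks the byte order
    fmt = {1: ELF32_FMT, 2: ELF64_FMT}.get(ei_class)
    if order is None or fmt is None:
        raise ValueError("invalid EI_CLASS or EI_DATA in e_ident")
    fmt = order + fmt
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from(fmt, data, 16)
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "data": "little endian" if ei_data == 1 else "big endian",
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "entry": e_entry, "ehsize": e_ehsize,
        "phoff": e_phoff, "phnum": e_phnum, "phentsize": e_phentsize,
        "shoff": e_shoff, "shnum": e_shnum, "shentsize": e_shentsize,
        "shstrndx": e_shstrndx,
    }

def build_elf_header(bits: int, e_type: int, e_machine: int, entry: int) -> bytes:
    """Constructed little-endian ELF header for exercising the parser; nothing
    follows it, so it is not a loadable binary."""
    ei_class = 1 if bits == 32 else 2
    e_ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    if bits == 32:
        body = struct.pack("<" + ELF32_FMT, e_type, e_machine, 1, entry,
                           52, 0, 0, 52, 32, 2, 40, 0, 0)
    else:
        body = struct.pack("<" + ELF64_FMT, e_type, e_machine, 1, entry,
                           64, 0, 0, 64, 56, 2, 64, 0, 0)
    return e_ident + body

if __name__ == "__main__":
    sample = build_elf_header(64, 2, 62, 0x401040)
    print(identify(sample))
    for k, v in parse_elf_header(sample).items():
        print(f"  {k:10}: {v:#x}" if isinstance(v, int) else f"  {k:10}: {v}")
```

The parser trusts nothing past the magic: class and data encoding are validated before they pick a `struct` format, and the length is checked before unpacking, which is the difference between a tool that reports "truncated header" and one that crashes on a malformed file.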
Hashing
• Do we have the same file?
  – md5sum
• Upload hash to virustotal.com
• Google search hash
• Fuzzy hashing:
  – ssdeep -b original.elf > hash.txt
  – ssdeep -bm hash.txt modified.elf
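Added example (not from the slides) of why the slide lists both an exact hash and a fuzzy hash: `md5sum` only answers "byte-identical or not", while a fuzzy hash scores how much of a modified file still matches the original. The similarity below is a toy context-triggered piecewise hash written for this page in the spirit of ssdeep; it is not ssdeep's algorithm and its signatures are not compatible with ssdeep's. All inputs are constructed pseudo-random blobs.

```python
"""Added example, not from the slides: an exact hash (what md5sum prints)
says only whether two files are identical; a fuzzy hash says how similar
they are. fuzzy_hash() is a toy context-triggered piecewise hash in the
spirit of ssdeep, NOT ssdeep's algorithm, and its output is not compatible
with ssdeep. All sample data is constructed."""
import hashlib
import random

WINDOW = 7      # bytes that feed the rolling hash
BLOCK = 32      # a chunk ends when the rolling hash hits the trigger value
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def md5_hex(data: bytes) -> str:
    """The digest md5sum prints: any single-bit change gives an unrelated value."""
    return hashlib.md5(data).hexdigest()

def fuzzy_hash(data: bytes) -> str:
    """One signature character per content-defined chunk. Chunk boundaries
    depend only on the last WINDOW bytes, so an edit changes the chunks that
    contain it and leaves every later boundary where it was."""
    sig, window_sum, start = [], 0, 0
    for i, b in enumerate(data):
        window_sum += b
        if i >= WINDOW:
            window_sum -= data[i - WINDOW]
        if window_sum % BLOCK == BLOCK - 1:          # boundary trigger
            sig.append(ALPHABET[hashlib.sha1(data[start:i + 1]).digest()[0] % 64])
            start = i + 1
    if start < len(data):                            # trailing partial chunk
        sig.append(ALPHABET[hashlib.sha1(data[start:]).digest()[0] % 64])
    return "".join(sig)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; ssdeep also scores signatures with an edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: bytes, b: bytes) -> float:
    """1.0 = identical signatures, 0.0 = nothing in common."""
    sa, sb = fuzzy_hash(a), fuzzy_hash(b)
    longest = max(len(sa), len(sb))
    return 1.0 if longest == 0 else 1.0 - edit_distance(sa, sb) / longest

def make_samples():
    """Constructed inputs: a pseudo-random 'original', a one-byte patch of it,
    a copy with 16 bytes inserted in the middle, and an unrelated blob."""
    rng = random.Random(1337)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    patched = bytearray(original)
    patched[2048] ^= 0xFF                               # single-byte change
    inserted = original[:2048] + b"\x90" * 16 + original[2048:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return original, bytes(patched), inserted, unrelated

if __name__ == "__main__":
    original, patched, inserted, unrelated = make_samples()
    for name, other in (("patched", patched), ("inserted", inserted), ("unrelated", unrelated)):
        print(f"{name:9} md5 equal: {md5_hex(original) == md5_hex(other)!s:5} "
              f"similarity: {similarity(original, other):.2f}")
```

The insertion case is the one that matters: a fixed-size chunking scheme would shift every chunk after the insert and report the file as mostly different, whereas content-defined boundaries realign within a few bytes, which is what lets `ssdeep -m` still match a repacked or lightly modified sample against the stored hash.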
Command Line Disassembly
• crackme0x01
• objdump -d
• Convert hex to decimal
  – echo $((0xDEADBEEF))
Patching Binaries
• It’s your binary, you can patch it if you want to
• objdump -d crackme0x00a | grep -A 30 '<main>'
• wxHexEditor --> Edit --> Find
External Diffing
• Original + modified = HUGE advantage
• wxHexEditor --> Tools --> compare files
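Added example covering the two slides above (not code from the slides): the find / patch / compare workflow that the slides do by hand with objdump and wxHexEditor, as small functions so each step's result can be checked. `SAMPLE_BINARY` is a constructed byte blob standing in for a crackme, not a real ELF file; the byte-for-byte diff at the end is the record you keep beside a patched binary, and the same function is what you run when you want to know exactly what changed between an original and a modified file.

```python
"""Added example, not from the slides: the find / patch / compare workflow
the slides do by hand (objdump -d to locate main, wxHexEditor Edit->Find,
then Tools->compare files) as functions. SAMPLE_BINARY is a constructed
blob standing in for a crackme; it is not a real ELF file."""

# Constructed: 64 bytes of fake header, a prologue, then the kind of
# compare-and-branch a crackme's main() performs on the user's input.
FAKE_HEADER = b"\x7fELF" + b"\x00" * 60
CMP_JE = b"\x3d\x37\x13\x00\x00" + b"\x74\x0c"   # cmp eax, 0x1337 ; je +0x0c
SAMPLE_BINARY = FAKE_HEADER + b"\x55\x89\xe5" + CMP_JE + b"\xcc" * 32

JE, JNE = 0x74, 0x75   # short conditional jump opcodes that differ by one bit

def find_pattern(data: bytes, pattern: bytes) -> list:
    """Every file offset at which pattern occurs (Edit->Find in a hex editor)."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def patch_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite len(new) bytes at offset. The size must not change, or every
    offset after the patch (and the ELF tables pointing at them) goes stale."""
    if offset < 0 or offset + len(new) > len(data):
        raise ValueError("patch would fall outside the file")
    out = bytearray(data)
    out[offset:offset + len(new)] = new
    return bytes(out)

def patch_unique(data: bytes, pattern: bytes, rel_offset: int, new: bytes) -> bytes:
    """Patch relative to a pattern, refusing to guess when it is ambiguous:
    a short byte sequence often occurs more than once in a real binary."""
    hits = find_pattern(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern found {len(hits)} times, need exactly 1")
    return patch_bytes(data, hits[0] + rel_offset, new)

def diff_files(a: bytes, b: bytes) -> list:
    """(offset, old_byte, new_byte) for every differing byte
    (Tools->compare files)."""
    if len(a) != len(b):
        raise ValueError(f"sizes differ ({len(a)} vs {len(b)}); diff the whole files")
    return [(i, a[i], b[i]) for i in range(len(a)) if a[i] != b[i]]

def invert_je(data: bytes) -> bytes:
    """The crackme exercise from the slides: flip the je after the cmp to jne."""
    return patch_unique(data, CMP_JE, len(CMP_JE) - 2, bytes([JNE]))

if __name__ == "__main__":
    patched = invert_je(SAMPLE_BINARY)
    for offset, old, new in diff_files(SAMPLE_BINARY, patched):
        print(f"{offset:#06x}: {old:02x} -> {new:02x}")
```

Note that `patch_bytes` keeps the file size fixed and `patch_unique` refuses to patch when the search pattern is not unique; both checks are what separate a patch you can explain from one that corrupts the file.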
Disassembly
• objdump -d
• IDA Pro.exe
• Challenges:
  – crackme0x01
  – crackme0x02
IDA Pro
• IDA Pro.exe
• crackme0x04
IDA Basics
• Change between basic and graphic mode (space bar)
• Rename variables: (n)
• Comment
  – Side: (:), (;)
  – Above/below: (ins)
• Convert const formats: (right-click)
• Cross-reference: (x)
• Change to array: (a)
• IDA->Windows->Reset desktop
• IDA->Options->General->auto comment
• IDA->Options->General->opcode bytes 8
https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf
The Stack
[Figure: a call foo( a, b, c ); with the EBP, ESP and EIP registers shown against stack slots 0x03 to 0x07]
The animations on this slide will only work in the .pptx of this lecture
[Figure: Stack, one slot per row from high to low addresses, slots labelled 0x00 to 0x07: c, b, a, Old EIP, Old EBP (EBP points here), x, y, z (ESP points here)]
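Added example (not from the slides): a byte-level model of the 32-bit frame drawn on the stack slide for a call `foo(a, b, c)` with locals `x`, `y`, `z`. The addresses are made up; what the model reproduces is the cdecl layout relative to EBP, which the calling convention and the `push ebp` / `mov ebp, esp` prologue fix, and it shows why the saved return address sits only a few bytes above the locals.

```python
"""Added example, not from the slides: a byte-level model of the 32-bit
frame on the 'The Stack' slide for a call foo(a, b, c) with locals x, y, z.
Addresses are constructed; the layout relative to EBP is what the x86
cdecl convention and the push ebp / mov ebp, esp prologue fix."""
import struct

STACK_TOP = 0xBFFFF000     # constructed address for the top of the modelled stack

class Stack32:
    """Downward-growing stack of little-endian 4-byte slots."""
    def __init__(self, top: int = STACK_TOP, size: int = 0x100):
        self.base = top - size          # lowest address we model
        self.mem = bytearray(size)
        self.esp = top
        self.ebp = 0

    def push(self, value: int) -> int:
        """PUSH: decrement ESP by 4, then store. Returns the slot's address."""
        self.esp -= 4
        if self.esp < self.base:
            raise OverflowError("modelled stack exhausted")
        off = self.esp - self.base
        self.mem[off:off + 4] = struct.pack("<I", value & 0xFFFFFFFF)
        return self.esp

    def read(self, addr: int) -> int:
        """Read the 4-byte slot at addr."""
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]

def call_foo(a: int, b: int, c: int, return_eip: int, caller_ebp: int,
             x: int, y: int, z: int) -> Stack32:
    """Run the caller's pushes, the CALL, and foo's prologue on a fresh stack."""
    st = Stack32()
    st.ebp = caller_ebp
    for arg in (c, b, a):      # cdecl: arguments pushed right to left
        st.push(arg)
    st.push(return_eip)        # CALL pushes the address of the next instruction
    st.push(st.ebp)            # push ebp   (the slide's "Old EBP")
    st.ebp = st.esp            # mov ebp, esp
    for local in (x, y, z):    # sub esp, 12 plus the stores, one slot each
        st.push(local)
    return st

def frame_layout(st: Stack32) -> dict:
    """Where each slot of the slide's diagram sits relative to EBP."""
    return {
        "c": st.ebp + 16, "b": st.ebp + 12, "a": st.ebp + 8,
        "old_eip": st.ebp + 4, "old_ebp": st.ebp,
        "x": st.ebp - 4, "y": st.ebp - 8, "z": st.ebp - 12,
    }

def bytes_to_saved_eip(st: Stack32, local_name: str) -> int:
    """Distance from a local's slot up to the saved return address. This is
    the gap a stack canary (placed just below old EBP) is there to guard."""
    layout = frame_layout(st)
    return layout["old_eip"] - layout[local_name]

if __name__ == "__main__":
    st = call_foo(1, 2, 3, 0x08048456, 0xBFFFF0F0, 0xAA, 0xBB, 0xCC)
    for name, addr in frame_layout(st).items():
        marker = " <- EBP" if addr == st.ebp else (" <- ESP" if addr == st.esp else "")
        print(f"{addr:#010x}  {name:8} {st.read(addr):#010x}{marker}")
```

Reading the table top-down gives the slide's diagram: arguments at positive offsets from EBP, the saved EIP at EBP+4, and locals at negative offsets, with ESP at the lowest live slot.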
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
IDA Pro
• IDA_Pro_Shortcuts.pdf
• The book on IDA
• IDA Syntax Highlighting:
  – http://practicalmalwareanalysis.com/2012/03/25/decorating-your-disassembly/
Additional Resources
• Corkami.com – diagrams of file structures and other interesting trivia
• Crackmes.de – “Reverser’s Playground”
• Subreddits
  – reddit.com/r/reverseengineering
  – reddit.com/r/netsec
  – reddit.com/r/uic
• http://www.bottomupcs.com - Systems background