RAPHAEL SANCHEZ PRUDENCIO (RAPH0X88) [email protected]

All your binaries are belong to us

DISCLAIMER

ALL THE INFORMATION PROVIDED IN THIS TALK IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OF THE INFORMATION!

MOTIVATION

• REVERSE ENGINEERING ROCKS
• YOUR COMPUTER, YOUR RULES
• AND ABOVE ALL, CURIOSITY!
• JUST TO CLARIFY, NOT A TYPO!
  • AT LEAST NOT MY TYPO
  • INSPIRED BY ZERO WING'S FAMOUS MISTRANSLATION MEME

OLLYDBG

• OLLYDBG IS A 32-BIT ASSEMBLER LEVEL ANALYZING DEBUGGER FOR WINDOWS.
• PRETTY USEFUL TOOL FOR DEBUGGING ON WINDOWS
• SUPPORTS PLUGINS, WHICH CAN EXTEND ITS FEATURES

DEMO TIME!

ANTI-DEBUG

• TOO MANY TECHNIQUES TO DESCRIBE ALL
• DEBUGGER DETECTION
  • NtSetInformationThread - ThreadHideFromDebugger
  • IsDebuggerPresent
• TIMING HOOKS
  • GetTickCount
  • NtQueryPerformanceCounter
• BREAKPOINT DETECTION
  • GetThreadContext
  • INT3 (0xCC) AND INT 3 (0xCD 03)
• …
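The breakpoint-detection item on the slide is the one an analyst meets most often when a protected binary "just crashes" under a debugger. The block below is an added example (not code from the talk) showing the two usual shapes of that check over a code region: a raw scan for the 0xCC / 0xCD 03 byte patterns, and a build-time checksum of the code bytes that is recomputed at run time. The byte strings are hand-constructed x86-64 sequences, not bytes from any real program, and the helper names are mine. It also shows the caveat a practitioner needs: 0xCC is a perfectly legal byte inside an immediate or displacement, so the raw scan false-positives, which is why real protectors prefer the checksum. Neither method sees hardware breakpoints, which leave the code bytes untouched; that is what the GetThreadContext item (debug registers DR0-DR3) covers.

```c
/* Added example, not from the talk. Code buffers below are hand-constructed
 * x86-64 byte sequences used only to exercise the checks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a over a code region. A protected program stores the expected value
 * at build time and recomputes it at run time to detect patched bytes. */
uint32_t code_checksum(const uint8_t *code, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Count bytes that would decode as a software breakpoint if they sat on an
 * instruction boundary: CC (INT3) or CD 03 (two-byte INT 3). */
size_t count_int3_bytes(const uint8_t *code, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] == 0xCC) {
            hits++;
        } else if (code[i] == 0xCD && i + 1 < len && code[i + 1] == 0x03) {
            hits++;
            i++;
        }
    }
    return hits;
}

/* 1 if the region no longer matches its build-time checksum. */
int code_is_tampered(const uint8_t *code, size_t len, uint32_t expected) {
    return code_checksum(code, len) != expected;
}

/* Simulate a debugger planting a software breakpoint: copy the original
 * bytes and overwrite the byte at `offset` with 0xCC. */
void plant_breakpoint(const uint8_t *orig, uint8_t *copy, size_t len, size_t offset) {
    memcpy(copy, orig, len);
    if (offset < len) copy[offset] = 0xCC;
}

/* Constructed: push rbp; mov rbp,rsp; mov eax,0x12345678; pop rbp; ret */
static const uint8_t CLEAN_FUNC[] = {
    0x55, 0x48, 0x89, 0xE5, 0xB8, 0x78, 0x56, 0x34, 0x12, 0x5D, 0xC3
};

/* Constructed: mov eax,0xCCCCCCCC; ret -- a legal immediate full of CC bytes */
static const uint8_t CC_IMMEDIATE_FUNC[] = {
    0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xC3
};

/* Plant a breakpoint at `offset` in a copy of CLEAN_FUNC and report whether
 * the checksum check catches it (1) or not (0). */
int checksum_catches_breakpoint(size_t offset) {
    uint8_t patched[sizeof CLEAN_FUNC];
    uint32_t expected = code_checksum(CLEAN_FUNC, sizeof CLEAN_FUNC);
    plant_breakpoint(CLEAN_FUNC, patched, sizeof CLEAN_FUNC, offset);
    return code_is_tampered(patched, sizeof patched, expected);
}

int main(void) {
    uint8_t patched[sizeof CLEAN_FUNC];
    plant_breakpoint(CLEAN_FUNC, patched, sizeof CLEAN_FUNC, 4); /* on the mov eax */

    printf("clean:        int3 bytes=%zu tampered=%d\n",
           count_int3_bytes(CLEAN_FUNC, sizeof CLEAN_FUNC),
           checksum_catches_breakpoint(sizeof CLEAN_FUNC)); /* offset out of range: no patch */
    printf("patched:      int3 bytes=%zu tampered=%d\n",
           count_int3_bytes(patched, sizeof patched),
           checksum_catches_breakpoint(4));
    /* The raw scan reports 4 "breakpoints" here although none were set. */
    printf("cc-immediate: int3 bytes=%zu\n",
           count_int3_bytes(CC_IMMEDIATE_FUNC, sizeof CC_IMMEDIATE_FUNC));
    return 0;
}
```

Seeing a function hash itself, or walk its own bytes comparing against 0xCC, is a strong hint that the crash under a debugger is deliberate; the plugins listed later on this page exist to hide exactly these observations from the protected code.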

ANTI-DISASSEMBLE

• JUNK CODE
• OVERLAPPING INSTRUCTIONS
• CALL/RET ABUSE
• SELF-MODIFYING CODE
• …

ANTI-ANTI-DEBUG/DISASM

• PLENTY OF OPTIONS!
• USER SPACE
  • ScyllaHide
• KERNEL SPACE
  • TitanHide

DEMO TIME!

ENCODER

    /* Part 1 */
    tmp = (data2 << 4) ^ (data2 >> 5);
    tmp += data2;
    j = local2 & 3;
    tmp2 = c[j] + local2;
    data1 += (tmp ^ tmp2);

    /* Update local2 */
    local2 += local3;

    /* Part 2 */
    tmp = (data1 << 4) ^ (data1 >> 5);
    tmp += data1;
    j = (local2 >> 0xb) & 3;
    tmp2 = c[j] + local2;
    data2 += (tmp ^ tmp2);
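The decompiled round above has exactly the shape of one XTEA cycle: the two halves feed each other through (x << 4) ^ (x >> 5) + x, the key word is selected by sum & 3 in the first half and by (sum >> 11) & 3 in the second, and the sum is stepped between them. Recognising that pattern turns "some custom encoder" into a known block cipher whose key is whatever sits in c[]. The block below is an added example, not the talk's code: it rebuilds the full cipher with the decompiler's names mapped to XTEA's, and it assumes what the slide does not show, namely that local3 is the standard delta 0x9E3779B9, that c[] is a 128-bit key of four 32-bit words, and that the loop runs 32 cycles. The key and plaintext are constructed for the demo.

```c
/* Added example (not the talk's code). Name mapping from the decompiled round:
 *   data1/data2 -> v0/v1  (two 32-bit halves of the 64-bit block)
 *   c[]         -> key[]  (four 32-bit words; 128-bit key, assumed)
 *   local2      -> sum    (running key-schedule sum)
 *   local3      -> delta  (assumed to be XTEA's 0x9E3779B9; not shown on the slide)
 * The cycle count of 32 is also assumed; a real sample may use another. */
#include <stdint.h>
#include <stdio.h>

#define XTEA_DELTA  0x9E3779B9u
#define XTEA_CYCLES 32

void xtea_encrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < XTEA_CYCLES; i++) {
        /* Part 1: data1 += (((data2 << 4) ^ (data2 >> 5)) + data2) ^ (c[local2 & 3] + local2) */
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        /* local2 += local3 */
        sum += XTEA_DELTA;
        /* Part 2: same mix on the other half, key word chosen by (local2 >> 11) & 3 */
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Inverse: undo the cycles in reverse order, starting from the final sum. */
void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_CYCLES;
    for (int i = 0; i < XTEA_CYCLES; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Encrypt one block and decrypt it again. Returns 1 when the ciphertext
 * differs from the plaintext and the round trip restores it exactly. */
int xtea_roundtrip(uint32_t p0, uint32_t p1, const uint32_t key[4]) {
    uint32_t v[2] = { p0, p1 };
    xtea_encrypt(v, key);
    int changed = (v[0] != p0) || (v[1] != p1);
    xtea_decrypt(v, key);
    return changed && v[0] == p0 && v[1] == p1;
}

/* Constructed demo key; not a value from the talk. */
static const uint32_t DEMO_KEY[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };

int main(void) {
    uint32_t v[2] = { 0x41414141u, 0x42424242u };   /* constructed plaintext */
    xtea_encrypt(v, DEMO_KEY);
    printf("ciphertext: %08X %08X\n", v[0], v[1]);
    xtea_decrypt(v, DEMO_KEY);
    printf("plaintext:  %08X %08X\n", v[0], v[1]);
    printf("round trip: %s\n",
           xtea_roundtrip(0x41414141u, 0x42424242u, DEMO_KEY) ? "ok" : "FAILED");
    return 0;
}
```

When you hit a round like this in a disassembly, check the constant added to the sum first: 0x9E3779B9 (or its negation 0x61C88647) identifies the TEA family immediately, and the (sum >> 11) & 3 key index distinguishes XTEA from plain TEA.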

DEMO TIME!

ROGUE AUTH

    <?php
    $state = $_GET["state"] ?? "";
    $name  = $_GET["name"] ?? "";
    $pass  = $_GET["pass"] ?? "";

    if ($state == "syn") {
        $session = md5(time());
        if (strpos($name, 'nullbyte') !== false) {
            print "ack|" . $session;
        } else {
            print "bad|Invalid username or password!";
        }
    } elseif ($state == "synack") {
        $what1 = md5(time());
        $what2 = md5(time() + 1);
        print "good|" . $what1 . "|" . $what2 . "|ALL YOUR B1N4R13S ARE BELONG TO US!!!";
    }

QUESTIONS?

THANK YOU!

BUT REMEMBER…

DON’T DO THIS AT HOME!!!