Introduction to Reverse Engineering

Transcription

1 Introduction to Reverse Engineering Inbar Raz Malware Research Lab Manager December 2011

2 What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. aka: Reversing, RE, SRE 2

3 Why do it? Discover Trade Secrets Find Vulnerabilities Academic Research (Yeah, right ) Circumvent [Copy] Protection Patch Binary and Alter Behavior Pure Curiosity Analyse Protocols 3

4 Sounds awesome, right? 4

5 So where s the catch? Low-level is, well, low level push ebp mov ebp, esp push ecx push ecx and dword ptr [ebp-4], push esi A mov esi, [ebp+8] for (Serial = 0, i = 0; i < strlen(username); D i++) push { edi CurChar = (int) UserName[i]; E push esi Serial += CurChar; F call ds:[ h] Serial = (((Serial << 1) && 0xFFFFFFFE) mov ((Serial edi, >> 31) eax && 1)); Serial = (((Serial * CurChar) + CurChar) ^ xor CurChar); edx, edx } test edi, edi UserSerial = ~((UserSerial ^ 0x1337C0DE) B - 0xBADC0DE5); jle h D movsx ecx, byte ptr [edx+esi] add [ebp-4], ecx mov [ebp-8], ecx rol dword ptr [ebp-4], A mov eax, ecx C imul eax, [ebp-4] mov [ebp-4], eax mov eax, [ebp-8] add [ebp-4], eax xor [ebp-4], ecx C inc edx D cmp edx, edi F jl Dh 5

6 So where s the catch? Low-level is, well, low level Needle in a haystack Average opcode size: 3 bytes Average executable size: 500KB (on WinXP) There are executables, libraries, drivers. 6

7 So where s the catch? Low-level is, well, low level Needle in a haystack Sometimes, the code resists Packers and compressors Obfuscators 7

8 So where s the catch? Low-level is, well, low level Needle in a haystack Sometimes, the code resists Sometimes, the code fights back Detect reversing tools Detect VMs and emulators 8

9 A Battle of Wits Video clip: The Battle of Wits, The Princess Bride 9

10 A Battle of Wits Author writes code Reverser reverses it Author creates an anti-reversing technique Reverser bypasses it And so on 10

11 So what do you need in order to be a good reverser? 11

12 We ll come back to this 12

13 Tools of the Trade Debugger (Dynamic code analysis) Disassembler (Static code analysis) Hex Editor PE Analyzer Resource Editor and more 13

14 Debuggers באג בדיזיין זין בדיבאג 14

15 First, there was DEBUG 15

16 GUI and much more: Turbo Debugger 16

17 GUI and much more: Turbo Debugger 17

18 GUI and much more: Turbo Debugger 18

19 Next major step: Soft-ICE 19

20 And finally: OllyDbg 20

21 Disassemblers 21

22 The old world: Sourcer 22

23 The old world: Sourcer 23

24 Old ages: Sourcer 24

25 Old ages: Sourcer 25

26 Welcome to Windows: W32DASM 26

27 The Holy Grail: IDA-Pro Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler s decisions. Slowly evolved into an automatic RE tool: Built-in full-control script language Library recognition (including user-generated) Function prototype information Display Propagate throughout the code Support for plug-ins Support for Python scripting Multi-architecture, cross-platform support Full incorporation with built-in and external debuggers 27

28 Hex-Editor 28

29 PE Analyzer 29

30 Resource Editor 30

31 Let s play with them tools 31

32 60 seconds on x86 registers General purpose registers: 32bit/16bit/8bit Index registers: 32bit/16bit Segment registers: 16bit Flags: 32bit/16bit 32

33 Exercise 1: Static Reversing 33

34 Exercise 1: Static Reversing Target: a 2004 Crack-Me Tools: IDA-Pro 34

35 Exercise 2: Dynamic Reversing 35

36 Exercise 2: Dynamic Reversing Target: a 2004 Crack-Me Tools: OllyDbg, IDA-Pro 36

37 Exercise 3: Simple Anti-Debugging 37

38 Exercise 3: Simple Anti Debugging Target: a 2006 Crack-Me Tools: OllyDbg 38

39 Reversing Malware Malware is comprised of the following building blocks: Infection Vector Concealment Operation Communications Check Point s Anti-Malware Software Blade sits at the gateway Therefore, communications interest us the most 39

40 Introducing: Spy Eye A CrimeWare ToolKit, originating in Russia. Used mostly for stealing financial information, but will settle for any other identity information and key logging Like any serious trojan, Spy Eye compresses its traffic and encrypts it Compression is performed using a public library (LZO) Encryption algorithm is proprietary 40

41 Act 1: Encryption 41

42 Act 2: Configuration Download 42

43 Act 3: Another Encryption 43

44 So what do you need in order to be a good reverser? 44

45 What makes a good reverser? Qualities Patient Curious Persistent Outside-the-Box Thinking Knowledge Assembly Language Some High-Level programming Best: origin of binary Operating System Internals API Data Structures File Structures Good scripting skills Anti-Debugging Tricks Optional: Good lookin 45

46 Outside-the-Box Thinking 46

47 And remember, kids: Binary Reverse Engineer + =? 47

48 Which means 48

49 Questions? 49

50 Thank you! 50

51 Credits All images and videos have their origin URL in the Alt Text property. All rights belong to their respective owner. 51