2. Speaker Info
Krishs Patil
Hold master degree in computer application
Computer programmer
Reverser
And hobbyist security researcher
3. Outline
Introduction
Reversing Process
Tools andTechniques
Reversing in different context (Practice)
Lab demonstration
Defeating Reverse Engineering
Resources
4. Introduction
“Reverse engineering is the process of extracting the
knowledge or design blueprints from anything man-
made”.
It is usually conducted to obtain missing knowledge,
ideas and design philosophy when such information is
unavailable.
In computer science, It is the process of dis-
assembling or de-compiling the binary code of
computer program for various purpose.
Requires skills and understanding of computer and
software development
5. Introduction Cont…
Why reverse engineering…
different people do it for different purpose …
But, Specifically in the field of Cyber Security…
… If you want to be serious security researcher, you
must posses skills of reverse code engineering.
6. Reversing Process
Defining scope of reversing…
System Reverse Engineering
Code Reverse Engineering
Data Reverse Engineering
Protocol Reverse Engineering
7. Reversing Process Cont…
Setting up environment…
Setup Isolated environment (VMware,Virtual Box)
System monitoring (SysInternalTools)
Static Analysis
Dynamic Analysis (Debugging/Tracing)
8. Reversing Process Cont…
DisassemblingVs Decompiling…
Native Code – Directly perform operations on CPU
(Compiled with C,C++,Delphi)
IntermediateCode – Interpreter drives it to perform
operations on CPU
(Java byte code, MSIL)
9. Reversing Process Cont…
Program structure…
Higher level perspective …
Modules
Data
Control flow
Lower level perspective …
Just assembly language!!!
10. Reversing Process Cont…
So what I need to know prior reversing binary code ...
Just a computer and brain would be enough but …
… mastering it might take time if you don’t know about
Computer architecture
Programming in Assembly Language and C,C++
Operating System-Platform and HEX numbering
11. Assembly Language
Lowest level in software
Platform specific (IA-32, IA-64,AMD)
Machine code (OpCode) Assembly commands
Assembler converts assembly program into machine
code that is executable by CPU
Dis-assembler is the program that coverts machine
code into textual presentation of assembly
commands
Mastering reversing without knowing assembly is
almost impossible.
13. Assembly Language
Registers
Internal memory in processor
IA-32 has eight generic registers
(EAX,EBX,ECX,EDX,ESI,EDI,EBP and ESP)
Floating point and debug registers
Special register – EFLAGS for flag management
flags
OF, SF, ZF, AF, PF, CF
14. Assembly Language
Basic Instructions
MOV - data copying
LEA – address loading (POINTER)
ADD, SUB, MUL, DIV, IMUL, IDIV – arithmetic
CMP,TEST – comparison
CALL , RET – function call and Return
J** - conditional branching
PUSH/POP - stack management
NOP – do nothing
15. System Calls
Used as interface between application and operating
system.
System calls ask OS to perform specific task
Most operating system are written in “C” language,
so providing SYSTEM Calls as “C” api’s
- NIX system calls – unistd.h
-WINDOWS system calls - windows.h
Studying OS platform and system calls is necessary
part of reverse engineering
17. Tools and Techniques
Various tools helps in reverse-engineering the binary
code/program.
Compiler is the tool used to convert high level language
like C,C++ into machine code.
Assembler is the tool used to convert pseudo-code written
specific to processor into machine code.
At reverse Dis-Assembler and De-Compilers help us in
reversing the process, recovering the high level code from
machine code.
Debuggers are the tools used to debug live running
program.
Virtual machines might help in providing
protective/isolated environment for analysis.
18. Tools and Techniques Cont…
Broad category of tools are divided into two category.
Static AnalysisTools
-Tools helps us to analysis program without even
running it.
-Tools includes Dis-assembler and De-Compilers
Dynamic AnalysisTools
-Tools in this category helps us dive deep into
program by analyzing it while running it.
-Tools includes Debuggers, Loaders and System
Monitoring tools
19. Tools and Techniques Cont…
Compilers
(VC compiler, GCC compiler suite, .NET framework)
Assemblers
(MASM, NASM,TASM, FASM)
Dis-assemblers and Debuggers
(IDAPro, OllyDbg, Immunity Debugger,WinDbg)
Hypervisors
(VMWareWorkstation/Player,VirtualBox,QUEMU)
System monitoring withSysInternals tools
Hex Editors and Other system utilities
24. RCE in various context
Time to understand field work!!!
Cracking (Illegal/Un-Ethical)
Malware analysis
Vulnerability analysis (exploit development)
Clean house RE (ChineseWall)
Recovering lost source code (legacy)
Investigating and solving faults cause in released
software. (Microsoft global escalation support team)
25. Cool Huh …
Lets play around some practical reversing lab exercise
Lets see some cool stuff
26. Lab – Cracking for serial.
This is for purely demonstration and educational
purpose only.
Anything you do to obtain or provide fake registration
key for software is considered cracking and a serious
offense.
In lab we are going to study and recover serial key and
defeat registration mechanism by various ways.
27. Defeating RE
Lot of research has been done, many ways to make it
harden for reversing process.
… But no solution is 100% perfect and secure.
28. Defeating RE Cont…
Software armoring
Obfuscation
“ deliberate act of creating obfuscated code, i.e.
source or machine code that is difficult for human to
understand” --Wikipedia
29. Defeating RE Cont…
Some techniques for anti-analysis …
Packers (Compression)
Protectors (Encryption)
Anti-Debugging
Garbage Code and Code Permutation
Anti-Assembly
Hypervisor/Emulator detection
32. Resources
REVERSING – secrets of reverse engineering (By
Eldad Eilam)
Microsoft windows internals (By Mark Russinovich
and David Solomon)
Reverseme.de – cool reverseme.exe collections
InfoSec Institute Resources. – cool articles on security
NtDebugging blog (Microsoft global escalation
support team) - fine gain exposure in windows insides
And finally some good book on x86 assembly tut and
reference.