Reverse Engineering
TDOH x Tigerduck
LegBone
About Me
• Bypass Hackshield
• TDOHacker
• SITCON 2014/2015 short talk
• HITCON 2015
• …
• Windows XP
• VMware
1.
2. OD/IDA
3. upx asp...
4. ring3 anti debugger
• 1010101
• Binary
(* ́∀`*)
CPU , CPU
• VC: return value in EAX
• ESP, EBP
• EIP
Flags: AF, CF, OF, SF, PF, ZF, DF, IF, TF
XD
• mov → move, EX: mov ecx, 1
• add / sub → EX: add eax, 10
• cmp / test →
• jmp →
• push / pop → Stack
• inc eax → eax+1
• dec eax → eax-1
• xor eax,ebx → eax ebx xor eax
• or eax,ebx → eax ebx or eax
• and eax,ebx → eax ebx and eax
• byte ptr[ebp+8] → ebp+8 byte
• dword ptr[ebp+8] → ebp+8 dword
• lea →
• Code
• OllyDbg
• IDA Pro
• Cheat Engine
• …
OLLYDBG
OD
IDA PRO
DEMO
• upx, mpress
• asprotect, themida
• vmprotect
memory dump
• PEiD…
• OEP
• Delphi
• BC++
• VB
• VC6.0
• VC7.0
http://drops.wooyun.org/binary/8640
• memory dump
• code
• OllyDbg
• LordPE
• ImportRec
• Scylla
ESP
• esp
• pushad / popad
• oep
DEMO
Ring3 anti debugger
Ring0
anti debugger / debugger
debugger / debug
DbgUiRemoteBreakin, DbgBreakPoint
debugger (SITCON 2014): https://speakerdeck.com/cowby123/di-ci-zi-gan-debuggerjiu-shang-shou
NtCurrentPeb()->BeingDebugged (PEB BeingDebugged)
ret
demo
a.exe b.exe
cmd.exe explorer.exe debug
debugger
od
StrongOD (ring0)
Taiwan Tech Reverse Engineering Slides (台科逆向簡報)

4,451 views
If there are errors, please contact LegBone. Thanks.
< ( _ _ ) >

Published in: Technology