2. Speaker
Info
Krishs
Patil
Hold
master
degree
in
computer
application
Computer
programmer
Reverser
And
hobbyist
security
researcher
3. Outline
— Introduction
— Reversing
Process
— Tools
and
Techniques
— Reversing
in
different
context
(Practice)
— Lab
demonstration
— Defeating
Reverse
Engineering
— Resources
4. Introduction
—
“Reverse
engineering
is
the
process
of
extracting
the
knowledge
or
design
blueprints
from
anything
man-‐
made”.
— It
is
usually
conducted
to
obtain
missing
knowledge,
ideas
and
design
philosophy
when
such
information
is
unavailable.
— In
computer
science,
It
is
the
process
of
dis-‐
assembling
or
de-‐compiling
the
binary
code
of
computer
program
for
various
purpose.
— Requires
skills
and
understanding
of
computer
and
software
development
5. Introduction
Cont…
Why
reverse
engineering…
different
people
do
it
for
different
purpose
…
But,
Specifically
in
the
field
of
Cyber
Security…
…
If
you
want
to
be
serious
security
researcher,
you
must
posses
skills
of
reverse
code
engineering.
6. Reversing
Process
Defining
scope
of
reversing…
— System
Reverse
Engineering
— Code
Reverse
Engineering
— Data
Reverse
Engineering
— Protocol
Reverse
Engineering
7. Reversing
Process
Cont…
Setting
up
environment…
— Setup
Isolated
environment
(VMware,
Virtual
Box)
— System
monitoring
(SysInternal
Tools)
— Static
Analysis
— Dynamic
Analysis
(Debugging/Tracing)
8. Reversing
Process
Cont…
Disassembling
Vs
Decompiling…
— Native
Code
–
Directly
perform
operations
on
CPU
(Compiled
with
C,C++,Delphi)
— Intermediate
Code
–
Interpreter
drives
it
to
perform
operations
on
CPU
(Java
byte
code,
MSIL)
9. Reversing
Process
Cont…
Program
structure…
Higher
level
perspective
…
— Modules
— Data
— Control
flow
Lower
level
perspective
…
— Just
assembly
language!!!
10. Reversing
Process
Cont…
So
what
I
need
to
know
prior
reversing
binary
code
...
Just
a
computer
and
brain
J
would
be
enough
but
…
…
mastering
it
might
take
time
if
you
don’t
know
about
— Computer
architecture
—
Programming
in
Assembly
Language
and
C,C++
— Operating
System-‐Platform
and
HEX
numbering
11. Assembly
Language
— Lowest
level
in
software
— Platform
specific
(IA-‐32,
IA-‐64,AMD)
— Machine
code
(OpCode)
ó
Assembly
commands
— Assembler
converts
assembly
program
into
machine
code
that
is
executable
by
CPU
— Dis-‐assembler
is
the
program
that
coverts
machine
code
into
textual
presentation
of
assembly
commands
— Mastering
reversing
without
knowing
assembly
is
almost
impossible.
13. Assembly
Language
Registers
— Internal
memory
in
processor
— IA-‐32
has
eight
generic
registers
(EAX,EBX,ECX,EDX,ESI,EDI,EBP
and
ESP)
— Floating
point
and
debug
registers
— Special
register
–
EFLAGS
for
flag
management
flags
— OF,
SF,
ZF,
AF,
PF,
CF
14. Assembly
Language
Basic
Instructions
— MOV
-‐
data
copying
— LEA
–
address
loading
(POINTER)
— ADD,
SUB,
MUL,
DIV,
IMUL,
IDIV
–
arithmetic
— CMP,
TEST
–
comparison
— CALL
,
RET
–
function
call
and
Return
— J**
-‐
conditional
branching
— PUSH/POP
-‐
stack
management
— NOP
–
do
nothing
15. System
Calls
— Used
as
interface
between
application
and
operating
system.
— System
calls
ask
OS
to
perform
specific
task
— Most
operating
system
are
written
in
“C”
language,
so
providing
SYSTEM
Calls
as
“C”
api’s
-‐
NIX
system
calls
–
unistd.h
-‐
WINDOWS
system
calls
-‐
windows.h
— Studying
OS
platform
and
system
calls
is
necessary
part
of
reverse
engineering
17. Tools
and
Techniques
— Various
tools
helps
in
reverse-‐engineering
the
binary
code/program.
— Compiler
is
the
tool
used
to
convert
high
level
language
like
C,C++
into
machine
code.
— Assembler
is
the
tool
used
to
convert
pseudo-‐code
written
specific
to
processor
into
machine
code.
— At
reverse
Dis-‐Assembler
and
De-‐Compilers
help
us
in
reversing
the
process,
recovering
the
high
level
code
from
machine
code.
— Debuggers
are
the
tools
used
to
debug
live
running
program.
— Virtual
machines
might
help
in
providing
protective/
isolated
environment
for
analysis.
18. Tools
and
Techniques
Cont…
Broad
category
of
tools
are
divided
into
two
category.
q Static
Analysis
Tools
-‐Tools
helps
us
to
analysis
program
without
even
running
it.
-‐
Tools
includes
Dis-‐assembler
and
De-‐Compilers
q Dynamic
Analysis
Tools
-‐
Tools
in
this
category
helps
us
dive
deep
into
program
by
analyzing
it
while
running
it.
-‐
Tools
includes
Debuggers,
Loaders
and
System
Monitoring
tools
19. Tools
and
Techniques
Cont…
— Compilers
(VC
compiler,
GCC
compiler
suite,
.NET
framework)
— Assemblers
(MASM,
NASM,
TASM,
FASM)
— Dis-‐assemblers
and
Debuggers
(IDAPro,
OllyDbg,
Immunity
Debugger,
WinDbg)
— Hypervisors
(VMWare
Workstation/Player,
VirtualBox,QUEMU)
— System
monitoring
withSysInternals
tools
— Hex
Editors
and
Other
system
utilities
24. RCE
in
various
context
Time
to
understand
field
work!!!
— Cracking
(Illegal/Un-‐Ethical)
— Malware
analysis
— Vulnerability
analysis
(exploit
development)
— Clean
house
RE
(Chinese
Wall)
— Recovering
lost
source
code
(legacy)
— Investigating
and
solving
faults
cause
in
released
software.
(Microsoft
global
escalation
support
team)
25. Cool
Huh
…
Lets
play
around
some
practical
reversing
lab
exercise
Lets
see
some
cool
stuff
J
26. Lab
–
Cracking
for
serial.
— This
is
for
purely
demonstration
and
educational
purpose
only.
— Anything
you
do
to
obtain
or
provide
fake
registration
key
for
software
is
considered
cracking
and
a
serious
offense.
— In
lab
we
are
going
to
study
and
recover
serial
key
and
defeat
registration
mechanism
by
various
ways.
27. Defeating
RE
— Lot
of
research
has
been
done,
many
ways
to
make
it
harden
for
reversing
process.
…
But
no
solution
is
100%
perfect
and
secure.
28. Defeating
RE
Cont…
Software
armoring
Obfuscation
“
deliberate
act
of
creating
obfuscated
code,
i.e.
source
or
machine
code
that
is
difficult
for
human
to
understand”
-‐-‐
Wikipedia
29. Defeating
RE
Cont…
Some
techniques
for
anti-‐analysis
…
— Packers
(Compression)
— Protectors
(Encryption)
—
Anti-‐Debugging
— Garbage
Code
and
Code
Permutation
— Anti-‐Assembly
— Hypervisor/Emulator
detection
32. Resources
— REVERSING
–
secrets
of
reverse
engineering
(By
Eldad
Eilam)
— Microsoft
windows
internals
(By
Mark
Russinovich
and
David
Solomon)
— Reverseme.de
–
cool
reverseme.exe
collections
— InfoSec
Institute
Resources.
–
cool
articles
on
security
— NtDebugging
blog
(Microsoft
global
escalation
support
team)
-‐
fine
gain
exposure
in
windows
insides
— And
finally
some
good
book
on
x86
assembly
tut
and
reference.