Slide 1
2013-10-03
Outline
• Today we will go through:
• Definition
• Legal Aspect (42 Slides!)
• Compilation/Decompilation Chain
• PE Format
• x86 ASM (Yes!!)
• PE Protection
• DEMOS (x3)
Definition
• Reverse engineering is the process of discovering the
technological principles of a device, object, or system
through analysis of its structure, function, and operation
Motivations
• Interfacing
• Military or commercial espionage (PayCheck)
• Documentation
• Product Security Analysis
• Bug fixing
• Academic/learning purpose
• Competitive technical intelligence
• FUN
• PROFIT
Binary Reversing
• So at Securimag we reverse engines?
• GOGOGO Binaries!
Legal Aspect (1/42)
• The legality of R.E. is governed by copyright law
• R.E. for compatibility (interoperability) fixes is legal
• R.E. spyware is illegal in most countries.
• Which are the other countries???
• When in doubt, DO NOT R.E.!
Legal Aspect (2/42)
Legal uses of R.E.
• Recovery of own lost source code
• Recovery of data from legacy formats
• Malware analysis and research
• Security and vulnerability research
Legal Aspect (3/42)
Illegal Activities
• R.E. and sell a competing product
• Crack copy protections (oooops)
• Distribute a crack for copyrighted software
• …
Compilation chain

Source Code (.c) --[Compilation]--> Object File (.o) --[Linking, + Library]--> Executable (.exe)
Decompilation chain?

Executable --[Disassembly]--> Assembly --[Decompilation]--> Source Code

WHAT DID YOU THINK?!
LET'S REVERSE SOME ASSEMBLY CODE!
Exception…
• Bytecode Languages
• Java
• Python
• .NET
• Visual Basic
• Other languages
• Delphi
• …
Executable
• Portable Executable (PE): Windows
• Executable and Linkable Format (ELF): Linux / Unix

PE Format
PE Format
Portable Executable
• COFF (Common Object File Format)
• Portable on … Windows!
PE Format
DOS Header (IMAGE_DOS_HEADER):
• e_magic : "MZ" (Mark Zbikowski)
• e_lfanew : file offset of the PE Header
PE Format
• PE Header
  • File Header
  • Optional Header
  • Data Directories
PE Header:
• Signature : "PE\0\0"
PE Format
File Header:
• Number of sections
• Machine (target CPU) and Characteristics (EXE vs DLL, 32-bit, …)
PE Format
Optional Header:
• Address Of Entry Point (EP): RVA of the first instruction executed
• Image Base: preferred load address (VA = Image Base + RVA)
PE Format
Section Header:
• Name, address and size (virtual address/size in memory, raw pointer/size in the file)
• Characteristics (code/data, readable/writable/executable)
Tool
• CFF Explorer
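The following Python script, added here as an example and not taken from the deck, walks the same headers that CFF Explorer displays: it reads e_magic and e_lfanew from the DOS header, checks the PE signature, pulls Machine/NumberOfSections from the File Header and AddressOfEntryPoint/ImageBase from the Optional Header, then uses the section table to translate the entry-point RVA into a file offset. The two input images (NORMAL and PACKED) are constructed header-only byte blobs, not real binaries; PACKED imitates the UPX section layout (an empty UPX0, the stub and EP in UPX1) so the entry-point check has something to flag.

```python
"""Walk a PE file by hand: DOS header -> "PE\\0\\0" -> File Header -> Optional Header
-> Section Headers, then locate the entry point. Added example, not code from the
SecurIMAG deck. NORMAL/PACKED below are constructed header-only blobs, not real files."""
import struct

FILE_HEADER_SIZE, SECTION_HEADER_SIZE, OPT32_SIZE = 20, 40, 0xE0


def parse_pe(data):
    """Return the fields the slides name plus the section table."""
    if data[:2] != b"MZ":                                    # e_magic (Mark Zbikowski)
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew lives at DOS header + 0x3C
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    machine, nsect, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + FILE_HEADER_SIZE                              # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint (same offset PE32/PE32+)
    if magic == 0x10B:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)   # PE32: DWORD ImageBase
    elif magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # PE32+: QWORD ImageBase, no BaseOfData
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Section table follows the optional header; trust SizeOfOptionalHeader, not a constant
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"e_lfanew": e_lfanew, "machine": machine, "nsections": nsect, "characteristics": chars,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None (headers / gaps)."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(sections, rva):
    """RVA -> file offset through the owning section header (what a debugger does for the EP)."""
    s = section_for_rva(sections, rva)
    if s is None:
        raise ValueError("RVA 0x%x is not inside any section" % rva)
    return s["rawptr"] + (rva - s["vaddr"])


def entry_point_report(data):
    """Where does execution start? An EP outside the first code section, next to a
    section with VirtualSize > 0 but SizeOfRawData == 0, is the classic packer tell."""
    pe = parse_pe(data)
    s = section_for_rva(pe["sections"], pe["entry_rva"])
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "entry_section": s["name"] if s else None,
            "entry_offset": rva_to_offset(pe["sections"], pe["entry_rva"]) if s else None,
            "empty_sections": [x["name"] for x in pe["sections"] if x["rawsize"] == 0 and x["vsize"]]}


# --- constructed test images (headers only, no section bodies) -----------------------
def _section(name, vsize, vaddr, rawsize, rawptr, flags):
    return struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


def build_pe32(entry_rva, image_base, sections):
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")            # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT32_SIZE, 0x0102)  # i386, EXE|32BIT
    opt = bytearray(OPT32_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + b"".join(sections)


NORMAL = build_pe32(0x1234, 0x400000, [
    _section(".text", 0x3000, 0x1000, 0x3000, 0x400, 0x60000020),   # CODE | EXECUTE | READ
    _section(".data", 0x800, 0x4000, 0x200, 0x3400, 0xC0000040),    # INITIALIZED_DATA | READ | WRITE
])
# UPX-style layout: UPX0 has no bytes on disk (the unpacked code is written there at run
# time), the stub and compressed data sit in UPX1, and the EP points into UPX1
PACKED = build_pe32(0x1A5E0, 0x400000, [
    _section("UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080),
    _section("UPX1", 0xA000, 0x11000, 0x9E00, 0x400, 0xE0000040),
    _section(".rsrc", 0x1000, 0x1B000, 0x400, 0xA200, 0xC0000040),
])

if __name__ == "__main__":
    for label, img in ("normal", NORMAL), ("packed", PACKED):
        print(label, {k: (hex(v) if isinstance(v, int) else v) for k, v in entry_point_report(img).items()})
```

On the NORMAL image the EP resolves to .text at file offset 0x634; on PACKED it lands in UPX1 and the report lists UPX0 as a section that occupies memory but has no bytes on disk, which is exactly what the unpacking demo later in the deck has to undo (dump the process once the stub has filled UPX0, then point the EP at the original entry point).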
Basic x86 ASM - Hardware
• Memory
• RAM (Random Access Memory)
• Registers
o EAX / EBX / ECX / EDX / ESI / EDI / … (32 bits)
o RAX / RBX / RCX / RDX / RSI / RDI / … (64 bits)
• ALU (Arithmetic Logic Unit)
Basic x86 ASM - Size
• Register width depends on the mode (32-bit vs 64-bit), but the operand-size names are fixed ("WORD" is always 16 bits, not the machine word):
  • BYTE  = 8 bits
  • WORD  = 16 bits
  • DWORD = 32 bits
  • QWORD = 64 bits
Basic x86 ASM - Instructions
Intel syntax vs AT&T syntax (these slides use Intel syntax: destination operand first)

Memory moves
MOV:
MOV EAX, EBX            → EAX = EBX
MOV EAX, DWORD [EAX]    → EAX = *(DWORD*)EAX
MOV BYTE [EAX], AL      → *(BYTE*)EAX = AL

Operations
ADD / SUB / MUL / DIV / …
SHL / SHR / SAL / SAR / …
ADD EAX, EBX            → EAX = EAX + EBX
Basic x86 ASM - Flow
Flags
ZF, SF, CF, OF, … (set by arithmetic instructions, read by conditional jumps)
Update Flags
CMP:
CMP EAX, EBX            → computes EAX - EBX and keeps only the flags: ZF = (EAX == EBX), plus SF / CF / OF
Jcc:
Conditional : JZ / JNZ / JE / JGE / JL / JLE / … (JE/JZ test ZF; JL/JGE/JLE are signed comparisons using SF and OF)
Unconditional : JMP
Basic x86 ASM – Example / Exercise
MOV EAX, 0x13
MOV EBX, 0x37
SUB EBX, EAX
CMP EAX, EBX
JZ etiq
-- Instructions that display: "Toto!"
JMP end
etiq:
-- Instructions that display: "Titi!"
end:
-- Instructions which end the program
Basic x86 ASM – Stack
Stack Operation:
PUSH        PUSH EAX      → ESP = ESP - 4 ; *(ESP) = EAX
POP         POP EBX       → EBX = *(ESP) ; ESP = ESP + 4
ESP = Stack Pointer (top of the stack; the stack grows toward lower addresses)
EBP = Base Pointer (base of the current frame)

Reminder:
MOV EAX, EBX   is equivalent to   PUSH EBX ; POP EAX
Basic x86 ASM - CALL
void func(arg1, arg2)
{
    int x, y, z;
    …
}

Caller:
PUSH ARG2              ; arguments pushed right to left
PUSH ARG1
CALL func              ; pushes @Return, jumps to func
ADD ESP, 0x8           ; caller removes the 2 arguments (2 × 4 bytes, cdecl)
…..

Callee:
func:
PUSH EBP               ; save the parent's frame base
MOV EBP, ESP           ; EBP = base of the new frame
SUB ESP, 0xC           ; room for the 3 local variables x, y, z
…..
MOV ESP, EBP           ; drop the locals
POP EBP                ; restore the parent's EBP
RET                    ; pop @Return into EIP

Stack inside func (lower addresses at the top):
ESP → Var3        [EBP-0xC]  \
      Var2        [EBP-8]     > child (func) frame
      Var1        [EBP-4]    /
EBP → saved EBP   [EBP]
      @Return     [EBP+4]    \
      Arg1        [EBP+8]     > pushed by the parent function
      Arg2        [EBP+0xC]  /
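To trace the Example / Exercise slide and the CALL sequence above without a debugger, here is a small Python interpreter for the instruction subset used in these slides (an added example, not from the deck). It sets ZF/SF/CF/OF the way CMP, SUB and ADD do, resolves [EBP+disp] operands, and models the stack as dword-addressed memory so PUSH/POP/CALL/RET behave as on the slide. PRINT and HLT are stand-ins for the slide's "instructions that display" and "instructions which end the program", not x86 instructions; the argument values 0x11 and 0x22 in CALL_DEMO and the initial ESP of 0x1000 are chosen here.

```python
"""Tiny 32-bit x86 (Intel syntax) interpreter for MOV/ADD/SUB/CMP, Jcc/JMP and
PUSH/POP/CALL/RET. Added example, not part of the SecurIMAG deck. PRINT and HLT are
pseudo-instructions standing in for the slides' "display" and "end the program"."""
import re

MASK = 0xFFFFFFFF
MEM_OPERAND = re.compile(r"(?:DWORD )?\[(\w+)([+-](?:0x[0-9A-Fa-f]+|\d+))?\]")

# Condition codes as functions of the flags (signed compares use SF/OF, unsigned use CF)
COND = {
    "JZ": lambda f: f["ZF"], "JE": lambda f: f["ZF"],
    "JNZ": lambda f: not f["ZF"], "JNE": lambda f: not f["ZF"],
    "JL": lambda f: f["SF"] != f["OF"], "JGE": lambda f: f["SF"] == f["OF"],
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"], "JG": lambda f: not f["ZF"] and f["SF"] == f["OF"],
    "JB": lambda f: f["CF"], "JAE": lambda f: not f["CF"],
}


class CPU:
    def __init__(self, esp=0x1000):
        self.regs = dict.fromkeys(["EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP"], 0)
        self.regs["ESP"] = esp
        self.flags = {"ZF": 0, "SF": 0, "CF": 0, "OF": 0}
        self.mem = {}      # sparse dword-addressed memory; the stack lives here
        self.out = []      # what PRINT "displayed"

    def _addr(self, op):
        m = MEM_OPERAND.fullmatch(op)
        return None if m is None else (self.regs[m.group(1)] + int(m.group(2) or "0", 0)) & MASK

    def value(self, op):                       # register, [reg+disp] or immediate
        a = self._addr(op)
        if a is not None:
            return self.mem.get(a, 0)
        return self.regs[op] if op in self.regs else int(op, 0) & MASK

    def assign(self, op, v):
        a = self._addr(op)
        if a is not None:
            self.mem[a] = v & MASK
        else:
            self.regs[op] = v & MASK

    def _sub(self, a, b):                      # flags exactly as SUB/CMP set them
        r = (a - b) & MASK
        self.flags.update(ZF=int(r == 0), SF=r >> 31, CF=int(a < b),   # CF = unsigned borrow
                          OF=((a ^ b) & (a ^ r)) >> 31)                 # OF = signed overflow
        return r

    def _add(self, a, b):
        r = (a + b) & MASK
        self.flags.update(ZF=int(r == 0), SF=r >> 31, CF=int(a + b > MASK),
                          OF=(~(a ^ b) & (a ^ r) & MASK) >> 31)
        return r

    def push(self, v):
        self.regs["ESP"] = (self.regs["ESP"] - 4) & MASK
        self.mem[self.regs["ESP"]] = v & MASK

    def pop(self):
        v = self.mem.get(self.regs["ESP"], 0)
        self.regs["ESP"] = (self.regs["ESP"] + 4) & MASK
        return v

    def run(self, program, max_steps=10_000):
        """Execute until HLT. CALL pushes the index of the next line as @Return."""
        labels = {l.strip()[:-1]: i for i, l in enumerate(program) if l.strip().endswith(":")}
        ip = 0
        for _ in range(max_steps):
            line = program[ip].split(";")[0].strip()
            ip += 1
            if not line or line.endswith(":"):
                continue
            mnem, _, rest = line.partition(" ")
            ops = [o.strip() for o in rest.split(",")] if rest else []
            if mnem == "MOV":
                self.assign(ops[0], self.value(ops[1]))
            elif mnem == "ADD":
                self.assign(ops[0], self._add(self.value(ops[0]), self.value(ops[1])))
            elif mnem == "SUB":
                self.assign(ops[0], self._sub(self.value(ops[0]), self.value(ops[1])))
            elif mnem == "CMP":                # a SUB that keeps only the flags
                self._sub(self.value(ops[0]), self.value(ops[1]))
            elif mnem == "PUSH":
                self.push(self.value(ops[0]))
            elif mnem == "POP":
                self.assign(ops[0], self.pop())
            elif mnem == "JMP":
                ip = labels[ops[0]]
            elif mnem in COND:
                if COND[mnem](self.flags):
                    ip = labels[ops[0]]
            elif mnem == "CALL":
                self.push(ip)
                ip = labels[ops[0]]
            elif mnem == "RET":
                ip = self.pop()
            elif mnem == "PRINT":
                self.out.append(rest)
            elif mnem == "HLT":
                return self
            else:
                raise ValueError("unsupported: " + line)
        raise RuntimeError("step limit hit")


# The exercise from the slide: which message is displayed?
EXERCISE = [
    "MOV EAX, 0x13",
    "MOV EBX, 0x37",
    "SUB EBX, EAX",        # EBX = 0x37 - 0x13 = 0x24
    "CMP EAX, EBX",        # 0x13 - 0x24: ZF=0 (not equal), CF=1 (borrow), SF=1
    "JZ etiq",             # not taken
    "PRINT Toto!",
    "JMP end",
    "etiq:",
    "PRINT Titi!",
    "end:",
    "HLT",
]

# The CALL slide: cdecl call of func(arg1, arg2) with three locals; func stores
# arg1 + arg2 into its first local (var1 = [EBP-4]) and leaves it in EAX.
CALL_DEMO = [
    "MOV EAX, 0x11",
    "MOV EBX, 0x22",
    "PUSH EBX",                  # ARG2
    "PUSH EAX",                  # ARG1
    "CALL func",                 # pushes @Return
    "ADD ESP, 0x8",              # caller removes the two arguments
    "HLT",
    "func:",
    "PUSH EBP",                  # save the parent's frame base
    "MOV EBP, ESP",
    "SUB ESP, 0xC",              # three DWORD locals
    "MOV EAX, DWORD [EBP+8]",    # arg1
    "ADD EAX, DWORD [EBP+0xC]",  # + arg2
    "MOV DWORD [EBP-4], EAX",    # var1
    "MOV ESP, EBP",
    "POP EBP",
    "RET",
]


def run_exercise():
    cpu = CPU().run(EXERCISE)
    return cpu.out, dict(cpu.flags)


def run_call_demo():
    cpu = CPU(esp=0x1000).run(CALL_DEMO)
    # EBP inside func was 0x1000 - 8 (args) - 4 (@Return) - 4 (saved EBP) = 0xFF0
    return {"eax": cpu.regs["EAX"], "esp": cpu.regs["ESP"], "ebp": cpu.regs["EBP"],
            "var1": cpu.mem[0xFF0 - 4], "arg1": cpu.mem[0xFF0 + 8], "arg2": cpu.mem[0xFF0 + 0xC]}


if __name__ == "__main__":
    print(run_exercise())
    print({k: hex(v) for k, v in run_call_demo().items()})
```

The exercise prints "Toto!": after SUB, EBX holds 0x24, so CMP EAX, EBX leaves ZF clear (and sets CF and SF, because 0x13 - 0x24 borrows and is negative), so JZ falls through. In the call demo, ESP is back at 0x1000 and EBP at 0 after the ADD ESP, 0x8, which is the sanity check to make when reading a disassembled call site: a cdecl caller cleans up its own arguments, a stdcall callee does it itself with RET imm16, and a mismatch between the pushes and the cleanup is a bug in the binary, not in your reading of it.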
Tools
• Disassembler:
• IDA Pro (or not…)
• OllyDbg
• Decompiler:
• Dede
• VB Decompiler
• Binary Analysis
• CFF Explorer (AGAIN?)
• LordPE
• PEiD
Protections
• Packers:
Demo : Unpack UPX LIVE!
Protections
• Virtual Machine:
Challenges
Capture DAT Flag!
R.E. for work
Reverse DAT Malware!
R.E. for work
List of allowed processes:
aeadisrv
alg
audiodg
csrss
conhost
ctfmon
dwm
explorer
httpd
iastoredatamgrsvc
iexplore
iexplorer
lsass
lsm
mfnsvc
mdnsresponder
nvspapisvr
nvvsvc
nvsvc
pdagent
searchindexer
services
slsvc
smss
snort
spoolsv
svchost
system
taskhost
wininit
winlogon
wmiprvse
winroute
wscntfy
wuault
rundll32
relver
smartfortress
systeminfo
makecab
tasklist
driverquery
livesp
wlmail
outlook
winmail
Questions & Answers
Thank you for your attention!
Questions?
SecurIMAG - title - author - date
