Introduction to Reverse Engineering
Slide 1: Introduction to Reverse Engineering
Inbar Raz, Malware Research Lab Manager
December 2011
©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Slide 2: What is Reverse Engineering?
Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
aka: Reversing, RE, SRE

Slide 3: Why do it?
• Discover Trade Secrets
• Find Vulnerabilities
• Academic Research (Yeah, right…)
• Circumvent [Copy] Protection
• Patch Binary and Alter Behavior
• Analyse Protocols
• Pure Curiosity

Slide 4: Sounds awesome, right?

Slide 5: So where's the catch?
• Low-level is, well, low level…

Disassembly:

    00401000  push    ebp
    00401001  mov     ebp, esp
    00401003  push    ecx
    00401004  push    ecx
    00401005  and     dword ptr [ebp-4], 0
    00401009  push    esi
    0040100A  mov     esi, [ebp+8]
    0040100D  push    edi
    0040100E  push    esi
    0040100F  call    ds:[00402008h]
    00401015  mov     edi, eax
    00401017  xor     edx, edx
    00401019  test    edi, edi
    0040101B  jle     00401047h
    0040101D  movsx   ecx, byte ptr [edx+esi]
    00401021  add     [ebp-4], ecx
    00401024  mov     [ebp-8], ecx
    00401027  rol     dword ptr [ebp-4], 1
    0040102A  mov     eax, ecx
    0040102C  imul    eax, [ebp-4]
    00401030  mov     [ebp-4], eax
    00401033  mov     eax, [ebp-8]
    00401036  add     [ebp-4], eax
    00401039  xor     [ebp-4], ecx
    0040103C  inc     edx
    0040103D  cmp     edx, edi
    0040103F  jl      0040101Dh

Original C source shown alongside:

    for (Serial = 0, i = 0; i < strlen(UserName); i++)
    {
        CurChar = (int) UserName[i];
        Serial += CurChar;
        /* rotate left by one bit: the rol at 00401027 */
        Serial = (((Serial << 1) & 0xFFFFFFFE) | ((Serial >> 31) & 1));
        Serial = (((Serial * CurChar) + CurChar) ^ CurChar);
    }
    /* the operator between the two operands did not survive the transcription */
    UserSerial = ~((UserSerial ^ 0x1337C0DE) 0xBADC0DE5);
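The loop from the listing on slide 5, written out as a C function so the instruction-to-statement mapping can be checked by running it (an added example, not code from the slides; the function name serial_from_name is ours, and the input is assumed to be a NUL-terminated string). The one detail that is easy to get wrong when translating by hand is the movsx: the byte is sign-extended, so input bytes at or above 0x80 enter the arithmetic as negative values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: slide 5's loop (00401019..0040103F) as C.
 * Variable names follow the slide's source; the function name is ours. */
uint32_t serial_from_name(const char *UserName)
{
    uint32_t Serial = 0;                 /* and dword ptr [ebp-4], 0          */
    int len = (int)strlen(UserName);     /* call ds:[00402008h]; mov edi, eax */

    /* test edi, edi / jle ... and cmp edx, edi / jl ...: signed compare */
    for (int i = 0; i < len; i++) {
        /* movsx ecx, byte ptr [edx+esi]: sign-extended, not zero-extended */
        int32_t CurChar = (int32_t)(signed char)UserName[i];

        Serial += (uint32_t)CurChar;                  /* add  [ebp-4], ecx   */
        Serial = (Serial << 1) | (Serial >> 31);      /* rol  [ebp-4], 1     */
        Serial = (Serial * (uint32_t)CurChar          /* imul eax, [ebp-4]   */
                  + (uint32_t)CurChar)                /* add  [ebp-4], eax   */
                 ^ (uint32_t)CurChar;                 /* xor  [ebp-4], ecx   */
    }
    return Serial;
}

int main(void)
{
    /* constructed sample inputs */
    printf("%08X\n", serial_from_name("AB"));
    printf("%08X\n", serial_from_name("\xC1"));   /* high byte: sign-extended */
    return 0;
}
```

Dropping the `(signed char)` cast and compiling on a platform where `char` is unsigned would give a different value for any non-ASCII byte, which is the kind of silent divergence a hand translation of a listing should be tested against.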
Slide 6: So where's the catch?
• Low-level is, well, low level…
• Needle in a haystack
  – Average opcode size: 3 bytes
  – Average executable size: 500KB (on WinXP)
  – There are executables, libraries, drivers…

Slide 7: So where's the catch?
• Low-level is, well, low level…
• Needle in a haystack
• Sometimes, the code resists
  – Packers and compressors
  – Obfuscators

Slide 8: So where's the catch?
• Low-level is, well, low level…
• Needle in a haystack
• Sometimes, the code resists
• Sometimes, the code fights back
  – Detect reversing tools
  – Detect VMs and emulators

Slide 9: A Battle of Wits
Video clip: The Battle of Wits, "The Princess Bride"

Slide 10: A Battle of Wits
• Author writes code
• Reverser reverses it
• Author creates an anti-reversing technique
• Reverser bypasses it
• And so on…

Slide 11: So what do you need in order to be a good reverser?

Slide 12: We'll come back to this…

Slide 13: Tools of the Trade
• Debugger (Dynamic code analysis)
• Disassembler (Static code analysis)
• Hex Editor
• PE Analyzer
• Resource Editor
• and more…

Slide 14: Debuggers
"A bug in the design, and you're screwed in the debug" (Hebrew wordplay on the letters of "design" and "debug": באג בדיזיין – זין בדיבאג)

Slide 15: First, there was DEBUG…

Slide 16: GUI and much more: Turbo Debugger
Slide 17: GUI and much more: Turbo Debugger

Slide 18: GUI and much more: Turbo Debugger

Slide 19: Next major step: Soft-ICE

Slide 20: And finally: OllyDbg

Slide 21: Disassemblers

Slide 22: The old world: Sourcer

Slide 23: The old world: Sourcer

Slide 24: Old ages: Sourcer

Slide 25: Old ages: Sourcer

Slide 26: Welcome to Windows: W32DASM

Slide 27: The Holy Grail: IDA-Pro
Started as an Interactive Dis-Assembler, enabling user interaction with the disassembler's decisions.
Slowly evolved into an automatic RE tool:
  – Built-in full-control script language
  – Library recognition (including user-generated)
  – Function prototype information
    – Display
    – Propagate throughout the code
  – Support for plug-ins
  – Support for Python scripting
  – Multi-architecture, cross-platform support
  – Full incorporation with built-in and external debuggers

Slide 28: Hex-Editor

Slide 29: PE Analyzer

Slide 30: Resource Editor
Slide 31: Let's play with them tools…

Slide 32: 60 seconds on x86 registers
• General purpose registers: 32bit/16bit/8bit
• Index registers: 32bit/16bit
• Segment registers: 16bit
• Flags: 32bit/16bit

Slide 33: Exercise 1: Static Reversing

Slide 34: Exercise 1: Static Reversing
Target: a 2004 "Crack-Me"
Tools: IDA-Pro

Slide 35: Exercise 2: Dynamic Reversing

Slide 36: Exercise 2: Dynamic Reversing
Target: a 2004 "Crack-Me"
Tools: OllyDbg, IDA-Pro

Slide 37: Exercise 3: Simple Anti-Debugging

Slide 38: Exercise 3: Simple Anti-Debugging
Target: a 2006 "Crack-Me"
Tools: OllyDbg

Slide 39: Reversing Malware
Malware is comprised of the following building blocks:
  – Infection Vector
  – Concealment
  – Operation
  – Communications
Check Point's Anti-Malware Software Blade sits at the gateway.
Therefore, communications interest us the most.

Slide 40: Introducing: Spy Eye
A CrimeWare ToolKit, originating in Russia.
Used mostly for stealing financial information, but will settle for any other identity information and key logging…
Like any serious trojan, Spy Eye compresses its traffic and encrypts it:
  – Compression is performed using a public library (LZO)
  – Encryption algorithm is proprietary
Slide 41: Act 1: Encryption

Slide 42: Act 2: Configuration Download

Slide 43: Act 3: Another Encryption

Slide 44: So what do you need in order to be a good reverser?

Slide 45: What makes a good reverser?
Qualities:
• Patient
• Curious
• Persistent
• Outside-the-Box Thinking
• Optional: Good lookin'
Knowledge:
• Assembly Language
• Some High-Level programming
  – Best: origin of binary
• Operating System Internals
• API
• Data Structures
• File Structures
• Good scripting skills
• Anti-Debugging Tricks

Slide 46: Outside-the-Box Thinking

Slide 47: And remember, kids:
Binary Reverse Engineer + … = ?

Slide 48: Which means…

Slide 49: Questions?

Slide 50: Thank you!
inbarr@checkpoint.com

Slide 51: Credits
All images and videos have their origin URL in the "Alt Text" property.
All rights belong to their respective owner.