
Introduction to Reverse Engineering
Gergely Erdélyi
Research Manager

Agenda
Reverse Engineering Intro
Ethical and Legal Aspects
Process of Reverse Engineering
Tools of the Trade

February 02, 09 Page

What is Reverse Engineering? 1/2

Image Copyright 2005 BAE Systems

What is Reverse Engineering? 2/2

Image Copyright 2005 BAE Systems



Reverse Code Engineering

Reverse Engineering is also known as RE or RCE:
  RE:  Reverse Engineering
  RCE: Reverse Code Engineering
RE is the process of understanding an existing product
Malware analysis and security research often involve RE


Compilation Process

  Source Code      --Compilation-->  Object File         --Linking-->  Executable
  human readable                     binary code with                  binary code with
  text file                          readable symbols                  no symbols

  Code Readability: highest at Source Code, lowest at Executable


Compilation Results

#include <Python.h>   /* Python 2 C API: PyFile_FromString does not exist in Python 3 */

/* Run the Python script at FileName; returns 1 on success, 0 on failure. */
int ExecFile(char *FileName)
{
    PyObject* PyFileObject = PyFile_FromString(FileName, "r");
    if (!PyFileObject)
    {
        return 0;   /* the file could not be opened */
    }
    /* PyRun_SimpleFile returns 0 on success and -1 if the script raised an exception */
    if (PyRun_SimpleFile(PyFile_AsFile(PyFileObject), FileName) == 0)
    {
        Py_DECREF(PyFileObject);
        return 1;
    }
    else
    {
        Py_DECREF(PyFileObject);
        return 0;
    }
}

Compilation Results

[Slide: the ExecFile source above overlaid on a hex-editor view of the compiled executable's .text section, .text:00401250 to 004013E0 (address, 16 bytes per row, ASCII column): the compiled code as it appears with no symbols]

Uses of Reverse Engineering


Malware analysis
Security / vulnerability research
Driver development
Compatibility fixes
Legacy application support


Ethical and Legal Aspects

Disclaimer: I am not a lawyer, but here we go


Image: Public Domain


Legality of reverse engineering is governed by copyright laws
Copyright laws differ from country to country
Reverse engineering is legal only in a few specific cases
Black box testing does not constitute reverse engineering
Reverse engineering for compatibility fixes is legal
Reverse engineering spyware is illegal in most countries
When in doubt, do not reverse engineer!


Legal Uses of Reverse Engineering


Recovery of own lost source code
Recovery of data from legacy formats
Malware analysis and research
Security and vulnerability research
Copyright infringement investigations
Finding out the contents of any database you legally purchased


Illegal Activities

Image Copyright 2005 Klaus with K


Illegal to reverse engineer and sell a competing product
Illegal to crack copy protections
Illegal to distribute a crack/registration for copyrighted software
Illegal to gain unauthorized access to any computer system
Copyright protected software is off-limits in most cases
Spyware/Adware with companies behind them are included


Decompilation Process

  Executable        --Disassembly-->  Disassembly          --Decompilation-->  Source Code
  binary code with                    reverse-engineer                         human readable
  no symbols                          readable code                            code

  Code Readability: lowest at Executable, highest at Source Code


Disassembly Results

[Slide: the hex dump of .text:00401250 to 004013E0 from the Compilation Results slide, shown beside the disassembler's annotated listing of sub_4013F0; the listing as printed on the slide:]

.text:004013F0 sub_4013F0      proc near               ; CODE XREF: sub_406AB0+6F p
.text:004013F0                                         ; sub_4601D0+5D p
.text:004013F0
.text:004013F0 var_1C          = dword ptr -1Ch
.text:004013F0 var_18          = dword ptr -18h
.text:004013F0 arg_0           = dword ptr  4
.text:004013F0
.text:004013F0                 push    edi
.text:004013F1                 push    esi
.text:004013F2                 push    ebx
.text:004013F3                 sub     esp, 10h
.text:004013F6                 mov     edi, [esp+1Ch+arg_0]
.text:004013FA                 test    edi, edi
.text:004013FC                 jz      short loc_40143D
.text:004013FE                 mov     [esp+1Ch+var_1C], offset dword_572010
.text:00401405                 call    sub_406F80
.text:0040140A                 mov     ebx, eax
.text:0040140C                 jmp     short loc_401439
.text:0040140C ; ---------------------------------------------------------------------------
.text:0040140E                 align 10h
.text:00401410
.text:00401410 loc_401410:                             ; CODE XREF: sub_4013F0+4B j
.text:00401410                 mov     [esp+1Ch+var_18], ebx
.text:00401414                 mov     [esp+1Ch+var_1C], offset dword_572010
.text:0040141B                 call    sub_406E30
.text:00401420                 mov     [esp+1Ch+var_18], ebx
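As an added example (not part of the slides, and not IDA's or the author's code), the Disassembly step applied to the first three hex-dump rows from the Compilation Results slide (.text:00401250 to 0040127F): a small script-language tool that parses the dump rows and decodes the x86 encodings present in those 48 bytes. The row format, the opcode subset (call/jmp rel32, mov eax,[moffs32], mov/lea with a ModR/M memory operand) and the decoded call and jump targets are this example's own assumptions and computations, not values taken from the slide.

```python
import struct

# Constructed input: the first three hex-dump rows printed on the slide (16 bytes per row).
HEXDUMP = """\
.text:00401250 E8 BB DA 0E 00 89 44 24 04 A1 2C A3 57 00 8B 40
.text:00401260 10 89 04 24 E8 27 D5 0E 00 8B 15 2C A3 57 00 E9
.text:00401270 4B FF FF FF 8D B6 00 00 00 00 8D BF 00 00 00 00"""
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_hexdump(text):
    """Turn IDA-style 'seg:addr b0 b1 ...' rows into (start address, code bytes)."""
    rows = [line.split() for line in text.splitlines()]
    start = int(rows[0][0].split(":")[1], 16)
    return start, bytes(int(h, 16) for row in rows for h in row[1:])

def decode_modrm(code, i):
    """ModR/M memory operand (plus SIB/disp) at code[i] -> (reg field, operand text, bytes consumed)."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    n = 1
    if mod == 3: raise ValueError("register-direct operand not handled")
    if mod == 0 and rm == 5:                                # absolute [disp32]
        return reg, f"[{struct.unpack_from('<I', code, i + n)[0]:#x}]", n + 4
    base = REG32[rm]
    if rm == 4:                                             # SIB byte follows (base register only)
        sib = code[i + n]; n += 1
        if (sib >> 3) & 7 != 4: raise ValueError("SIB index register not handled")
        base = REG32[sib & 7]
    if mod == 0:
        return reg, f"[{base}]", n
    fmt, size = ("<b", 1) if mod == 1 else ("<i", 4)        # disp8 or disp32
    disp = struct.unpack_from(fmt, code, i + n)[0]
    return reg, f"[{base}{disp:+#x}]", n + size

def disassemble(start, code):
    """Linear-sweep decode of the sample's opcodes; returns [(address, text), ...]."""
    out, i = [], 0
    while i < len(code):
        op, at = code[i], start + i
        if op in (0xE8, 0xE9):                              # call/jmp rel32: target = next ip + rel
            rel = struct.unpack_from("<i", code, i + 1)[0]
            out.append((at, f"{'call' if op == 0xE8 else 'jmp'} {at + 5 + rel:#x}")); i += 5
        elif op == 0xA1:                                    # mov eax, [moffs32]
            out.append((at, f"mov eax, [{struct.unpack_from('<I', code, i + 1)[0]:#x}]")); i += 5
        elif op in (0x89, 0x8B, 0x8D):                      # mov r/m,r ; mov r,r/m ; lea r,m
            reg, mem, n = decode_modrm(code, i + 1)
            dst, src = (mem, REG32[reg]) if op == 0x89 else (REG32[reg], mem)
            out.append((at, f"{'lea' if op == 0x8D else 'mov'} {dst}, {src}")); i += 1 + n
        else:
            raise ValueError(f"opcode {op:#x} at {at:#x} not handled")
    return out
```

Calling `disassemble(*parse_hexdump(HEXDUMP))` yields ten instructions, from `call 0x4eed10` at 00401250 to `lea edi, [edi+0x0]` at 0040127A; the two `lea reg, [reg+0x0]` forms after the `jmp` are multi-byte no-ops used as alignment padding before the next function at 00401280.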

Required Skills
General computer architecture knowledge
Assembly programming of target processors
Operating systems
File formats
Information search skills
...real persistence...


Most Commonly Used Tools


Hex editor/viewer
Disassembler
Search engine
Debugger
Script language


Getting Started
Master your tools
Identify the target binary format
Identify the target processor
Identify the target operating system
Dig in and find out as much as you can

