Mark McGuill
The Me Slide
Virus Analyst with Symantec Corp. (Security Response Dept.)
Hobbyist Programmer from the C64 days
Experienced C/C++ developer (Industrial Experience with Microsoft (Yes, The Beast))
NUI Maynooth Grad (CSSE 2004)
MSc. in Security & Forensic Computing from DCU
How things work (Gory Details)
Perhaps a bit anal!
Just another bored hacker
Not a public speaker! (show me to my cave)
Introduction
"Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction."
Chikofsky and Cross
Introduction
Reverse Engineering is an Art
Reverse Engineering is a Science
Reverse Engineering is Fun!
Principle: How does that work?
Challenge
Remove the black magic, find bugs, crack protection schemes (only unjust ones of course)
Get Closer to your machine
Very Complex but Rewarding Puzzles
Overview
Not too technical (hopefully)
Knowledge of C or Assembly & the x86 architecture would be nice, but we'll keep it simple
Mostly a quick walkthrough & some demos
Pique your interest!
As Peter from Family Guy would say: "I'm freakin' winging this!"
Overview
Why RE?
Legalities
A Brief History of RE
Types of RE (Static / Live)
Design of a Disassembler for Intel x86 (16/32 bit) (Win32/PE)
RE in Action (Simple & Real World Demos)
Q&A session
Why RE?
Lost Source Code (This is common)
Legacy Code (Original Coder Unavailable, No Source, Y2K)
Bug Hunting (Again, no source. Popular now with malware authors. New Spl01tz!)
Virus Analysis
Legalities
US DMCA (Danger Here)
Exemption: acts of reverse engineering aimed at interoperability of file formats and protocols
"The exception allows reverse engineering of computer programs if the reverse engineer lawfully obtains the program, seeks permission from the copyright owner, only uses the results of their efforts to create an interoperable computer program and does not publish the results."
Jailed for several weeks, detained for 5 months
Advanced E-book Processor (ElcomSoft Co. Ltd)
Convert Adobe E-book to PDF (Removing Restrictions)
Dec 2002: Jury acquitted Elcomsoft of all charges
Legalities
EU - COUNCIL DIRECTIVE of 14 May 1991 on the legal protection of computer programs (91/250/EEC)
Article 6 - Decompilation
A Brief History
First real decompilers occur in 1960s
Translation of programs from 2nd to 3rd generation computers (Transistors to ICs)
A Brief History
Zebra, 1981
Designed for Portability
Input: ULTRA/32 Assembler
Output: PDP11/70 Assembler
Decomp, 1988
Written by J. Reuter for Vax BSD 4.2
Input: Object files with symbolic information
Output: C-like programs
A Brief History
Exe2c, 1990
Implements some modern features
Abandoned project
DCC, 1994
Cristina Cifuentes' excellent decompiler: most modern features, data flow and control flow analysis, data type recognition
Types of RE (Static)
Strings Tool (Unix tool, also Sysinternals)
PEDump (Originally by Matt Pietrek)
Hiew (Hacker's View)
Hex Editor
Disassemblers
IDA Pro (www.datarescue.com) Commercial
Phoenix Disassembler / DSM Studio! (Free!) www.minds.nuim.ie/~phoenix
My Pet Project
Intel x86 16/32 bit code
FPU / MMX / SSE / SSE2 Extensions
PE File Format Only
Architecture is Open & Modular
C / C++ (possibly C# soon, Analysis Engine)
C Code is ANSI C conformant (Have got it working under Linux!)
It works!
Structures
Load File as OS Loader Would
Identify Entry Points (Default & Exported)
Never want to open that file again (~3K LOC excluding tables)
Lots of hard coded tables
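The "load the file as the OS loader would, then identify entry points (default and exported)" step above, as an added Python example (not Phoenix's code): it walks the DOS and PE headers of a PE32 file, translates RVAs to file offsets through the section table, and returns the entry point plus the export-by-name table. The PE image it parses is constructed inline; the export names reuse the demo's command handlers purely for illustration.

```python
import struct

OPT_ENTRY_POINT, OPT_IMAGE_BASE, OPT_EXPORT_DIR = 16, 28, 96  # IMAGE_OPTIONAL_HEADER32 field offsets

def pe_entry_points(data: bytes) -> dict:
    """Default entry point and named exports of a PE32 file, as virtual addresses."""
    rd = lambda fmt, off: struct.unpack_from(fmt, data, off)
    pe = rd("<I", 0x3C)[0]                                  # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size, opt = rd("<H", pe + 6)[0], rd("<H", pe + 20)[0], pe + 24
    if rd("<H", opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva, image_base = rd("<I", opt + OPT_ENTRY_POINT)[0], rd("<I", opt + OPT_IMAGE_BASE)[0]
    # Section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [rd("<IIII", opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva_to_off(rva):  # inverse of the section mapping the OS loader performs
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} not backed by any section")
    exports = {}
    exp_rva, exp_size = rd("<II", opt + OPT_EXPORT_DIR)  # data directory[0] = export table
    if exp_rva and exp_size:
        nnames, funcs, names, ords = rd("<IIII", rva_to_off(exp_rva) + 24)
        for i in range(nnames):
            off = rva_to_off(rd("<I", rva_to_off(names + 4 * i))[0])
            ordinal = rd("<H", rva_to_off(ords + 2 * i))[0]  # index into AddressOfFunctions
            name = data[off:data.index(b"\0", off)].decode("ascii")
            exports[name] = image_base + rd("<I", rva_to_off(funcs + 4 * ordinal))[0]
    return {"entry": image_base + entry_rva, "exports": exports}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real binary): one section, RVA 0x1000 backed by file 0x200."""
    img, pe = bytearray(0x400), 0x80
    img[0:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)                            # e_lfanew
    struct.pack_into("<HH12xH", img, pe + 4, 0x14C, 1, 0xE0)         # Machine, NumberOfSections, SizeOfOptionalHeader
    opt, sec = pe + 24, pe + 24 + 0xE0
    struct.pack_into("<H14xI8xI", img, opt, 0x10B, 0x1000, 0x400000)  # Magic, AddressOfEntryPoint, ImageBase
    struct.pack_into("<II", img, opt + OPT_EXPORT_DIR, 0x1010, 0x40)  # export directory RVA / size
    img[sec:sec + 5] = b".text"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    # Export directory at RVA 0x1010 (file 0x210): NumberOfFunctions, NumberOfNames, three array RVAs
    struct.pack_into("<IIIII", img, 0x210 + 20, 2, 2, 0x1040, 0x1050, 0x1060)
    struct.pack_into("<II", img, 0x240, 0x1100, 0x1120)              # AddressOfFunctions
    struct.pack_into("<II", img, 0x250, 0x1070, 0x1080)              # AddressOfNames (string RVAs)
    struct.pack_into("<HH", img, 0x260, 0, 1)                        # AddressOfNameOrdinals
    img[0x270:0x270 + 15], img[0x280:0x280 + 17] = b"DisplayVersion\0", b"LaunchCalculator\0"
    return bytes(img)
```

Run `pe_entry_points(build_sample_pe())` to get the entry point 0x401000 and the two exports; pointing it at a real PE32 file works the same way, and an RVA that no section backs is reported instead of being silently mis-mapped.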
Future Plans
Graphing (Visual aid to disassembly)
Binary Differencing
Cross-referencing
*nix version
Support for other processors
Support for other file formats
Open source??? (License?)
Scripting
Developer Components
DEMOZ
```c
/* Tail of the demo server's main(); the slide shows only this part
   (socket creation, bind and listen on `s` come before it). */

    // Wait for connection from attacker
    if (INVALID_SOCKET == (g_current = accept(s, NULL, 0)))
        goto Error_Cleanup;

    // Send Welcome Message!
    if (SOCKET_ERROR == send(g_current, kszWelcome, strlen(kszWelcome), 0))
        goto Error_Cleanup;

    // Receive Command (first byte selects the action; give up on error
    // or if the peer closed without sending anything, so buf[0] is never
    // read uninitialised)
    if (recv(g_current, buf, 255, 0) <= 0)
        goto Error_Cleanup;

    // Execute Command
    if ('v' == buf[0])
        DisplayVersion();
    else if ('d' == buf[0])
        DisplayDiskSpace();
    else if ('l' == buf[0])
        LaunchCalculator();

    // Cleanup
    closesocket(g_current);
    WSACleanup();
    return 0;

Error_Cleanup:
    WSACleanup();
    return 1;
}
```
Acknowledgements (greetz!)
Dave Cahill
MINDS Crew
Cristina Cifuentes
Phrack Magazine (l33t)
Windows Hackers (Pietrek, Richter et al)
Mum & Dad
God, Buddha, Allah, Krishna, etc
http://www.minds.nuim.ie/~phoenix