Reverser  view  to  application  security  

Reverse  Code  Engineering  

Speaker  Info    Krishs  Patil  Hold  master  degree  in  computer  application  Computer  programmer  Reverser  And  hobbyist  security  researcher  

Outline  �  Introduction  �  Reversing  Process  �  Tools  and  Techniques  �  Reversing  in  different  context  (Practice)  �  Lab  demonstration  �  Defeating  Reverse  Engineering  �  Resources  

Introduction  �   “Reverse  engineering  is  the  process  of  extracting  the  knowledge  or  design  blueprints  from  anything  man-­‐made”.    

�  It  is  usually  conducted  to  obtain  missing  knowledge,  ideas  and  design  philosophy  when  such  information  is  unavailable.  

�  In  computer  science,  It  is  the  process  of  dis-­‐assembling  or  de-­‐compiling  the  binary  code  of  computer  program  for  various  purpose.  

�  Requires  skills  and  understanding  of  computer  and  software  development  

Introduction  Cont…      Why  reverse  engineering…  

 different  people  do  it  for  different  purpose  …        But,  Specifically  in  the  field  of  Cyber  Security…  

   …  If  you  want  to  be  serious  security  researcher,  you  must  posses  skills  of  reverse  code  engineering.  

Reversing  Process    Defining  scope  of  reversing…  

�  System  Reverse  Engineering  �  Code  Reverse  Engineering  �  Data  Reverse  Engineering  �  Protocol  Reverse  Engineering      

Reversing  Process  Cont…      Setting  up  environment…    �  Setup  Isolated  environment  (VMware,  Virtual  Box)  �  System  monitoring  (SysInternal  Tools)  �  Static  Analysis  �  Dynamic  Analysis    (Debugging/Tracing)  

Reversing  Process  Cont…      Disassembling  Vs  Decompiling…    �  Native  Code  –  Directly  perform  operations  on  CPU      (Compiled  with  C,C++,Delphi)  

�  Intermediate  Code  –  Interpreter  drives  it  to  perform  operations  on  CPU    (Java  byte  code,  MSIL)  

Reversing  Process  Cont…      Program  structure…      Higher  level  perspective  …  � Modules  �  Data  �  Control  flow        Lower  level  perspective  …  �  Just  assembly  language!!!  

Reversing  Process  Cont…        So  what  I  need  to  know  prior  reversing  binary  code  ...              Just  a  computer  and  brain  J  would  be  enough  but  …        …  mastering  it    might  take  time  if  you  don’t  know  about      �  Computer  architecture    �   Programming  in  Assembly  Language  and  C,C++  �  Operating  System-­‐Platform  and  HEX  numbering        

Assembly  Language  �  Lowest  level  in  software    �  Platform  specific  (IA-­‐32,    IA-­‐64,AMD)  � Machine  code  (OpCode)  ó  Assembly  commands  �  Assembler  converts  assembly  program  into  machine  code  that  is  executable  by  CPU  

�  Dis-­‐assembler  is  the  program  that  coverts  machine  code  into  textual  presentation  of  assembly  commands  

� Mastering  reversing  without  knowing  assembly  is  almost  impossible.  

Assembly  Language  

Assembly  Language    Registers  

�  Internal  memory  in  processor  �  IA-­‐32  has  eight  generic  registers  (EAX,EBX,ECX,EDX,ESI,EDI,EBP  and  ESP)  

�  Floating  point  and  debug  registers  �  Special  register  –  EFLAGS  for  flag  management  

 flags  �  OF,  SF,  ZF,  AF,  PF,  CF    

Assembly  Language    Basic  Instructions  

� MOV    -­‐  data  copying  �  LEA  –  address  loading  (POINTER)  �  ADD,  SUB,  MUL,  DIV,  IMUL,  IDIV  –  arithmetic  �  CMP,  TEST  –  comparison  �  CALL  ,  RET  –  function  call  and  Return  �  J**    -­‐  conditional  branching  �  PUSH/POP    -­‐  stack  management  �  NOP  –  do  nothing    

System  Calls  �  Used  as  interface  between  application  and  operating  system.  

�  System  calls  ask  OS  to  perform  specific  task  � Most  operating  system  are  written  in  “C”  language,  so  providing  SYSTEM  Calls  as  “C”  api’s        -­‐  NIX  system  calls  –  unistd.h  

   -­‐  WINDOWS  system  calls    -­‐  windows.h  �  Studying  OS  platform  and  system  calls  is  necessary  part  of  reverse  engineering  

PE  –  Portable  Executable  file  

Tools  and  Techniques  �  Various  tools  helps  in  reverse-­‐engineering  the  binary  code/program.  

�  Compiler  is  the  tool  used  to  convert  high  level  language  like  C,C++  into  machine  code.  

�  Assembler  is  the  tool  used  to  convert  pseudo-­‐code  written  specific  to  processor  into  machine  code.  

�  At  reverse  Dis-­‐Assembler  and  De-­‐Compilers  help  us  in  reversing  the  process,  recovering  the  high  level  code  from  machine  code.  

�  Debuggers  are  the  tools  used  to  debug  live  running  program.  

�  Virtual  machines  might  help  in  providing  protective/isolated  environment  for  analysis.  

Tools  and  Techniques  Cont…    Broad  category  of  tools  are  divided  into  two  category.  q Static  Analysis  Tools              -­‐Tools  helps  us  to  analysis  program  without  even  running  it.    

           -­‐  Tools  includes  Dis-­‐assembler  and  De-­‐Compilers  q Dynamic  Analysis  Tools  -­‐  Tools  in  this  category  helps  us  dive  deep  into  program  by  analyzing  it  while  running  it.    

       -­‐  Tools  includes  Debuggers,  Loaders  and  System  Monitoring  tools  

Tools  and  Techniques  Cont…  �  Compilers            (VC  compiler,  GCC  compiler  suite,  .NET  framework)  �  Assemblers          (MASM,  NASM,  TASM,  FASM)  �  Dis-­‐assemblers  and  Debuggers          (IDAPro,  OllyDbg,  Immunity  Debugger,  WinDbg)  �  Hypervisors          (VMWare  Workstation/Player,  VirtualBox,QUEMU)  �  System  monitoring  withSysInternals  tools  �  Hex  Editors  and  Other  system  utilities  

Tools  and  Techniques  Cont…  

Tools  and  Techniques  Cont…  

Tools  and  Techniques  Cont…  

Tools  and  Techniques  Cont…  

RCE  in  various  context  Time  to  understand  field  work!!!  �  Cracking  (Illegal/Un-­‐Ethical)  � Malware  analysis  �  Vulnerability  analysis  (exploit  development)  �  Clean  house  RE  (Chinese  Wall)  �  Recovering  lost  source  code  (legacy)  �  Investigating  and  solving  faults  cause  in  released  software.  (Microsoft  global  escalation  support  team)  

Cool  Huh  …    Lets  play  around  some  practical  reversing  lab  exercise      Lets  see  some  cool  stuff  J  

Lab  –  Cracking  for  serial.  �  This  is  for  purely  demonstration  and  educational  purpose  only.    

�  Anything  you  do  to  obtain  or  provide  fake  registration  key  for  software  is  considered  cracking  and  a  serious  offense.  

�  In  lab  we  are  going  to  study  and  recover  serial  key  and  defeat  registration  mechanism  by  various  ways.  

Defeating  RE  �  Lot  of  research  has  been  done,  many  ways  to  make  it  harden  for  reversing  process.    

         …  But  no  solution  is  100%  perfect  and  secure.    

Defeating  RE  Cont…          Software  armoring              Obfuscation              “  deliberate  act  of  creating  obfuscated  code,  i.e.  source  or  machine  code  that  is  difficult  for  human  to  understand”  -­‐-­‐  Wikipedia  

 

Defeating  RE  Cont…    Some  techniques  for  anti-­‐analysis  …      �  Packers    (Compression)  �  Protectors  (Encryption)    �   Anti-­‐Debugging  �  Garbage  Code  and  Code  Permutation  �  Anti-­‐Assembly  �  Hypervisor/Emulator  detection  

Defeating  RE  Cont…  

Defeating  RE  Cont…          Advanced  technologies…  

� Mutation  �  Code  Virtualization  

Resources  �  REVERSING  –  secrets  of  reverse  engineering  (By  Eldad  Eilam)  

� Microsoft  windows  internals  (By  Mark  Russinovich  and  David  Solomon)  

�  Reverseme.de  –  cool  reverseme.exe  collections  �  InfoSec  Institute  Resources.  –  cool  articles  on  security    �  NtDebugging  blog  (Microsoft  global  escalation  support  team)    -­‐  fine  gain  exposure  in  windows  insides  

�  And  finally  some  good  book  on  x86  assembly  tut  and  reference.  

Questions???  Still  there  anything  struggling  in  your  mind.    

Hope  you  enjoyed  it.  

Thank  you!!!