4 (v.v.imp) Software Reverser Engineering (SRE)

7/31/2019 4 (v.v.imp) Software Reverser Engineering (SRE)

1/24

Software ReverseEngineering (SRE)


2/24

Points to Remember (Exam) About SRESRE Tools with practical examles(Disassembler,Debugger,Hex Editor)SRE ExampleAnti-Disassembly TechiquesAnti-Debugging Techniques


3/24

About SRE (Exam)Software Reverse Engineering o Also known as Reverse Code Engineering (RCE)o Or simply reversing

Can be used for good...o Understand malwareo Understand legacy code

ornot-so-good o Remove usage restrictions from softwareo Find and exploit flaws in softwareo Cheat at games, etc.


4/24

We assume thato Reverse engineer is an attacker

o Attacker only has exe (no source code)

Attacker might want too Understand the softwareo Modify the software

SRE usually focused on Windows


5/24

SRE Tools (Exam)Disassembler (static view of code)o Converts exe to assembly as best it cano Cannot always disassemble correctlyo In general, it is not possible to assemble

disassembly into working exe

Debugger (dynamic view of code)o Must step thru code to completely understand it

o Labor intensive lack of automated tools

Hex Editoro To patch (make changes to) exe file


6/24

SRE Tools Examples (Exam) IDA Pro is the top-rated disassemblero Cost is a few hundred dollarso Converts binary to assembly (as best it can)

SoftICE is alpha and omega of debuggerso Can debug anything, even the OS

OllyDbg is a high quality shareware debuggero Includes a good disassembler

UltraEdit is a good Hex editor to view/modifybits of exe


7/24

Why is a Debugger Needed?Disassembler gives static resultso Good overview of program logico But need to mentally execute program

o Difficult to jump to specific place in the code

Debugger is dynamic o Can set break pointso Can treat complex code as black box

Note :: Disassembler and debugger both requiredfor any serious SRE task


8/24

SRE Necessary SkillsWorking knowledge of target assembly codeExperience with the tools

o IDA Pro sophisticated and complexo SoftICE large two-volume users manual

Knowledge of Windows Portable Executable (PE) file formatBoundless patience and optimismSRE is tedious and labor-intensive process!


9/24

SRE ExampleConsider simple exampleThis example only requires disassembler

(IDA Pro) and hex editoro Trudy disassembles to understand codeo Trudy also wants to patch the code

For most real-world code, also need adebugger (SoftICE or OllyDbg)


10/24

SRE ExampleProgram requires serial numberBut Trudy doesnt know the serial number!

Can Trudy find the serial number?


11/24

SRE ExampleIDA Pro disassembly

Looks like serial number is S123N456


12/24

SRE ExampleTry the serial number S123N456

It works!Can Trudy do better?


13/24

SRE ExampleAgain, IDA Pro disassembly

And hex view


14/24

SRE Example

test eax,eax gives AND of eax with itselfo Result is 0 only if eax is 0o If test returns 0, then jz is true

Trudy wants jz to always be true!Can Trudy patch exe so that jz always true?


15/24

SRE ExampleCan Trudy patch exe so that jz always true?

xor jz always true!!!


16/24

SRE ExampleEdit serial.exe with hex editor

serial.exe

serialPatch.exe

Save as serialPatch.exe


17/24

SRE Example

Any serial number now works! Very convenient for Trudy!


18/24

SRE Example

Back to IDA Pro disassembly

serial.exe

serialPatch.exe


19/24

SRE Attack MitigationImpossible to prevent SRE on open systemBut can make such attacks more difficultAnti-disassembly techniques

o To confuse static view of codeAnti-debugging techniqueso To confuse dynamic view of code

Tamper-resistanceo Code checks itself to detect tampering

Code obfuscationo Make code more difficult to understand


20/24

Anti-disassembly Techniques

(Exam) Anti-disassembly methods include

o Encrypted object code ie. Exe file itselfo It cant be disassembled correctly o But still need code to decrypt the code!

Note :: If attacker gets access to decryptioncode then easily can decrypt the encrypted Exefile


21/24

Anti-disassembly Example(Exam)

Suppose actual code instructions are

What the disassembler sees

inst 1 inst 3 jmp junk inst 4

inst 1 inst 5 inst 2 inst 3 inst 4 inst 6

This is example of false disassembly Every inst from inst 3 is incorrectClever attacker will figure it out!


22/24

Anti-debugging TechniquesA Program Monitor for

o Use of debug registers if any then stop ito Inserted breakpoints


23/24

Anti-debugger Example(series of insts

that are to be executed)

Suppose when program gets inst 1 , it pre-fetches inst 2 , inst 3 and inst 4 o This is done to increase efficiency by processor

Suppose when debugger executes inst 1 , it

does not pre-fetch instructionsHere confuse the debugger as shown innext slide

inst 1 inst 5inst 2 inst 3 inst 4 inst 6


24/24

Anti-debugger Example

Suppose inst 1 overwrites inst 4 in memoryThen program (without debugger) will be OKsince it fetched inst 4 at same time as inst 1 Debugger will be confused when it reaches

junk where inst 4 is supposed to beProblem for program if this segment of codeexecuted more than once!Also, code is very platform-dependentAgain, clever attacker will figure this out!

inst 1 inst 5inst 2 inst 3 inst 4 inst 6 junk

Date post:	04-Apr-2018
Category:	Documents
Upload:	dinesh-more
View:	223 times
Download:	0 times

4 (v.v.imp) Software Reverser Engineering (SRE)

Documents