Date posted: 04-Apr-2018 | Uploaded by: dinesh-more | 24 pages
7/31/2019 4 (v.v.imp) Software Reverser Engineering (SRE)
1/24
Software Reverse Engineering (SRE)
Points to Remember (Exam)
o About SRE
o SRE tools with practical examples (disassembler, debugger, hex editor)
o SRE example
o Anti-disassembly techniques
o Anti-debugging techniques
About SRE (Exam)
Software Reverse Engineering
o Also known as Reverse Code Engineering (RCE)
o Or simply "reversing"
Can be used for good...
o Understand malware
o Understand legacy code
...or not-so-good
o Remove usage restrictions from software
o Find and exploit flaws in software
o Cheat at games, etc.
We assume that
o The reverse engineer is an attacker
o The attacker only has the exe (no source code)
The attacker might want to
o Understand the software
o Modify the software
SRE is usually focused on Windows
SRE Tools (Exam)
Disassembler (static view of code)
o Converts the exe to assembly as best it can
o Cannot always disassemble correctly (it has to guess where instructions start and which bytes are code rather than data)
o In general, it is not possible to assemble the disassembly back into a working exe
Debugger (dynamic view of code)
o Must step through the code to completely understand it
o Labor intensive: lack of automated tools
Hex Editor
o To patch (make changes to) the exe file
SRE Tools Examples (Exam)
IDA Pro is the top-rated disassembler
o Cost was a few hundred dollars when these slides were written; current licences cost considerably more
o Converts binary to assembly (as best it can)
SoftICE is the alpha and omega of debuggers
o Can debug anything, even the OS (it is a kernel-mode debugger)
o Note: SoftICE has since been discontinued; on current Windows the kernel-mode debugger is WinDbg
OllyDbg is a high-quality shareware (free to use) user-mode debugger
o Includes a good disassembler
UltraEdit is a good hex editor to view/modify the bytes of an exe
Why is a Debugger Needed?
Disassembler gives static results
o Good overview of the program logic
o But you need to mentally execute the program
o Difficult to jump to a specific place in the code
Debugger is dynamic
o Can set breakpoints
o Can treat complex code as a black box
Note: a disassembler and a debugger are both required for any serious SRE task
SRE Necessary Skills
Working knowledge of the target assembly code
Experience with the tools
o IDA Pro: sophisticated and complex
o SoftICE: large two-volume user's manual
Knowledge of the Windows Portable Executable (PE) file format
Boundless patience and optimism
SRE is a tedious and labor-intensive process!
SRE Example
Consider a simple example
This example only requires a disassembler (IDA Pro) and a hex editor
o Trudy disassembles to understand the code
o Trudy also wants to patch the code
For most real-world code, a debugger (SoftICE or OllyDbg) is also needed
SRE Example
The program requires a serial number
But Trudy doesn't know the serial number!
Can Trudy find the serial number?
SRE Example
IDA Pro disassembly (listing not reproduced here)
Looks like the serial number is S123N456
SRE Example
Try the serial number S123N456
It works! Can Trudy do better?
SRE Example
Again, the IDA Pro disassembly (listing not reproduced here)
And the hex view (not reproduced here)
SRE Example
test eax,eax computes the AND of eax with itself and sets the flags from the result (eax itself is not changed)
o The result is 0, and so the zero flag ZF is set, only if eax is 0
o jz jumps exactly when ZF is set, so after test eax,eax the jump is taken only if eax is 0
Trudy wants jz to always be taken!
Can Trudy patch the exe so that jz is always taken?
SRE Example
Can Trudy patch the exe so that jz is always taken?
Replace test eax,eax with xor eax,eax: xor eax,eax sets eax to 0 and therefore always sets ZF, so jz is always taken!!!
Both instructions encode to two bytes (85 C0 for test eax,eax, 33 C0 for xor eax,eax), so the patch changes no other offset in the file
SRE Example
Edit serial.exe with a hex editor: overwrite the two bytes of test eax,eax (85 C0) with xor eax,eax (33 C0)
Hex views of serial.exe (before) and serialPatch.exe (after): screenshots not reproduced here
Save as serialPatch.exe
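The hex-editor patch above, as an added script (not code from the slides). It finds `test eax,eax` (85 C0) immediately followed by `jz rel8` (74 xx), overwrites the test with `xor eax,eax` (33 C0), and shows the byte-level diff the hex editor would display. The byte string `ORIGINAL` is a constructed stand-in for the code around the serial check, not real serial.exe bytes, and the `check_serial` it calls is assumed to return 0 (strcmp-style) when the serial matches. One practical caveat the slides do not mention: a hex editor works with file offsets, while IDA shows virtual addresses, and the two differ by the section's mapping in the PE section table.

```python
"""Patch `test eax,eax; jz` to `xor eax,eax; jz` so the jump is always taken.

Added example, not the slides' own code. ORIGINAL is a constructed stand-in
for the relevant fragment of serial.exe.
"""
import sys
from pathlib import Path

# 32-bit x86 encodings. Both instructions are two bytes, so the patch does not
# move any other byte in the file (no jump targets or relocations to fix up).
TEST_EAX_EAX = bytes([0x85, 0xC0])  # test eax,eax: ZF=1 only when eax == 0
XOR_EAX_EAX = bytes([0x33, 0xC0])   # xor eax,eax:  eax := 0, so ZF=1 always
JZ_REL8 = 0x74                      # jz rel8: jump taken when ZF == 1

# Constructed bytes (assumption): check_serial returns eax == 0 on a match.
ORIGINAL = bytes([
    0xE8, 0x10, 0x00, 0x00, 0x00,  # 0x00: call check_serial (eax = 0 if match)
    0x85, 0xC0,                    # 0x05: test eax,eax
    0x74, 0x06,                    # 0x07: jz   +6 -> 0x0F (accept)
    0xB8, 0x00, 0x00, 0x00, 0x00,  # 0x09: mov  eax,0       (reject path)
    0xC3,                          # 0x0E: ret
    0xB8, 0x01, 0x00, 0x00, 0x00,  # 0x0F: mov  eax,1       (accept path)
    0xC3,                          # 0x14: ret
])


def find_test_jz(code: bytes) -> list[int]:
    """Offsets of every `test eax,eax` immediately followed by `jz rel8`."""
    return [off for off in range(len(code) - 2)
            if code[off:off + 2] == TEST_EAX_EAX and code[off + 2] == JZ_REL8]


def patch_test_to_xor(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the test at `offset` replaced by xor eax,eax."""
    if code[offset:offset + 2] != TEST_EAX_EAX:
        raise ValueError(f"no test eax,eax at {offset:#x}")
    patched = bytearray(code)
    patched[offset:offset + 2] = XOR_EAX_EAX
    return bytes(patched)


def jz_taken(code: bytes, offset: int, eax: int) -> bool:
    """Would the jz following the instruction at `offset` be taken for this eax?

    Models only the two instructions of interest: test sets ZF from eax & eax,
    xor zeroes eax and therefore always sets ZF.
    """
    insn = code[offset:offset + 2]
    if insn == TEST_EAX_EAX:
        zf = (eax & eax & 0xFFFFFFFF) == 0
    elif insn == XOR_EAX_EAX:
        zf = True
    else:
        raise ValueError(f"unmodelled instruction at {offset:#x}: {insn.hex()}")
    return zf  # jz jumps exactly when ZF == 1


def hex_diff(before: bytes, after: bytes) -> list[tuple[int, int, int]]:
    """(offset, old byte, new byte) for each changed byte, like a hex editor's compare."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def patch_exe(src: Path, dst: Path, file_offset: int) -> list[tuple[int, int, int]]:
    """Apply the patch at a *file* offset (not IDA's virtual address) and write `dst`."""
    data = src.read_bytes()
    if file_offset not in find_test_jz(data):
        raise SystemExit(f"no test eax,eax / jz pair at file offset {file_offset:#x}")
    patched = patch_test_to_xor(data, file_offset)
    dst.write_bytes(patched)
    return hex_diff(data, patched)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # patch.py serial.exe serialPatch.exe 0xOFFSET
        changes = patch_exe(Path(sys.argv[1]), Path(sys.argv[2]), int(sys.argv[3], 0))
    else:  # demonstrate on the constructed bytes
        off = find_test_jz(ORIGINAL)[0]
        changes = hex_diff(ORIGINAL, patch_test_to_xor(ORIGINAL, off))
    for off, old, new in changes:
        print(f"{off:#06x}: {old:02X} -> {new:02X}")
```

Run without arguments it reports the single changed byte (offset 0x5, 85 -> 33); with a source file, destination file and file offset it applies the same change to a real binary, refusing to write if the expected test/jz pair is not at that offset.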
SRE Example
Any serial number now works! Very convenient for Trudy!
SRE Example
Back to the IDA Pro disassembly: serial.exe (original, test eax,eax) versus serialPatch.exe (patched, xor eax,eax); listings not reproduced here
SRE Attack Mitigation
It is impossible to prevent SRE on an open system
But such attacks can be made more difficult
Anti-disassembly techniques
o To confuse the static view of the code
Anti-debugging techniques
o To confuse the dynamic view of the code
Tamper-resistance
o Code checks itself to detect tampering
Code obfuscation
o Make the code more difficult to understand
Anti-disassembly Techniques (Exam)
Anti-disassembly methods include
o Encrypted object code, i.e. the exe file itself is encrypted
o It can't be disassembled correctly while it is encrypted
o But the program still needs code to decrypt the code!
Note: if the attacker gets access to the decryption code (and the key it embeds), the encrypted exe can easily be decrypted; for example, by running the program under a debugger and dumping the decrypted code from memory
Anti-disassembly Example (Exam)
Suppose the actual code instructions are
inst 1 | jmp | junk | inst 3 | inst 4 | inst 5 | inst 6
(the jmp skips over the junk byte, which is never executed)
What the disassembler sees
inst 1 | inst 2 | inst 3 | inst 4 | inst 5 | inst 6
(inst 1 and the jmp, labelled inst 2, decode correctly; the junk byte is then decoded as the start of an instruction and swallows the first bytes of the real inst 3)
This is an example of false disassembly
Every instruction from inst 3 on is incorrect
A clever attacker will figure it out!
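The jump-over-junk trick above, as an added example (not code from the slides): a toy 32-bit x86 decoder that handles only the handful of opcodes used in a constructed byte string (an assumption that keeps it short; anything else is emitted as a raw `db` byte). `linear_sweep` decodes bytes in order and is fooled by the junk byte; `recursive_traversal` follows control flow from the entry point, as IDA does, and never decodes the junk.

```python
"""Linear sweep versus flow-following disassembly of a jump-over-junk sequence.

Added example, not the slides' own code. The decoder below supports only the
opcodes that occur in the constructed CODE bytes (an assumption).
"""


def decode(code: bytes, off: int):
    """Decode one instruction at `off`.

    Returns (text, length, branch target or None, falls through to next).
    """
    op = code[off]
    if op == 0x90:
        return "nop", 1, None, True
    if op == 0xC3:
        return "ret", 1, None, False
    if op in (0x33, 0x85) and off + 1 < len(code) and code[off + 1] == 0xC0:
        return ("xor eax,eax" if op == 0x33 else "test eax,eax"), 2, None, True
    if op in (0xEB, 0x74) and off + 1 < len(code):  # jmp rel8 / jz rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        target = off + 2 + rel
        if op == 0xEB:
            return f"jmp {target:#x}", 2, target, False
        return f"jz {target:#x}", 2, target, True
    if op == 0xE8 and off + 4 < len(code):  # call rel32
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        target = off + 5 + rel
        return f"call {target:#x}", 5, target, True
    if op == 0xB8 and off + 4 < len(code):  # mov eax,imm32
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return f"mov eax,{imm:#x}", 5, None, True
    return f"db {op:#04x}", 1, None, True  # anything else: one raw data byte


# Constructed code (not from a real binary): a two-byte `jmp +1` skips one junk
# byte, 0xE8, which is the first byte of a five-byte call.
CODE = bytes([
    0x33, 0xC0,                    # 0x0: xor eax,eax        (inst 1)
    0xEB, 0x01,                    # 0x2: jmp 0x5            (over the junk)
    0xE8,                          # 0x4: junk byte, never executed
    0xB8, 0x01, 0x00, 0x00, 0x00,  # 0x5: mov eax,0x1        (inst 2)
    0x85, 0xC0,                    # 0xa: test eax,eax       (inst 3)
    0x74, 0x01,                    # 0xc: jz 0xf             (inst 4)
    0x90,                          # 0xe: nop                (inst 5)
    0xC3,                          # 0xf: ret                (inst 6)
])


def linear_sweep(code: bytes) -> dict[int, str]:
    """Decode every byte in order, as a naive disassembler does."""
    listing, off = {}, 0
    while off < len(code):
        text, length, _, _ = decode(code, off)
        listing[off] = text
        off += length
    return listing


def recursive_traversal(code: bytes, entry: int = 0) -> dict[int, str]:
    """Decode only bytes reachable by following control flow from `entry`."""
    listing, worklist = {}, [entry]
    while worklist:
        off = worklist.pop()
        if off in listing or not 0 <= off < len(code):
            continue
        text, length, target, falls_through = decode(code, off)
        listing[off] = text
        if target is not None:
            worklist.append(target)
        if falls_through:
            worklist.append(off + length)
    return dict(sorted(listing.items()))


if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(CODE)),
                          ("recursive traversal", recursive_traversal(CODE))):
        print(name)
        for off, text in listing.items():
            print(f"  {off:#04x}: {text}")
```

The sweep decodes the junk byte as `call 0x1c1`, consuming the real `mov eax,0x1`, then emits a stray `db 0x00` before it happens to resynchronise at `test eax,eax`; a real anti-disassembly sequence chooses junk that keeps the sweep desynchronised for longer. Flow-following decoding is why a disassembler still needs correct control-flow information, and why the encrypted-code and indirect-jump tricks that hide that information work against it.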
Anti-debugging Techniques
A program can monitor for
o Use of the debug registers (hardware breakpoints); if any are set, stop
o Inserted (software) breakpoints, i.e. int 3 (0xCC) bytes that a debugger writes into the code
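An added example (not code from the slides) of the "inserted breakpoints" check above and of the tamper-resistance item in the mitigation list: a program embeds a digest of its own code region at build time and recomputes it at run time, so both a software breakpoint (a 0xCC written over the first opcode byte) and Trudy's test-to-xor patch are detected. `CLEAN_CODE` is a constructed byte string standing in for a program's code section; it deliberately contains a legitimate 0xCC byte inside an immediate to show why simply scanning for 0xCC bytes is unreliable.

```python
"""Self-check of a code region against a build-time digest.

Added example, not the slides' own code. CLEAN_CODE is a constructed stand-in
for a program's .text section; a real program would hash its own code pages.
"""
import hashlib
import hmac

INT3 = 0xCC  # one-byte `int 3`; a debugger plants software breakpoints as this byte

# Constructed code region (assumption). The 0xCC at offset 1 is legitimate: it
# is the low byte of the immediate in `mov eax,0xcc`.
CLEAN_CODE = bytes([
    0xB8, 0xCC, 0x00, 0x00, 0x00,  # 0x0: mov eax,0xcc
    0x85, 0xC0,                    # 0x5: test eax,eax
    0x74, 0x01,                    # 0x7: jz +1
    0x90,                          # 0x9: nop
    0xC3,                          # 0xa: ret
])

# Computed once "at build time" and embedded in the program.
EXPECTED_DIGEST = hashlib.sha256(CLEAN_CODE).hexdigest()


def integrity_ok(code: bytes, expected: str = EXPECTED_DIGEST) -> bool:
    """True if the code region still hashes to the embedded digest."""
    return hmac.compare_digest(hashlib.sha256(code).hexdigest(), expected)


def naive_int3_scan(code: bytes) -> list[int]:
    """Offsets of every 0xCC byte; cannot tell an operand byte from a breakpoint."""
    return [i for i, b in enumerate(code) if b == INT3]


def set_software_breakpoint(code: bytes, offset: int) -> bytes:
    """What a debugger does for a breakpoint: overwrite the first opcode byte with int 3."""
    patched = bytearray(code)
    patched[offset] = INT3
    return bytes(patched)


def patch_bytes(code: bytes, offset: int, new: bytes) -> bytes:
    """Trudy's edit: overwrite bytes in place (e.g. test eax,eax -> xor eax,eax)."""
    patched = bytearray(code)
    patched[offset:offset + len(new)] = new
    return bytes(patched)


if __name__ == "__main__":
    cases = {
        "clean": CLEAN_CODE,
        "breakpoint on test": set_software_breakpoint(CLEAN_CODE, 5),
        "test -> xor patch": patch_bytes(CLEAN_CODE, 5, bytes([0x33, 0xC0])),
    }
    for name, code in cases.items():
        print(f"{name:20s} digest ok: {integrity_ok(code)!s:5s} "
              f"0xCC bytes at: {naive_int3_scan(code)}")
```

The digest check catches both modifications, while the byte scan flags the clean code too (the immediate at offset 1) and misses the xor patch entirely. Neither check sees a hardware breakpoint, which lives in the debug registers and changes no code byte, which is why the slide lists the debug registers separately; and, as the slides say elsewhere, a clever attacker can simply patch the comparison in the checking code itself.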
Anti-debugger Example (a series of instructions to be executed)
Suppose that when the processor fetches inst 1, it pre-fetches inst 2, inst 3 and inst 4
o This is done by the processor to increase efficiency
Suppose that when a debugger single-steps inst 1, it does not pre-fetch the following instructions
This difference can be used to confuse the debugger, as shown on the next slide
Instruction sequence: inst 1 | inst 2 | inst 3 | inst 4 | inst 5 | inst 6
Anti-debugger Example
Suppose inst 1 overwrites inst 4 in memory with junk
Then the program (without a debugger) will be OK, since it fetched the original inst 4 at the same time as inst 1
The debugger will be confused when it reaches the junk where inst 4 is supposed to be
Problem for the program if this segment of code is executed more than once (the second pass fetches the junk)!
Also, the code is very platform-dependent: it relies on the prefetch queue not being invalidated by a write to already-fetched bytes; modern x86 processors snoop such self-modifying code and refetch, so the trick does not work on them
Again, a clever attacker will figure this out!
Sequence in memory after inst 1 runs: inst 1 | inst 2 | inst 3 | junk | inst 5 | inst 6