Hacker Disassembling Uncovered, by Kris Kaspersky (ed.), A-LIST Publishing, 2003 (584 pages), ISBN: 1931769222
This text shows how to analyze programs without their source code, using a debugger and a disassembler, and covers hacking methods including virtual functions, local and global variables, branching, loops, objects and their hierarchy, and more.

Table of Contents

Hacker Disassembling Uncovered
Preface
Introduction
Part I - Getting Acquainted with Basic Hacking Techniques
Step One - Warming Up
Step Two - Getting Acquainted with the Disassembler
Step Three - Surgery
Step Four - Getting Acquainted with the Debugger
Step Five - IDA Emerges onto the Scene
Step Six - Using a Disassembler with a Debugger
Step Seven - Identifying Key Structures of High-Level Languages
Part II - Ways of Making Software Analysis Difficult
Introduction
Counteracting Debuggers
Counteracting Disassemblers
An Invitation to the Discussion, or New Protection Tips
How to
Index
List of Figures
List of Tables
List of Listings
Back Cover

This book is dedicated to the basics of hacking: methods of analyzing programs using a debugger and disassembler. There is huge interest in this topic, but in reality, there are very few programmers who have mastered these methods on a professional level. The majority of publications that touch on issues of analyzing and optimizing programs, as well as creating means of protecting information, delicately tiptoe around the fact that in order to competently find "holes" in a program without having its source code, you have to disassemble it. Restoring something that even somewhat resembles the source code is still considered an extremely complex task. In the book, the author describes a technology used by hackers that gives a practically identical source code, and this includes programs in C++ as well, which are particularly difficult to disassemble. The book gives a detailed description of ways to identify and reconstruct key structures of the source language: functions (including virtual ones), local and global variables, branching, loops, objects and their hierarchy, mathematical operators, etc. The disassembly methodology that we will look at has been formalized, i.e., it has been translated from an intuitive concept into a complete technology, available and comprehensible to almost anyone. The book contains a large number of unique practical materials. It is organized in such a manner that it will most certainly be useful to the everyday programmer as a manual on optimizing programs for modern intelligent compilers, and to the information protection specialist as a manual on looking for so-called "bugs." The "from simple to complex" style of the book allows it to easily be used as a textbook for beginner analyzers and "code diggers."

About the Editor

Kris Kaspersky is the author of articles on hacking, disassembling, and code optimization. He has dealt with issues relating to security and system programming, including compiler development, optimization techniques, security mechanism research, real-time OS kernel creation, and writing antivirus programs.
Hacker Disassembling Uncovered
Kris Kaspersky

Copyright 2003 A-LIST, LLC

All rights reserved. No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher.

A-LIST, LLC
295 East Swedesford Rd.
PMB #285
Wayne, PA 19087
702-977-5377 (FAX)
firstname.lastname@example.org
http://www.alistpublishing.com

All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.

Hacker Disassembling Uncovered
By Kris Kaspersky
1-931769-22-2
03 04 7 6 5 4 3 2 1

A-LIST, LLC titles are available for site license or bulk purchase by institutions, user groups, corporations, etc.

Executive Editor: Natalia Tarkova
Book Editor: Julie Laing

LIMITED WARRANTY AND DISCLAIMER OF LIABILITY

A-LIST, LLC, AND/OR ANYONE WHO HAS BEEN INVOLVED IN THE WRITING, CREATION, OR PRODUCTION OF THE ACCOMPANYING CODE ("THE SOFTWARE") OR TEXTUAL MATERIAL IN THE BOOK, CANNOT AND DO NOT WARRANT THE PERFORMANCE OR RESULTS THAT MAY BE OBTAINED BY USING THE CODE OR CONTENTS OF THE BOOK. THE AUTHORS AND PUBLISHERS HAVE USED THEIR BEST EFFORTS TO ENSURE THE ACCURACY AND FUNCTIONALITY OF THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN; WE HOWEVER MAKE NO WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, REGARDING THE PERFORMANCE OF THESE PROGRAMS OR CONTENTS. THE AUTHORS, THE PUBLISHER, DEVELOPERS OF THIRD PARTY SOFTWARE, AND ANYONE INVOLVED IN THE PRODUCTION AND MANUFACTURING OF THIS WORK SHALL NOT BE LIABLE FOR DAMAGES OF ANY KIND ARISING OUT OF THE USE OF (OR THE INABILITY TO USE) THE PROGRAMS, SOURCE CODE, OR TEXTUAL MATERIAL CONTAINED IN THIS PUBLICATION. THIS INCLUDES, BUT IS NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE PRODUCT. THE USE OF "IMPLIED WARRANTY" AND CERTAIN "EXCLUSIONS" VARY FROM STATE TO STATE, AND MAY NOT APPLY TO THE PURCHASER OF THIS PRODUCT.
Preface

This book opens the door to the wonderful world of security mechanisms, showing you how protection is created, and then bypassed. It is addressed to anyone who likes captivating puzzles, and to anyone who spends their spare (or office) time rummaging in the depths of programs and operating systems. Lastly, it is for anyone who is engaged constantly or incidentally in writing protections, and who wants to know how to counteract ubiquitous hackers competently and reliably.

This book is devoted to hacking basics: the skills needed for working with a debugger and a disassembler. The methods of identifying and reconstructing the key structures of the source language (functions, including virtual ones; local and global variables; branches; cycles; objects and their hierarchies; mathematical operators; etc.) are described in detail.

Choosing the tools you will need to use this book is essentially a matter of your personal preferences. Tastes differ. Therefore, don't take everything that I mention below to be carved in stone, but rather as advice. To use this book, you'll need the following:

A debugger: SoftIce, version 3.25 or higher
A disassembler: IDA, version 3.7x (I recommend 3.8; 4.x is even better)
A HEX editor: any version of HIEW
Development kits: SDK and DDK (the last one isn't mandatory, but is really good to have)
An operating system: any Windows, but Windows 2000 or later is strongly recommended
A compiler: whichever C/C++ or Pascal compiler you like most (in the book, you'll find a detailed description of the particular features of the Microsoft Visual C++, Borland C++, Watcom C, GNU C, and Free Pascal compilers, although we will mostly work with Microsoft Visual C++ 6.0)

Now, let's talk about all this in more detail:

SoftIce. The SoftIce debugger is the hacker's main weapon. There are also free programs (WINDEB from Microsoft, and TRW from LiuTaoTao), but SoftIce is much better, and handier, than all of these taken together. Almost any version of Ice will suit our purposes; I use version 3.26: it's time-tested, maintains its stability, and gets along wonderfully with Windows 2000. The modern 4.x version isn't very friendly with my video adapter (Matrox Millennium G450), and in general goes belly up from time to time. Apart from this, among all the new capabilities of the fourth version, only the support of Frame Pointer Omission (FPO) (see the "Local Stack Variables" section) is particularly useful for working with the local variables directly addressed through the ESP register. This is an undoubtedly practical feature, but we can do without it if we must. Buy it; you won't regret it. (Hacking isn't the same as piracy, and nobody has yet cancelled honesty.)

IDA Pro. The most powerful disassembler in the world is undoubtedly IDA. It's certainly possible to live without it, but it's much better to live with it. IDA provides convenient facilities for navigating the investigated text; automatically recognizes library functions and local variables, including those addressed through ESP; and supports many processors and file formats. In a word, a hacker without IDA isn't a hacker. But I suppose advertising it really isn't necessary. The only problem is, how do you get this IDA? Pirated discs containing it are extremely rare (the latest version I've seen was 3.74, and it was unstable); Internet sites offer it even less often. IDA's developer quickly stops any attempt at unauthorized distribution of the product. The only reliable way to obtain it is to purchase it from the developer (http://www.idapro.com) or from an official distributor. Unfortunately, no documentation comes with the disassembler (except for the built-in help, which is very terse and unsystematic).

HIEW. HIEW is not only a HEX editor; it is a disassembler, an assembler, and an encrypter all in one. It won't save you from having to buy IDA, but it will more than compensate for IDA in certain cases. (IDA works very slowly, and it's vexing to waste a whole bunch of time if all we need is to take a quick glance at the file under preparation.) However, the main purpose of HIEW isn't disassembling, but bit hacking: small surgical interference in a binary file, usually with the aim of cutting off part of the protection mechanism without which it can't function.

SDK (Software Development Kit, a package for the application developer). The main thing that we need from the SDK package i