Tools and Basic Reverse Engineering
Modern Binary Exploitation
CSCI 4968 – Spring 2015
Jeremy Blackthorne
MBE - 01/30/2015 Tools and Basic RE 1
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
Compiling
Source Code --Compile--> Assembly --Assemble--> Object File --Link--> Binary File
Libraries are joined in at the Link step.
Loading
Continuing the pipeline: Binary File --Load--> Process
Running
Process, t=0 --Step--> Process, t=1 --Step--> Process, t=i --Step--> Process, t=n
RE Domain
Binary File --Load--> Process, t=0 --Step--> Process, t=i --Step--> Process, t=n
Static: the Binary File (on disk, before Load)
Dynamic: the running Process (t=0 through t=n)
Tool Color Coding
• Linux Tool
– Command
• Windows Tool
– ToolName.exe
• Associated Challenges:
– ChallengeName
Hex Editor / Viewers
• Hex Editors / Viewers
– wxHexEditor (GUI)
– xxd
• The -i option outputs C include style (a C array)
• Challenge:
– crackme0x00a
ASCII Readable Hex
• strings
– Displays ASCII strings > 4 characters long
• Challenge:
– crackme0x00a
– crackme0x00b
• strings -e ? crackme0x00b
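To make concrete what the default scan of `strings` sees and what the `-e` (encoding) option changes, here is an added Python reimplementation of both scans. It is not part of the lecture and the input buffer is constructed, not one of the crackme binaries; the second scan corresponds to one of the encodings `-e` can select, 16-bit little-endian (`-e l`), which the default scan does not find because every other byte is NUL.

```python
import re

# Constructed sample buffer (not one of the crackme binaries): a few plain ASCII
# strings, some instruction-like bytes, a 2-character string that is too short,
# and one message stored as 16-bit little-endian (UTF-16LE) text.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Password OK :)\x00"
    + b"\x90\x55\x89\xe5\x83\xec\x10"
    + b"ab\x00\x00\x00"
    + "Invalid Password!".encode("utf-16-le") + b"\x00\x00"
    + b"/lib/ld-linux.so.2\x00"
)


def ascii_strings(data: bytes, min_len: int = 4):
    """What plain `strings` shows: runs of printable ASCII (0x20-0x7e)
    of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 4):
    """What `strings -e l` (16-bit little-endian) shows: each printable ASCII
    byte followed by a NUL byte, at least min_len characters in a row."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def all_strings(data: bytes, min_len: int = 4):
    """Both scans, tagged by encoding, so text that the default scan misses
    still shows up in the listing."""
    return ([("ascii", s) for s in ascii_strings(data, min_len)]
            + [("utf-16le", s) for s in utf16le_strings(data, min_len)])


if __name__ == "__main__":
    for enc, s in all_strings(SAMPLE):
        print(f"{enc:9} {s}")
```

Run on the sample, the ASCII scan lists only "Password OK :)" and the loader path, while the message stored as UTF-16LE is found only by the second scan; that is the situation to suspect whenever `strings` on a binary that clearly prints messages comes back nearly empty.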
File Formats on Disk
• Linux:
– ELF-Walkthrough.png
– readelf
• Windows:
– PE-Layout.jpg
– Peview.exe
• For unknown files / binaries
– file
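As an added example (not from the lecture, and not a replacement for `readelf` or `file`), the following Python sketch shows what those tools look at first: the magic bytes that identify ELF and PE files, and the fields of the ELF header that `readelf -h` prints. Both sample headers are constructed inline with `struct.pack`; the machine and type tables cover only a few common values.

```python
import struct

# Lookup tables for the handful of values used here (names as readelf prints them).
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little endian", 2: "big endian"}
ELF_TYPE = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
            3: "DYN (Shared object file)", 4: "CORE (Core file)"}
ELF_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "Advanced Micro Devices X86-64", 183: "AArch64"}


def identify(data: bytes) -> str:
    """Minimal `file`-style check for the two formats on the slide."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header stores the offset of the PE signature at 0x3C (e_lfanew).
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ (DOS executable)"
    return "unknown"


def elf_header(data: bytes) -> dict:
    """Parse e_ident and the rest of the ELF header, like the start of `readelf -h`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx (entry/offsets are
    # 8 bytes in ELF64, 4 bytes in ELF32)
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    f = struct.unpack_from(fmt, data, 16)
    return {
        "class": ELF_CLASS.get(ei_class, "invalid"),
        "data": ELF_DATA.get(ei_data, "invalid"),
        "type": ELF_TYPE.get(f[0], hex(f[0])),
        "machine": ELF_MACHINE.get(f[1], hex(f[1])),
        "entry": f[3],
        "phoff": f[4], "shoff": f[5],
        "phnum": f[9], "shnum": f[11],
    }


# Constructed ELF64 little-endian x86-64 executable header (64 bytes, no segments).
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 2, 64, 0, 0))

# Constructed PE stub: DOS header with e_lfanew = 0x40, then the PE signature.
SAMPLE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"


if __name__ == "__main__":
    for blob in (SAMPLE_ELF, SAMPLE_PE, b"plain text"):
        print(identify(blob))
    for k, v in elf_header(SAMPLE_ELF).items():
        print(f"{k:8} {v:#x}" if isinstance(v, int) else f"{k:8} {v}")
```

The magic check is the same idea `file` applies, only for two formats; the real tool carries a large magic database. For an unknown blob, running `file` first and then the format-specific tool (`readelf`, `Peview.exe`) is the order the slide suggests.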
Hashing
• Do we have the same file?
– md5sum
• Upload hash to virustotal.com
• Google search hash
• Fuzzy hashing:
– ssdeep -b original.elf >hash.txt
– ssdeep -bm hash.txt modified.elf
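The difference between `md5sum` and a fuzzy hash such as `ssdeep` is easiest to see on data. The following is an added Python example, not lecture material and not ssdeep's algorithm: it hashes a constructed 4 KiB buffer, a one-byte patched copy, and a copy with one byte inserted, and compares them with a toy piecewise scheme (fixed 256-byte blocks). The toy scheme is labelled as such; ssdeep uses rolling, content-triggered block boundaries precisely to avoid the insertion weakness the last comparison shows.

```python
import hashlib

# Constructed "binaries": a 4 KiB pattern, the same with one byte flipped, and
# the same with one byte inserted near the start.
ORIGINAL = bytes(range(256)) * 16
_patched = bytearray(ORIGINAL)
_patched[100] ^= 0x01
MODIFIED = bytes(_patched)
INSERTED = ORIGINAL[:100] + b"\x90" + ORIGINAL[100:]


def digest(data: bytes, algo: str = "md5") -> str:
    """What md5sum / sha256sum print: identical files give identical digests,
    any change at all gives an unrelated digest."""
    return hashlib.new(algo, data).hexdigest()


def block_hashes(data: bytes, block: int = 256):
    """Toy piecewise hash: a short digest per fixed-size block."""
    return [hashlib.sha256(data[i:i + block]).digest()[:8]
            for i in range(0, len(data), block)]


def block_similarity(a: bytes, b: bytes, block: int = 256) -> float:
    """Fraction of equal-position blocks whose digests match (0.0 .. 1.0).
    This is NOT ssdeep: ssdeep picks block boundaries from a rolling hash of
    the content, so an insertion only disturbs the block it lands in."""
    ha, hb = block_hashes(a, block), block_hashes(b, block)
    same = sum(1 for x, y in zip(ha, hb) if x == y)
    return same / max(len(ha), len(hb))


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("modified", MODIFIED), ("inserted", INSERTED)):
        print(f"{name:9} md5={digest(blob)}  sha256={digest(blob, 'sha256')[:16]}...")
    print("block similarity original/modified:", block_similarity(ORIGINAL, MODIFIED))
    print("block similarity original/inserted:", block_similarity(ORIGINAL, INSERTED))
```

The one-byte patch changes the MD5 completely but leaves 15 of 16 blocks intact (similarity 0.9375); the one-byte insertion shifts every later block and drives the fixed-block score to 0, which is the case the `ssdeep -bm hash.txt modified.elf` comparison on the slide still handles. MD5 is fine for the "do we have the same file?" question between two copies you control; for anything adversarial, compare a SHA-256 as well, since MD5 collisions are practical.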
Command Line Disassembly
• crackme0x01
• objdump -d
• Convert hex to decimal
– echo $((0xDEADBEEF))
Patching Binaries
• It’s your binary, you can patch it if you want to
• objdump -d crackme0x00a | grep -A 30 '<main>'
• wxHexEditor-->Edit-->Find
External Diffing
• Original + modified = HUGE advantage
• wxHexEditor-->Tools-->compare files
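The patching workflow on the two slides above (find the bytes objdump showed you, overwrite them in a hex editor, then compare the modified file against the original) is scripted here as an added Python example; it is not lecture code and the "binary" is a constructed byte string standing in for a crackme you own. The pattern and the two-NOP replacement are illustrative placeholders.

```python
# Constructed stand-in for a small x86 function body (not a real crackme):
#   55              push ebp
#   89 e5           mov ebp, esp
#   83 ec 10        sub esp, 0x10
#   83 7d f4 00     cmp dword [ebp-0xc], 0
#   74 0b           je +0xb          <- offset 10
#   b8 01 00 00 00  mov eax, 1
#   c9              leave
#   c3              ret
SAMPLE_BIN = bytes.fromhex("55 89 e5 83 ec 10 83 7d f4 00 74 0b b8 01 00 00 00 c9 c3")


def find_all(data: bytes, pattern: bytes):
    """Every file offset where pattern occurs (what Edit->Find in the hex editor does)."""
    offsets, i = [], data.find(pattern)
    while i != -1:
        offsets.append(i)
        i = data.find(pattern, i + 1)
    return offsets


def patch(data: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes in place. The size never changes, so nothing else in the
    file (addresses, section offsets) moves."""
    if offset < 0 or offset + len(new_bytes) > len(data):
        raise ValueError("patch would fall outside the file")
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]


def patch_unique(data: bytes, pattern: bytes, new_bytes: bytes) -> bytes:
    """Patch only if the pattern occurs exactly once; a pattern that matches in
    several places is the classic way to corrupt the wrong function."""
    if len(new_bytes) != len(pattern):
        raise ValueError("replacement must keep the length")
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern found {len(hits)} times, refusing to guess")
    return patch(data, hits[0], new_bytes)


def byte_diff(a: bytes, b: bytes):
    """Byte-level compare of two same-sized files (Tools->Compare files):
    a list of (offset, original_byte, modified_byte)."""
    if len(a) != len(b):
        raise ValueError("sizes differ; compare as a whole-file change instead")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    patched = patch_unique(SAMPLE_BIN, b"\x74\x0b", b"\x90\x90")
    for off, old, new in byte_diff(SAMPLE_BIN, patched):
        print(f"{off:#06x}: {old:02x} -> {new:02x}")
```

Searching for the instruction bytes rather than the address sidesteps the virtual-address-to-file-offset conversion that trips people up when they read an address off `objdump -d` and type it into the hex editor; the price is that the byte pattern must be unique, which `patch_unique` enforces. Keeping the original beside the patched copy is what makes the external diff possible, and the same diff routine is what you run to confirm that a file you did not patch has not been changed.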
Disassembly
• objdump -d
• IDA Pro.exe
• Challenges:
– crackme0x01
– crackme0x02
IDA Pro
• IDA Pro.exe
• crackme0x04
IDA Basics
• Change between basic and graph mode: (space bar)
• Rename variables: (n)
• Comment
– Side: (:), (;)
– Above/below: (ins)
• Convert const formats: (right-click)
• Cross-reference: (x)
• Change to array: (a)
• IDA->Windows->Reset desktop
• IDA->Options->General->auto comment
• IDA->Options->General->opcode bytes 8
https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf
The Stack
[Figure: the call Foo(a, b, c) and the stack frame it builds. Slot labels and numbers are the slide's; one word per slot, higher slots are higher addresses.]

slot  contents
0x07  c
0x06  b
0x05  a
0x04  Old EIP   (return address pushed by call)
0x03  Old EBP   <- EBP
0x02  x
0x01  y
0x00  z         <- ESP
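The stack figure is an animation in the original deck; as an added example (not lecture code), the following Python model replays the pushes that build that frame for a 32-bit cdecl call to Foo(a, b, c) with locals x, y, z, and the epilogue that tears it down. Addresses are arbitrary (ESP starts at 0x1000) and memory holds labels rather than values, so the model only shows where each word lands relative to EBP and ESP.

```python
WORD = 4  # 32-bit x86: EBP, ESP and EIP are 4-byte registers, the stack grows down


class Stack:
    """Tiny model of the x86 stack: memory maps a word address to the label stored there."""

    def __init__(self, esp=0x1000):
        self.mem = {}
        self.esp = esp
        self.ebp = "caller EBP"  # symbolic: the caller's frame pointer
        self.eip = "caller code"

    def push(self, label):
        self.esp -= WORD
        self.mem[self.esp] = label

    def pop(self):
        label = self.mem.pop(self.esp)
        self.esp += WORD
        return label


def call_foo_frame(args=("a", "b", "c"), locals_=("x", "y", "z")):
    """Build the frame the slide draws. Returns (stack, layout) where layout
    lists (address, label) from the highest address to the lowest."""
    s = Stack()
    for arg in reversed(args):      # cdecl: arguments pushed right to left, so c is highest
        s.push(arg)
    s.push("Old EIP")               # `call Foo` pushes the return address
    s.push("Old EBP")               # prologue: push ebp
    s.ebp = s.esp                   #           mov ebp, esp
    for local in locals_:           #           sub esp, 12 -> room for x, y, z
        s.push(local)
    layout = sorted(s.mem.items(), reverse=True)
    return s, layout


def at(s: Stack, reg: str, offset: int = 0):
    """Label stored at [reg + offset], the way objdump prints [ebp+0x8] or [ebp-0x4]."""
    base = s.ebp if reg == "ebp" else s.esp
    return s.mem[base + offset]


def leave_ret(s: Stack):
    """Epilogue: leave (mov esp, ebp; pop ebp) then ret (pop eip).
    Whatever sits in the Old EIP slot is where execution continues."""
    s.esp = s.ebp
    s.ebp = s.pop()
    s.eip = s.pop()
    return s.eip


if __name__ == "__main__":
    s, layout = call_foo_frame()
    for addr, label in layout:
        marker = "  <- EBP" if addr == s.ebp else ("  <- ESP" if addr == s.esp else "")
        print(f"{addr:#06x}  {label}{marker}")
    print("ret jumps to:", leave_ret(s))
```

The offsets the model reproduces are the ones you read off a disassembly: the first argument at [ebp+8], the return address at [ebp+4], the saved frame pointer at [ebp], and locals at negative offsets, with ESP resting on the last local. Seeing that the return address is just another word on the stack, four bytes above the saved EBP, is the reason the rest of this course cares so much about how far a local buffer can be written.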
IDA Pro
• IDA_Pro_Shortcuts.pdf
• The book on IDA
• IDA Syntax Highlighting:
– http://practicalmalwareanalysis.com/2012/03/25/decorating-your-disassembly/
Additional Resources
• Corkami.com – diagrams of file structures and other interesting trivia
• Crackmes.de – “Reverser’s Playground”
• Subreddits
– reddit.com/r/reverseengineering
– reddit.com/r/netsec
– reddit.com/r/uic
• http://www.bottomupcs.com - Systems background