U Reverse Engineering

Similar documents
CSC 405 Computer Security Reverse Engineering Part 1

Intro x86 Part 3: Linux Tools & Analysis

Rev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Jackson State University Department of Computer Science CSC / Advanced Information Security Spring 2013 Lab Project # 5

Exercise Session 6 Computer Architecture and Systems Programming

Compilation, Disassembly, and Profiling (in Linux)

CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM

Instruction Set Architectures

CSC 591 Systems Attacks and Defenses Reverse Engineering Part 1

Instruction Set Architectures

Buffer Overflow Attack

Compila(on, Disassembly, and Profiling

238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018

Buffer-Overflow Attacks on the Stack

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Mitchell Adair January, 2014

Buffer-Overflow Attacks on the Stack

Intro to Segmentation Fault Handling in Linux. By Khanh Ngo-Duy

Intro to x86 Binaries. From ASM to exploit

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CS/COE 0449 term 2174 Lab 5: gdb

Lecture 2 Assembly Language

1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-32 assembly code is produced:

CSE 351. GDB Introduction

Reviewing gcc, make, gdb, and Linux Editors 1

Recitation: Bomb Lab. September 17 th 2018

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

buffer overflow exploitation

Practical Malware Analysis

Systems I. Machine-Level Programming I: Introduction

CMSC Lecture 03. UMBC, CMSC313, Richard Chang

Using the GNU Debugger

Using the GNU Debugger

18-600: Recitation #3

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

CPS104 Recitation: Assembly Programming

Introduction Presentation A

Simple C Program. Assembly Ouput. Using GCC to produce Assembly. Assembly produced by GCC is easy to recognize:

CS356: Discussion #5 Debugging with GDB. Marco Paolieri

Machine Language, Assemblers and Linkers"

Project 1 Notes and Demo

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

1. Allowed you to see the value of one or more variables, or 2. Indicated where you were in the execution of a program

Assembly Language Programming Debugging programs

Stack overflow exploitation

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

Lab 3. The Art of Assembly Language (II)

Program Exploitation Intro

CSC 405 Computer Security Reverse Engineering

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Source level debugging. October 18, 2016

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

CSE 361S Intro to Systems Software Lab Assignment #4

CS354 gdb Tutorial Written by Chris Feilbach

Lab 10: Introduction to x86 Assembly

Debugging. ICS312 Machine-Level and Systems Programming. Henri Casanova

Return Oriented Programming

Roadmap. Java: Assembly language: OS: Machine code: Computer system:

CS 270 Systems Programming. Debugging Tools. CS 270: Systems Programming. Instructor: Raphael Finkel

Machine Programming 1: Introduction

System calls and assembler

ANITA S SUPER AWESOME RECITATION SLIDES

ROP It Like It s Hot!

CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

Labeling Library Functions in Stripped Binaries

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

MACHINE-LEVEL PROGRAMMING I: BASICS

Lecture 4 Processes. Dynamic Analysis. GDB

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

Machine-Level Programming I: Introduction Jan. 30, 2001

GDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

Link 2. Object Files

U23 - Binary Exploitation

CSE 361 Fall 2017 Lab Assignment L2: Defusing a Binary Bomb Assigned: Wednesday Sept. 20 Due: Wednesday Oct. 04 at 11:59 pm

GDB cheatsheet - page 1

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Profilers and Debuggers. Introductory Material. One-Slide Summary

Link 2. Object Files

CSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II

T Jarkko Turkulainen, F-Secure Corporation

ECE 3210 Laboratory 1: Develop an Assembly Program

FLARE-On 4: Challenge 3 Solution greek_to_me.exe

Today: Machine Programming I: Basics. Machine Level Programming I: Basics. Intel x86 Processors. Intel x86 Evolution: Milestones

CSE 351: Week 4. Tom Bergan, TA

Exercise 6: Buffer Overflow and return-into-libc Attacks

A short session with gdb verifies a few facts; the student has made notes of some observations:

Università Ca Foscari Venezia

Sungkyunkwan University

CSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here

Overview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin

Programming Studio #9 ECE 190

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

CS 105 Lab 2: Debugger Playing with X86-64 Assembly

Transcription:

U23 2016 - Reverse Engineering Andy andy@koeln.ccc.de November 15, 2016

Introduction Static program analysis Dynamic program analysis Tools strings objdump IDA Hopper gdb Live Reversing Exercises

Section 1 Introduction

Introduction Reverse Engineering is the process of analyzing a design to figure out exactly how it works and re-produce the analyzed design as a 1:1 copy - not only a functional copy which behaves like the original but is designed exactly like the original Not only applicable to software. Also all kinds of hardware: Chips, PCBs, Trains, Planes, Cars etc. Also maybe only parts of a whole system like the engine, suspension, certain control mechanisms etc.

Introduction Reverse Engineering is the process of analyzing a design to figure out exactly how it works and re-produce the analyzed design as a 1:1 copy - not only a functional copy which behaves like the original but is designed exactly like the original Not only applicable to software. Also all kinds of hardware: Chips, PCBs, Trains, Planes, Cars etc. Also maybe only parts of a whole system like the engine, suspension, certain control mechanisms etc. We are only interested in software here

When do we reverse engineer software? Malware analysis Lost source code of an original product Compatibility of file formats / network protocols Security analysis Debugging Curiosity (not 100% legal, but most of the time this can be twisted to be about security or compatibility - situation between EU and US is different!)

Static program analysis Look at the code, but don t execute it This is what you do when you disassemble a program and stare at the code Also possible on source code, but not important here

Dynamic program analysis Execute the code you want to analyze Instrument it while it s being executed Figure out what s going on either automatically using a tool or by hand This is what you do if you debug a program using gdb/msvc or run it in an emulator with augmentation capabilities (Unicorn, PIN etc.)

Section 2 Tools

strings Easiest tool ever Just dumps all printable character sequences longer than n characters (default is 4) Example: $ strings test / lib64 /ld -linux -x86-64. so.2 libc.so.6 puts libc_start_main gmon_start GLIBC_2.2.5 UH -0 AWAVA AUATL []A\A]A^A_ Hello, World! ;*3 $" GCC : ( GNU ) 6.1.1 20160802 [...]

objdump Very simple disassembler Installed everywhere because it s part of binutils -d disassembles a binary Example: $ objdump -d test [...] 0804840b <main >: 804840 b: 8d 4c 24 04 lea 0x4 (% esp ),%ecx 804840 f: 83 e4 f0 and $0xfffffff0,% esp 8048412: ff 71 fc pushl -0x4 (% ecx ) 8048415: 55 push % ebp 8048416: 89 e5 mov %esp,% ebp 8048418: 51 push % ecx 8048419: 83 ec 04 sub $0x4,% esp 804841c: 83 ec 0c sub $0xc,% esp 804841 f: 68 c0 84 04 08 push $0x80484c0 8048424: e8 b7 fe ff ff call 80482e0 <puts@plt > 8048429: 83 c4 10 add $0x10,% esp 804842c: b8 00 00 00 00 mov $0x0,% eax 8048431: 8b 4d fc mov -0x4 (% ebp ),%ecx 8048434: c9 leave 8048435: 8d 61 fc lea -0x4 (% ecx ),%esp 8048438: c3 ret 8048439: 66 90 xchg %ax,% ax 804843b: 66 90 xchg %ax,% ax 804843d: 66 90 xchg %ax,% ax 804843 f: 90 nop [...]

IDA The mother of disassemblers Very powerful tool Quite costly Free version is available for Windows but quite outdated. Rumors tell there will be an update sometime soon Runs in wine on Mac OS and Linux Not really much to know about, I ll show the basic features later If you have the money, it even has a decompiler for certain architectures Point to take away: It s the tool to do reversing https://www.hex-rays.com/products/ida/index.shtml

Figure: IDA

Hopper A bit like IDA Demo version available Not quite that expensive Also not that powerful https://www.hopperapp.com/

Figure: Hopper

gdb Standard Debugger for unix environments Has a textinterface Different addons available like peda (https://github.com/longld/peda) specifically for exploitation/reversing

gdb Cheat Sheet 1 Start gdb: gdb./myfile Running the binary: run Setting breakpoints on symbols: break main Setting breakpoints on addresses: break *0x4004fa Listing breakpoints: info breakpoints Delete breakpoints: del <n> (n = number from info breakpoints) Show registers: info registers Disassemble things: disassemble main Disassemble things without symbols: disassemble 0x4004fa,+0x20 (disassemble 0x20 bytes starting from 0x4004fa)

gdb Cheat Sheet 2 Show backtrace: backtrace Single step instruction: si Single step instruction while not entering subroutines: ni Forward to end of function: finish Continue until next breakpoint: continue Examine memory: x - Example: x/32wx $esp - Look into a pointer at esp and dump 32 words in hexadecimal representation Print strings: print - Example: print (char*)0x80484c0 - Take address 0x80484c0, cast it into a char pointer and print the string it points to Help: help <command>

gdb peda peda is a nice addon for GDB Get it from https://github.com/longld/peda See Readme.md on how to install it

Section 3 Live Reversing

Section 4 Exercises

Exercises 1. Solve the three exercises in /u23/reversing 2. Find out what they do 3. Reverse engineer 4.??? 5. Profit! Hint: If you encounter unknown C-functions, check the man-pages! Example: man 3 strlen Copying files to/from the remote machine: scp -P 8523 user@u23.labor.koeln.ccc.de:/u23/reversing/*.elf /local/directory Windows users: Use WinSCP

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback