際際滷

際際滷Share a Scribd company logo

Reverse Engineering.pptx

Download as PPTX, PDF
S
Sameer Sapra

Reverse engineering is the process of extracting knowledge or design information from something to understand its workings or recreate it. It often involves disassembling hardware or software and analyzing components. Common tools used are disassemblers to convert binary to assembly code, debuggers to view program state, hex editors to view and edit binary, and decompilers to recreate source code from machine code. The document also discusses security risks of reverse engineering like information disclosure, spoofing, and code modification, as well as some famous legal cases involving reverse engineering.

1 of 22
Downloaded 25 times
Reverse Engineering Tools/Techniques SAMEER SAPRA & MANBIR SINGH
Contents Introduction Requirements Purpose Techniques/Tools Security Risks Famous Cases of Reverse Engineering Activity
Introduction Reverse engineering, also called back engineering, is the processes of extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information. The process often involves disassembling something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) and analyzing its components and workings in detail. https://www.youtube.com/watch?v=mwrhRP2PswA
Requirements Need knowledge of assembly language. Reverse Engineering tools.
Purpose Security Auditing, Removal of copy protection, Circumvention of access restrictions, Customization of embedded systems, Enabling additional features like extend a free trial of a software.
Techniques/Tools Disassemblers Used to convert binary code into assembly code and also used to extract strings imported and exported functions, libraries etc. The disassemblers convert the machine language into a user-friendly format. Debuggers This tool expands the functionality of a disassembler by supporting the CPU registers, the hex duping of the program, view of stack etc. Allows the user to view the running state of a program.
Techniques/Tools Hex Editors Allow the binary to be viewed in the editor and change it as per the requirements of the software. PE and Resource Viewer PE is a Portable Executable which is a format for executables, object code, DLLs, FON Font files and others. The viewer allows to read and display the executable file properties and structure. Decompilation Decompilation uses a decompiler tool that tries to recreate the source code in a high level language that can be available in machine code or bytecode.
IDA Pro - Disassembler Performs automatic code analysis, using cross-references between code sections, knowledge of parameters of API calls and other information. System host Windows x86 and ARM Linux x86 Mac OS X x86 Executable file formats COFF and other derivatives, including Win32/64/generic PE ELF and derivatives(generic) MZ (MS-DOS) LC/LE/LX (OS/2 3.x and various DOS extenders) AIM (generic)
IDA Pro - Disassembler Instruction Set ARM Architecture, Motorola 68k and H8, Intel 80x86 family, Java Virtual Machine, and many more... Compiler/libraries (for automatic library function recognition) Borland C++ 5.x for DOS/Windows, Borland C++ 3.1, Microsoft C, Microsoft Visual C++, and many more Supports a number of Debuggers GNU is supported on Linux and OS X, as well as the native Windows debugger An Intel PIN-based debugger
IDA Pro - Demo Wrote a simple console application in C++.
BinDiff - Disassembler BinDiff is an interesting tool used to reverse engineer. BinDiff compares 2 binaries and finds out how similar or how different they are. Example if you have a patch DLL and a unpatched dll you can compare the similarities and the which function have been changed, this is down by highlighting the changes between the two. Does not compare the bytes between the two but uses the disassembler and compares the two call graphs and compare the basic blocks in the instructions within them.
OllyDbg - Disassembler A tool that is common and available online is OllyDbg provides: Ability to decode over 1900 standard API and 400 C functions Attaches and able to view running programs Debugs multi threaded applications Configurable disassembler supporting MASM and IDEAL formats Is also a debugger http://resources.infosecinstitute.com/reverse-engineering-ollydbg/
Immunity Debuggers - Debugger Immunity Debugger is a powerful tool to help taking advantage to write, analyze malware, and help reverse engineer binary files. Has a friendly user interface within functionality such as graphing. Immunity Debugger is a branch tool based off of OllyDbg, but also includes built-in support for python scripting. Using debugger tools like Immunity Debugger can help you find the holes within the program.
PE Explorer - PE and Resource Reader PE Explorer is a multi featured program that is used for inspecting the insides of your own software but what is more important is the ability to inspect the inner workings of a outside Windows applications and libraries which you wouldn't have access to the source code. View and edit different PE files The resource editor provides a fast resource viewer, extractor, and a rebuilder. Win32 Disassembler Digital Signature View
dotPeek - Decompilation dotPeek is a standalone tool. It is able to be a reliable decompiler in any .NET assembly into equivalent C# code. The decompiler can support multiple formats such as exe files, DLLs, and Windows metadata files. The tool is able to view a upload a file and will try to load it so that it can be viewed as source code. This tool is good when trying to view files that you dont have the source code to. dotPeek inherits features from ReSharper. These features extended the tool usage such as usage search and different code structure and hierarchy views.
SECURITY RISKS External systems can use tools within their disposal to view the system and inner workings. Spoofing: The ability to gather credentials about someone to make certain transactions. Code modification: Changing the business logic, control flow, and the programs operations. This can be done by many ways Disabling or circumvent security controls to bypass authentication. Encryption License Management/checking. root/jailbreak detection.
SECURITY RISKS Information Disclosure: Probing the system for digital keys, certificates, credentials, metadata, proprietary algorithms, and other internal logic. Elevation of Privilege: Spreading unauthorized code that would cause disturbance within the system. Inserting malware Exploiting the application and repackaging it.
Atari Games Corp vs Nintendo of America Inc Nintendo designed a program, the 10NES, to prevent unauthorized video games from working on the NES. Their license agreement stated that the company could only make 5 games per year and prevented them from selling the games to other home entertainment system. Attari attempted to crack 10NES in order to bypass any need for a restrictive license agreement. In 1986 they purchased some Nintendos and started reverse engineering.
Sega Enterprises Ltd vs Accolade Inc. The case involved Segs video console and cartridges, which the cartridges had 20-25 byte of code segment that was interrogated by the console as a security measure. Accolade was able to disassemble the code which were also part of three different games. Accolade had fair use of the copyright in the games programs. Under section 107 of the Copyright Act using disassembly of copyrighted games code, it is fair to exam the unprotected ideas and functionalities that are embodied in the code.
Activity Download this executable and try to crack it. http://canyouhack.it/Content/Challenges/Crack/Crack1.exe
REFERENCES https://en.wikipedia.org/wiki/Reverse_engineering https://www.owasp.org/index.php/Technical_Risks_of_Reverse_Engineering_and _Unauthorized_Code_Modification https://www.youtube.com/watch?v=yhlsDBuDG7A https://www.udemy.com/reverse-engineering-and-exploit-development/ https://blog.udemy.com/reverse-engineering-tutorial/ http://programmers.stackexchange.com/questions/160985/reverse-engineering- what-is-it-really-good-for http://reverseengineering.stackexchange.com/questions/4635/whats-the- difference-between-a-disassembler-debugger-and-decompiler https://en.wikipedia.org/wiki/Decompiler https://ethics.csc.ncsu.edu/intellectual/reverse/study.php http://resources.infosecinstitute.com/reverse-engineering-tools/
References https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects http://www.heaventools.com/overview.htm https://www.jetbrains.com/decompiler/ https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects

More Related Content

Reverse Engineering.pptx

  • 2. Contents Introduction Requirements Purpose Techniques/Tools Security Risks Famous Cases of Reverse Engineering Activity
  • 3. Introduction Reverse engineering, also called back engineering, is the processes of extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information. The process often involves disassembling something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) and analyzing its components and workings in detail. https://www.youtube.com/watch?v=mwrhRP2PswA
  • 4. Requirements Need knowledge of assembly language. Reverse Engineering tools.
  • 5. Purpose Security Auditing, Removal of copy protection, Circumvention of access restrictions, Customization of embedded systems, Enabling additional features like extend a free trial of a software.
  • 6. Techniques/Tools Disassemblers Used to convert binary code into assembly code and also used to extract strings imported and exported functions, libraries etc. The disassemblers convert the machine language into a user-friendly format. Debuggers This tool expands the functionality of a disassembler by supporting the CPU registers, the hex duping of the program, view of stack etc. Allows the user to view the running state of a program.
  • 7. Techniques/Tools Hex Editors Allow the binary to be viewed in the editor and change it as per the requirements of the software. PE and Resource Viewer PE is a Portable Executable which is a format for executables, object code, DLLs, FON Font files and others. The viewer allows to read and display the executable file properties and structure. Decompilation Decompilation uses a decompiler tool that tries to recreate the source code in a high level language that can be available in machine code or bytecode.
  • 8. IDA Pro - Disassembler Performs automatic code analysis, using cross-references between code sections, knowledge of parameters of API calls and other information. System host Windows x86 and ARM Linux x86 Mac OS X x86 Executable file formats COFF and other derivatives, including Win32/64/generic PE ELF and derivatives(generic) MZ (MS-DOS) LC/LE/LX (OS/2 3.x and various DOS extenders) AIM (generic)
  • 9. IDA Pro - Disassembler Instruction Set ARM Architecture, Motorola 68k and H8, Intel 80x86 family, Java Virtual Machine, and many more... Compiler/libraries (for automatic library function recognition) Borland C++ 5.x for DOS/Windows, Borland C++ 3.1, Microsoft C, Microsoft Visual C++, and many more Supports a number of Debuggers GNU is supported on Linux and OS X, as well as the native Windows debugger An Intel PIN-based debugger
  • 10. IDA Pro - Demo Wrote a simple console application in C++.
  • 11. BinDiff - Disassembler BinDiff is an interesting tool used to reverse engineer. BinDiff compares 2 binaries and finds out how similar or how different they are. Example if you have a patch DLL and a unpatched dll you can compare the similarities and the which function have been changed, this is down by highlighting the changes between the two. Does not compare the bytes between the two but uses the disassembler and compares the two call graphs and compare the basic blocks in the instructions within them.
  • 12. OllyDbg - Disassembler A tool that is common and available online is OllyDbg provides: Ability to decode over 1900 standard API and 400 C functions Attaches and able to view running programs Debugs multi threaded applications Configurable disassembler supporting MASM and IDEAL formats Is also a debugger http://resources.infosecinstitute.com/reverse-engineering-ollydbg/
  • 13. Immunity Debuggers - Debugger Immunity Debugger is a powerful tool to help taking advantage to write, analyze malware, and help reverse engineer binary files. Has a friendly user interface within functionality such as graphing. Immunity Debugger is a branch tool based off of OllyDbg, but also includes built-in support for python scripting. Using debugger tools like Immunity Debugger can help you find the holes within the program.
  • 14. PE Explorer - PE and Resource Reader PE Explorer is a multi featured program that is used for inspecting the insides of your own software but what is more important is the ability to inspect the inner workings of a outside Windows applications and libraries which you wouldn't have access to the source code. View and edit different PE files The resource editor provides a fast resource viewer, extractor, and a rebuilder. Win32 Disassembler Digital Signature View
  • 15. dotPeek - Decompilation dotPeek is a standalone tool. It is able to be a reliable decompiler in any .NET assembly into equivalent C# code. The decompiler can support multiple formats such as exe files, DLLs, and Windows metadata files. The tool is able to view a upload a file and will try to load it so that it can be viewed as source code. This tool is good when trying to view files that you dont have the source code to. dotPeek inherits features from ReSharper. These features extended the tool usage such as usage search and different code structure and hierarchy views.
  • 16. SECURITY RISKS External systems can use tools within their disposal to view the system and inner workings. Spoofing: The ability to gather credentials about someone to make certain transactions. Code modification: Changing the business logic, control flow, and the programs operations. This can be done by many ways Disabling or circumvent security controls to bypass authentication. Encryption License Management/checking. root/jailbreak detection.
  • 17. SECURITY RISKS Information Disclosure: Probing the system for digital keys, certificates, credentials, metadata, proprietary algorithms, and other internal logic. Elevation of Privilege: Spreading unauthorized code that would cause disturbance within the system. Inserting malware Exploiting the application and repackaging it.
  • 18. Atari Games Corp vs Nintendo of America Inc Nintendo designed a program, the 10NES, to prevent unauthorized video games from working on the NES. Their license agreement stated that the company could only make 5 games per year and prevented them from selling the games to other home entertainment system. Attari attempted to crack 10NES in order to bypass any need for a restrictive license agreement. In 1986 they purchased some Nintendos and started reverse engineering.
  • 19. Sega Enterprises Ltd vs Accolade Inc. The case involved Segs video console and cartridges, which the cartridges had 20-25 byte of code segment that was interrogated by the console as a security measure. Accolade was able to disassemble the code which were also part of three different games. Accolade had fair use of the copyright in the games programs. Under section 107 of the Copyright Act using disassembly of copyrighted games code, it is fair to exam the unprotected ideas and functionalities that are embodied in the code.
  • 20. Activity Download this executable and try to crack it. http://canyouhack.it/Content/Challenges/Crack/Crack1.exe
  • 21. REFERENCES https://en.wikipedia.org/wiki/Reverse_engineering https://www.owasp.org/index.php/Technical_Risks_of_Reverse_Engineering_and _Unauthorized_Code_Modification https://www.youtube.com/watch?v=yhlsDBuDG7A https://www.udemy.com/reverse-engineering-and-exploit-development/ https://blog.udemy.com/reverse-engineering-tutorial/ http://programmers.stackexchange.com/questions/160985/reverse-engineering- what-is-it-really-good-for http://reverseengineering.stackexchange.com/questions/4635/whats-the- difference-between-a-disassembler-debugger-and-decompiler https://en.wikipedia.org/wiki/Decompiler https://ethics.csc.ncsu.edu/intellectual/reverse/study.php http://resources.infosecinstitute.com/reverse-engineering-tools/
  • 22. References https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects http://www.heaventools.com/overview.htm https://www.jetbrains.com/decompiler/ https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects