Welcome to Intro. to Reverse Engineering!

Chris & Drake

Chris

  • Interested in Offensive Cyber
  • Sublime is best text editor
  • This semester: Crypto, Net Sec, Pen Testing, and Research with Northrop Grumman. 

Drake

  • Graduating this Semester!
  • Faithful to the Church of Emacs (Evil mode)
  • Linux Enthusiast
  • This semester: OS, Game Theory, Signals, Volatility, and this class! 

Who are we?

Faculty

adviser

Dr. Jonathan Katz

Grading

Grades will only be homework and quizzes!

 

3 Quizzes 9% each

  • Static Analysis
  • Dynamic Analysis
  • Applied RE

 

12 Homeworks 73% total

  • See syllabus

Academic Integrity

See syllabus!!!

 

Don't cheat, don't copy, do your own work! Otherwise it's more work for all of us -___-

Ethics

Do not attempt to use what you learn in this class to commit illegal acts. 

 

You will learn things in this course that you potentially can use to 'steal' intellectual property, and it is not our intent that you become criminals.

 

Use your best judgement, what you choose to do with this knowledge is on you.  

In the United States even if an artifact or process is protected by trade secrets, reverse-engineering the artifact or process is often lawful as long as it has been legitimately obtained.

Reverse engineering of computer software in the US often falls under both contract law as a breach of contract as well as any other relevant laws. This is because most EULAs (end user license agreement) specifically prohibit it, and U.S. courts have ruled that if such terms are present, they override the copyright law which expressly permits it (see Bowers v. Baystate Technologies). Sec. 103(f) of the DMCA (17 U.S.C. § 1201 (f)) says that a person who is in legal possession of a program, is permitted to reverse-engineer and circumvent its protection if this is necessary in order to achieve "interoperability" — a term broadly covering other devices and programs being able to interact with it, make use of it, and to use and transfer data to and from it, in useful ways. A limited exemption exists that allows the knowledge thus gained to be shared and used for interoperability purposes.[35]

What is RE?

Reverse Enginnering

The process by which a man-made object is deconstructed to reveal its designs, architecture, or to extract knowledge from the object

Scope of the class

Linux Binary Analysis

  • ELF 
  • Static/Dynamic
  • Malware
  • Legacy Code bases

 

Some Windows 

  • PE vs ELF
  • Calling conventions

Class VM (Kali)

Link is provided on the class GitLab. We recommend you make a shared folder! 

 

If using virtual-box, install the virtualbox-guest-x11

 

if using vmware, open-vm-tools is already installed

 

If you are not comfortable with Linux, please ask questions!

Installed

  • Binaryninja 32-bit (demo)
  • IDA 7 Free (64/32)
  • Radare2 *
  • Edb - GUI for gdb 
  • Ollydebug * (wine32 required)
  • Shellen (python3)

  • Readelf
  • Objdump
  • Binwalk

Install scripts used are provided, for updating radare2 and python

$ pyenv install [-l]     #to install or see available 
$ pyenv global [Version] #to set or see global version

What is C?

C

General-purpose, imperative, low-level, memory management, compiled

Control Statements

  • If-statements
  • While-loops
  • Do-Whiles
  • For-loops
  • Switch-statements
if ( 1 && !0 ){
    printf("Non-zero is true\n");
} else {
    printf("!0 is 1\n");
}
while ("Is this non-zero?") {
    printf("Who thinks yes?\n");
} 
int i; /* C99 */
for (; i < 10; i++) {
    print("What is wrong with this?\n");
}
/* What might this snipped be used for? */
switch(ast_node->type) {
    case INT:
        return atoi(ast_node->data);
    case PLUS:
        int a = process(ast_node->left);
        int b = process(ast_node->right);
        return a + b
    default:
        printf("There was an error\n");
        exit(1); /* What does exit 1 mean? */
}

Pointers & Dynamic Memory

What are pointers used for in C?

  • referencing memory on the stack or heap
  • referencing arrays
  • extra return values

What are pointers used for in Java?

  • Objects, Objects, Objects

Stack and Heap

What is the Stack?

 

 

 

 

 

What is the Heap?

*if you know where to look

  • Memory used to separate function frames for local memory usage
  • Starts at a high address and grows down
  • Dynamic memory that is globally accessible*
  • Must be allocated & freed manually

C experts now?

/* 1. What is wrong here? */
int *foo(){
    int i = 10;
    return &i;
}
/* 2. Is this valid? */
int *foo() {
    static int i = 5;
    return &i;
}    
/* 3. Is this valid? */
int *foo() {
    void *yeet = malloc(sizeof(double)*10);
    return (int *)yeet;
}

/* 4. Is this valid? */
int main() {
    char *yeett = (char *)foo();
    printf(yeett);
    
    /* 5. Missing something? */
    return 0;
}

Why do we care about details like these?

What does the stack look like?

int *foo(c,d) {
    char e;
    void *yeet = malloc(sizeof(c)*d);
    /* Stop! */
    return (int *)yeet;
}

int main(int argc, char *argv[]) {
    int a = 5, 3;
    int b = 7;
    char *bar = foo((b,a),b);
    
    return 0;
}
Bottom of Stack
(High address)
argv
argc
init main stuff

EBP

ESP

What does the stack look like?

int *foo(c,d) {
    char e;
    void *yeet = malloc(sizeof(c)*d);
    /* Stop! */
    return (int *)yeet;
}

int main(int argc, char *argv[]) {
    int a = 5, 3;
    int b = 7;
    char *bar = foo((b,a),b);
    
    return 0;
}
Bottom of Stack
(High address)
argv
argc
init main stuff
a = 5
b = 7
d = 7
c = 5
return address
old ebp
e = ?
yeet

main

foo

EBP

ESP

Take note of argc and argv!! *hint hint*...

What is Assembly?

Assembly

Low-level programming language that is translated into the the architecture's byte-code. Here we will use the x86_64 architecture.

What is x86_64?

64-bit architecture that supports 32-bit. Used by most modern computers.

Registers x86

  • eax - accumulator
  • ebx - base
  • ecx - counter
  • edx - data
  • edi - destination
  • esi - source
  • esp - stack
  • ebp - base stack     
          frame pointer 
  • eip* - instruction pointer
  • Flags - set from instructions

High speed memory used to store information temporarily

* not accessible like the other registers

The names do not matter for the use of the registers, but sometimes are hints to how they are used.

Registers x64

Same as x86 but now we have more and larger registers! 

Heres the big picture, but we don't need all these!

Floating Point Registers

Flags

And a bunch of other stuff...

Sizes

  • rax   - 64-bits, 8-bytes, quad-word (qword) 
  • eax   - 32-bits, 4-bytes, double-word (dword)
  • ax    - 16-bits, 2-bytes, word   
  • al/ah - 8-bits,  1-byte,  byte

- eax is the lower 32-bits of rax

- ax is the lower 16-bits of eax and rax

- And so on

- This is true for ebx, ecx, edx, and the numbered registers as well. 

- Not all registers have byte sized references, such as esp and ebp

Intel vs AT&T

We will focus on Intel syntax, but know that AT&T syntax exists.

 

Main difference is in the source and destination operand order

 

edi - destination
esi - source
mov edi, esi

Intel

mov %esi, %edi

AT&T

In both examples, the contents of the esi register are copied to the edi register

Instruction types

If interested in disassembly then this diagram is useful to you!

 

Otherwise just know there are a lot ways to use instructions and each way gets encoded differently in bytecode!

mov & push/pop

mov eax, 0x01        ;put 1 into eax
mov [eax], 0x01      ;put 1 into the address in eax
mov eax, [esi]       ;put contents of address (esi)

push eax             ;put contents of eax on top of stack
push 0x01            ;put 1 on top of stack
                     ; and inc the stack pointer

pop eax              ;put contents top of the stack into eax,
                     ; and dec the stack pointer 

Displacement

[] indicates a access to memory*

[base + index*size + offset]

[arr + esi*4 + 0]     ;array of int

*does not mean the memory is actually accessed

What could the offset be used for?

Branching

jmp addr     ;addr could be a register
             ; with an address or a label

this_is_a_label:

call addr    ; functions are just labels (addresses), with a calling convention
ret          ; using the correct calling convention, 
             ;  ret returns from the called function
syscall      ; more commonly seen as 'int' for interrupt
je addr  ; or jz  -- if zero flag is set
jg addr  ; or ja  -- if greater - signed or unsigned 
jl addr  ; or jb  -- if less    - signed or unsigned
jge addr ;        -- if greater or equal to
jle addr ;        -- if less or equal to
js addr  ;        -- if sign bit is set (if negative)

Conditional branching

Flags

carry    -- used to indicate carry in arithmetic operation                    
zero     -- if a value is zero or comparison equals 0
sign     -- if negative
overflow -- if overflow occurred

Each flag is set from certain instructions

Resources to help when reversing x86_64

Week 0

By Drake P

Week 0

Welcome to RE, C, Assembly

  • 183