REVERSE ENGINEERING

What is a C.T.F. ?

Competion with multiple security challenges. The goal is to retrieve the flag of a challenge to earn the corresponding points.

What is R.E. ?

consiste à étudier un objet pour en déterminer le fonctionnement interne ou la méthode de fabrication.

Wikipedia

What is R.E. ?

What is R.E. ?

  • Cheats
  • Malware analysis
  • Vulnerability Research

Segmentation mémoire

Le binaire

Segmentation mémoire

Le binaire

Variables globales / statiques initialisées

Segmentation mémoire

Le binaire

Variables globales / statiques initialisées

Variables globales / statiques non initialisées

Segmentation mémoire

Le binaire

Variables globales / statiques initialisées

Variables globales / statiques non initialisées

Heap : mémoire gérée dynamiquement (malloc, realloc, free...)

Segmentation mémoire

Le binaire

Variables globales / statiques initialisées

Variables globales / statiques non initialisées

Heap : mémoire gérée dynamiquement (malloc, realloc, free...)

Stack : variables locales

Registres

Emplacement mémoire interne à un processeur

Registres

Registres

EBP : BASE POINTER

ESP : STACK POINTER

EIP : INSTRUCTION POINTER

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

...

ESP

EBP

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

[1, 1, 1, ..., 1]

...

ESP

EBP

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

[1, 1, 1, ..., 1]

...

ESP

EBP

EIP

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

[1, 1, 1, ..., 1]

...

ESP

EBP

EIP

EBP

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

...

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

EBP

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

[1, 1, 1, ..., 1]

...

EIP

EBP

...

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

EBP

0

STACKFRAME

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

[1, 1, 1, ..., 1]

...

EIP

EBP

...

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

EBP

0

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

0

[1, 1, 1, ..., 1]

...

EIP

EBP

...

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

EBP

0

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

...

0

[1, 1, 1, ..., 1]

EIP

EBP

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

EBP

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

...

0

[1, 1, 1, ..., 1]

EIP

EBP

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

0

La Stack

static int increment(int number)
{
    return number + 1;
}

int main(void)
{
    int index = 0;
    char buffer[10] = {1};
    
    index = increment(index);
    ...
    ...
    return index;
}

...

0

[1, 1, 1, ..., 1]

EIP

EBP

0

[1, 1, 1, ..., 1]

ESP

EBP

EIP

0

Le boutisme

ASM : la base

Intel syntax

instruction    destination, source

ASM : la base

mov  eax, 0x1

sub  esp, 0xc

ASM : la base

jmp  0x080494ab


cmp    eax,0x5
jne    0x804948e

ASM : la base

mov    eax, DWORD PTR [ebx+0x4]


mov    eax, BYTE PTR [ebx]

GDB / PEDA

DEMO TIME

Ready ? Steady ? Reverse !

Challenges

https://challs.poc-innovation.com

Slides

http://slides.pwnh4.com/reverse

@PoCInnovation

Reverse Engineering

By pwnh4

Reverse Engineering

In this workshop, we are going to use GDB and PEDA to reverse engineer simple binaries. We are going to learn about memory segmentation, stack, registers and endianness !

  • 1,381