REVERSE ENGINEERING

What is a C.T.F.?

A competition made up of several security challenges. The goal is to retrieve the flag of a challenge to earn the corresponding points.

What is R.E.?

Consists of studying an object to determine how it works internally or how it was made.

Wikipedia

What is R.E.?

  • Cheats
  • Malware analysis
  • Vulnerability Research

Memory segmentation

  • The binary
  • Initialised global / static variables
  • Uninitialised global / static variables
  • Heap: dynamically managed memory (malloc, realloc, free...)
  • Stack: local variables

Registers

A storage location inside the processor itself.

  • EBP: BASE POINTER
  • ESP: STACK POINTER
  • EIP: INSTRUCTION POINTER

The Stack

static int increment(int number)
{
    return number + 1;           /* number is a copy of index, stored in increment's frame */
}

int main(void)
{
    int index = 0;               /* local variable: lives in main's stack frame */
    char buffer[10] = {1};       /* local array: only buffer[0] is 1, the remaining bytes are zero-initialised */

    index = increment(index);    /* the call pushes the return address (EIP); increment then saves EBP */
    /* ... */
    /* ... */
    return index;
}

[Stack diagram from the slides: main's frame holds index and buffer; the call to increment pushes the return address (saved EIP) and then the caller's EBP, and ESP/EBP move to increment's STACKFRAME; on return, EBP and EIP are restored and ESP moves back to main's frame.]

Endianness

ASM: the basics

Intel syntax:

instruction    destination, source

mov   eax, 0x1                    ; eax = 1
sub   esp, 0xc                    ; reserve 12 bytes on the stack

jmp   0x080494ab                  ; unconditional jump

cmp   eax, 0x5                    ; compare eax with 5 (sets the flags)
jne   0x804948e                   ; jump if not equal

mov   eax, DWORD PTR [ebx+0x4]    ; load the 4 bytes at ebx+4 into eax
movzx eax, BYTE PTR [ebx]         ; load the byte at ebx into eax, zero-extended
                                  ; (mov eax, BYTE PTR [ebx] does not assemble: operand sizes differ)
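An added example, not code from the slides, that ties the two memory operands above to the endianness slide: it shows what DWORD PTR [ebx+0x4] and BYTE PTR [ebx] actually read from a constructed byte buffer, and why the byte order of the machine decides the 32-bit value. The names sample_mem, host_is_little_endian, load_dword and load_byte are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: what "DWORD PTR [ebx+0x4]" and
 * "BYTE PTR [ebx]" read from memory, and why byte order decides the value.
 * Constructed sample: 8 bytes as they would sit in memory at "ebx". */
static const uint8_t sample_mem[8] = {
    0x11, 0x22, 0x33, 0x44,   /* [ebx+0] .. [ebx+3] */
    0x78, 0x56, 0x34, 0x12    /* [ebx+4] .. [ebx+7] */
};

/* 1 when the host stores the least significant byte first (little-endian,
 * as x86 does); 0 on a big-endian host. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304u;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* the byte at the lowest address */
    return first == 0x04;
}

/* Equivalent of:  mov eax, DWORD PTR [base+disp]
 * Assembled little-endian by hand, so the result is what an x86 CPU would
 * load whatever the byte order of the machine running this program. */
uint32_t load_dword(const uint8_t *base, size_t disp)
{
    const uint8_t *p = base + disp;
    return (uint32_t)p[0]
         | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16
         | (uint32_t)p[3] << 24;
}

/* Equivalent of:  movzx eax, BYTE PTR [base+disp]  (one byte, zero-extended) */
uint32_t load_byte(const uint8_t *base, size_t disp)
{
    return base[disp];
}

int main(void)
{
    printf("host little-endian  : %d\n", host_is_little_endian());
    /* bytes 78 56 34 12 in memory read back as 0x12345678 */
    printf("DWORD PTR [ebx+0x4] : 0x%08x\n", load_dword(sample_mem, 4));
    printf("BYTE  PTR [ebx]     : 0x%02x\n", load_byte(sample_mem, 0));
    return 0;
}
```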

GDB / PEDA

DEMO TIME

Ready? Steady? Reverse!

Challenges

https://challs.poc-innovation.com

Slides

http://slides.pwnh4.com/reverse

@PoCInnovation