André Baptista
@0xACB
Demystifying Binary Reverse Engineering - Pixels Camp
Reverse Engineering
• Uncovering the hidden behaviour of a given
technology, system, program, protocol or device,
by analysing the structure and operation of its
components
• Extracting knowledge about any unknown
engineering invention
Reverse Engineering
“Is biology reverse engineering?”
Reverse Engineering
History
• Reversing was used to copy inventions from other
countries or business competitors
• Frequently used in WW2 and the Cold War:
• Jerry can
• Panzerschreck
• Tupolev Tu-4 / B-29
Binary Reverse Engineering
Motivation
• Software and hardware cracking
• Malware analysis - botnets, spyware, ransomware
• Finding bugs and developing 0day exploits
• Creating or improving docs
• Interpreting unknown protocols
• Academic purposes
• Industrial or military espionage
• Software interoperability
Who knows how to do this stuff?
• Hackers in general
• Intelligence agencies / cybercrime divisions
• Antivirus companies
• Students and curious people
Binary Reverse Engineering
• It’s the process of getting knowledge about
compiled software, in order to understand how it
works and how it was originally implemented.
Without the source code???
WTF?
Binary Reverse Engineering
Formats of compiled software
• ELF (Linux & UNIX like)
• Mach-O (OSX)
• PE (Windows)
• Class (Java bytecode)
• DEX (Android - Dalvik bytecode)
• PYC (Python bytecode)
• …
Required skills
• Debugging (GDB, Valgrind, WinDbg)
• Assembly (x86, x64, ARM, MIPS and many others)
• Programming (C, C++, Java, etc)
• Software architecture
• Logic, math, crypto, protocols, networks
• Don’t give up
Awesome tools
• Disassemblers
• Debuggers
• Decompilers
• Patchers
Disassemblers
These programs translate machine code to assembly.
Debuggers
These programs are used to test
other programs.
Debuggers allow us to inspect
memory and CPU registers, modify
variables at runtime, set
breakpoints and call functions
outside the normal program flow.
In reverse engineering we usually
use them for dynamic analysis.
Decompilers
These programs try to achieve the
near-impossible task of translating
compiled software back to the original
source code.
Sometimes, the generated code is
more than enough to perform
reversing tasks.
Patchers
A patcher is very useful for changing binary code in order to modify the
software behaviour. Hex editors can be used as patchers, but there are
better tools in the wild that allow us to patch assembly instructions directly.
Badass tools
• Disassemblers, debuggers and patchers
• IDA Pro - https://www.hex-rays.com/products/ida
• Hopper Disassembler - http://www.hopperapp.com
• binary.ninja - https://binary.ninja
• Radare 2 - http://rada.re
• ODA - http://www.onlinedisassembler.com
• OllyDbg - http://www.ollydbg.de
• ILSpy - http://ilspy.net
• Linux tools: objdump, ltrace, strace, readelf, gdb
• Apktool - https://ibotpeaches.github.io/Apktool
Badass tools
• Decompilers
• IDA Pro - https://www.hex-rays.com/products/ida (x86, x64, ARM, MIPS,
Gameboy, etc)
• Hopper Disassembler - http://www.hopperapp.com (x86, x64, ARM)
• Retargetable Decompiler (AVG) - https://retdec.com (x86, ARM, MIPS, Power PC)
• JADX - https://github.com/skylot/jadx (DEX)
• Online android decompilers: http://www.javadecompilers.com/apk | http://www.decompileandroid.com
• JetBrains dotPeek - https://www.jetbrains.com/decompiler (.NET)
• ILSpy - http://ilspy.net (.NET)
• uncompyle2 - https://github.com/Mysterie/uncompyle2 (Python bytecode)
Static Analysis
• Do not execute the program
• Read the spooky assembly/decompiled code
• Inspect flow charts
• Take lots of notes
• Translate procedures to the programming language of
your choice
• It’s a pain in the ass to reverse obfuscated or very
complex programs
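The steps above applied to one of the formats listed earlier (Python bytecode, the kind of thing uncompyle2 targets), as an added example that is not part of the talk: the "compiled program" is constructed here, held only as a marshalled code object (what a .pyc stores after its header), and is read with the standard library's dis module without ever being executed. The string constants and the constants fed into comparisons are exactly the notes a reverser would take before translating the procedure by hand.

```python
# Added example (not from the talk): static analysis of Python bytecode with the
# standard library's dis module. The "compiled program" below is constructed here
# and handled only as a marshalled code object, the same form a .pyc stores after
# its header, so nothing from it is ever executed.
import dis
import marshal
import types

_SOURCE = '''
def check_serial(serial):
    if len(serial) != 6:
        return False
    return serial == "AB-123"
'''


def build_bytecode_blob():
    """Stand-in for reading a .pyc: compile the constructed source to a marshalled code object."""
    return marshal.dumps(compile(_SOURCE, "<constructed>", "exec"))


def load_code(blob):
    """Deserialize the bytecode; no code runs at this point."""
    return marshal.loads(blob)


def iter_code_objects(code):
    """Walk the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def disassembly_text(code):
    """The 'spooky' listing a reverser reads, for every code object."""
    return "\n".join(dis.Bytecode(co).dis() for co in iter_code_objects(code))


def string_constants(code):
    """Every string literal the bytecode loads: the first thing to look at when hunting a check."""
    return [ins.argval
            for co in iter_code_objects(code)
            for ins in dis.get_instructions(co)
            if ins.opname == "LOAD_CONST" and isinstance(ins.argval, str)]


def compare_targets(code):
    """Constants fed straight into a COMPARE_OP, paired with the operator.

    Heuristic: a constant load immediately followed by a comparison instruction.
    """
    found = []
    for co in iter_code_objects(code):
        ins = list(dis.get_instructions(co))
        for cur, nxt in zip(ins, ins[1:]):
            if cur.opname in ("LOAD_CONST", "LOAD_SMALL_INT") and nxt.opname == "COMPARE_OP":
                found.append((cur.argval, nxt.argval))
    return found


if __name__ == "__main__":
    code = load_code(build_bytecode_blob())
    print(disassembly_text(code))
    print("strings:", string_constants(code))
    print("compared against:", compare_targets(code))
```

The same idea scales to native code: a disassembler gives you the listing, the immediates and string references give you the candidates, and the comparison sites tell you which of them are actually checked.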
Dynamic Analysis
• Execute the program
• Inspect the program behaviour
• Use a debugger to understand the values of the
CPU registers, memory (stack, heap) and the
guessed arguments of function calls in a
specific state of execution
• It’s difficult to achieve if any anti-debugging
protections exist (some even crash IDA Pro)
Binary RE
https://github.com/RPISEC/MBE
Demo 1 - Dynamic analysis
https://goo.gl/XXoPCV
Cracking
• This demo was a very simple cracking scenario
• The real stuff involves a much more complex task
(static analysis, dynamic analysis, concolic
analysis)
• E.g. If you want to create a keygen you need to
understand the serial number validation algorithm
• You need to be a patching ninja to remove anti-cracking
protections (usually triggered at runtime)
Cracking
• In the good old times: to crack a game you just
needed to patch code to bypass PC-CDROM ID or
Integrity checks
• Reverse engineering is one of the main categories in
Security CTFs
• In CTFs, the contestants are typically challenged to
solve cracking problems
• The simplest case is just like the last demo: find the
correct input
Cracking
Advanced techniques
🤔
Cracking
Advanced techniques
• Timing attacks
• When a char is correct: one more cycle is executed, i.e.
more instructions
• It’s possible to launch a timing attack, char by char
• The attack complexity is reduced from to
• How can we prevent this kind of attack?
• Tools for local binary timing attacks: Pin tool, GDB scripts
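As an added example (not code from the talk), the leak described above next to its fix: a serial check that returns on the first wrong byte does one more loop iteration per correct leading byte, which is what a Pin tool or GDB script would count. The answer to "how can we prevent this" is a comparison whose work does not depend on the input. SECRET and the candidate values are constructed.

```python
# Added example (not from the talk): the naive serial comparison whose work
# grows with the matched prefix, next to a comparison that always does the same
# amount of work. SECRET and the candidates are constructed values.
import hmac

SECRET = b"PX-CAMP-2016"  # constructed 12-byte serial


def naive_check(candidate, secret=SECRET):
    """Early-exit comparison. Returns (accepted, bytes_compared).

    The second value stands in for the instruction count a Pin tool or GDB
    script would observe: one extra loop iteration per correct leading byte.
    """
    if len(candidate) != len(secret):
        return False, 0
    compared = 0
    for a, b in zip(candidate, secret):
        compared += 1
        if a != b:
            return False, compared   # leaks how many leading bytes matched
    return True, compared


def constant_time_check(candidate, secret=SECRET):
    """Walks every byte of the secret regardless of where the first mismatch is.

    Differences are accumulated with OR instead of branching, so the number of
    iterations (and the executed instruction stream) no longer depends on the
    candidate. The length mismatch is folded into the result the same way.
    """
    padded = candidate[:len(secret)].ljust(len(secret), b"\0")
    diff = len(candidate) ^ len(secret)
    compared = 0
    for a, b in zip(padded, secret):
        compared += 1
        diff |= a ^ b
    return diff == 0, compared


def stdlib_check(candidate, secret=SECRET):
    """What production code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(candidate, secret)


if __name__ == "__main__":
    for cand in (b"XX-XXXXXXXXX", b"PX-XXXXXXXXX", b"PX-CAMP-2016"):
        print(cand, naive_check(cand), constant_time_check(cand), stdlib_check(cand))
```

The hand-written loop shows the shape of the fix (no data-dependent branch, no early return); in an interpreted language it is the control-flow shape that matters, and the actual guarantee should come from hmac.compare_digest or the equivalent in your platform's crypto library, not from a loop you wrote yourself.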
Cracking
Advanced techniques
• Solvers
• Serial number validation algorithms are usually composed
of complex verifications, whose components are the
values at certain indices of the serial number.
E.g.
• These verifications can be translated to systems of
equations, that can be easily solved by powerful tools like
Z3 Theorem Prover, Sage, Maple, Matlab
• Z3 supports both arithmetic and bitwise operators, and
custom functions as well.
Cracking
Advanced techniques - Z3
Python script | Solutions
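The slide's own Python script and its solutions are images that did not survive extraction. The following is an added example, not the talk's script: a constructed four-digit serial check whose rules mix arithmetic and bitwise operators, written once with plain Python operators so the same function both verifies a concrete serial and, fed Z3 bit-vectors, becomes the system of equations Z3 solves. If the z3-solver package is not installed it falls back to a bounded search over the same constraint function.

```python
# Added example (not the script shown in the talk): expressing a serial-number
# check as constraints and letting a solver find an accepted serial.
# The validation rules below are constructed for illustration.
import itertools

try:
    import z3  # pip install z3-solver
except ImportError:  # fall back to bounded search when Z3 is not installed
    z3 = None

SERIAL_LEN = 4  # constructed: four decimal digits, e.g. "0950"
DIGITS = set("0123456789")


def validation_constraints(d):
    """The checks the (hypothetical) binary performs on digits d[0..3].

    Written with plain Python operators so the same function works on
    concrete ints (to verify a serial) and on Z3 bit-vectors (to solve for one).
    """
    return [
        d[0] + d[1] == 9,        # arithmetic relation between two positions
        (d[2] ^ d[3]) == 5,      # bitwise relation
        d[0] * 2 == d[3],
        d[1] > d[2],
    ]


def verify_serial(serial):
    """Concrete check: what the original program does on a candidate serial."""
    if len(serial) != SERIAL_LEN or not set(serial) <= DIGITS:
        return False
    digits = [int(c) for c in serial]
    return all(validation_constraints(digits))


def solve_with_z3():
    """Symbolic check: ask Z3 for digits that satisfy every constraint."""
    d = [z3.BitVec(f"d{i}", 8) for i in range(SERIAL_LEN)]
    s = z3.Solver()
    for v in d:
        s.add(z3.And(v >= 0, v <= 9))   # keep each bit-vector a decimal digit
    s.add(*validation_constraints(d))
    if s.check() != z3.sat:
        return None
    m = s.model()
    return "".join(str(m[v].as_long()) for v in d)


def solve_by_search():
    """Bounded brute force using the same constraint function (10**4 candidates)."""
    for digits in itertools.product(range(10), repeat=SERIAL_LEN):
        if all(validation_constraints(list(digits))):
            return "".join(map(str, digits))
    return None


def find_serial():
    return solve_with_z3() if z3 is not None else solve_by_search()


if __name__ == "__main__":
    serial = find_serial()
    print("solver found:", serial, "accepted:", verify_serial(serial))
```

The brute-force fallback is only viable because the constructed domain is tiny; for a real serial format the search space is what makes a solver necessary, and the fact that the constraints came straight out of the validation routine is also why a check built only from such relations gives no real protection.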
What about the future?
Predicting the future using Naive Bayes
Let’s get to the powerful stuff
DARPA CGC
• A very important mark in the history of infosec
• It was the first-ever all-machine hacking
tournament
• These machines were able to automatically find
and patch vulnerabilities in binaries
• The Mechanical Phish project, from the Shellphish
team, was able to identify vulnerabilities using both
fuzzing and symbolic execution techniques.
DARPA CGC
Mechanical Phish - Driller
DARPA CGC
Mechanical Phish - ANGR
• ANGR is a very powerful binary analysis framework. It was
implemented mostly by the Shellphish team and is one of the main
components of Driller
• It’s one of the most recent open source technologies to perform
reversing/cracking tasks
• We can easily accomplish control-flow analysis, i.e., realize the damn
conditions that make the program reach a specific state of execution
• First, it translates the binary into the VEX Intermediate Representation,
then simulates the instructions in a simulation engine: SimuVEX
• Finally, it uses a custom Z3 wrapper called claripy: “an
abstracted constraint-solving wrapper”
Demo 2 - Angr
https://goo.gl/42T4mi
Ponce
IDA plugin contest - 2016
• Taint analysis: this mode is used to understand
and track where a user input occurs inside a
program
• Symbolic analysis: in this mode, the plugin
maintains a symbolic state of registers and
memory at each step in a binary’s execution
path, allowing the user to solve user-controlled
conditions to do manually guided execution
RGAT
An instruction trace visualisation tool
Useful links to fry your brain
(Over 1337 ºC)
• Chill
• https://github.com/RPISEC/MBE (lectures 2 and 3)
• Reddit
• https://reddit.com/r/reverseengineering
• https://reddit.com/r/netsec
• Practice
• http://reversing.kr
• https://ringzer0team.com
• http://crackmes.de
• https://ctftime.org (Read CTF writeups and try to solve some challenges)
• Play CTFs (Hackover CTF just started and HITCON CTF starts in 7 hours)
The end
Why secure my code… I’ll just hide it!
Security through obscurity