Reverse engineering is not just about uncovering the hidden behaviour of a given technology, system, program or device. It's actually an art and a mindset. Reversing is used by some government agencies, secret services, antivirus software companies, hackers and students. It can be used for many purposes: cracking/bypassing software, botnet analysis, finding 0day exploits, interpreting unknown protocols, understanding malware or finding bugs in apps.
3. Reverse Engineering
• Uncovering the hidden behaviour of a given
technology, system, program, protocol or device,
by analysing the structure and operation of its
components
• Extracting knowledge about any unknown
engineering invention
6. Reverse Engineering
History
• Reversing was used to copy inventions from other
countries or business competitors
• Frequently used in WW2 and the Cold War:
• Jerry can
• Panzerschreck
• Tupolev Tu-4 / B-29
7. Binary Reverse Engineering
Motivation
• Software and hardware cracking
• Malware analysis - botnets, spyware, ransomware
• Finding bugs and developing 0day exploits
• Creating or improving docs
• Interpreting unknown protocols
• Academic purposes
• Industrial or military espionage
• Software interoperability
8. Who knows how to do this stuff?
• Hackers in general
• Intelligence agencies / cybercrime divisions
• Antivirus companies
• Students and curious people
9. Binary Reverse Engineering
• It’s the process of getting knowledge about
compiled software, in order to understand how it
works and how it was originally implemented.
10. Binary Reverse Engineering
Without the source code???
11. Binary Reverse Engineering
WTF?
17. Debuggers
These programs are used to test
other programs.
Debuggers allow us to inspect
memory and CPU registers, modify
variables at runtime, set
breakpoints and call functions
outside the program flow.
In reverse engineering we usually
use them for dynamic analysis.
18. Decompilers
These programs try to achieve the
near-impossible task of translating
compiled software to the original
source code.
Sometimes, the generated code is
more than enough to perform
reversing tasks.
19. Patchers
A patcher is very useful for changing binary code in order to modify the
software behaviour. Hex editors can be used as patchers, but there are
better tools in the wild that allow us to patch assembly instructions.
22. Static Analysis
• Do not execute the program
• Read the spooky assembly/decompiled code
• Inspect flow charts
• Take lots of notes
• Translate procedures to the programming language of
your choice
• It’s a pain in the ass to reverse obfuscated or very
complex programs
23. Dynamic Analysis
• Execute the program
• Inspect the program behaviour
• Use a debugger to understand the values of the
CPU registers, memory (stack, heap) and the
guessed arguments for function calls in a
specific state of execution
• It’s difficult to achieve if any anti-debugging
protections exist (Some even crash IDA PRO)
27. Cracking
• This demo was a very simple cracking scenario
• The real stuff involves a much more complex task
(static analysis, dynamic analysis, concolic
analysis)
• E.g. If you want to create a keygen you need to
understand the serial number validation algorithm
• You need to be a patching ninja to remove anti-cracking
protections (usually triggered at runtime)
28. Cracking
• In the good old times: to crack a game you just
needed to patch code to bypass PC-CDROM ID or
Integrity checks
• Reverse engineering is one of the main categories in
Security CTFs
• In CTFs, the contestants are typically challenged to
solve cracking problems
• The simplest case is just like the last demo. Find the
correct input
30. Cracking
Advanced techniques
• Timing attacks
• When a char is correct: one more cycle is executed, i.e.
more instructions
• It’s possible to launch a timing attack, char by char
• The attack complexity is reduced from to
• How can we prevent this kind of attack?
• Tools for local binary timing attacks: Pin tool, GDB scripts
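Added example, not from the deck: the leak the slide describes and the constant-time comparison that answers its question, with a constructed secret and a loop-iteration counter standing in for the instruction count a Pin tool would report.

```python
"""Constructed demo for the timing-attack slide: a byte-by-byte serial check
leaks how many leading bytes are right; a constant-time check does not.
"steps" stands in for the instruction count a Pin tool or GDB script would
observe on the real binary."""
import hmac
from typing import Callable, Tuple

SECRET = b"s3cr3t-k3y"   # constructed secret the check compares against
Check = Callable[[bytes], Tuple[bool, int]]

def early_exit_check(candidate: bytes) -> Tuple[bool, int]:
    """Vulnerable pattern: return at the first wrong byte, so one extra loop
    iteration runs for every correct leading byte (the side channel)."""
    steps = 0
    if len(candidate) != len(SECRET):
        return False, steps
    for a, b in zip(candidate, SECRET):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def constant_time_check(candidate: bytes) -> Tuple[bool, int]:
    """Mitigation: touch every byte and OR the differences together, so the
    work no longer depends on where the first mismatch is. Real code should
    just call hmac.compare_digest; the loop is here to expose the count."""
    steps = 0
    diff = len(candidate) ^ len(SECRET)
    padded = candidate[:len(SECRET)].ljust(len(SECRET), b"\0")
    for a, b in zip(padded, SECRET):
        steps += 1
        diff |= a ^ b
    return (diff == 0 and hmac.compare_digest(candidate, SECRET)), steps

def leaks_secret(check: Check, alphabet: bytes = bytes(range(0x20, 0x7f))) -> bool:
    """Self-test a check the way the slide describes the attack: per position,
    keep the byte that costs the most steps (ties broken by a successful
    match). True means a step-counting observer recovers SECRET in
    len(SECRET) * len(alphabet) guesses instead of len(alphabet) ** len(SECRET)."""
    known = b""
    for pos in range(len(SECRET)):
        pad = b"\0" * (len(SECRET) - pos - 1)
        def cost(c: int) -> Tuple[int, bool]:
            ok, steps = check(known + bytes([c]) + pad)
            return steps, ok
        known += bytes([max(alphabet, key=cost)])
    return known == SECRET
```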
31. Cracking
Advanced techniques
• Solvers
• Serial number validation algorithms are usually composed
of complex verifications whose operands are the
values at certain indexes of the serial number.
E.g.
• These verifications can be translated to systems of
equations, that can be easily solved by powerful tools like
Z3 Theorem Prover, Sage, Maple, Matlab
• Z3 supports both arithmetic and bitwise operators, and
custom functions as well.
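Added example, not part of the deck: a constructed six-character serial check of the kind the slide describes, its verifications restated as constraints over serial positions, and a small backtracking search standing in for Z3 (which is the right tool once the constraints are written down).

```python
"""Constructed crackme check for the "Solvers" slide, plus a small backtracking
solver that treats each verification as a constraint over serial positions.
In practice you would hand these constraints to Z3; the search below is a
stdlib stand-in that shows the modelling step the slide describes."""
import string
from typing import Optional

ALPHABET = string.digits + string.ascii_uppercase   # assumed serial charset
LENGTH = 6

def validate(serial: str) -> bool:
    """The check as a reverser would recover it from the disassembly."""
    if len(serial) != LENGTH or any(c not in ALPHABET for c in serial):
        return False
    s = [ord(c) for c in serial]
    return (s[0] + s[1] == 0x8B            # sum of two positions
            and (s[2] ^ s[3]) == 0x0B      # xor of two positions
            and s[4] == s[0] + 4           # one position derived from another
            and s[5] - s[1] == 3
            and (s[0] * s[2]) % 7 == 1)    # modular product check

# Each verification restated as (indexes it reads, predicate over those values).
CONSTRAINTS = [
    ((0, 1), lambda a, b: a + b == 0x8B),
    ((2, 3), lambda a, b: (a ^ b) == 0x0B),
    ((0, 4), lambda a, b: b == a + 4),
    ((1, 5), lambda a, b: b - a == 3),
    ((0, 2), lambda a, b: (a * b) % 7 == 1),
]

def solve() -> Optional[str]:
    """Assign positions left to right; prune as soon as every index a
    constraint reads is bound and its predicate fails."""
    bound = {}

    def consistent() -> bool:
        return all(pred(*(bound[i] for i in idx))
                   for idx, pred in CONSTRAINTS
                   if all(i in bound for i in idx))

    def backtrack(pos: int) -> Optional[str]:
        if pos == LENGTH:
            return "".join(chr(bound[i]) for i in range(LENGTH))
        for c in ALPHABET:
            bound[pos] = ord(c)
            if consistent():
                found = backtrack(pos + 1)
                if found is not None:
                    return found
        del bound[pos]
        return None

    return backtrack(0)
```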
37. DARPA CGC
• A very important mark in the history of infosec
• It was the first-ever all-machine hacking
tournament
• These machines were able to automatically find
and patch vulnerabilities in binaries
• The Mechanical Phish project, from the Shellphish
team, was able to identify vulnerabilities using both
fuzzing and symbolic execution techniques.
39. DARPA CGC
Mechanical Phish - ANGR
• ANGR is a very powerful binary analysis framework. It was
implemented mostly by the Shellphish team and is one of the main
components of Driller
• It’s one of the most recent open source technologies to perform
reversing/cracking tasks
• We can easily accomplish control-flow analysis, i.e., realize the damn
conditions that make the program reach a specific state of execution
• First, it translates the binary into the VEX Intermediate Representation.
Then it simulates instructions in a simulation engine: SimuVEX
• Finally, it uses a custom Z3 wrapper called claripy: “an
abstracted constraint-solving wrapper”
41. Ponce
IDA plugin contest - 2016
• Taint analysis: this mode is used to understand
and track where a user input occurs inside a
program
• Symbolic analysis: in this mode, the plugin
maintains a symbolic state of registers and
memory at each step in a binary’s execution
path, allowing the user to solve user-controlled
conditions to do manually guided execution
44. Useful links to fry your brain
(Over 1337 ºC)
• Chill
• https://github.com/RPISEC/MBE (lectures 2 and 3)
• Reddit
• https://reddit.com/r/reverseengineering
• https://reddit.com/r/netsec
• Practice
• http://reversing.kr
• https://ringzer0team.com
• http://crackmes.de
• https://ctftime.org (Read CTF writeups and try to solve some challenges)
• Play CTFs (Hackover CTF just started and HITCON CTF starts in 7 hours)