A presentation about the glasgow university reversing club

1. Glasgow Reversing Club
 Are you an experienced reverser?
 Do you want to learn how to reverse?
 You even don't know what reversing is?
JOIN the Glasgow reversing club:
send an empty email to: revinkilt-subscribe@quebbyworld.com
 If you want to know more:
 A short introduction to reversing
 Club activities
 Subscribe to the mailing list
 About me

2. Reversing in brief
 Reverse Engineering is also known as RE or RCE
 RE: Reverse Engineering
 RCE: Reverse Code Engineering
 RE is the process of understanding an existing
product
 Malware analysis and security research often
involves RE
 The next step of RE is patching: modifying the
existing product
 Product: any software program or hardware
device

3. Uses of Reverse Engineering
 Malware analysis
 Security / vulnerability research
 Driver development
 Compatibility fixes
 Legacy application support

4. Legal use of REV
 Recovery of own lost source code
 Recovery of data from legacy formats
 Malware analysis and research
 Security and vulnerability research
 Copyright infringement investigations
 Finding out the contents of any database
you legally purchased

5. Illegal use of REV
 Illegal to reverse engineer and sell a
competing product
 Illegal to crack copy protections
 Illegal to distribute a crack/registration for
copyrighted software
 Illegal to gain unauthorized access to any
computer system
 Copyright protected software is off-limits
in most cases
 Spyware/Adware with companies behind
them are included

6. An easy example:
Banload Malware analisys
 Banload is a malware that was spreading on
Msn Messanger.
 Banload's main purpose: steal spanish bank
accounts and of course replicates!
 Reverse engineering it with a debugger
(OllyDbg) you discover that Banload:
 it's packed with UPX (binary compression)
 it deletes the icpldrvx.js from the system directory
 it downloads the real malware icpldrvx.exe
 set the registry key for autorun
 and then find existing msn opened windows and
inject malicious url to download the malware

7. Debugger snippet of code
Run time string decrypt Malware exe download by
URLMON.DLL!URLDownloadToFileA
Execute the malware process and set the
registry key for autorun

8. Club work in progress
 What we are doing now:
 setting up an online wiki to share reversing
tutorials
 setting up the forum
 register to the SRC (session is october)
 What has already done:
 server setup
 subdomain registration

9. Planned local activities
 Online articles and tutorials
 Live reversing tutorials
 Seminars hold by experts of the reversing
panorama (which I personally know)
 Antivirus companies (Symantec)
 Hacking Security Teams
 Reversing challenges (on the style of)
 hacking jeopardy
 hacker challenge

10. Social nerd activities
 Social activities are a must for a nerd
community
 lock 'a pick
 brew your beer
 multi player games
 hack your favourite console and show off
 example: I connected my wiimote to my lego nxt
via bluetooth (no really I did it ... )
 hack your favourite something and show off
 example: I connected my toaster online using a
webservice (I'm serious I did it ...)

11. European hack meetings
 The most important hack meetings in
Europe:
 Chaos Computer Club
 What the hack
 Moca
 Cebit
 And in USA:
 Defcon
 BlackHat

12. About epokh
 Has spent his life in reversing hardware devices
and software programs and enjoyed it (still ...).
 Grow in the top reverser community in europe:
quequero
 Member of one of the best c******g team on the
net for release statistics.
 Proud to be:
 the first java bytecode cracker (it's actually a bit
lame ....)
 the first skype filter logger (this is very lame )
 ... better to stop :-)