Reverse Engineering
AN INTRODUCTION TO REVERSE ENGINEERING, THE TOOLS AND
ASSEMBLY
Ali Mohamed
What is Reverse Engineering?
• When you take a final product (e.g. a compiled program) and attempt to break it down, understand what it’s doing, and possibly modify it for a new purpose.
• This involves the use of specialized tools such as debuggers and disassemblers
• Debuggers allow you to monitor things live as they happen
• Disassemblers attempt to analyze the program and show you what it looks like in assembly
Why would you need to reverse engineer something?
• When you have a program that you don’t have the source code for but want to find out how it does things
• Improving/modifying something you don’t have the source code for
• This may not be legal for every program out there, so exercise caution
We’ll be looking at reverse engineering
through “romhacking”
Why romhacking?
• It’s in a bit of a grey area; however, many hobbyists have written highly specialized and useful debuggers/emulators that can help one learn this process
• A game is a good way to break into reverse engineering (and by extension assembly)
• It’ll be easier to work with gameplay concepts as things we want to find/alter
Why does it have to be in assembly?
• There is no real way to convert something back from a compiled format to the original source code
• The best we can manage is turning it back into assembly
• Don’t be scared of assembly! It is daunting at first but it’s a good skill to have
High Level Language -> Compiler -> Executable File (Machine Code / Assembly)
The CPU
Registers – storage locations, values move around here
Processor Status/Flag Register – keeps track of flags that
are set during calculations
Program Counter – address of current instruction
Stack Pointer – keeps track of call stack
Assembly Basics
A very basic example.
Basic operators:
add, sub, mul*, div*
mov (move):
copies value from source and puts it into the destination.
You will probably see this instruction a lot.
jmp (jump) and other conditional jumps:
used to hop to certain addresses
nop:
no operation (I believe it’s used for when you need to wait)
*older, simpler CPUs might not have those luxuries; you may have to do your multiplication/division through bit-shifting
I highly recommend keeping a reference document up while working on assembly to make it simpler.
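The bit-shifting footnote above, as an added example that is not part of the slides: shift-and-add multiplication and restoring (shift-and-subtract) division, written in Python in the same one-step-per-bit shape a routine for a CPU without MUL/DIV instructions takes. The operand widths (8-bit inputs, 16-bit results) are my assumption, chosen to match the LR35902's 8-bit registers and 16-bit register pairs.

```python
# Added example (not from the slides): multiply and divide the way a CPU with no
# MUL/DIV instruction has to, using only shifts, adds/subtracts and a bit test.
from typing import Tuple


def mul8_shift_add(a: int, b: int) -> int:
    """8-bit x 8-bit -> 16-bit product.  Each loop step looks at the lowest
    multiplier bit: if set, the (already shifted) multiplicand is added to the
    running product; then the multiplicand doubles and the multiplier is
    shifted right to expose the next bit.  Eight steps cover all eight bits."""
    a &= 0xFF
    b &= 0xFF
    product = 0
    for _ in range(8):
        if b & 1:                              # this multiplier bit is set
            product = (product + a) & 0xFFFF   # add the shifted multiplicand
        a <<= 1                                # multiplicand x2 for the next bit
        b >>= 1                                # consume one multiplier bit
    return product


def div16_by_8(n: int, d: int) -> Tuple[int, int]:
    """Restoring division, 16-bit dividend by 8-bit divisor -> (quotient, remainder).
    Bits of the dividend are shifted into the remainder from the top; whenever
    the divisor fits, it is subtracted and a 1 is shifted into the quotient."""
    if d == 0:
        raise ZeroDivisionError("divisor is zero")
    n &= 0xFFFF
    d &= 0xFF
    quotient = remainder = 0
    for i in range(15, -1, -1):
        remainder = (remainder << 1) | ((n >> i) & 1)   # bring down one bit
        quotient <<= 1
        if remainder >= d:                              # "does it fit?"
            remainder -= d
            quotient |= 1
    return quotient, remainder


def check_against_native() -> bool:
    """Cross-check the shift-and-add multiply against Python's own multiply for
    every 8-bit operand pair; returns True when all 65536 results agree."""
    return all(mul8_shift_add(a, b) == a * b for a in range(256) for b in range(256))


if __name__ == "__main__":
    print(mul8_shift_add(200, 3), div16_by_8(600, 7), check_against_native())
```

When you meet a loop like this in a disassembly (a counter of 8, a shift, a conditional add), it is almost always one of these routines; recognising the shape saves tracing it instruction by instruction.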
Basic approach to reverse engineering
Task we want to accomplish
-> hunt for relevant info (such as RAM addresses & values)
-> set breakpoints (freeze the CPU during a certain action)
-> slowly trace through instructions and attempt to figure things out
-> modify (test & check) OR document how it works
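As an added example (mine, not from the slides), here is the "hunt for relevant info" step done in software: snapshot an emulator's work RAM a few times while watching a value on screen, then filter addresses by the values seen (known-value search) or by whether they changed between snapshots (unknown-value search). The snapshots and the three addresses below are constructed for the demo; they are not the real Metroid II or Super Mario Land addresses.

```python
# Added example (not from the slides): finding a RAM address by differencing
# emulator memory snapshots.  All snapshots and addresses here are constructed.
from typing import Dict, List

RAM_BASE = 0xC000          # Game Boy work RAM occupies C000-DFFF
RAM_SIZE = 0x2000          # 8 KiB

# Constructed layout for the demo (NOT the addresses from any real game):
TIMER_ADDR = 0xD123        # the byte we are really looking for
FRAME_ADDR = 0xC000        # a counter that ticks every frame (changes constantly)
DECOY_ADDR = 0xC100        # a byte that happens to share the first value we see


def make_snapshot(overrides: Dict[int, int]) -> bytes:
    """Build a constructed RAM image: zeros plus a few chosen bytes."""
    ram = bytearray(RAM_SIZE)
    for addr, val in overrides.items():
        ram[addr - RAM_BASE] = val & 0xFF
    return bytes(ram)


def hunt_by_value(snapshots: List[bytes], seen: List[int]) -> List[int]:
    """Known-value search: keep only addresses whose byte equals the value the
    player saw on screen at the moment each snapshot was taken."""
    candidates = set(range(RAM_SIZE))
    for snap, value in zip(snapshots, seen):
        candidates = {i for i in candidates if snap[i] == value}
    return sorted(RAM_BASE + i for i in candidates)


def hunt_by_change(snapshots: List[bytes], changed: List[bool]) -> List[int]:
    """Unknown-value search: between consecutive snapshots keep addresses that
    changed exactly when the player did something and held still otherwise.
    The 'held still' steps are what weed out frame counters and RNG state."""
    candidates = set(range(RAM_SIZE))
    for prev, cur, expect_change in zip(snapshots, snapshots[1:], changed):
        candidates = {i for i in candidates if (prev[i] != cur[i]) == expect_change}
    return sorted(RAM_BASE + i for i in candidates)


# Four constructed snapshots: the timer goes 3 -> 2 -> (held) 2 -> 1, the frame
# counter ticks every time, and the decoy drifts on its own schedule.
SNAPSHOTS = [
    make_snapshot({TIMER_ADDR: 3, FRAME_ADDR: 10, DECOY_ADDR: 3}),
    make_snapshot({TIMER_ADDR: 2, FRAME_ADDR: 11, DECOY_ADDR: 3}),
    make_snapshot({TIMER_ADDR: 2, FRAME_ADDR: 12, DECOY_ADDR: 2}),
    make_snapshot({TIMER_ADDR: 1, FRAME_ADDR: 13, DECOY_ADDR: 2}),
]


def demo() -> Dict[str, List[int]]:
    """Run both searches, plus a naive change-only search for comparison."""
    return {
        "by_value": hunt_by_value(SNAPSHOTS, [3, 2, 2, 1]),
        "by_change": hunt_by_change(SNAPSHOTS, [True, False, True]),
        # drop the 'nothing happened' snapshot: the frame counter now survives
        "naive": hunt_by_change(SNAPSHOTS[:2] + SNAPSHOTS[3:], [True, True]),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, [f"{addr:04X}" for addr in hits])
```

The "held still" snapshot is the caveat that matters: anything that ticks every frame (frame counters, RNG state) changes on every action too, so a search that only asks "did it change?" keeps it, as the naive result shows. Once a single address survives, that is where the breakpoint in the next step goes.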
Our Target: The GameBoy
THE SPECS
CPU: SHARP LR35902 @ 4.19 MHz
DISPLAY: 2.6” LCD
RESOLUTION: 160x144 px
MEDIA: ROM CARTRIDGES
A Gameboy cartridge PCB.
Metroid II
Changing bomb timers
DDX0 – Bomb State, DDX1 – Bomb Timer
After searching we find that setting the timer is quite simple.
This one (thankfully) was quite simple and very easy to modify.
Super Mario Land
How does the score update?
Score is stored at RAM values C0A0 – C0A2
After a lot of searching, we stumble upon this routine.
Basically HL points to the location in RAM, the point value is loaded from register D, then moved to register A, and the score is tabulated and stored back to the target RAM location.
Things to remember:
- Assembly can be a valuable asset. It’s quite confusing at first, but debugging a program (whether or not you have source code access) is an invaluable tool for fixing problems!
- Reverse engineering is a challenging process, but you’ll learn quite a lot about a program and the architecture it’s designed for
- Don’t ever be afraid to dive into assembly. It may look scary, but given enough time you can figure things out and will learn a lot of useful info
STUXNET
Background
• Spread on Microsoft Windows
• Developed June 2009
• Spreading began late 2009/early 2010
• Discovered in July 2010
o Microsoft out-of-band patch released August 2010 - .lnk exploit
o More patches with the September 'Patch Tuesday' - print spooler exploit
• Around half a megabyte
• C, C++, and other object-oriented languages
What the news says it was
• Iranian centrifuge destroyer!
o Its one goal was to destroy the Iranian nuclear program
• Developed by the United States and Israel
• Contributed to the Gulf oil leak
• 'Mission: Impossible'-like virus
• It will kill your unborn children
o Assuming they are born in a hospital using PLC machines
What it really was
• Malware that spread on networks to infect systems running WinCC and PCS 7 SCADA
• Took advantage of the fact that PLCs are usually unsecured
o They are behind firewalls and run by other computers that ARE secured
• Once inside, had the ability to reprogram PLC controlling machinery
o Gave the possibility of altering how machinery being controlled will run
*PLC: Programmable Logic Controller
How it did it
• USB drive for initial infection, then spread on network
• .lnk file exploit
o As soon as the shortcut is displayed, exploit is run
• Windows vulnerabilities
o EoP
▪ Task scheduler
o MS08-067 (Conficker) - Already patched!!!! (but not on these systems)
o Printspooler exploit
o Used at least 4 previously undiscovered vulnerabilities
• Searched for WinCC and PCS 7 SCADA management programs
o Tried default Siemens passwords to gain access
o If access is granted, PLC software could be reprogrammed
• Used stolen signed digital certificates
o looked like genuine software to antivirus scanners
*EoP: Elevation of Privileges
How it did it (cont.)
• Installed an RPC server
• Self-updating
o Machines check on other machines running Stuxnet and do a version check
o Newer versions automatically push their version onto the other machines
o Older versions automatically request newer version to be pushed
▪ If central server goes down, updates still spread
*RPC: Remote Procedure Call
What a story! I mean theory...
"As the story goes, the Stuxnet worm was designed and released by a government--the U.S.
and Israel are the most common suspects--specifically to attack the Bushehr nuclear power
plant in Iran. How could anyone not report that? It combines computer attacks, nuclear
power, spy agencies and a country that's a pariah to much of the world. The only problem
with the story is that it's almost entirely speculation." - Bruce Schneier
What we "know" it does:
• Infects windows
• Looks for Siemens SIMATIC WinCC/Step 7 controller software
• Reads and changes bits in the PLC
• Spreads through network/USB
• Various updating mechanisms
What a story! I mean theory...
The media focuses on these types of quotes:
• The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched
vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it
apart believe it may be the work of state-backed professionals.
• "I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.
In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and
those of dozens of other major companies, were child's play.
• But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber
security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is
essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy
one real-world target of high importance – a target still unknown.
What a story! I mean theory...
Once you pop you just can't stop:
• The word "myrtus" appears in the worm:
o an artifact that the compiler left, possibly by accident.
o refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
• Sets a registry value of "19790509":
o a date
o refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.
• The hex 0xDEADF007 appears in the worm:
o Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure.
o "This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown."
What a story! I mean theory...
These markers COULD:
• Point to Israel as the author.
• Point to being deliberately planted by someone who wanted to frame Israel
• Point to being deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel.
When do you stop?
• Deepwater Horizon did have some Siemens PLC systems on it!
• Did stuxnet contribute to the Gulf of Mexico oil spill?!?!
Stuxnet's Authors:
• extremely careful to not leave any traces
What a story! I mean theory...
• We don't know who wrote Stuxnet.
o Government
o Individual
o Research Group
• We don't know why.
o Criminal worm to demonstrate capability
o Research efforts
o Social/Political
• We don't know what the target is, or if Stuxnet reached it.
o control alarm systems
o access controls on doors
o motors
o conveyor belts
o pumps
o chemical plants
o oil refineries
o pipelines
o nuclear power plants!?!?!
What a story! I mean theory...
Stuxnet is sophisticated.
It is fun to speculate its purposes.
But we do not know the author's true intentions.
Questions?
Sources
http://www.networkworld.com/news/2010/091610-is-stuxnet-the-best-malware.html?page=2
http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm
http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems
http://www.symantec.com/connect/blogs/stuxnet-p2p-component
http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx
http://www.internetnews.com/security/article.php/3903541/Patch+Tuesday+Fixes+Another+Stuxnet+Vulnerability.htm
http://www.abc.net.au/science/articles/2011/11/01/3353334.htm
http://www.schneier.com/blog/archives/2010/10/stuxnet.html
http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html
http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/
THE END!

Contenu connexe

Similaire à Reverse Engineering Presentation.pdf

A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
HKUST Security Lab Opening Ceremony
HKUST Security Lab Opening CeremonyHKUST Security Lab Opening Ceremony
HKUST Security Lab Opening CeremonyKelvin Chan
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022MichaelM85042
 
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not knowOWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not knowOWASP
 
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...CODE BLUE
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgSam Bowne
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgSam Bowne
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
CNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgCNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgSam Bowne
 

Similaire à Reverse Engineering Presentation.pdf (20)

A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Un) fucking forensics
Un) fucking forensicsUn) fucking forensics
Un) fucking forensics
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
HKUST Security Lab Opening Ceremony
HKUST Security Lab Opening CeremonyHKUST Security Lab Opening Ceremony
HKUST Security Lab Opening Ceremony
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
 
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not knowOWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know
OWASP Poland Day 2018 - Jakub Botwicz - AFL that you do not know
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbg
 
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
 
CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbg
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
CNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgCNIT 126 9: OllyDbg
CNIT 126 9: OllyDbg
 

Dernier

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 

Dernier (20)

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 

Reverse Engineering Presentation.pdf

  • 1. Reverse Engineering AN INTRODUCTION TO REVERSE ENGINEERING, THE TOOLS AND ASSEMBLY Ali Mohamed
  • 2. What is Reverse Engineering? • When you take a final product (e.g. a compiled program) and attempt to break it down and understand what it’s doing, and possibly modifying it for a new purpose. • This involves the use of specialized tools such as debuggers and disassemblers • Debuggers allow you monitor things live as they happen • Disassemblers attempt to analyze the program and show you what it looks like in assembly
  • 3. Why would you need to reverse engineer something? • When you have a program that you don’t have the source code for but what to find out how it does things • Improving/modifying something you don’t have the source code for • This may not be legal for every program out there, so exercise it with caution
  • 4. We’ll be looking at reverse engineering through “romhacking”
  • 5. Why romhacking? • It’s in a bit of a grey area, however, many hobbyists have written highly specialized and useful debuggers/emulators that can help one learn this process • A game is a good way to break into reverse engineering (and by extension assembly) • It’ll be easier to work with gameplay concepts as things we want to find/alter
  • 6. Why does it have to be in assembly? • There is no real way to convert something back from a compiled format to the original source code • The best we can manage is turning it back into assembly • Don’t be scared of assembly! It is daunting at first but it’s a good skill to have High Level Language Compiler Executable File (Machine Code /Assembly)
  • 7. The CPU Registers – storage locations, values move around here Processor Status/Flag Register – keeps track of flags that are set during calculations Program Counter – address of current instruction Stack Pointer – keeps track of call stack
  • 8. Assembly Basics A very basic example. Basic operators: add, sub, mul*, div* mov (move): copies value from source and puts it into the destination. You will probably see this instruction a lot. jmp (jump) and other conditional jumps: used to hop to certain addresses nop: no operation (I believe it’s used for when you need to wait) *older, simpler CPUs might not have those luxuries, you may have to do your multiplication/division through bit-shifting I highly recommend keeping a reference document up while working on assembly to make it simpler.
  • 9. Basic approach to reverse engineering Task we want to accomplish -> hunt for relevant info (such as RAM addresses & values) -> set breakpoints (freeze CPU during a certain action) -> slowly trace through instructions and attempting to figure things out -> modify (test & check) OR document how it works
  • 10. Our Target: The GameBoy THE SPECS CPU : SHARP LR35902 @ 4.19 MHZ DISPLAY: 2.6” LCD RESOLUTION: 160X144PX MEDIA: ROM CARTRIDGES A Gameboy cartridge PCB.
  • 11. Metroid II Changing bomb timers DDX0 – Bomb State, DDX1 – Bomb Timer
  • 12. After searching we find that setting the timer is quite simple.
  • 13. This one (thankfully) was quite simple and very easy to modify.
  • 14. Super Mario Land How does the score update? Score is stored at RAM values C0A0 – C0A2
  • 15. After a lot of searching, we stumble upon this routine.
  • 16. Basically HL points to location in ram, point value is loaded from register D, then moved to register A, and score is tabulated and stored back to target RAM Location.
  • 17. Things to remember: - Assembly can be a valuable asset, it’s quite confusing at first but debugging a program (that you have source code access to or not) is an invaluable tool for fixing problems! - Reverse Engineering is a challenging process but you’ll learn quite a lot about a program and the architecture it’s designed for - Don’t ever be afraid to dive into assembly, it may look scary but given enough time you can figure things out and will learn a lot of useful info
  • 19.
  • 20. Background • Spread on Microsoft Windows • Developed June 2009 • Spreading began late 2009/early 2010 • Discovered in July 2010 o Microsoft out-of-band patch released August 2010 - .lnk exploit o More patches with the September 'Patch Tuesday' - print spooler exploit • Around half a megabyte • C, C++, and other object oriented languages
  • 21. What the news says it was • Iranian centrifuge destroyer! o It's one goal was to destroy the Iranian nuclear program • Developed by the United States and Israel • Contributed to the Gulf oil leak • 'Mission: Impossible'-like virus • It will kill your unborn children o Assuming they are born in a hospital using PLC machines
  • 22. What it really was
    • Malware that spread on networks to infect systems running WinCC and PCS 7 SCADA
    • Took advantage of the fact that PLCs are usually unsecured
      o They are behind firewalls and run by other computers that ARE secured
    • Once inside, had the ability to reprogram PLC controlling machinery
      o Gave the possibility of altering how machinery being controlled will run
    *PLC: Programmable Logic Controller
  • 23. How it did it
    • USB drive for initial infection, then spread on network
    • .lnk file exploit
      o As soon as the shortcut is displayed, the exploit is run
    • Windows vulnerabilities
      o EoP
        ▪ Task scheduler
      o MS08-067 (Conficker) - Already patched!!!! (but not on these systems)
      o Print spooler exploit
      o Used at least 4 previously undiscovered vulnerabilities
    • Searched for WinCC and PCS 7 SCADA management programs
      o Tried default Siemens passwords to gain access
      o If access is granted, PLC software could be reprogrammed
    • Used stolen signed digital certificates
      o Looked like genuine software to antivirus scanners
    *EoP: Elevation of Privileges
  • 24. How it did it (cont.)
    • Installed an RPC server
    • Self-updating
      o Machines check on other machines running Stuxnet and do a version check
      o Newer versions automatically push their version onto the other machines
      o Older versions automatically request the newer version to be pushed
        ▪ If the central server goes down, updates still spread
    *RPC: Remote Procedure Call
  • 25. What a story! I mean theory...
    "As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation." - Bruce Schneier
    What we "know" it does:
    • Infects Windows
    • Looks for Siemens SIMATIC WinCC/Step 7 controller software
    • Reads and changes bits in the PLC
    • Spreads through network/USB
    • Various updating mechanisms
  • 26. What a story! I mean theory...
    The media focuses on these types of quotes:
    • The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
    • "I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and those of dozens of other major companies, were child's play.
    • But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.
  • 27. What a story! I mean theory...
    Once you pop you just can't stop:
    • The word "myrtus" appears in the worm:
      o an artifact that the compiler left, possibly by accident.
      o refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
    • Sets a registry value of "19790509":
      o a date
      o refers to the date Persian Jew Habib Elghanian was executed in Tehran for spying for Israel.
    • The hex 0xDEADF007 appears in the worm:
      o Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure.
      o "This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown."
  • 28. What a story! I mean theory...
    These markers COULD:
    • Point to Israel as the author.
    • Point to being deliberately planted by someone who wanted to frame Israel.
    • Point to being deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel.
    When do you stop?
    • Deepwater Horizon did have some Siemens PLC systems on it!
    • Did Stuxnet contribute to the Gulf of Mexico oil spill?!?!
    Stuxnet's authors:
    • extremely careful not to leave any traces
  • 29. What a story! I mean theory...
    • We don't know who wrote Stuxnet.
      o Government
      o Individual
      o Research group
    • We don't know why.
      o Criminal worm to demonstrate capability
      o Research efforts
      o Social/Political
    • We don't know what the target is, or if Stuxnet reached it.
      o control alarm systems
      o access controls on doors
      o motors
      o conveyor belts
      o pumps
      o chemical plants
      o oil refineries
      o pipelines
      o nuclear power plants!?!?!
  • 30. What a story! I mean theory...
    Stuxnet is sophisticated. It is fun to speculate about its purposes. But we do not know the authors' true intentions.