Reversing 101 - Gazi Üniversitesi

1. Reverse
Engineering 101
Yasin SÜRER
http://twitter.com/yasinsurer

2. Jargon
A zero-day(or zero-hour or day zero) attack or threat is an attack that exploits a
previously unknown vulnerability in a computer application.
An exploit is a piece of software, a chunk of data, or sequence of commands that takes
advantage of a bug
A shellcode is a small piece of code used as the payload in the exploitation of a software
vulnerability
A rootkit is a stealthy type of software, often malicious, designed to hide the existence
of certain processes or programs from normal methods of detection and enable
continued privileged access to a computer.

3. Attacker Mindset
Vulnerability Research
Find the vulnerability, and developing weaponized-exploits.
Exploit Development
Zero-day attack uses advanced-exploitationtechnique
Understanding undocumented system functions
malware authors; Rootkit, worm, keylogger, spyware etc.

4. Defensive Perspective
Patch and Vulnerability Analysis
Developing signatures against zero-day threats for IDS/IPS appliance
Binary Code Analysis
Finding new zero-day vulnerabilities to take advantage on defensive
perspective
Advanced Exploit Development
Penetration Test and Vulnerability assesment.
Malware Analysis
Anti-Virus, Anti-Spyware and Digital Forensics companies

5. Real-World Crime Example
May 2008 in New York for the Dave & Busters case
May 2008 in Massachusetts for the TJ Maxx case
August 2009 in New Jersey in connection with the Heartland
Payment case.

7. State-Sponsored Attack Example
The group obtained a sponsor who paid them 2000 RMB ($325)
per month
Their sponsor is likely the People's Liberation Army (PLA)
Tan Dailin attacks on US Department of Defense in May and
June 2006
GinWui Rootkit (Manipulate Service, Start and Kill Process etc.)
iDefense says,35 zero-day Microsoft Office Exploit

8. State-Sponsored Attack Example

9. Advanced Persistent Threat

10. ‘’We do not call those types of threats as Advanced Persistent
Threat since they use widely known, old-school tactics’’
Microsoft

11. US Department of Defense
Offensive Contractors

23. Reverse Engineering

24. What is Reverse Engineering ?
Static Analysis or Reversing
Static program analysis is the analysis of computer software that is
performed without actually executing programs
Dynamic Analysis or Reversing
Dynamic program analysis is the analysis of computer softwarethat is
performed by executing programs on a real or virtual processor.

25. x86 Architecture & Assembly

26. Arithmetic Instructions
mov eax, 5 ; eax=5
mov ebx, 3 ; ebx=3
add eax, ebx ; eax = eax + ebx
sub ebx, 2 ; ebx = ebx -2

27. Accessing Memory
cmp eax, 2 ; compare eax with 2
je label ; if(eax == 2)
ja label ; if(eax > 2)
jb label ; if(eax < 2)
jbe label ; if(eax <= 2)
jne label ; if(eax != 2)
jmp label ; jump label

28. Function Calls
call function ; store return addr on the stack
; and jump to function!
func:
push esi ; save esi
…
pop esi ; restore esi
ret ; read return addr from the stack
; and jump to it.

29. Modern Compiler
Native Language
Intermediate Representation
Low-level Intermediate representation
x86 Assembly

30. Binary Reverse Engineering
How the compiler works and to translate it into machine code
Understanding operating system structures
Understanding executable (PE/ELF) file formats
We need to think like the compiler, but in reverse!

31. Toolbag

32. Reverser Toolbag (1)
IDA Disassembler from Hex-Rays
IDA is a disassembler for computer software which generates assembly
language source code from machine-executable code
OllyDbg is Free Debugger
OllyDbg is an x86 debugger that emphasizes binary code
analysis, which is useful when source code is not available
Windbg from Microsoft
It can be used to debug user mode applications, drivers, and the
operating system itself in kernel mode.

33. Reverser Toolbag (2)
Virtual Machines (Virtualbox, VMWare, Hyper-V)
A virtual machine (VM) is a software implemented abstraction of the
underlying hardware, which is presented to the application layer of the
system.
Packet Sniffers (Wireshark, tcpdump)
The sniffer captures packets, if needed, decodes the packet's raw
data, showing the values of various fields in the packet
Sysinternals Suite
technical resources and utilities to manage, diagnose, troubleshoot, and monitor
a Microsoft Windows environment.

34. PEiD

35. IDA Pro

36. IDA Pro (2)

37. IDA Pro (3)

38. IDA Pro (4)

39. OllyDbg

40. OllyDbg (2)

41. Windbg

42. Windbg (2)

43. Intro to Windbg
• r: display current register content
• t: trace-step (until call)
• pt: single-step (until-ret)
• g: process run (go!)
• .hh: help command. (for example .hh t)
• lm: list modules

44. Sysinternal: Process Explorer

45. Sysinternal: Process Monitor

46. Sysinternal: Autoruns

47. ImpREC

48. LordPE

49. Anti-Reverse Engineering
Anti-Debugging, the implementation of one or more techniques within
computer code that ‘’hinders attempts’’ at reverse engineering or debugging a
target process
Anti-Dumping, describes the process of taking an executable that has been
protected and after the executable has been decrypted into memory
Code obfuscation is the deliberate act of creating obfuscated code, i.e. source
or machine code that is difficult for humans to understand.
Executable compression is any means of compressing an executable
file and combining the compressed data with decompression code into
a single executable

50. Executable Compression
(Packed Executables)

51. Packed Executable

52. Packed Executable

53. Packed Executable

54. Packed Executable

55. Packed Executable

56. Anti-Debugging

57. Anti-Debugging

58. Anti-Debugging

59. Anti-Debugging

60. Anti-Debugging

61. Anti-Debugging

62. FATMAL
(Real-World Example)

63. FATMAL

64. Loader

65. Loader

66. Payload
InstallBot()

67. Payload

68. Payload

69. Payload

70. Payload

71. Payload

72. Who could be behind the FATMAL
attack?

75. Memory Analysis
- Sality -

76. Memory Analysis

77. Memory Analysis

78. Memory Analysis

79. Memory Analysis

80. Memory Analysis

81. Resources

83. Analysis of Mobile Threats

84. Mobile Market
49%
19%
13%
11%
5%
3%
Android
iPhone
BlackBerry
Windows Phone
Symbian
Other

85. Mobile Threats
79
19
0.30.70.30.7
Android
Symbian
Windows Mobile
iPhone
BlackBerry
J2ME

86. Mobile Threats
66.1
0.71
2.7
0.3
5.6
7
11.2
3.7 0
Trojan
Downloader
Spy
Adware
Backdoor
Hacktool
Monitoring
Riskware
Spyware
Application

87. Android
Android is a Linux-based operating system, runs on custom Linux.
Google I/O statshot, 900 million Android devices activated
Google play hits 600.000 application, 20 billion total installs.
Manufacturers; Samsung, HTC, Asus, Amazon, Sony, Toshiba, Acer…

88. Android Apps
Android Market
APK/ZIP
Metadata (manifest, images)
Dex File (classes.dex)

89. Android Architecture

90. Geinimi

91. Geinimi

92. Geinimi

93. Geinimi

94. Geinimi

95. Geinimi

96. Geinimi

97. 5 years of silence…

98. The ProGuard tool shrinks, optimizes, and obfuscates your code by removing
unused code and renaming classes, fields, and methods with semantically obscure
names.
DexGuardis our specialized optimizer and obfuscator for Android. Create apps that
are faster, more compact, and more difficult to crack.

99. Obfuscation

100. Obfuscation

101. Obfuscation

102. Modifying The bytecode

103. Android Application
Dalvik VM!
Activity Thread
Zygote
Activity Manager
Launcher

104. Modifying the byte-code
JNI
Native
Code
Dalvik
bytecode
Modified!

105. Processor

107. so what…

108. Malware writers is getting ready to implement x86 techniques for
Android.

109. Questions…