Reverse engineering basics
Mg.sc.comp. Kirils Solovjovs, @KirilsSolovjovs on twitter
http://kirils.org for more
Possible Security
Reverse engineering? (image source: www.indiamart.com)
Contents
● Hardware architecture
● Processors and machine language
● Engineering: Creating a program binary
● Reverse engineering:
  – Static analysis
  – Binary debugging
Kirils Solovjovs, 10/07/2018 Reverse engineering basics 3/25 possiblesecurity.com
Hardware architecture
Theory. Turing machine
ENIAC, 1945
● Turing complete
● General purpose
● “Reprogrammable”
  – Physical rewiring required
  – Takes weeks
The two common hardware architectures
Von Neumann arch
● “Stored program” concept
● CPU = CU + ALU
● Joint MU
● I/O
● Most modern systems
Harvard arch
● Separate CU and ALU
● Separate memories
  – Instructions
  – Data
● Allows memories to have different attributes
● Improved speed
● DSPs, some microcontrollers
[Diagram: control unit and ALU connected to a separate instruction memory and data memory, plus I/O]
Machine code
● A list of machine language instructions to be directly executed by a CPU.
● Each instruction is a small specific task:
  – Data operations
  – Arithmetic and logic operations
  – Control flow operations
● Different ISAs (Instruction set architectures):
  – 8086, ARM, MIPS, VAX, ...
Instruction
MIPS32 Add Immediate Instruction:
  001000  | 00001  | 00010  | 0000000101011110
  OP Code | Addr 1 | Addr 2 | Immediate value
Equivalent mnemonic: addi $r1, $r2, 350
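To make the field layout concrete, here is an added encoder/decoder for MIPS32 I-type instruction words (example code, not from the slides) that reproduces the addi example above and also round-trips negative immediates, which addi sign-extends. The mnemonic it prints lists the register fields in the slide's order (rs, then rt); standard MIPS assembler syntax writes addi rt, rs, imm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a MIPS32 I-type word: op(6) rs(5) rt(5) imm(16). */
typedef struct {
    unsigned op, rs, rt;
    int16_t imm;            /* addi's immediate is sign-extended */
} itype_t;

#define OP_ADDI 0x08u       /* 001000 on the slide */

/* Pack the fields into a 32-bit instruction word. */
uint32_t mips_encode_itype(unsigned op, unsigned rs, unsigned rt, int16_t imm) {
    return ((uint32_t)(op & 0x3fu) << 26) | ((uint32_t)(rs & 0x1fu) << 21) |
           ((uint32_t)(rt & 0x1fu) << 16) | ((uint32_t)imm & 0xffffu);
}

/* Split a 32-bit word back into its fields. */
itype_t mips_decode_itype(uint32_t word) {
    itype_t d;
    d.op  = (word >> 26) & 0x3fu;
    d.rs  = (word >> 21) & 0x1fu;
    d.rt  = (word >> 16) & 0x1fu;
    d.imm = (int16_t)(word & 0xffffu);   /* keeps the sign bit */
    return d;
}

/* Parse the slide's bit string ("001000 00001 ..."); spaces are ignored. */
uint32_t mips_word_from_bits(const char *bits) {
    uint32_t w = 0;
    for (; *bits; bits++)
        if (*bits == '0' || *bits == '1') w = (w << 1) | (uint32_t)(*bits - '0');
    return w;
}

/* Render addi in the slide's field order; anything else is reported as unknown. */
void mips_format_itype(uint32_t word, char *out, size_t n) {
    itype_t d = mips_decode_itype(word);
    if (d.op == OP_ADDI) snprintf(out, n, "addi $r%u, $r%u, %d", d.rs, d.rt, d.imm);
    else snprintf(out, n, "unknown op 0x%02x", d.op);
}

/* 1 if the word decodes to the given fields, else 0 (handy for checks). */
int mips_decodes_to(uint32_t word, unsigned op, unsigned rs, unsigned rt, int imm) {
    itype_t d = mips_decode_itype(word);
    return d.op == op && d.rs == rs && d.rt == rt && d.imm == imm;
}

/* 1 if the formatted mnemonic equals the expected string, else 0. */
int mips_format_matches(uint32_t word, const char *expected) {
    char buf[48];
    mips_format_itype(word, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```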
x86 opcodes
Note: virtual address space
● Each 32-bit program “sees” 4GiB of virtual address space available to them.
● Virtual addresses are the same for every instance of a process (* before ASLR)
[Diagram: virtual address space 0x00000000–0x7fffffff (text at 0x00010000, data at 0x10000000, stack below 0x7fffffff) mapped onto physical address space 0x00000000–0x00ffffff; legend: page belonging to process / page not belonging to process]
Stack and heap
● Where are variables stored then?
  – Stack and heap
● Heap: for dynamic allocation, random access
● Stack: for static memory allocation
Creating a program binary
Overview: gcc example
● .c, .h – human readable C
● .s – human readable assembly
● .o – binary object code (relocatable object code)
● a.out – directly executable machine code
DEMO: gcc example
● Compile: gcc -S file.c -o file.s
● Assemble (& optimize): gcc -c file.s -o file.o
● Link: gcc file.o -o file
Reverse engineering
Full cycle
DEMO: Static analysis of password
● strings
● r2 password
  – pdf @ main
DEMO: Static analysis of Android APK
● binwalk
● dex2jar + jd-gui
DEMO: Binary debugging of test42
● gdb test42
  – info files
  – b *main (if not stripped)
  – start
  – info registers
  – x/i $pc
DEMO: Firmware reverse engineering
● Real life example
  – mt
Overview of tools
● gdb
● otool
● Capstone
● PE Explorer
● radare2
● binwalk
● IDA-Pro & Hex-Rays
● dex2jar & JD-GUI
● Binary Ninja
● Resource Hacker
● OllyDbg
Thanks!
Slides are available on http://kirils.org
Find me on twitter: @KirilsSolovjovs