TDOH 南區 WorkShop 2016 Reversing on Windows

aaaddress1 at The Declaration of Hacker (TDOH)

Reversing

On

WINDOWS


Who Am I


(aaaddress1, aka adr)

Reverse Engineering, Pwn C/C++, C#, x86, Node.js Blog: Adr.Horse, 30cm.tw Speaker HITCON 2015

SITCON 2016

Besides Las Vegas 2016

TDOHxNTSTU Security Lecture

Reversing

Windows Pwn


MapleHack CrackShield Tower Of Savior Hack Adrs FB Isu.30cm.tw AIDS PykemonGo, MadPocket My Little Ransomware


introduction


C/C++


C/C++ break;


Trial https://goo.gl/ky7SsW

Slide https://goo.gl/HBLtkm

https://goo.gl/ky7SsWhttps://goo.gl/HBLtkm


Outline


Requirement IDA (Pro) OllyDbg Cheat Engine Windows7 x86 Dev C++


Windows PE & Process Have fun in PE structure Import Address Table (IAT) ImageBase & Find the entry


Assembly sizeof( variable ) eax, ebx, ecx, edx, etc add, sub, inc, dec xor Flag & Branch Loop x86 Calling Convention

Function Call

esp & ebp


Analyzer IDA (Pro)

PE, IAT, EAT

Strings List

Flow Chart

Function & Variable Anti-Trace

OllyDbg Create Process & Attach

Hook & Trace

Cheat Engine Create Process & Attach

Memory Scan for data

Hook & Trace


Bonus IDA Dynamic Analysis

Patch

Executable file patch

Dynamic Patch

Cheat Engine PE View

Assembly & Special


Portable Executable


Return 0 for what?


View Open subviews Proximity browser

IDA


IDA


IDA

The return value of main function is the Exit Status


IDA

PE Loader will find _start function from Exports Address Table (EAT)

View Open subviews Exports


Is it true? Nope, Not at all. It will take too much time to search.


Wiki


Wiki The head of PE file is DOS header, and that starts with sginature 0x5A4D


Wiki

Thats why its also called DOS-MZ


Wiki And (DOS Header + 0x3C) stores the offset of NT Header


Wiki This is the real header of PE


Wiki (NT Header + 0x028) stores the offset of

the first entry function that as known as start function.


Wiki (NT Header + 0x034) stores the offset

of the PE file loaded at where in memory e.g. 0x400000


CE

Right click Go to address Input main.exe You will find the main.exe loaded at 0x400000

MZ


CE

0x0000110b + 0x400000 = 0x40110b

Thats the same as the address in IDA


If you understand the whole PE structure, you can make a great PE packer :P


IMPORT ADDRESS TABLE


View Open subviews Imports

IDA IAT stores all API program calls


Double Click & Show the API detail at IAT

IDA


Strings List


View Open subviews Strings

IDA


IDA


Assembly:

Data


C Data Type


Program counter


Stack Pointer


Base Pointer


ByteByte ByteByte

EAX = 4Byte = int = long

Register Type


ByteByte ByteByte

AX = 2 Byte = Short

Register Type


ByteByte ByteByte

AH = 1 Byte = Char

Register Type


ByteByte ByteByte

AL = 1 Byte = Char

Register Type


Assembly:

Opcode


Nop (0x90) Nothing to do.


Mov dest,source dest = source

Mov dest, [source] source = value of dest


Add dest,source dest += source

Add dest, [source] dest += value of source


Sub dest, source dest -= source

Sub dest, [source] dest -= value of source


Inc dest dest ++

Inc [dest] (value of dest)++


Dec dest dest --

Dec [dest] (value of dest)--


Cmp [source], value //Compare *(long*)source with value

Je blockOne // Jump to blockOne if theyre equal

Jl blockTwo // Jump to blockTwo if [source] less than value

Jg blockThree // Jump to blockThree if [source] greater than value


Cmp [source], value //Compare *(long*)source with value

Jne blockOne // Jump to blockOne if theyre not equal

Jnl blockTwo // Jump to blockTwo if [source] not less than value

Jng blockThree // Jump to blockThree if [source] not greater than value


Test [source], value //Compare *(long*)source with value

Jz blockOne // Jump to blockOne if ([source] - value) is zero

Ja blockTwo // Jump to blockTwo if ([source] - value) is above zero

Jb blockThree // Jump to blockThree if ([source] - value) is below zero


Test v.s. Cmp Using Cmp & Jl/Je/Jg If source & dest are signed number

Using Test & Jb/Jz/Ja If source & dest are unsigned


Jmp near +0x200 EIP = EIP + 0x200


Jmp long 0x400000 EIP = 0x400000


Ret EIP = [ESP+0] & pop [ESP+0]


Ret 0x0C pop 0x0C bytes from stack,

i.e. ESP += 0x0C

EIP = [ESP+0] & pop [ESP+0]


Xor dest, source mov dest, A //0x41 xor dest, 0x20 //dest is a(0x61) now


Xor dest, source mov dest, a //0x61 xor dest, 0x20 //dest is A(0x41) now


0100 0001 A(0x41)0x200010 0000

Xor

a(0x61)0110 0001


Assembly:

Function Call


void Func()

{

int A = 0;

Int B = 1;

Int C = 2;

}

[EBP - 4] =0

[EBP - 8] =1

[EBP - C] =2

push EBP mov EBP,ESP sub ESP, LEN


void Func() {

nFunc(ARG1,ARG2,ARG3);

}

push ebb mov ebp,esp

.

. push arg3 push arg2 push arg1 call nFunc


[EBP+0 ] = Pointer to old EBP [EBP+4 ] = Return Address [EBP+8 ] = Parameter 1 [EBP+C] = Parameter 2 [EBP+10]= Parameter 3 etc


Assembly:

Calling Convention


StackESP + 0

ESP + 4

ESP + 8

ESP + C

ESP + 10

ESP + 14


StackESP + 0 Old EBP

ESP + 4

ESP + 8

ESP + C

ESP + 10

ESP + 14

_______EIP


StackEBP + 0

=ESP Old EBP

EBP + 4

EBP + 8

EBP + C

EBP + 10

EBP + 14

_______EIP


StackEBP - 8 =ESP Buffer

EBP - 4 Buffer

EBP + 0 Old EBP

EBP + 4

EBP + 8

EBP + C

_______EIP


StackEBP - 8 =ESP 1

EBP - 4 Buffer

EBP + 0 Buffer

EBP + 4 Old EBP

EBP + 8

EBP + C

_______EIP


StackEBP - 8 =ESP return Address

EBP - 4 1

EBP + 0 Buffer

EBP + 4 Buffer

EBP + 8 Old EBP

EBP + C

_______EIP



EBP - 4 1

EBP + 0 Buffer

EBP + 4 Buffer

EBP + 8 Old EBP

EBP + C


StackEBP - 8 =ESP Old EBP

EBP - 4 return Address

EBP + 0 1

EBP + 4 Buffer

EBP + 8 Buffer

EBP + C Old EBP

_______EIP


StackEBP + 0

=ESP Old EBP

EBP + 4 return Address

EBP + 8 1

EBP + C Buffer

EBP + 10 Buffer

EBP + 14 Old EBP

_______EIP



EBP - 4 1

EBP + 0 Buffer

EBP + 4 Buffer

EBP + 8 Old EBP

EBP + C

_______EIP


StackEBP - 8 =ESP 1

EBP - 4 Buffer

EBP + 0 Buffer

EBP + 4 Old EBP

EBP + 8

EBP + C

_______EIP


StackEBP - 4 =ESP Buffer

EBP + 0 Buffer

EBP + 4 Old EBP

EBP + 8

EBP + C

EBP + 10

_______EIP


x86 Disassembly

&

Calling Conventions


Its time to talk about each register meanings and their functions used for.


I collect the simple parts from wiki, and theyre real useful for reversing.

read more: x86 Disassembly/Calling Conventions

https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Conventions


CDECL


STDCALL


FASTCALL


C++ THISCALL


DEBUGGing


Debug:

Ollydbg


Debug:

Cheat Engine


Debug:

IDA Pro


Trial:

TDOH Hello World


Play the game & Find the flag :P


Game Time


IDA


Live Demo

IDA, CE, Olly


Generate Pseudocode(F5) of IDA Pro might lose something important in assembly for accessible reading.

Its important to use debugger and trace opcode of every step.

IDA


Trial:

Lucky Day


Game Time


TDOH{Debug_is_Fun!}


Live Demo

IDA, CE, Olly


Game Time


Live Demo

IDA, CE, Olly


GAME TIme

AIS3 2016 Final Binary 1


Game Time


Using Strings Window to figure out the format string of printf and double click for detail.


Click the xref and follow


Just check every char of the input is lower case


RC4 but a little diffrent. I will take this function into three parts for you understanding well.


If the result after RC4 cipher is the same as input, that will be the really key.


Live Demo

IDA, CE, Olly


Game TIme

99


I prepare the same one but patched.

If you can set bullet count to zero, the game will give you flag.


Game Time


Live Demo

IDA, CE, Olly


Game Time

CrackMe#1 [UBC] by bRaINbuSY


Game Time


We dont care those, that dont make any effect on the checking

Here is used for SEH ExceptionList but its not the point


We can make it simple like this.


We should figure how to get this value ( you can debug and get this without doubt, but its import to know how it works for creating a keygen)


Live Demo

IDA, CE, Olly


Q&A [email protected]

mailto:[email protected]

Education

TDOH 南區 WorkShop 2016 Reversing on Windows