aaaddress1 at The Declaration of Hacker (TDOH)
Reversing on Windows
Who Am I
(aaaddress1, aka adr)
Reverse Engineering, Pwn
C/C++, C#, x86, Node.js
Blog: Adr.Horse, 30cm.tw
Speaker: HITCON 2015
SITCON 2016
BSides Las Vegas 2016
TDOHxNTSTU Security Lecture
Reversing
Windows Pwn
MapleHack, CrackShield, Tower Of Savior Hack, Adr's FB, Isu.30cm.tw, AIDS, PykemonGo, MadPocket, My Little Ransomware
Introduction
C/C++
C/C++ break;
Trial: https://goo.gl/ky7SsW
Slide: https://goo.gl/HBLtkm
Outline
Requirements: IDA (Pro), OllyDbg, Cheat Engine, Windows 7 x86, Dev C++
Windows PE & Process: Have fun in the PE structure; Import Address Table (IAT); ImageBase & find the entry
Assembly: sizeof( variable ); eax, ebx, ecx, edx, etc.; add, sub, inc, dec; xor; Flag & Branch; Loop; x86 Calling Convention; Function Call; esp & ebp
Analyzer:
IDA (Pro): PE, IAT, EAT; Strings List; Flow Chart; Function & Variable; Anti-Trace
OllyDbg: Create Process & Attach; Hook & Trace
Cheat Engine: Create Process & Attach; Memory Scan for data; Hook & Trace
Bonus:
IDA Dynamic Analysis
Patch: Executable file patch; Dynamic Patch
Cheat Engine PE View
Assembly & Special
Portable Executable
Return 0 for what?
IDA: View > Open subviews > Proximity browser
IDA: The return value of the main function is the exit status.
IDA: The PE loader finds the _start function from the Export Address Table (EAT) (View > Open subviews > Exports).
Is it true? Nope, not at all. It would take too much time to search.
Wiki: The head of a PE file is the DOS header, which starts with the signature 0x5A4D.
Wiki: That's why it's also called DOS-MZ.
Wiki: And (DOS header + 0x3C) stores the offset of the NT header.
Wiki: This is the real header of the PE file.
Wiki: (NT header + 0x028) stores the offset of the first entry function, also known as the start function.
Wiki: (NT header + 0x034) stores the address at which the PE file is loaded in memory, e.g. 0x400000.
CE: Right click > Go to address > input main.exe. You will find main.exe loaded at 0x400000, starting with MZ.
CE: 0x0000110b + 0x400000 = 0x40110b. That's the same as the address in IDA.
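To tie the offsets above together, here is an added Python example (not part of the original slides): it builds a constructed, minimal 32-bit PE header, follows DOS header + 0x3C to the NT header, reads the entry offset at NT header + 0x28 and the load address at NT header + 0x34, and reproduces the 0x110b + 0x400000 = 0x40110b calculation. The field names e_lfanew, AddressOfEntryPoint and ImageBase are the Windows SDK names for these fields; the sample header values are made up.

```python
import struct

# Offsets from the slides: DOS header + 0x3C holds the NT header offset (e_lfanew),
# NT header + 0x28 holds AddressOfEntryPoint, NT header + 0x34 holds ImageBase (PE32).
E_LFANEW_OFFSET = 0x3C
ENTRY_POINT_OFFSET = 0x28
IMAGE_BASE_OFFSET = 0x34


def parse_pe_entry(data: bytes) -> dict:
    """Walk DOS header -> NT header and return where execution really starts.

    The loader does not search the EAT for _start; it reads AddressOfEntryPoint
    and adds ImageBase, which is exactly what the CE calculation on the slide does.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":  # 0x5A4D stored little-endian reads as "MZ"
        raise ValueError("not a DOS-MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # Bounds check before trusting a file-controlled offset; a packer or a corrupt
    # file can point e_lfanew anywhere.
    if e_lfanew + IMAGE_BASE_OFFSET + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("NT header missing or truncated")
    entry_rva = struct.unpack_from("<I", data, e_lfanew + ENTRY_POINT_OFFSET)[0]
    image_base = struct.unpack_from("<I", data, e_lfanew + IMAGE_BASE_OFFSET)[0]
    return {
        "e_lfanew": e_lfanew,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "entry_va": image_base + entry_rva,  # the address IDA shows for start
    }


def build_sample_header(e_lfanew=0x80, entry_rva=0x110B, image_base=0x400000) -> bytes:
    """Constructed sample: only the fields this page talks about are filled in."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    nt = bytearray(0xF8)  # Signature (4) + FileHeader (20) + PE32 OptionalHeader (224)
    nt[0:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 0x18, 0x10B)  # OptionalHeader.Magic for PE32
    struct.pack_into("<I", nt, ENTRY_POINT_OFFSET, entry_rva)
    struct.pack_into("<I", nt, IMAGE_BASE_OFFSET, image_base)
    return bytes(dos) + bytes(e_lfanew - len(dos)) + bytes(nt)


if __name__ == "__main__":
    info = parse_pe_entry(build_sample_header())
    print("entry VA = 0x%08X" % info["entry_va"])  # same value as the CE slide: 0x0040110B
```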
If you understand the whole PE structure, you can make a great PE packer :P
Import Address Table
IDA: View > Open subviews > Imports. The IAT stores all the APIs the program calls.
IDA: Double click to show the API detail in the IAT.
Strings List
IDA: View > Open subviews > Strings
Assembly: Data
C Data Type
Program counter
Stack Pointer
Base Pointer
Register Type (the four bytes of EAX):
EAX = 4 bytes = int = long
AX = 2 bytes = short (the low half of EAX)
AH = 1 byte = char (the high byte of AX)
AL = 1 byte = char (the low byte of AX)
Assembly: Opcode
Nop (0x90): nothing to do.
Mov dest, source dest = source
Mov dest, [source] dest = value of source (the memory source points to)
Add dest,source dest += source
Add dest, [source] dest += value of source
Sub dest, source dest -= source
Sub dest, [source] dest -= value of source
Inc dest dest ++
Inc [dest] (value of dest)++
Dec dest dest --
Dec [dest] (value of dest)--
Cmp [source], value // Compare *(long*)source with value
Je blockOne // Jump to blockOne if they're equal
Jl blockTwo // Jump to blockTwo if [source] is less than value
Jg blockThree // Jump to blockThree if [source] is greater than value
Cmp [source], value // Compare *(long*)source with value
Jne blockOne // Jump to blockOne if they're not equal
Jnl blockTwo // Jump to blockTwo if [source] is not less than value
Jng blockThree // Jump to blockThree if [source] is not greater than value
Test [source], value // Compute *(long*)source & value and set the flags; the result itself is discarded
Jz blockOne // Jump to blockOne if ([source] & value) is zero
Ja blockTwo // Jump to blockTwo if "above" (CF = 0 and ZF = 0); Test always clears CF, so this just means the result is not zero
Jb blockThree // Jump to blockThree if "below" (CF = 1); Test always clears CF, so this jump is never taken right after Test
Test vs. Cmp: use Cmp with Jl/Je/Jg if source and dest are signed numbers;
use Jb/Jz/Ja if source and dest are unsigned.
Caveat: Ja and Jb read CF, which Cmp sets from the unsigned subtraction but Test always clears, so Ja/Jb belong after Cmp; after Test only Jz/Jnz are meaningful.
Jmp near +0x200 EIP = EIP + 0x200
Jmp long 0x400000 EIP = 0x400000
Ret EIP = [ESP+0] & pop [ESP+0]
Ret 0x0C EIP = [ESP+0] & pop [ESP+0], then pop 0x0C more bytes from the stack,
i.e. ESP += 0x0C (the return address is popped first, then the arguments are discarded;
this is how a callee cleans up its own arguments)
Xor dest, source
mov dest, 'A' // 0x41
xor dest, 0x20 // dest is 'a' (0x61) now

Xor dest, source
mov dest, 'a' // 0x61
xor dest, 0x20 // dest is 'A' (0x41) now

A (0x41)  0100 0001
0x20      0010 0000
Xor       ---------
a (0x61)  0110 0001
Assembly: Function Call
void Func()
{
    int A = 0;
    int B = 1;
    int C = 2;
}

Locals on the stack:
[EBP - 4] = 0
[EBP - 8] = 1
[EBP - C] = 2

Prologue:
push EBP
mov EBP, ESP
sub ESP, LEN
void Func() {
    nFunc(ARG1, ARG2, ARG3);
}

push ebp
mov ebp, esp
...
push arg3
push arg2
push arg1
call nFunc
[EBP+0]  = Pointer to old EBP
[EBP+4]  = Return Address
[EBP+8]  = Parameter 1
[EBP+C]  = Parameter 2
[EBP+10] = Parameter 3
etc.
Assembly: Calling Convention
Stack walkthrough (one snapshot per slide, top of stack first; ESP points at the first entry listed):

1. (empty)
2. Old EBP -- push EBP
3. Old EBP, now with EBP = ESP -- mov EBP, ESP
4. Buffer, Buffer, Old EBP -- sub ESP, 8 makes room for the locals at [EBP-4] and [EBP-8]
5. 1, Buffer, Buffer, Old EBP -- the argument 1 is pushed
6. return Address, 1, Buffer, Buffer, Old EBP -- call nFunc pushes the return address
7. Old EBP, return Address, 1, Buffer, Buffer, Old EBP -- the callee's push EBP
8. same as 7, with EBP = ESP: [EBP+0] = Old EBP, [EBP+4] = return Address, [EBP+8] = 1 -- the callee's mov EBP, ESP
9. return Address, 1, Buffer, Buffer, Old EBP -- the callee's saved Old EBP is popped
10. 1, Buffer, Buffer, Old EBP -- Ret pops the return Address into EIP
11. Buffer, Buffer, Old EBP -- the argument 1 is removed from the stack
x86 Disassembly & Calling Conventions
It's time to talk about what each register means and what it is used for.
I collected the simple parts from the wiki, and they're really useful for reversing.
read more: x86 Disassembly/Calling Conventions
https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Conventions
CDECL
STDCALL
FASTCALL
C++ THISCALL
Debugging
Debug: OllyDbg
Debug: Cheat Engine
Debug: IDA Pro
Trial: TDOH Hello World
Play the game & Find the flag :P
Game Time
Live Demo
IDA, CE, Olly
IDA: The pseudocode generated by IDA Pro (F5) may drop something important from the assembly for the sake of readable output.
It's important to use a debugger and trace the opcodes at every step.
Trial: Lucky Day
Game Time
TDOH{Debug_is_Fun!}
Live Demo
IDA, CE, Olly
Game Time
Game Time
Live Demo
IDA, CE, Olly
Game Time: AIS3 2016 Final Binary 1
Game Time
Use the Strings window to find the format string of printf, and double click it for detail.
Click the xref and follow
It just checks that every char of the input is lower case.
RC4, but a little different. I will split this function into three parts so you can understand it well.
If the result after the RC4 cipher is the same as the input, that is the real key.
Live Demo
IDA, CE, Olly
Game Time: 99
I prepared the same one, but patched.
If you can set the bullet count to zero, the game will give you the flag.
Game Time
Live Demo
IDA, CE, Olly
Game Time: CrackMe#1 [UBC] by bRaINbuSY
Game Time
We don't care about those; they don't have any effect on the check.
This part is used for the SEH ExceptionList, but it's not the point.
We can simplify it like this.
We should figure out how to get this value (you can get it by debugging, no doubt, but it's important to know how it works in order to create a keygen).
Live Demo
IDA, CE, Olly
mailto:[email protected]