Reverse engineering by Ravi Rajput hcon groups meet
Ravi Rajput
“Painless pill for the complicated topic”
/usr/bin/whoami
• Student of Information Technology
• A n00b with time on my hands
• Has an interest in Information Security
• A person who has BIG dreams :P
Agenda
• To get our feet wet in the ocean of REVERSE ENGINEERING
• Cover the basics of Assembly Language
• It's a painless pill for a complicated topic.
CPU
• Control Unit: fetches and decodes instructions and directs the other units.
• Execution Unit: performs the actual execution of instructions.
• Registers: internal memory locations used as "variables".
• Flags: bits in EFLAGS that record the outcome of operations at execution time (zero, carry, sign, ...).
General Purpose Registers: EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP
• EAX: accumulator register, holds operands and result data (also the system call number and the return value)
• EBX: base register, pointer to data
• ECX: counter register, used for loop and string operations
• EDX: data register, I/O pointer; also holds the high half of 64-bit results
• ESI & EDI: source and destination index registers for memory/string operations
• ESP: stack pointer register, always points at the top of the stack
• EBP: base (frame) pointer register, points into the current stack frame so locals and arguments can be addressed relative to it
Memory layout of a process (contd.; high addresses at the top):

    STACK            function arguments, return addresses & local variables
    Unused memory    gap that the stack and the heap grow into
    Heap             dynamic memory
    .bss             uninitialized data
    .data            initialized data
    .text            program code

NOTE: the stack is LIFO and grows from high memory towards low memory.
General Structure

    .data            # all initialized data
    .bss             # all uninitialized data
    .text
    .globl _start    # externally callable entry point, like main() in a C program
    _start:
                     # program instructions
System Calls
• System calls are invoked by processes using a software interrupt: int 0x80 (32-bit Linux).
• EAX: system call number
• EBX: first argument
• ECX: second argument
• EDX, ESI, EDI (and EBP for a sixth): the remaining arguments, in order
• The kernel's return value comes back in EAX (a small negative value means -errno).
Finally..!!
• Yes, finally, after the boring theory we are going to write some code in ASSEMBLY LANGUAGE.
Steps
1. Declare all initialized data in the ".data" section, for example:
       hello_world:
           .ascii "Hello World"
2. Put the system call number in EAX.
3. Pass the arguments in EBX, ECX, EDX, ...
4. Raise the software interrupt: int $0x80.

Hello World (the complete program; .ascii emits exactly 11 bytes, which is the length passed in EDX)

    .data
    hello_world:
        .ascii "Hello World"           # 11 bytes, no terminating NUL

    .text
    .globl _start
    _start:
        # load all the arguments for write(1, hello_world, 11); sys_write is call number 4
        movl $4, %eax                  # EAX = system call number
        movl $1, %ebx                  # EBX = file descriptor 1 (stdout)
        movl $hello_world, %ecx        # ECX = address of the buffer
        movl $11, %edx                 # EDX = number of bytes
        int $0x80                      # trap into the kernel

        # write() has returned; now call exit(0) so the CPU never runs off the end of .text
        movl $1, %eax                  # sys_exit is call number 1
        movl $0, %ebx                  # EBX = exit status 0
        int $0x80

    # Build and run on Linux: as --32 hello.s -o hello.o && ld -m elf_i386 hello.o -o hello && ./hello
Congratulations…!!!
• This tiny program already uses the two instructions you will meet most often: movl to set up registers and int to hand control to the kernel.
• A handful of others (cmp, the jumps, call/ret, push/pop, add/sub, xor) cover most of what you will see in everyday programs; the ones that matter for RE come up in the next slides.
• Congratulations on your first program in Assembly Language!
I didn't know that
• But what are these .ascii and movl in the last program???
Data Types
In .data (the bytes are emitted at assembly time and stored in the executable):
  .byte   = 1 byte
  .ascii  = string, exactly the characters given (no terminator)
  .asciz  = null-terminated string (one extra byte)
  .int    = 32-bit integer
  .short  = 16-bit integer
  .float  = single precision floating point number
  .double = double precision floating point number

Data Types Contd.
In .bss (no bytes in the file; the space is reserved when the program is loaded and starts out zeroed):
  .comm symbol, length   = declares a common memory area (global)
  .lcomm symbol, length  = declares a local common memory area
Moving Data
Syntax (AT&T): movx source, destination, where x gives the operand size:
  movl = moves a 32-bit value    movl %eax, %ebx
  movw = moves a 16-bit value    movw %ax, %bx
  movb = moves an 8-bit value    movb %ah, %bh

Scenarios for Moving Data
1. Between registers:
       movl %eax, %ebx
2. Between a register and a memory location:
       location:
           .int 10
       movl %eax, location          # store EAX into location
       movl location, %ebx          # load location into EBX
3. An immediate value directly into a register:
       movl $10, %eax
4. An immediate value into a memory location:
       location:
           .byte 0
       movb $10, location
   NOTE: the size suffix (b/w/l) and the register (AL/AX/EAX) must match the size of the memory operand; for a bare label the assembler cannot guess it.
5. Into or out of an indexed memory location:
       IntegerArray:
           .int 10, 20, 30, 40, 50
       # AT&T form: displacement(base, index, scale); address = displacement + base + index*scale
       # Select the 3rd integer "30": index 2, scale 4 (each .int is 4 bytes); the index must be in a register
       movl $2, %ebx
       movl IntegerArray(,%ebx,4), %eax     # load 30 into EAX
       movl %eax, IntegerArray(,%ebx,4)     # store EAX back into the same slot
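Added example (Python, not from the slides) that ties the .data/.bss data types above to the indexed-addressing scenario: it lays out a few .data directives the way `as` does, models .lcomm reservation in .bss, and then fetches the third element of IntegerArray with the displacement + base + index*scale rule behind movl IntegerArray(,%ebx,4), %eax. The load address DATA_BASE, the label names and the .bss symbols are all made up for the illustration.

```python
"""Model of GAS data directives and AT&T indexed addressing (added example)."""
import struct

DATA_BASE = 0x08049000   # assumed .data load address; hypothetical, for illustration only


def assemble_data(directives, base=DATA_BASE):
    """Lay out (label, directive, operand) triples the way `as` fills .data.

    Returns (blob, symbols): the emitted bytes and a map label -> address.
    Only the directives from the slide are modelled; integers are little-endian.
    """
    blob = bytearray()
    symbols = {}
    for label, directive, operand in directives:
        if label:
            symbols[label] = base + len(blob)
        if directive == ".byte":
            blob += bytes(v & 0xFF for v in operand)
        elif directive == ".short":
            blob += b"".join(struct.pack("<H", v & 0xFFFF) for v in operand)
        elif directive == ".int":
            blob += b"".join(struct.pack("<I", v & 0xFFFFFFFF) for v in operand)
        elif directive == ".ascii":
            blob += operand.encode("ascii")          # exactly the characters
        elif directive == ".asciz":
            blob += operand.encode("ascii") + b"\0"  # plus a terminating NUL
        else:
            raise ValueError("unsupported directive: %s" % directive)
    return bytes(blob), symbols


def reserve_bss(lcomms, base):
    """Model .lcomm: hand out addresses but emit no bytes (the space exists only at load time)."""
    symbols, size = {}, 0
    for label, length in lcomms:
        symbols[label] = base + size
        size += length
    return size, symbols


def effective_address(disp=0, base=0, index=0, scale=1):
    """AT&T disp(base, index, scale) resolves to disp + base + index * scale."""
    if scale not in (1, 2, 4, 8):
        raise ValueError("scale must be 1, 2, 4 or 8")
    return disp + base + index * scale


def load_int(blob, blob_base, address):
    """`movl address, %eax` on the modelled .data: read a little-endian 32-bit value."""
    return struct.unpack_from("<i", blob, address - blob_base)[0]


# Constructed .data section in the spirit of the slides (not a real binary).
DATA = [
    ("hello_world", ".ascii", "Hello World"),
    ("hello_z", ".asciz", "Hello World"),
    ("IntegerArray", ".int", [10, 20, 30, 40, 50]),
    ("flag", ".byte", [0]),
]
BLOB, SYMS = assemble_data(DATA)
BSS_SIZE, BSS_SYMS = reserve_bss([("buffer", 64), ("counter", 4)], base=DATA_BASE + len(BLOB))


def third_integer():
    """movl $2, %ebx ; movl IntegerArray(,%ebx,4), %eax  -> value left in EAX."""
    ebx = 2
    addr = effective_address(disp=SYMS["IntegerArray"], index=ebx, scale=4)
    return load_int(BLOB, DATA_BASE, addr)


def string_sizes():
    """Bytes occupied by the .ascii and .asciz copies of "Hello World" (11 and 12)."""
    return SYMS["hello_z"] - SYMS["hello_world"], SYMS["IntegerArray"] - SYMS["hello_z"]


if __name__ == "__main__":
    print("third integer:", third_integer())
    print(".ascii/.asciz sizes:", string_sizes())
    print(".data bytes in file:", len(BLOB), "; .bss reserved:", BSS_SIZE)
```

The size difference between hello_world and hello_z is why the write() call above passes $11 for an .ascii string: there is no NUL to count. The .bss symbols get addresses but add nothing to BLOB, which is the "space created at runtime" point from the slide.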
Important things for RE in the next slides
Conditional Jumps
Take them as JXX: JA, JAE, JE, … JZ, JNZ. Each one tests a condition recorded in EFLAGS by the previous instruction (usually CMP or TEST) and jumps only when it holds; otherwise execution falls through.
NOTE: conditional jumps come in short and near forms, "NOT" far.
  • Short jumps use an 8-bit displacement: the target must lie within -128 to +127 bytes of the next instruction.
  • Near jumps use a 32-bit displacement and can reach anywhere in the same code segment.
  • Far jumps (only JMP and CALL) point into a different segment.
So in reach: short < near < far. The moral of the story: when the check is assembled as a short jump, the code that handles the wrong key lies within about 128 bytes of the comparison, so that is where to look first.
Conditional Jumps: SCENARIO
If the key entered for "Nonreversible software v2.0.1" is 1337, then use the software; otherwise no rights to use it.. purchase it..!! :O
The check is a comparison, e.g. cmpl $1337, %eax: the CPU computes EAX - 1337, throws the result away and records the outcome in EFLAGS. Only when the key matches is the result zero and ZF set; for any other key ZF stays clear and a JNZ/JNE sends you down the "purchase" path. The same idea applies to a "registered" flag the program keeps in a register: xorl %eax, %eax XORs the register with itself to make it 0 (and sets ZF), which is the usual idiom for FLAG = 0.
Processor Flags
• CF – Carry Flag: set on a high-order bit carry or borrow; cleared otherwise.
• PF – Parity Flag: set if the low-order eight bits of the result contain an even number of "1" bits; cleared otherwise.
• ZF – Zero Flag: set if the result is zero; cleared otherwise.
• SF – Sign Flag: set equal to the high-order bit of the result (0 if positive, 1 if negative).
• OF – Overflow Flag: set if the signed result is too large or too small to fit in the destination operand.
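Added example (Python, not part of the original slides) that computes the five flags above for a 32-bit cmpl exactly as defined and shows which JXX would be taken, including the 1337 key check from the scenario. The function and constant names are my own; the flag rules are the standard x86 ones.

```python
"""Which conditional jumps fire after `cmpl`: a model of CF, PF, ZF, SF and OF (added example)."""

MASK32 = 0xFFFFFFFF
SIGN32 = 0x80000000


def flags_after_cmp(dst, src):
    """Flags set by `cmpl $src, %dst` (AT&T order): the CPU computes dst - src and keeps only the flags."""
    dst &= MASK32
    src &= MASK32
    result = (dst - src) & MASK32
    return {
        "CF": dst < src,                                      # borrow out of the high-order bit
        "PF": bin(result & 0xFF).count("1") % 2 == 0,         # even number of 1 bits in the low byte
        "ZF": result == 0,
        "SF": bool(result & SIGN32),                          # high-order bit of the result
        "OF": bool((dst ^ src) & (dst ^ result) & SIGN32),    # signed result does not fit
    }


def flags_after_xor(a, b):
    """`xorl %a, %b`: CF and OF are cleared; ZF/SF/PF reflect the result (zeroing idiom: xorl %eax, %eax)."""
    result = (a ^ b) & MASK32
    return {
        "CF": False, "OF": False,
        "PF": bin(result & 0xFF).count("1") % 2 == 0,
        "ZF": result == 0,
        "SF": bool(result & SIGN32),
    }


# Condition each Jcc tests; je/jz and jne/jnz are the same instruction under two names.
CONDITIONS = {
    "je":  lambda f: f["ZF"],
    "jne": lambda f: not f["ZF"],
    "ja":  lambda f: not f["CF"] and not f["ZF"],           # unsigned >
    "jae": lambda f: not f["CF"],                           # unsigned >=
    "jb":  lambda f: f["CF"],                               # unsigned <
    "jbe": lambda f: f["CF"] or f["ZF"],                    # unsigned <=
    "jg":  lambda f: not f["ZF"] and f["SF"] == f["OF"],    # signed >
    "jge": lambda f: f["SF"] == f["OF"],                    # signed >=
    "jl":  lambda f: f["SF"] != f["OF"],                    # signed <
    "jle": lambda f: f["ZF"] or f["SF"] != f["OF"],         # signed <=
    "js":  lambda f: f["SF"],
    "jo":  lambda f: f["OF"],
    "jp":  lambda f: f["PF"],
}


def taken_jumps(dst, src):
    """Mnemonics whose jump would be taken right after `cmpl $src, %dst`."""
    flags = flags_after_cmp(dst, src)
    return sorted(name for name, test in CONDITIONS.items() if test(flags))


def key_accepted(entered_key, expected=1337):
    """The slide's check: cmpl $1337, %eax ; jne reject. True means the JNE is *not* taken."""
    return not CONDITIONS["jne"](flags_after_cmp(entered_key, expected))


if __name__ == "__main__":
    print("key 1337:", flags_after_cmp(1337, 1337), "accepted:", key_accepted(1337))
    print("key 1338:", taken_jumps(1338, 1337))
    # -1 compared with 1: the unsigned jumps (ja) fire, the signed ones (jg) do not
    print("0xFFFFFFFF vs 1:", taken_jumps(0xFFFFFFFF, 1))
```

The last line of the demo is the one to remember when reading a check: JA/JB look only at CF, JG/JL at SF and OF, so the same cmpl can send a value one way under an unsigned compare and the other way under a signed one.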
SCENARIO
If the key for "Nonreversible software v2.0.1" is 1337 and you are so much of a genius that you bypassed the authentication code and are using the registered version:
"Congratulations..!! You have registered the software. Thank you for using our software."
This message makes you feel good..
Unconditional Jumps
• JMP
  1> like the goto statement in C programming
  2> Syntax: JMP label/address
  3> Short, near and far forms are all supported
• So you can bypass the authentication and jump directly to the software code … Wwwoohhaa..!!!!
• I intentionally left out the CALL & LOOP instructions as we will study them in exploit writing.
An unconditional jump is like this (flowchart from the slide; addresses as shown there):

    Registered?
      No  -> JNZ 0X0884568      (taken: no rights, go and buy it)
      Yes -> 0X08844455         (fall through: enjoy the software)

    Patched: JMP 0X08844455     (every run lands on "enjoy the software")
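Added example (Python, not from the slides) of the patch the picture describes: decode a short or near conditional jump to find its target, then turn it into an unconditional JMP, or flip its condition, or NOP it out. The byte string SAMPLE is a constructed stand-in for cmpl $1337, %eax ; jne ... and BASE is a hypothetical load address; only the opcode encodings are real x86.

```python
"""Decode x86 short/near jumps and patch a conditional jump to bypass a check (added example)."""
import struct

# Condition codes 0..15 as they appear in the opcode (Jcc rel8 = 0x70+cc, Jcc rel32 = 0F 80+cc).
COND = ["o", "no", "b", "ae", "e", "ne", "be", "a", "s", "ns", "p", "np", "l", "ge", "le", "g"]


def is_jcc(code, offset):
    """True if a conditional jump (short or near form) starts at offset."""
    op = code[offset]
    return 0x70 <= op <= 0x7F or (op == 0x0F and 0x80 <= code[offset + 1] <= 0x8F)


def decode_jump(code, offset, base):
    """Decode the jump at code[offset]; return (mnemonic, absolute target, length).

    The displacement is relative to the *next* instruction, which is why a short
    (8-bit) jump only reaches -128..+127 bytes and a near jump needs 32 bits.
    """
    op = code[offset]
    if 0x70 <= op <= 0x7F:                                    # Jcc rel8  (short)
        name, rel, length = "j" + COND[op - 0x70], struct.unpack_from("<b", code, offset + 1)[0], 2
    elif op == 0xEB:                                          # JMP rel8  (short)
        name, rel, length = "jmp", struct.unpack_from("<b", code, offset + 1)[0], 2
    elif op == 0xE9:                                          # JMP rel32 (near)
        name, rel, length = "jmp", struct.unpack_from("<i", code, offset + 1)[0], 5
    elif op == 0x0F and 0x80 <= code[offset + 1] <= 0x8F:     # Jcc rel32 (near)
        name, rel, length = "j" + COND[code[offset + 1] - 0x80], struct.unpack_from("<i", code, offset + 2)[0], 6
    else:
        raise ValueError("no jump at offset %#x" % offset)
    target = (base + offset + length + rel) & 0xFFFFFFFF
    return name, target, length


def force_jump(code, offset):
    """Make the Jcc at offset unconditional (the slide's JNZ -> JMP), keeping target and size."""
    if not is_jcc(code, offset):
        raise ValueError("not a conditional jump")
    patched = bytearray(code)
    if patched[offset] == 0x0F:
        # 6-byte Jcc rel32 -> NOP + 5-byte JMP rel32. Both end at the same address,
        # so the rel32 displacement is reused unchanged.
        patched[offset], patched[offset + 1] = 0x90, 0xE9
    else:
        patched[offset] = 0xEB                                 # Jcc rel8 -> JMP rel8, rel8 unchanged
    return bytes(patched)


def invert_condition(code, offset):
    """Flip the test (jne <-> je, ja <-> jbe, ...): paired conditions differ only in bit 0 of cc."""
    if not is_jcc(code, offset):
        raise ValueError("not a conditional jump")
    patched = bytearray(code)
    patched[offset + 1 if patched[offset] == 0x0F else offset] ^= 1
    return bytes(patched)


def nop_out(code, offset):
    """Replace the whole jump with NOPs so execution always falls through to the next instruction."""
    _, _, length = decode_jump(code, offset, 0)
    return code[:offset] + b"\x90" * length + code[offset + length:]


# Constructed stand-in for the check: cmpl $1337, %eax ; jne +0x20 ; nop ; nop
# 3D imm32 = cmpl imm32, %eax ; 75 rel8 = jne rel8. The load address is hypothetical.
BASE = 0x08048000
SAMPLE = bytes.fromhex("3d39050000" "7520" "9090")
JNE_OFFSET = 5


if __name__ == "__main__":
    print("original:", decode_jump(SAMPLE, JNE_OFFSET, BASE))
    print("forced  :", decode_jump(force_jump(SAMPLE, JNE_OFFSET), JNE_OFFSET, BASE))
    print("flipped :", decode_jump(invert_condition(SAMPLE, JNE_OFFSET), JNE_OFFSET, BASE))
    print("nopped  :", nop_out(SAMPLE, JNE_OFFSET).hex())
```

Which patch to use depends on which side of the branch is the "enjoy the software" path: JNZ-to-reject wants nop_out or invert_condition, while a jump whose target is the good path wants force_jump. All three keep the instruction length, so nothing after the patch moves and no other displacement has to be recalculated.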
Road Map
• SecurityTube Assembly Language Megaprimer for Linux and Windows Assembly Language Megaprimer
• Introductory Intel x86 at www.opensecuritytraning.info
• http://securityxploded.com/
• http://garage4hackers.com/forumdisplay.php?f=24
• Gray Hat Python (book)
ASK ME ANYTHING … ANYTHING MEANS ANYTHING
You can contact me
Gmail :- [email protected]
Facebook :- fb.com/rajputravit
LinkedIn :- www.linkedin.com/profile/view?id=328373563