Reversing By Example
Travis Phillips
What This Talk is...
● This talk will walk through a few reversing challenges.
– The first few are built by me
– The rest were found on crackmes.de
● This talk is to demo:
– The mindset I used when walking through these.
– Some of the tools and how I used them.
– Some of the techniques used to produce solutions.
What This Talk is Not
● It isn't a reverse engineering class.
● LD_PRELOAD, while useful, won't be covered.
● Not a primer on assembly.
– Covered at BSides Jax 2014 – slides online
● Not a gdb tutorial.
– Covered at JaxLUG 2015 – slides online
What is Reversing?
● Engineering:
– Idea
– Produce specs
– Build
– Finished product
● Reverse engineering is taking this process backwards: start from the finished product and work back to the specs and the idea.
Why Reverse Engineer?
● VERY IN DEMAND IN THE SECURITY FIELD!
● Demystifying the "black box".
● Malware.
● Unknown item and use.
● Item is no longer supported, but you still need it to work.
● Reversing is an art that falls in line with debugging.
Warnings About Reversing
● REVERSE ENGINEERING IS ILLEGAL IF YOU AREN'T ALLOWED TO DO SO BY THE IP OWNER!!!
● You will break things sometimes... Just accept this risk or don't do it.
● You may possibly lose:
– Sleep
– Free time
– Your social life
– Fragments of your sanity
Skills Needed
● [Dis]assembly and debugging skills are good to have
● Curious mindset
● Documentation skills
● Don't be afraid to break things...
– It will happen... Accept it and be ready to fix things or replace them.
First Example: simple_password
● Written by me.
● A simple find-the-password crackme.
First Example: simple_password
● Let's just give it a test run...
What Did We See and Learn
● The banner was printed on both the help run and the attempted run.
● "Not quite right" was printed. It seems the password is not "password".
First Example: simple_password
● Next, let's check strings.
What Did We See and Learn
● We did see some strings of interest in the output of that command.
First Example: simple_password
● Let's attempt that possible password.
What Did We See and Learn
● Sometimes devs hard-code passwords.
● If left as a normal string literal, finding them is trivial: strings prints every run of printable bytes in the file.
● If you are a dev: please don't hard-code passwords!
● We win the challenge.
Second Example: less_simple_password
● Written by me.
● Like simple_password, but with some minor changes to make it less simple.
– Hide the password string better!
Second Example: less_simple_password
● Let's just test it out.
What Did We See and Learn
● Seems to be about the same as the first example.
● "Testing" isn't the password.
Second Example: less_simple_password
● Let's see what strings yields.
What Did We See and Learn
● The password doesn't seem to be visible via strings this time :-(
● We'll need to try something else.
LTRACE
● ltrace is a Linux tool that shows the calls a dynamically linked program makes to shared-library functions (libc's strcmp, printf, fgets, ...) along with the arguments passed to them and their return values.
● This is a useful tool for reversing! Use -s to raise the number of string characters it prints, since the default truncates long arguments.
What Did We See and Learn
● ltrace revealed a call to strcmp and showed its arguments!
● One argument was my supplied password, the other was the real password!
Second Example: less_simple_password
● Let's see what happens if we make strcmp happy :-)
What Did We See and Learn
● While we found a way to hide the string, it was still found out: the password has to exist in cleartext in memory at the moment it is compared, and the comparison itself is a library call a tracer can see.
● Take away: HARD CODED PASSWORDS ARE A BAD IDEA!
How Did We Hide The String?
● Don't store the string as a literal. Instead use some sort of math or algorithm to generate the string at runtime, so that strings never sees it. This still isn't secure, however.
How Did We Hide The String?
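The code on this slide was a screenshot that did not survive extraction. As an added example (my reconstruction of the pattern the slide describes, not the talk's source), the block below builds the password at run time from a byte table so that no printable literal exists for strings to find, and then still hands it to strcmp, which is exactly what ltrace catches. The password "jaxhax", the table bytes and the XOR key 0x9f are constructed for this example; the talk's real password is not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Obfuscated form of the (constructed, assumed) password "jaxhax":
 * every byte is XORed with 0x9f, which sets the high bit, so the table
 * never looks like printable text and `strings` skips it. */
static const unsigned char PW_BLOB[] = { 0xf5, 0xfe, 0xe7, 0xf7, 0xfe, 0xe7 };
static const unsigned char PW_KEY = 0x9f;

/* Rebuild the cleartext password at run time, byte by byte. */
static const char *build_password(void) {
    static char pw[sizeof PW_BLOB + 1];
    for (size_t i = 0; i < sizeof PW_BLOB; i++)
        pw[i] = (char)(PW_BLOB[i] ^ PW_KEY);
    pw[sizeof PW_BLOB] = '\0';
    return pw;
}

/* The check is still a strcmp() against the rebuilt string, so
 * `ltrace ./less_simple_password guess` prints both arguments, e.g.
 *   strcmp("guess", "jaxhax") = ...
 * Run-time generation only defeats `strings`, not a library-call tracer. */
int check_password(const char *guess) {
    return strcmp(guess, build_password()) == 0;
}

int main(int argc, char **argv) {
    puts("less_simple_password (example)");
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    if (check_password(argv[1])) {
        puts("Correct!");
        return 0;
    }
    puts("Not quite right...");
    return 1;
}
```

Compile with `gcc -o less_simple_password less_simple_password.c`, confirm `strings less_simple_password | grep jaxhax` finds nothing, then run it under `ltrace ./less_simple_password password` and watch the strcmp line give the secret away.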
Third Example: josamont's j333
● Found on crackmes.de
● Written by josamont
● Written in x86 assembly
● Stripped
Third Example: josamont's j333
● Let's check strings.
What Did We See and Learn
● Not many strings or junk data here. Hand-written assembly usually makes a small, clean binary without the compiler and libc noise a C program carries.
● Strings of interest:
– 2793246581
– velvet
Third Example: josamont's j333
● Let's test those strings out.
What Did We See and Learn
● Neither of them worked.
● However, we did observe something interesting.
– When typing velvet and Enter, there was an extra prompt after the program ended.
– When entering the number, part of it was passed to the command line after the program exited, along with an Enter keystroke.
– This means it is probably using read() to fetch a fixed number of bytes; whatever is left in the terminal's input buffer is consumed by the shell afterwards.
Third Example: josamont's j333
● Since this was written in x86 asm, let's try strace: it is probably making raw syscalls rather than libc calls, which is the case where ltrace has nothing to show.
What Did We See and Learn
● The read() syscall only reads 6 bytes. The "g" and Enter were extra, ignored by the program, and passed on to the command line.
● That said, the password should be 5 or 6 characters, depending on whether the newline from Enter counts as part of the password.
What Did We See and Learn
Third Example: josamont's j333
● Since we have that unknown logic, let's open the binary in Hopper and see if we can find it.
Third Example: josamont's j333
What's at 0x80480ea
● Set EAX to 4
– This selects the write() syscall (syscall number 4 in the 32-bit Linux ABI).
● Set EBX to 1
– EBX carries the first argument, the file descriptor; 1 is stdout.
● int 0x80
– Traps into the kernel to execute the syscall.
● So this is basically a write() helper. It assumes ECX (buffer pointer) and EDX (length) were set before the call.
Third Example: josamont's j333
● Rename it to improve our ability to read the code.
Third Example: josamont's j333
● We can start to line the asm up with our flowchart.
Third Example: josamont's j333
● ... and update the flowchart ;-)
Third Example: josamont's j333 – Done Son!
Fourth Example: ascii's kgm1
● From crackmes.de.
● x86, written in C.
● Goal is to build a keygen for this one.
Fourth Example: ascii's kgm1
● Let's think about the goal for a minute.
● We need to build a keygen, so we need:
– To find the keygen algo
– Find a few good serials for known good dataset.
– Understand the keygen algo
– Replicate the keygen algo in our program.
● May or may not be in that order.
Fourth Example: ascii's kgm1
● Let's look at the first run again. This one asked for a serial only, no username.
● No other user data seeds the generation of the serial.
● The serial could be static, or it could be validated by some math or generated randomly.
Fourth Example: ascii's kgm1
● Let's look at strings.
● Not much of interest here...
● Low possibility of being static.
● Static keygens are boring anyways!
Fourth Example: ascii's kgm1
● Let's ltrace it.
● Not much interesting here either.
● We did learn it uses fgets() to read in 16 bytes.
● Seems we will have to disassemble.
Fourth Example: ascii's kgm1
● This binary seems to be stripped, so we land in this boilerplate start code. The last argument pushed onto the stack just before the call to __libc_start_main is the address of main(). Let's rename it.
Fourth Example: ascii's kgm1
● Click the address, hit 'N' to rename it. After it is renamed, hit enter to follow it. This is the code before any jump runs (jne in this case).
What Did We See and Learn
● We see some boilerplate stack management at the beginning.
● We see a few calls to printf(), fgets(), and strlen(). Let's just go ahead and flowchart those.
– printf() for the banner
– printf() for "Key: "
– fgets() to collect the data from the user
– strlen() to get the length of the user data
● Let's flowchart that really quickly.
What Did We See and Learn
What's at 0x80484cf?
● Sadness and despair...
● Prints the invalid-key message and exits with a value of 1.
● We can rename this area PrintInvalidKey and update the flowchart.
What Did We See and Learn
● The major takeaway from that code segment is that the key must be 10 characters long, including the newline!
– That is 9 actual text characters plus the '\n' that fgets() keeps in the buffer.
– If this isn't met, it will reject the key right away!
● Let's continue with the code after that jne, assuming we didn't take the jump (i.e., our key is 9 characters plus the newline). What does the program do next?
![Page 54: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/54.jpg)
Fourth Example: ascii's kgm1
● The following code runs up to the next jump instruction, which seems to be a loop.
● The instruction at 0x08048478 referenced esp+arg_10; I renamed that to userInput for readability.
![Page 55: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/55.jpg)
Fourth Example: Loop Breakdown
● The jne points to the third instruction in the code sample.
● This means the first two instructions are initializers, setting edx to 1 and ecx to the userInput pointer.
![Page 56: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/56.jpg)
Fourth Example: Loop Breakdown
● Next we enter the loop: al is set to whatever [edx + 7] holds... That seems like an illegal address. Let's double-check that this disassembled correctly in gdb.
![Page 57: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/57.jpg)
Fourth Example: Loop Breakdown
● Ah... the plot thickens: it was wrong!
– It wasn't [edx+7],
– it was [edx+0x8049707]. A POINTER: a fixed address plus edx, i.e. a table indexed by the loop counter!
![Page 58: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/58.jpg)
Fourth Example: Loop Breakdown
● A quick bug report to the dev of Hopper, and two days later we have a new release of Hopper! Looks much better! Thanks, Vincent!
![Page 59: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/59.jpg)
Fourth Example: Loop Breakdown
● Next, add 1 to edx.
● See if edx = 9; if not, continue to loop.
– So edx is the loop counter. The loop walks the first 8 chars of userInput and leaves the 9th alone.
![Page 60: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/60.jpg)
Fourth Example: Loop Breakdown
● To simplify, in mock-up code:
i = 0
xorkey = [0x45, 0x36, 0xab, 0xc8, 0xcc, 0x11, 0xe3, 0x7a]
while i < 8 {
    userInput[i] = userInput[i] ^ xorkey[i]
    i++
}
![Page 61: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/61.jpg)
Fourth Example: Add The Loop into the FlowChart
![Page 62: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/62.jpg)
Fourth Example: Next Loop Breakdown
● We have another loop that follows.
● Initialize:
– Set ECX to 0
– Set EDX to 0
– Set EBX to the userInput pointer
![Page 63: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/63.jpg)
Fourth Example: Next Loop Breakdown
● EDX seems to be a counter again, counting from zero up to 8.
● The loop steps through the XOR'd userInput buffer byte by byte, adding each byte to a running total kept in ECX.
![Page 64: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/64.jpg)
Fourth Example: Next Loop Breakdown
● Mock-up code:
int i = 0
int total = 0
while i < 8 {
    total = total + userInput[i]
    i++
}
![Page 65: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/65.jpg)
Fourth Example: Next Loop Breakdown
![Page 66: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/66.jpg)
Fourth Example: ascii's kgm1
● Keep in mind ECX holds the total sum from the last loop.
● The first instruction moves the 9th character of the user string into EDX.
● Compare EDX with ECX. If they aren't equal, we jump to PrintInvalidKey.
![Page 67: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/67.jpg)
Fourth Example: ascii's kgm1
![Page 68: Reversing By Example - wiki.jaxhax.org · Demystifying the "Black Box". ... Reversing is an Art that falls in line with debugging. Warnings About Reversing REVERSE ENGINEERING IS](https://reader034.fdocuments.net/reader034/viewer/2022052004/6017f7f4cc3d19726d51f519/html5/thumbnails/68.jpg)
Fourth Example: ascii's kgm1
● Keep in mind EDX now holds the total sum, which we know equals the 9th char of the user key.
● LEA is used to set EAX to total - 97.
● Compare EAX to 25. If EAX is over 25, it jumps to PrintInvalidKey. Therefore the total needs to be 122 or lower (97 + 25), and for EAX not to go negative it also needs to be 97 or higher. In ASCII, 97..122 is 'a'..'z': the 9th character of the key must be a lowercase letter.
Fourth Example: ascii's kgm1
Fourth Example: ascii's kgm1
● If we clear that check it looks like we are on our way to winning.
● Prints "Good Key!", sets EAX to zero and jumps to the return at the end of main.
– This is basically the same as return 0;
Fourth Example: ascii's kgm1
Fourth Example: ascii's kgm1
● So the key must:
– Be 9 characters (plus the newline fgets() keeps)
– The total of the first 8 bytes, after being XOR'd with the key table, must equal the 9th character
– The total must be at least 97 ('a')
– The total must be at most 122 ('z')
● In other words, the 9th character is a checksum of the first 8 that has to come out as a lowercase letter.
● Because of this design, we can't memory-fish a key (that is, run it in a debugger and grab the expected value from the compare): the value being compared depends on what we typed, so there is no fixed secret to grab.
Fourth Example: ascii's kgm1
● We will have to generate a key that makes the requirements happy.
– Doing this by hand is tricky.
● The solution is a brute-force generator.
● Loop forever:
– Generate an 8-character string
– XOR and total it
– Check that the total is within the upper and lower limits
– If so, append the total as the 9th char and stop
– If not, loop again
Fourth Example: ascii's kgm1
Fourth Example: ascii's kgm1 Keygen
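The keygen on this slide was a screenshot that did not survive extraction. As an added example (my code, not the talk's keygen), the block below re-implements the kgm1 checks exactly as the preceding slides reconstruct them, then brute-forces a key against that model the way the slide outlines. Two details are assumptions the page does not confirm: the byte sum is done on signed char (what plain char is on x86; with zero-extended bytes the four XOR constants with the high bit set would push any printable-ASCII key's total far above 122), and the 97..122 test is treated as an unsigned compare, so totals below 97 fail too. The PRNG, the printable character set 0x21..0x7e and the hand-worked keys in the comments are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* XOR table the talk read out of kgm1 at 0x8049707. */
static const unsigned char XORKEY[8] = { 0x45, 0x36, 0xab, 0xc8, 0xcc, 0x11, 0xe3, 0x7a };

/* Re-implementation of main()'s checks as reconstructed on the slides.
 * `key` is the raw fgets() buffer: 9 characters plus the '\n'.
 * Assumption: bytes are summed as signed char and the range test is an
 * unsigned compare (lea eax,[edx-97]; cmp eax,25; ja PrintInvalidKey).
 * Hand-worked: "C6T73n<za\n" sums to 97 = 'a' and passes;
 *              "E6T73u<z@\n" sums to 64 = '@', matches the 9th char,
 *              but fails the 'a'..'z' range check. */
int kgm1_check(const char *key) {
    signed char buf[16];
    int total = 0;

    if (strlen(key) != 10)                      /* 10 bytes including the newline */
        return 0;
    memcpy(buf, key, 11);

    for (int i = 0; i < 8; i++)                 /* first loop: XOR in place */
        buf[i] = (signed char)(buf[i] ^ XORKEY[i]);

    for (int i = 0; i < 8; i++)                 /* second loop: running total (ECX) */
        total += buf[i];

    if (buf[8] != total)                        /* 9th character must equal the total */
        return 0;
    if ((unsigned)(total - 97) > 25)            /* total must be 'a'..'z' */
        return 0;
    return 1;
}

/* Small deterministic PRNG (constructed for this example) so runs are reproducible. */
static unsigned lcg_next(unsigned *state) {
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fffu;
}

/* Brute-force keygen: draw 8 printable characters (0x21..0x7e), compute the
 * same signed XOR sum the target does, and retry until the sum lands in
 * 'a'..'z'; that letter becomes the 9th character. `out` receives the 9
 * characters, the newline fgets() would keep, and a NUL. */
int kgm1_keygen(char out[11], unsigned seed) {
    for (int attempt = 0; attempt < 1000000; attempt++) {
        int total = 0;
        for (int i = 0; i < 8; i++) {
            out[i] = (char)('!' + lcg_next(&seed) % 94);
            total += (signed char)(out[i] ^ XORKEY[i]);
        }
        if ((unsigned)(total - 97) <= 25) {
            out[8] = (char)total;
            out[9] = '\n';
            out[10] = '\0';
            return 1;
        }
    }
    return 0;                                   /* not expected: roughly 1 in 20 draws hits */
}

/* Generate a key for `seed` and verify it against the re-implemented check. */
int kgm1_selftest(unsigned seed) {
    char key[11];
    return kgm1_keygen(key, seed) && kgm1_check(key)
        && key[8] >= 'a' && key[8] <= 'z';
}

int main(void) {
    char key[11];
    if (!kgm1_keygen(key, 1u))
        return 1;
    printf("key: %.9s  (check = %d)\n", key, kgm1_check(key));
    return 0;
}
```

Feed the printed 9 characters to the real binary to confirm the model; if it rejects every generated key while accepting none of the hand-worked ones either, revisit the two assumptions (signedness of the sum, signed versus unsigned range compare) in the disassembly before touching anything else.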
Questions?
Slides, example binaries, useful links, and solutions available on:
wiki.jaxhax.org