Tools and Basic Reverse Engineering
Modern Binary Exploitation, CSCI 4968 – Spring 2015
Jeremy Blackthorne
MBE - 01/30/2015 Tools and Basic RE 1
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
Compiling
Figure: Source Code → (Compile) → Assembly → (Assemble) → Object File → (Link, with Libraries) → Binary File
Loading
Figure: Source Code → (Compile) → Assembly → (Assemble) → Object File → (Link, with Libraries) → Binary File → (Load) → Process
Running
Figure: Process, t=0 → (Step) → Process, t=1 → (Step) → … → Process, t=i → (Step) → … → Process, t=n
RE Domain
Figure: Binary File → (Load) → Process, t=0 → (Step) → Process, t=i → (Step) → Process, t=n
Static: the Binary File on disk. Dynamic: the Process as it runs, step by step.
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
Tool Color Coding
• Linux Tool – Command
• Windows Tool – ToolName.exe
• Associated Challenges – ChallengeName
Hex Editor / Viewers
• Hex Editors / Viewers
  – wxHexEditor (GUI)
  – xxd
    • The "-i" option outputs in C include style
• Challenge:
  – crackme0x00a
ASCII Readable Hex
• strings – Displays ASCII strings > 4 characters long
• Challenge:
  – crackme0x00a
  – crackme0x00b
• strings -e ? crackme0x00b
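The `strings -e` line is about character encodings: GNU strings scans for single-byte text by default (minimum length 4, changed with `-n`) and needs `-e l` to find 16-bit little-endian text. As an added example, not from the lecture, the Python below reimplements both scans and runs them over a constructed blob holding one ordinary ASCII literal and one wide-character literal, so the second shows up only in the 16-bit scan.

```python
"""Minimal `strings`: report runs of printable characters in a binary."""
import re
import sys


def find_strings(data: bytes, min_len: int = 4, encoding: str = "s") -> list[str]:
    """Return printable runs of at least min_len characters.

    encoding "s": single 7-bit bytes (GNU strings' default scan);
    encoding "l": 16-bit little-endian characters (GNU strings -e l), which is
    how wide-character literals such as UTF-16 text appear inside a binary.
    Simplification: the 16-bit scan is attempted at every byte offset.
    """
    printable = rb"[\x20-\x7e\t]"  # graphic ASCII plus space and tab
    if encoding == "s":
        pattern, codec = printable + rb"{%d,}" % min_len, "ascii"
    elif encoding == "l":
        pattern, codec = rb"(?:" + printable + rb"\x00){%d,}" % min_len, "utf-16-le"
    else:
        raise ValueError("encoding must be 's' (single byte) or 'l' (16-bit LE)")
    return [m.decode(codec) for m in re.findall(pattern, data)]


# Constructed sample blob standing in for a small binary (not a real crackme):
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9                  # ELF-style magic: "ELF" is too short
    + b"Enter password:\x00\x00"                          # ordinary char* literal
    + "w1d3_ch4rs".encode("utf-16-le") + b"\x00\x00"      # wide literal, invisible to the 's' scan
    + b"ab\x00"                                           # below the minimum length
)


def strings_from_file(path: str, min_len: int = 4, encoding: str = "s") -> list[str]:
    """File-based wrapper that behaves like `strings -n MIN -e ENC FILE`."""
    with open(path, "rb") as f:
        return find_strings(f.read(), min_len, encoding)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for enc in ("s", "l"):
        print(f"-e {enc}:", find_strings(blob, encoding=enc))
```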
File Formats on Disk
• Linux:
  – ELF-Walkthrough.png
  – readelf
• Windows:
  – PE-Layout.jpg
  – Peview.exe
• For unknown files / binaries:
  – file
Hashing
• Do we have the same file?
  – md5sum
• Upload hash to virustotal.com
• Google search hash
• Fuzzy hashing:
  – ssdeep -b original.elf > hash.txt
  – ssdeep -bm hash.txt modified.elf
Command Line Disassembly
• crackme0x01
• objdump -d
• Convert hex to decimal:
  – echo $((0xDEADBEEF))
Patching Binaries
• It's your binary, you can patch it if you want to
• objdump -d crackme0x00a | grep -A 30 '<main>'
• wxHexEditor-->Edit-->Find
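The addresses in `objdump -d` output are virtual addresses, while a hex editor's Find and patch work on file offsets; the ELF program headers (the table `readelf -l` prints) supply the mapping between the two. As an added example that is not part of the lecture, this Python script parses an ELF64 header and its PT_LOAD segments and translates a virtual address into the file offset to edit; the sample ELF it runs on is constructed inline (headers only, no real code).

```python
"""Translate an objdump virtual address into the file offset a hex editor needs."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1


def parse_elf64(data: bytes) -> dict:
    """Read the ELF64 header and collect PT_LOAD segments (little-endian only)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    segments = []
    for i in range(e_phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_offset, p_filesz, p_flags))
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "segments": segments}


def vaddr_to_offset(elf: dict, vaddr: int) -> int:
    """File offset of the bytes mapped at vaddr; ValueError if not file-backed."""
    for p_vaddr, p_offset, p_filesz, _ in elf["segments"]:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not backed by bytes in the file")


def build_sample_elf() -> bytes:
    """Constructed sample: x86-64 ELF header plus one R+X PT_LOAD segment, no code."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8        # 64-bit, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0x400540,             # ET_EXEC, EM_X86_64, entry
                               64, 0, 0, 64, 56, 1, 64, 0, 0)  # phoff=64, one 56-byte phdr
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5,                # p_flags 5 = R+X
                       0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    return ehdr + phdr


if __name__ == "__main__":
    elf = parse_elf64(build_sample_elf())
    entry_off = vaddr_to_offset(elf, elf["entry"])
    print(f"entry {elf['entry']:#x} is at file offset {entry_off:#x}")
```

Run it on a real binary by replacing `build_sample_elf()` with the file's bytes; the offset it returns is the one to search for in wxHexEditor.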
External Diffing
• Original + modified = HUGE advantage
• wxHexEditor-->Tools-->compare files
Disassembly
• objdump -d
• IDA Pro.exe
• Challenges:
  – crackme0x01
  – crackme0x02
IDA Pro
• IDA Pro.exe
• crackme0x04
IDA Basics
• Change between basic and graphic mode (space bar)
• Rename variables: (n)
• Comment
  – Side: (:), (;)
  – Above/below: (ins)
• Convert const formats: (right-click)
• Cross-reference: (x)
• Change to array: (a)
• IDA->Windows->Reset desktop
• IDA->Options->General->auto comment
• IDA->Options->General->opcode bytes 8
https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf
The Stack
Figure: foo(a, b, c); being called – the arguments are pushed, then EIP (the return address), then EBP, into stack slots 0x03–0x07, with ESP and EBP marked.
The animations on this slide will only work in the .pptx of this lecture
Stack
Figure: stack slots 0x00–0x07 after the call to foo(a, b, c), listed from top to bottom: c, b, a, Old EIP, Old EBP, x, y, z. EBP marks the saved (Old) EBP and ESP marks the top of the stack.
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources
IDA Pro
• IDA_Pro_Shortcuts.pdf
• The book on IDA
• IDA Syntax Highlighting:
  – http://practicalmalwareanalysis.com/2012/03/25/decorating-your-disassembly/
Additional Resources
• Corkami.com – diagrams of file structures and other interesting trivia
• Crackmes.de – "Reverser's Playground"
• Subreddits
  – reddit.com/r/reverseengineering
  – reddit.com/r/netsec
  – reddit.com/r/uic
• http://www.bottomupcs.com – Systems background