Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TDOH 南區 WorkShop 2016 Reversing on Windows

229b1596ce57cd0935a2bacd410d87a0?s=47 adr
October 01, 2016

TDOH 南區 WorkShop 2016 Reversing on Windows

Reversing about PE (portable-executable) and cracking on Windows for education.

229b1596ce57cd0935a2bacd410d87a0?s=128

adr

October 01, 2016
Tweet

More Decks by adr

Other Decks in Technology

Transcript

  1. aaaddress1 at The Declaration of Hacker (TDOH) Reversing On WINDOWS

  2. aaaddress1 at The Declaration of Hacker (TDOH) Who Am I

  3. aaaddress1 at The Declaration of Hacker (TDOH) ⾺聖豪 (aaaddress1, aka

    adr) 義守⼤學資訊⼯程三年級 Reverse Engineering, Pwn C/C++, C#, x86, Node.js Blog: Adr.Horse, 30cm.tw Speaker ✓ HITCON 2015 ✓ SITCON 2016 ✓ Besides Las Vegas 2016 ✓ TDOHxNTSTU Security Lecture Reversing Windows Pwn
  4. aaaddress1 at The Declaration of Hacker (TDOH) MapleHack CrackShield Tower

    Of Savior Hack Adr’s FB Isu.30cm.tw AIDS PykemonGo, MadPocket My Little Ransomware
  5. aaaddress1 at The Declaration of Hacker (TDOH) introduction

  6. aaaddress1 at The Declaration of Hacker (TDOH) 這是⼀一場屬於⼯工具⼈人 C/C++ 的開發⾃自我修養

  7. aaaddress1 at The Declaration of Hacker (TDOH) 今天務必保持清醒!

  8. aaaddress1 at The Declaration of Hacker (TDOH) 此議程內容需要⼤大量量艱深 C/C++ 開發底⼦子

    如有任何問題請立即舉⼿手 break; 我!
  9. aaaddress1 at The Declaration of Hacker (TDOH) Trial https://goo.gl/ky7SsW Slide

    https://goo.gl/HBLtkm
  10. aaaddress1 at The Declaration of Hacker (TDOH) Outline

  11. aaaddress1 at The Declaration of Hacker (TDOH) Requirement ✓IDA (Pro)

    ✓OllyDbg ✓Cheat Engine ✓Windows7 x86 ✓Dev C++
  12. aaaddress1 at The Declaration of Hacker (TDOH) Windows PE &

    Process ✓Have fun in PE structure ✓Import Address Table (IAT) ✓ImageBase & Find the entry
  13. aaaddress1 at The Declaration of Hacker (TDOH) Assembly ✓sizeof( variable

    ) ✓eax, ebx, ecx, edx, etc ✓add, sub, inc, dec ✓xor ✓Flag & Branch ✓Loop ✓x86 Calling Convention Function Call esp & ebp
  14. aaaddress1 at The Declaration of Hacker (TDOH) Analyzer ✓IDA (Pro)

    PE, IAT, EAT Strings List Flow Chart Function & Variable Anti-Trace ✓OllyDbg Create Process & Attach Hook & Trace ✓Cheat Engine Create Process & Attach Memory Scan for data Hook & Trace
  15. aaaddress1 at The Declaration of Hacker (TDOH) Bonus ✓IDA Dynamic

    Analysis ✓Patch Executable file patch Dynamic Patch ✓Cheat Engine PE View ✓Assembly & Special
  16. aaaddress1 at The Declaration of Hacker (TDOH) Portable Executable

  17. aaaddress1 at The Declaration of Hacker (TDOH)

  18. aaaddress1 at The Declaration of Hacker (TDOH) Return 0 for

    what?
  19. aaaddress1 at The Declaration of Hacker (TDOH) View → Open

    subviews → Proximity browser IDA
  20. aaaddress1 at The Declaration of Hacker (TDOH) IDA

  21. aaaddress1 at The Declaration of Hacker (TDOH) IDA

  22. aaaddress1 at The Declaration of Hacker (TDOH) IDA The return

    value of main function is the ‘Exit Status’
  23. aaaddress1 at The Declaration of Hacker (TDOH) IDA PE Loader

    will find ‘_start’ function from Exports Address Table (EAT) View → Open subviews → Exports
  24. aaaddress1 at The Declaration of Hacker (TDOH) Is it true?

    Nope, Not at all. It will take too much time to search.
  25. aaaddress1 at The Declaration of Hacker (TDOH) Wiki

  26. aaaddress1 at The Declaration of Hacker (TDOH) Wiki

  27. aaaddress1 at The Declaration of Hacker (TDOH) Wiki The head

    of PE file is DOS header, and that starts with sginature 0x5A4D
  28. aaaddress1 at The Declaration of Hacker (TDOH) Wiki That’s why

    it’s also called DOS-MZ
  29. aaaddress1 at The Declaration of Hacker (TDOH) Wiki And (DOS

    Header + 0x3C) stores the offset of NT Header
  30. aaaddress1 at The Declaration of Hacker (TDOH) Wiki This is

    the real header of PE
  31. aaaddress1 at The Declaration of Hacker (TDOH) Wiki (NT Header

    + 0x028) stores the offset of the first entry function that as known as ‘start’ function.
  32. aaaddress1 at The Declaration of Hacker (TDOH) Wiki (NT Header

    + 0x034) stores the offset of the PE file loaded at where in memory e.g. 0x400000
  33. aaaddress1 at The Declaration of Hacker (TDOH) CE Right click

    → ‘Go to address’ → Input ‘main.exe’ You will find the main.exe loaded at 0x400000 MZ
  34. aaaddress1 at The Declaration of Hacker (TDOH) CE 0x0000110b +

    0x400000 = 0x40110b That’s the same as the address in IDA
  35. aaaddress1 at The Declaration of Hacker (TDOH) If you understand

    the whole PE structure, you can make a great PE packer :P
  36. aaaddress1 at The Declaration of Hacker (TDOH) IMPORT ADDRESS TABLE

  37. aaaddress1 at The Declaration of Hacker (TDOH) View → Open

    subviews → Imports IDA IAT stores all API program calls
  38. aaaddress1 at The Declaration of Hacker (TDOH) Double Click &

    Show the API detail at IAT IDA
  39. aaaddress1 at The Declaration of Hacker (TDOH) Strings List

  40. aaaddress1 at The Declaration of Hacker (TDOH) View → Open

    subviews → Strings IDA
  41. aaaddress1 at The Declaration of Hacker (TDOH) IDA

  42. aaaddress1 at The Declaration of Hacker (TDOH) Assembly: Data

  43. aaaddress1 at The Declaration of Hacker (TDOH) C Data Type

  44. aaaddress1 at The Declaration of Hacker (TDOH) Program counter

  45. aaaddress1 at The Declaration of Hacker (TDOH) Stack Pointer

  46. aaaddress1 at The Declaration of Hacker (TDOH) Base Pointer

  47. aaaddress1 at The Declaration of Hacker (TDOH) Byte Byte Byte

    Byte EAX = 4Byte = int = long Register Type
  48. aaaddress1 at The Declaration of Hacker (TDOH) Byte Byte Byte

    Byte AX = 2 Byte = Short Register Type
  49. aaaddress1 at The Declaration of Hacker (TDOH) Byte Byte Byte

    Byte AH = 1 Byte = Char Register Type
  50. aaaddress1 at The Declaration of Hacker (TDOH) Byte Byte Byte

    Byte AL = 1 Byte = Char Register Type
  51. aaaddress1 at The Declaration of Hacker (TDOH) Assembly: Opcode

  52. aaaddress1 at The Declaration of Hacker (TDOH) Nop (0x90) →

    Nothing to do.
  53. aaaddress1 at The Declaration of Hacker (TDOH) Mov dest,source →

    dest = source Mov dest, [source] → source = value of dest
  54. aaaddress1 at The Declaration of Hacker (TDOH)

  55. aaaddress1 at The Declaration of Hacker (TDOH)

  56. aaaddress1 at The Declaration of Hacker (TDOH) Add dest,source →

    dest += source Add dest, [source] → dest += value of source
  57. aaaddress1 at The Declaration of Hacker (TDOH) Sub dest, source

    → dest -= source Sub dest, [source] → dest -= value of source
  58. aaaddress1 at The Declaration of Hacker (TDOH) Inc dest →

    dest ++ Inc [dest] → (value of dest)++
  59. aaaddress1 at The Declaration of Hacker (TDOH) Dec dest →

    dest -- Dec [dest] → (value of dest)--
  60. aaaddress1 at The Declaration of Hacker (TDOH) Cmp [source], value

    //Compare *(long*)source with value Je blockOne // Jump to blockOne if they’re equal Jl blockTwo // Jump to blockTwo if [source] less than value Jg blockThree // Jump to blockThree if [source] greater than value
  61. aaaddress1 at The Declaration of Hacker (TDOH) Cmp [source], value

    //Compare *(long*)source with value Jne blockOne // Jump to blockOne if they’re not equal Jnl blockTwo // Jump to blockTwo if [source] not less than value Jng blockThree // Jump to blockThree if [source] not greater than value
  62. aaaddress1 at The Declaration of Hacker (TDOH) Test [source], value

    //Compare *(long*)source with value Jz blockOne // Jump to blockOne if ([source] - value) is zero Ja blockTwo // Jump to blockTwo if ([source] - value) is above zero Jb blockThree // Jump to blockThree if ([source] - value) is below zero
  63. aaaddress1 at The Declaration of Hacker (TDOH) Test v.s. Cmp

    Using Cmp & Jl/Je/Jg If source & dest are signed number Using Test & Jb/Jz/Ja If source & dest are unsigned
  64. aaaddress1 at The Declaration of Hacker (TDOH) Jmp near +0x200

    → EIP = EIP + 0x200
  65. aaaddress1 at The Declaration of Hacker (TDOH) Jmp long 0x400000

    → EIP = 0x400000
  66. aaaddress1 at The Declaration of Hacker (TDOH) Ret → EIP

    = [ESP+0] & pop [ESP+0]
  67. aaaddress1 at The Declaration of Hacker (TDOH) Ret 0x0C →

    pop 0x0C bytes from stack, i.e. ESP += 0x0C 
 → EIP = [ESP+0] & pop [ESP+0]
  68. aaaddress1 at The Declaration of Hacker (TDOH) Xor dest, source

    → mov dest, ‘A’ //0x41 → xor dest, 0x20 //dest is ‘a’(0x61) now
  69. aaaddress1 at The Declaration of Hacker (TDOH) Xor dest, source

    → mov dest, ‘a’ //0x61 → xor dest, 0x20 //dest is ‘A’(0x41) now
  70. aaaddress1 at The Declaration of Hacker (TDOH) 0100 0001 ‘A’(0x41)

    0x20 0010 0000 Xor ‘a’(0x61) 0110 0001
  71. aaaddress1 at The Declaration of Hacker (TDOH) Assembly: Function Call

  72. aaaddress1 at The Declaration of Hacker (TDOH)

  73. aaaddress1 at The Declaration of Hacker (TDOH)

  74. aaaddress1 at The Declaration of Hacker (TDOH)

  75. aaaddress1 at The Declaration of Hacker (TDOH)

  76. aaaddress1 at The Declaration of Hacker (TDOH)

  77. aaaddress1 at The Declaration of Hacker (TDOH) void Func() {

    int A = 0; Int B = 1; Int C = 2; } [EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2 push EBP mov EBP,ESP sub ESP, LEN
  78. aaaddress1 at The Declaration of Hacker (TDOH) void Func() {

    nFunc(ARG1,ARG2,ARG3…); } push ebb mov ebp,esp . . push arg3 push arg2 push arg1 call nFunc
  79. aaaddress1 at The Declaration of Hacker (TDOH)

  80. aaaddress1 at The Declaration of Hacker (TDOH)

  81. aaaddress1 at The Declaration of Hacker (TDOH)

  82. aaaddress1 at The Declaration of Hacker (TDOH)

  83. aaaddress1 at The Declaration of Hacker (TDOH) [EBP+0 ] =

    Pointer to old EBP [EBP+4 ] = Return Address [EBP+8 ] = Parameter 1 [EBP+C] = Parameter 2 [EBP+10]= Parameter 3 …etc
  84. aaaddress1 at The Declaration of Hacker (TDOH) Assembly: Calling Convention

  85. aaaddress1 at The Declaration of Hacker (TDOH) Stack ESP +

    0 ESP + 4 ESP + 8 ESP + C ESP + 10 ESP + 14
  86. aaaddress1 at The Declaration of Hacker (TDOH) Stack ESP +

    0 Old EBP ESP + 4 ESP + 8 ESP + C ESP + 10 ESP + 14 _______EIP
  87. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP +

    0 =ESP Old EBP EBP + 4 EBP + 8 EBP + C EBP + 10 EBP + 14 _______EIP
  88. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP Buffer EBP - 4 Buffer EBP + 0 Old EBP EBP + 4 EBP + 8 EBP + C _______EIP
  89. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP 1 EBP - 4 Buffer EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP
  90. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP return Address EBP - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP
  91. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP return Address EBP - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  92. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP Old EBP EBP - 4 return Address EBP + 0 1 EBP + 4 Buffer EBP + 8 Buffer EBP + C Old EBP _______EIP
  93. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP +

    0 =ESP Old EBP EBP + 4 return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP
  94. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP +

    0 =ESP Old EBP EBP + 4 return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP
  95. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP return Address EBP - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP
  96. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP return Address EBP - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP
  97. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    8 =ESP 1 EBP - 4 Buffer EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP
  98. aaaddress1 at The Declaration of Hacker (TDOH) Stack EBP -

    4 =ESP Buffer EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C EBP + 10 _______EIP
  99. aaaddress1 at The Declaration of Hacker (TDOH) x86 Disassembly &

    Calling Conventions
  100. aaaddress1 at The Declaration of Hacker (TDOH) It’s time to

    talk about each register meanings and their functions used for.
  101. aaaddress1 at The Declaration of Hacker (TDOH) I collect the

    simple parts from wiki, and they’re real useful for reversing. read more: x86 Disassembly/Calling Conventions
  102. aaaddress1 at The Declaration of Hacker (TDOH)

  103. aaaddress1 at The Declaration of Hacker (TDOH) CDECL

  104. aaaddress1 at The Declaration of Hacker (TDOH)

  105. aaaddress1 at The Declaration of Hacker (TDOH) STDCALL

  106. aaaddress1 at The Declaration of Hacker (TDOH)

  107. aaaddress1 at The Declaration of Hacker (TDOH) FASTCALL

  108. aaaddress1 at The Declaration of Hacker (TDOH)

  109. aaaddress1 at The Declaration of Hacker (TDOH) C++ THISCALL

  110. aaaddress1 at The Declaration of Hacker (TDOH) DEBUGGing

  111. aaaddress1 at The Declaration of Hacker (TDOH) Debug: Ollydbg

  112. aaaddress1 at The Declaration of Hacker (TDOH) Debug: Cheat Engine

  113. aaaddress1 at The Declaration of Hacker (TDOH) Debug: IDA Pro

  114. aaaddress1 at The Declaration of Hacker (TDOH) Trial: TDOH Hello

    World
  115. aaaddress1 at The Declaration of Hacker (TDOH) Play the game

    & Find the flag :P
  116. aaaddress1 at The Declaration of Hacker (TDOH) Game Time

  117. aaaddress1 at The Declaration of Hacker (TDOH)

  118. aaaddress1 at The Declaration of Hacker (TDOH) IDA

  119. aaaddress1 at The Declaration of Hacker (TDOH) IDA

  120. aaaddress1 at The Declaration of Hacker (TDOH) Live Demo IDA,

    CE, Olly
  121. aaaddress1 at The Declaration of Hacker (TDOH) ‘Generate Pseudocode(F5)’ of

    IDA Pro might lose something important in assembly for accessible reading. It’s important to use debugger and trace opcode of every step. IDA
  122. aaaddress1 at The Declaration of Hacker (TDOH) Trial: Lucky Day

  123. aaaddress1 at The Declaration of Hacker (TDOH) Game Time

  124. aaaddress1 at The Declaration of Hacker (TDOH)

  125. aaaddress1 at The Declaration of Hacker (TDOH)

  126. aaaddress1 at The Declaration of Hacker (TDOH)

  127. aaaddress1 at The Declaration of Hacker (TDOH)

  128. aaaddress1 at The Declaration of Hacker (TDOH) TDOH{Debug_is_Fun!}

  129. aaaddress1 at The Declaration of Hacker (TDOH)

  130. aaaddress1 at The Declaration of Hacker (TDOH) Live Demo IDA,

    CE, Olly
  131. aaaddress1 at The Declaration of Hacker (TDOH) Game Time 清华⽹网络安全技术协会

  132. aaaddress1 at The Declaration of Hacker (TDOH)

  133. aaaddress1 at The Declaration of Hacker (TDOH) Game Time

  134. aaaddress1 at The Declaration of Hacker (TDOH)

  135. aaaddress1 at The Declaration of Hacker (TDOH)

  136. aaaddress1 at The Declaration of Hacker (TDOH)

  137. aaaddress1 at The Declaration of Hacker (TDOH)

  138. aaaddress1 at The Declaration of Hacker (TDOH)

  139. aaaddress1 at The Declaration of Hacker (TDOH)

  140. aaaddress1 at The Declaration of Hacker (TDOH)

  141. aaaddress1 at The Declaration of Hacker (TDOH)

  142. aaaddress1 at The Declaration of Hacker (TDOH) Live Demo IDA,

    CE, Olly
  143. aaaddress1 at The Declaration of Hacker (TDOH) GAME TIme AIS3

    2016 Final Binary 1
  144. aaaddress1 at The Declaration of Hacker (TDOH) Game Time

  145. aaaddress1 at The Declaration of Hacker (TDOH) Using ‘Strings Window’

    to figure out the format string of printf and double click for detail.
  146. aaaddress1 at The Declaration of Hacker (TDOH) Click the xref

    and follow
  147. aaaddress1 at The Declaration of Hacker (TDOH)

  148. aaaddress1 at The Declaration of Hacker (TDOH) Just check every

    char of the input is lower case
  149. aaaddress1 at The Declaration of Hacker (TDOH)

  150. aaaddress1 at The Declaration of Hacker (TDOH) RC4 but a

    little diffrent. I will take this function into three parts for you understanding well.
  151. aaaddress1 at The Declaration of Hacker (TDOH)

  152. aaaddress1 at The Declaration of Hacker (TDOH)

  153. aaaddress1 at The Declaration of Hacker (TDOH)

  154. aaaddress1 at The Declaration of Hacker (TDOH) If the result

    after RC4 cipher is the same as input, that will be the really key.
  155. aaaddress1 at The Declaration of Hacker (TDOH)

  156. aaaddress1 at The Declaration of Hacker (TDOH) Live Demo IDA,

    CE, Olly
  157. aaaddress1 at The Declaration of Hacker (TDOH) Game TIme 特訓99

  158. aaaddress1 at The Declaration of Hacker (TDOH)

  159. aaaddress1 at The Declaration of Hacker (TDOH) I prepare the

    same one but patched. If you can set bullet count to zero, the game will give you flag.
  160. aaaddress1 at The Declaration of Hacker (TDOH) Game Time

  161. aaaddress1 at The Declaration of Hacker (TDOH)

  162. aaaddress1 at The Declaration of Hacker (TDOH)

  163. aaaddress1 at The Declaration of Hacker (TDOH)

  164. aaaddress1 at The Declaration of Hacker (TDOH) Live Demo IDA,

    CE, Olly
  165. aaaddress1 at The Declaration of Hacker (TDOH) Game Time CrackMe#1

    [UBC] by bRaINbuSY
  166. aaaddress1 at The Declaration of Hacker (TDOH) Game Time

  167. aaaddress1 at The Declaration of Hacker (TDOH)

  168. aaaddress1 at The Declaration of Hacker (TDOH) We don’t care

    those, that don’t make any effect on the checking Here is used for SEH ExceptionList but it’s not the point
  169. aaaddress1 at The Declaration of Hacker (TDOH) We can make

    it simple like this.
  170. aaaddress1 at The Declaration of Hacker (TDOH) We should figure

    how to get this value ( you can debug and get this without doubt, but it’s import to know how it works for creating a keygen)
  171. aaaddress1 at The Declaration of Hacker (TDOH)

  172. aaaddress1 at The Declaration of Hacker (TDOH)

  173. aaaddress1 at The Declaration of Hacker (TDOH)

  174. aaaddress1 at The Declaration of Hacker (TDOH)

  175. aaaddress1 at The Declaration of Hacker (TDOH) Live Demo IDA,

    CE, Olly
  176. aaaddress1 at The Declaration of Hacker (TDOH) Q&A aaaddress1@gmail.com