TDOH 南區 WorkShop 2016 Reversing on Windows

adr
October 01, 2016

Reversing about PE (portable-executable) and cracking on Windows for education.

Transcript

  1. aaaddress1 at The Declaration of Hacker (TDOH). 馬聖豪 (aaaddress1, aka adr), third-year student of Computer Science and Information Engineering at I-Shou University. Reverse Engineering, Pwn; C/C++, C#, x86, Node.js. Blog: Adr.Horse, 30cm.tw. Speaker: HITCON 2015, SITCON 2016, BSides Las Vegas 2016, TDOHxNTSTU Security Lecture (Reversing, Windows, Pwn).
  2. Projects: MapleHack, CrackShield, Tower Of Savior Hack, Adr’s FB, Isu.30cm.tw, AIDS, PykemonGo, MadPocket, My Little Ransomware.
  3. Requirements: IDA (Pro), OllyDbg, Cheat Engine, Windows 7 x86, Dev C++.
  4. Windows PE & Process: have fun in the PE structure; Import Address Table (IAT); ImageBase & finding the entry.
  5. Assembly: sizeof(variable); eax, ebx, ecx, edx, etc.; add, sub, inc, dec; xor; flags & branches; loops; x86 calling convention (function call, esp & ebp).
  6. Analyzers. IDA (Pro): PE, IAT, EAT; strings list; flow chart; functions & variables; anti-trace. OllyDbg: create process & attach; hook & trace. Cheat Engine: create process & attach; memory scan for data; hook & trace.
  7. Bonus: IDA dynamic analysis; patching (executable file patch, dynamic patch); Cheat Engine PE view; assembly & special cases.
  8. IDA: the return value of the main function is the ‘exit status’.
  9. IDA: the PE loader will find the ‘_start’ function from the Export Address Table (EAT). View → Open subviews → Exports.
  10. Is it true? Nope, not at all. It would take too much time to search.
  11. Wiki: the head of a PE file is the DOS header, which starts with the signature 0x5A4D.
  12. Wiki: (DOS Header + 0x3C) stores the offset of the NT header.
  13. Wiki: (NT Header + 0x028) stores the offset of the first entry function, also known as the ‘start’ function.
  14. Wiki: (NT Header + 0x034) stores the address where the PE file is loaded in memory, e.g. 0x400000.
  15. CE: right click → ‘Go to address’ → input ‘main.exe’. You will find main.exe loaded at 0x400000 (MZ).
  16. CE: 0x0000110b + 0x400000 = 0x40110b. That’s the same as the address in IDA.
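The header walk from slides 11 to 16 (MZ → e_lfanew → NT header → entry RVA and ImageBase), as an added example that is not part of the deck: it parses the fields by offset and reproduces the 0x110b + 0x400000 = 0x40110b sum. The sample image is constructed inline with the slides' values and is not a real executable; the field offsets are the documented PE32 layout.

```python
import struct
import sys

# Offsets from the slides: DOS header + 0x3C -> e_lfanew; from the NT header,
# +0x18 Magic, +0x28 AddressOfEntryPoint, +0x34 ImageBase (PE32 layout).
E_LFANEW_OFFSET = 0x3C
OPT_MAGIC = 0x18
ENTRY_POINT = 0x28
IMAGE_BASE = 0x34

def parse_pe_headers(image: bytes) -> dict:
    """Walk the header chain and return the fields a reverser looks for first."""
    if image[:2] != b"MZ":  # DOS signature 0x5A4D, stored little-endian as "MZ"
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    magic = struct.unpack_from("<H", image, e_lfanew + OPT_MAGIC)[0]
    if magic != 0x10B:  # 0x10B = PE32; PE32+ (0x20B) stores ImageBase as 64 bits
        raise ValueError("not a PE32 image: magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", image, e_lfanew + ENTRY_POINT)[0]
    image_base = struct.unpack_from("<I", image, e_lfanew + IMAGE_BASE)[0]
    return {
        "e_lfanew": e_lfanew,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "entry_va": image_base + entry_rva,  # the address IDA and Cheat Engine show
    }

def build_sample_image() -> bytes:
    """Constructed header-only image with the slides' values; not a runnable EXE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)  # NT header at file offset 0x80
    nt = bytearray(0x18 + 0xE0)  # signature + file header + PE32 optional header
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 0x04, 0x14C)  # Machine: i386
    struct.pack_into("<H", nt, 0x14, 0xE0)   # SizeOfOptionalHeader
    struct.pack_into("<H", nt, OPT_MAGIC, 0x10B)
    struct.pack_into("<I", nt, ENTRY_POINT, 0x110B)
    struct.pack_into("<I", nt, IMAGE_BASE, 0x400000)
    return bytes(dos) + bytes(0x80 - len(dos)) + bytes(nt)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    info = parse_pe_headers(data)
    print("entry RVA 0x%X + ImageBase 0x%X = 0x%X"
          % (info["entry_rva"], info["image_base"], info["entry_va"]))
```

Run it with a path to a 32-bit EXE to compare the printed entry address with what IDA shows after loading.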
  17. If you understand the whole PE structure, you can make a great PE packer :P
  18. IDA: View → Open subviews → Imports. The IAT stores all the APIs the program calls.
  19. Register types: Byte Byte Byte Byte → EAX = 4 bytes = int = long.
  20. Register types: Byte Byte → AX = 2 bytes = short.
  21. Mov dest, source → dest = source. Mov dest, [source] → dest = value of source.
  22. Add dest, source → dest += source. Add dest, [source] → dest += value of source.
  23. Sub dest, source → dest -= source. Sub dest, [source] → dest -= value of source.
  24. Inc dest → dest++. Inc [dest] → (value of dest)++.
  25. Dec dest → dest--. Dec [dest] → (value of dest)--.
  26. Cmp [source], value // compare *(long*)source with value. Je blockOne // jump to blockOne if they’re equal. Jl blockTwo // jump to blockTwo if [source] is less than value. Jg blockThree // jump to blockThree if [source] is greater than value.
  27. Cmp [source], value // compare *(long*)source with value. Jne blockOne // jump to blockOne if they’re not equal. Jnl blockTwo // jump to blockTwo if [source] is not less than value. Jng blockThree // jump to blockThree if [source] is not greater than value.
  28. Test [source], value // compare *(long*)source with value. Jz blockOne // jump to blockOne if ([source] - value) is zero. Ja blockTwo // jump to blockTwo if ([source] - value) is above zero. Jb blockThree // jump to blockThree if ([source] - value) is below zero.
  29. Test vs. Cmp: use Cmp & Jl/Je/Jg if source & dest are signed numbers; use Test & Jb/Jz/Ja if source & dest are unsigned.
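The signed/unsigned distinction behind slides 26 to 29, as an added example (not from the deck): it models the EFLAGS that CMP (dest - src) and TEST (dest & src) produce on 32-bit operands, then evaluates the Jcc conditions exactly as the Intel manual defines them, so you can see the same bit pattern 0xFFFFFFFF take the Jl branch as -1 but the Ja branch as 4294967295. The operand values are constructed for the demonstration.

```python
MASK = 0xFFFFFFFF

def flags_after_cmp(dest: int, src: int) -> dict:
    """CMP dest, src computes dest - src on 32-bit operands and keeps only the flags."""
    dest &= MASK
    src &= MASK
    result = (dest - src) & MASK
    return {
        "ZF": result == 0,                 # operands equal
        "CF": dest < src,                  # unsigned borrow: dest is below src
        "SF": result >> 31 == 1,           # result negative as a signed number
        "OF": ((dest ^ src) & (dest ^ result)) >> 31 == 1,  # signed overflow
    }

def flags_after_test(dest: int, src: int) -> dict:
    """TEST dest, src computes dest & src; CF and OF are always cleared."""
    result = dest & src & MASK
    return {"ZF": result == 0, "CF": False, "SF": result >> 31 == 1, "OF": False}

# Condition each jump checks (Jcc): signed jumps read SF/OF, unsigned jumps read CF.
JUMPS = {
    "je":  lambda f: f["ZF"],
    "jz":  lambda f: f["ZF"],
    "jne": lambda f: not f["ZF"],
    "jl":  lambda f: f["SF"] != f["OF"],                  # signed less
    "jg":  lambda f: not f["ZF"] and f["SF"] == f["OF"],  # signed greater
    "jnl": lambda f: f["SF"] == f["OF"],
    "jng": lambda f: f["ZF"] or f["SF"] != f["OF"],
    "jb":  lambda f: f["CF"],                             # unsigned below
    "ja":  lambda f: not f["CF"] and not f["ZF"],         # unsigned above
}

def taken(jump: str, flags: dict) -> bool:
    """True if the conditional jump would be followed with these flags."""
    return JUMPS[jump](flags)

def compare_both_ways(dest: int, src: int) -> dict:
    """Which of the slides' branches fire after CMP dest, src."""
    f = flags_after_cmp(dest, src)
    return {name: taken(name, f) for name in ("je", "jl", "jg", "jb", "ja")}

if __name__ == "__main__":
    # 0xFFFFFFFF is -1 when signed, 4294967295 when unsigned: Jl and Ja both fire.
    print(compare_both_ways(0xFFFFFFFF, 1))
    print(compare_both_ways(1, 0xFFFFFFFF))
```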
  30. Ret 0x0C → pop 0x0C bytes from the stack, i.e. ESP += 0x0C → EIP = [ESP+0] & pop [ESP+0].
  31. Xor dest, source → mov dest, ‘A’ //0x41 → xor dest, 0x20 //dest is ‘a’ (0x61) now.
  32. Xor dest, source → mov dest, ‘a’ //0x61 → xor dest, 0x20 //dest is ‘A’ (0x41) now.
  33. void Func() { int A = 0; int B = 1; int C = 2; } → [EBP-4] = 0, [EBP-8] = 1, [EBP-C] = 2. Prologue: push EBP; mov EBP, ESP; sub ESP, LEN.
  34. void Func() { nFunc(ARG1, ARG2, ARG3…); } → push ebp; mov ebp, esp; …; push arg3; push arg2; push arg1; call nFunc.
  35. [EBP+0] = pointer to old EBP; [EBP+4] = return address; [EBP+8] = parameter 1; [EBP+C] = parameter 2; [EBP+10] = parameter 3; …etc.
  36. Stack: ESP+0 | ESP+4 | ESP+8 | ESP+C | ESP+10 | ESP+14.
  37. Stack: ESP+0 Old EBP | ESP+4 | ESP+8 | ESP+C | ESP+10 | ESP+14. (EIP marker)
  38. Stack: EBP+0 (=ESP) Old EBP | EBP+4 | EBP+8 | EBP+C | EBP+10 | EBP+14. (EIP marker)
  39. Stack: EBP-8 (=ESP) Buffer | EBP-4 Buffer | EBP+0 Old EBP | EBP+4 | EBP+8 | EBP+C. (EIP marker)
  40. Stack: EBP-8 (=ESP) 1 | EBP-4 Buffer | EBP+0 Buffer | EBP+4 Old EBP | EBP+8 | EBP+C. (EIP marker)
  41. Stack: EBP-8 (=ESP) return address | EBP-4 1 | EBP+0 Buffer | EBP+4 Buffer | EBP+8 Old EBP | EBP+C. (EIP marker)
  42. Stack: EBP-8 (=ESP) return address | EBP-4 1 | EBP+0 Buffer | EBP+4 Buffer | EBP+8 Old EBP | EBP+C.
  43. Stack: EBP-8 (=ESP) Old EBP | EBP-4 return address | EBP+0 1 | EBP+4 Buffer | EBP+8 Buffer | EBP+C Old EBP. (EIP marker)
  44. Stack: EBP+0 (=ESP) Old EBP | EBP+4 return address | EBP+8 1 | EBP+C Buffer | EBP+10 Buffer | EBP+14 Old EBP. (EIP marker)
  45. Stack: EBP+0 (=ESP) Old EBP | EBP+4 return address | EBP+8 1 | EBP+C Buffer | EBP+10 Buffer | EBP+14 Old EBP. (EIP marker)
  46. Stack: EBP-8 (=ESP) return address | EBP-4 1 | EBP+0 Buffer | EBP+4 Buffer | EBP+8 Old EBP | EBP+C. (EIP marker)
  47. Stack: EBP-8 (=ESP) return address | EBP-4 1 | EBP+0 Buffer | EBP+4 Buffer | EBP+8 Old EBP | EBP+C. (EIP marker)
  48. Stack: EBP-8 (=ESP) 1 | EBP-4 Buffer | EBP+0 Buffer | EBP+4 Old EBP | EBP+8 | EBP+C. (EIP marker)
  49. Stack: EBP-4 (=ESP) Buffer | EBP+0 Buffer | EBP+4 Old EBP | EBP+8 | EBP+C | EBP+10. (EIP marker)
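The frame layout walked on slides 33 to 49, as an added example that is not part of the deck: a tiny stack model that executes push arg3/arg2/arg1, call nFunc, the push ebp / mov ebp, esp / sub esp prologue, the A, B, C locals, and finally ret 0x0C (modelled as pop EIP, then ESP += 0x0C, which is the order the instruction actually uses), and reports what sits at each EBP offset. Register values and code addresses are constructed for the demonstration.

```python
MASK = 0xFFFFFFFF

class Stack32:
    """Minimal x86 stack model: 4-byte slots, grows toward lower addresses."""
    def __init__(self, esp: int = 0x0019FF80, ebp: int = 0x0019FFC0) -> None:
        self.mem = {}                            # address -> dword (constructed values)
        self.esp, self.ebp, self.eip = esp, ebp, 0
    def push(self, value: int) -> None:          # push value
        self.esp -= 4
        self.mem[self.esp] = value & MASK
    def pop(self) -> int:                        # pop into a register
        value = self.mem[self.esp]
        self.esp += 4
        return value
    def read(self, addr: int) -> int:            # mov reg, [addr]
        return self.mem.get(addr, 0)
    def call(self, target: int, next_eip: int) -> None:
        self.push(next_eip)                      # call pushes the return address
        self.eip = target
    def prologue(self, local_bytes: int) -> None:
        self.push(self.ebp)                      # push ebp
        self.ebp = self.esp                      # mov ebp, esp
        self.esp -= local_bytes                  # sub esp, LEN
    def leave_ret(self, pop_bytes: int = 0) -> None:
        self.esp = self.ebp                      # mov esp, ebp
        self.ebp = self.pop()                    # pop ebp
        self.eip = self.pop()                    # ret imm16: pop EIP first...
        self.esp += pop_bytes                    # ...then ESP += imm (ret 0x0C)

def simulate_nfunc_call() -> dict:
    """Caller pushes arg3, arg2, arg1 and calls nFunc; nFunc keeps A, B, C as locals."""
    s = Stack32()
    esp_before = s.esp
    for arg in (3, 2, 1):                        # push arg3; push arg2; push arg1
        s.push(arg)
    s.call(0x401000, 0x40110B)                   # call nFunc (addresses constructed)
    s.prologue(0x0C)                             # push ebp; mov ebp, esp; sub esp, 0xC
    for offset, value in ((-4, 0), (-8, 1), (-0xC, 2)):  # int A = 0; B = 1; C = 2
        s.mem[s.ebp + offset] = value
    frame = {
        "old_ebp": s.read(s.ebp), "return_address": s.read(s.ebp + 4),
        "arg1": s.read(s.ebp + 8), "arg2": s.read(s.ebp + 0xC), "arg3": s.read(s.ebp + 0x10),
        "A": s.read(s.ebp - 4), "B": s.read(s.ebp - 8), "C": s.read(s.ebp - 0xC),
    }
    s.leave_ret(0x0C)                            # ret 0x0C: callee removes the 3 args
    frame["eip_after_ret"] = s.eip
    frame["esp_restored"] = s.esp == esp_before
    return frame
```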
  50. It’s time to talk about what each register means and what it is used for.
  51. I collected the simple parts from the wiki, and they’re really useful for reversing. Read more: x86 Disassembly/Calling Conventions.
  52. IDA: ‘Generate Pseudocode (F5)’ in IDA Pro might drop something important from the assembly for the sake of readable output. It’s important to use a debugger and trace the opcodes step by step.
  53. Use the ‘Strings Window’ to find the format string of printf, and double-click it for details.
  54. RC4, but a little different. I will split this function into three parts so you can understand it well.
  55. If the result after the RC4 cipher is the same as the input, that will be the real key.
  56. I prepared the same one but patched. If you can set the bullet count to zero, the game will give you the flag.
  57. We don’t care about those; they don’t have any effect on the checking. This is used for the SEH ExceptionList, but it’s not the point.
  58. We should figure out how to get this value (you can debug and get it without doubt, but it’s important to know how it works for creating a keygen).