Tuts 4 You

Reverse Code Engineering

55 files

  1. Cracking the MSI Files

    Today, we are discussing how to bypass serial number protections built into Windows binary installer files (.msi). Commonly, registration number protections are embedded within an InstallShield script, so we are going to make sure this is not the case before we delve into the .msi file.

    41 downloads

    0 comments

    Submitted

  2. CrackMe3 Hellsp@wn Solution

    This tutorial doesn't want to describe the methods I used to reverse this crackme, but rather the questions born in the mind of a novice reverser like me. So, you will ask: "Why did you choose this crackme?" The answer is simple: THE CHALLENGE! The name of Hellsp@wn (co-author of the principal OllyDbg hide plugin, Phantom) and a crackme of level 5, dated 2006 and not yet solved, are the right mix to test my abilities; indeed, the possibility of discovering a new anti-debug technique is just around the corner. So, good reading and, as always, sorry for my poor English.

    23 downloads

    0 comments

    Submitted

  3. Dealing With Funny Checksum

    After a while, I've decided to write about something interesting which I found while unpacking one protection, and it will also be a nice introduction to one of my tools which I wrote for the fun of it.

    However, I won't mention the application name here, but to demonstrate the checksum check which I found I will be using one test application, so you will get an idea of what happened and how the checksum is defeated. I will also introduce one tool I wrote, which served me well in this particular case. The tool should come with this document, so I won't describe the tool and its internals, as the source code should be well commented.

    36 downloads

    0 comments

    Submitted

  4. Definitive Guide To Exploring File Formats

    Computer games are vast and many, however most computer games have something in common - they need a place to store all their important files like images, movies, and sounds. To do this, computer game developers typically store their data into a big archive file.

    There are many reasons for storing all your data files in one big archive, some reasons include reducing the number of files on a CD, hiding the data files to stop people hacking the game, and so that all data files can be accessed using a single data stream.

    However, the bad news for gamers is that there are almost as many different archives as there are different computer games - every game developer creates their own archive formats, and they even change their formats between games or departments in the company.

    This brings us to the focus of the tutorial - how to explore the archives and grab the files from within them. This tutorial will attempt to make it easy for anyone to explore a new format, with the aim of promoting game modifications and enhancements by the community.

    In the following pages, we will discuss the terms Game Resource Archives (GRAs) and Game Resource Archive Formats (GRAFs), common data types, and other definitions. From there, we will explain the fundamentals of cracking a file format, including the tools you use, and the patterns to look out for.

    Thanks for reading our guide; we wish you the best of luck in your exploration.

    42 downloads

    0 comments

    Submitted

  5. DTrace - Applied Reverse Engineering on OSX

    This paper will examine how DTrace, a kernel-based dynamic scriptable tracer, can be effectively used for reverse engineering tasks. DTrace offers an unprecedented view of both user and kernel space, which has many interesting implications for security researchers. In this paper we will introduce DTrace, comparing it to existing debuggers and tracers. We will then walk the reader through various applications of DTrace. We will show how to monitor for stack and heap overflows, generate code coverage graphs, trace code paths visually in target applications over the network with IDA Pro, and discuss intrusion detection and evading DTrace.

    16 downloads

    0 comments

    Submitted

  6. Enabling Buttons Under Visual Basic 6

    A brief explanation of how to enable masked buttons under Visual Basic 6.

    23 downloads

    0 comments

    Submitted

  7. Exposing a Resource Leak in Yoda Protector

    There are many reasons to wrap your product inside a program protector or packer - some of which are even beyond reproach. But you can't blindly entrust your code to the operations of code encryptors and obfuscators. Unless you perform some type of code quality review, you may be inadvertently destabilizing your customer's or target's system. Resources may not be disposed of properly; the program stack may be corrupted; the exception handling chain that you so carefully constructed may have an extra link or two. Since access to the source code for these packer programs is in most cases limited and traditional debugging tools such as Compuware's BoundsChecker may not function properly alongside these programs, one avenue open to you is to reverse engineer what the packer is doing. The packer that I will be examining for this article is one called "yoda's Protector" (version 1.03.2) and can be found at http://protools.reverse-engineering.net. Source code, which appears to be out of date, can be found at https://sourceforge.net/projects/yodap. (Building the source from the project files produces an executable with a version number of 1.0, but test programs "protected" by this version either crashed or blue-screened my system when a debugger was attached.)

    For the purposes of this investigation I took a copy of CALC, the Windows calculator program (version 5.1.2600.0 (xpclient.010817-1148)) and "protected" it using Yoda's Protector. The options I selected were: Anti-SoftICE protection, Checksum Protection, API Redirection, Anti-Dump Protection, Clear Import Information, Remove .reloc section, Remove debug information, Compress Option - 10, Create backup copy, Section's Name - .yP. (The packed version of CALC is included in the supporting files for this article.)

    If you compare file sizes both before and after this operation, you will see that the packed version is much smaller than the original - 112Kb shrinks down to 81Kb. Launching the compressed version of the executable brings up the calculator program in all its glory. Let us see what happens when I start CALC using a debugger.

    As I expected, nearly all the debuggers I tried experience problems. OllyDbg, WinDbg, and Visual Studio.NET 2003 crashed and burned with only one clue remaining: the desktop taskbar was unresponsive. My debugger, PEBrowse Professional Interactive (available at www.smidgeonsoft.com), locked up, but the taskbar was still disabled. SoftICE appeared to handle the program with no problem at all - the reason for this is mysterious, as I'll discuss later.

    There is, however, one common thread running through the usermode debuggers - inability to handle this beast - the taskbar has been disabled. I can still use the three-fingered-salute (Ctrl-Alt-Delete) to bring up Task Manager and restart the system. Now it's time for me to roll up my sleeves and dive into the code behind the packed calculator program. (I will be using my own debugger during this discussion - the others should work well using the hints and addresses that I will be providing.)

    21 downloads

    0 comments

    Submitted

  8. Extracting Code from Perl2Exe

    Perl2exe is a program that is used to run Perl scripts natively on Windows, without needing to install a Perl interpreter.

    This might seem like magic to some people, but we know better, don't we?

    23 downloads

    0 comments

    Submitted

  9. Fast and Furious Reverse Engineering

    One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software protection as an industry has come a long way from simple encryption that protects executable and data parts to current highly sophisticated protections that are packed with tricks aimed at slowing down the reversing process. The number of such techniques increases every year. Hence we need to ask ourselves: can we keep up with the tools that we have?

    Protections have evolved over the last few years, but so have the reversers' tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn't evolved much. We are limited to writing our own code for every scenario in the field.

    We have designed TitanEngine in such a fashion that writing unpackers would mimic an analyst's manual unpacking process. The basic set of libraries, which would later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With guided execution and a set of callbacks these separate modules complement each other in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection's execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached the file gets dumped to disk and fixed so it resembles the original to as great a degree as possible. In this fashion the problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases the fastest, available method. That is why we will discuss both static and dynamic unpackers. We will also look into methods of making generic code to support a large number of formats without knowing the format specifics.

    TitanEngine can be described as a Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking. TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems makes this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. The engine is open source, making it open to modifications that will only ease its integration into existing solutions and enable the creation of new ones suiting different project needs.

    34 downloads

    0 comments

    Submitted

  10. Fixing Bugs in Binaries

    I had been using Code Crafter's Ability Server for some time when a colleague brought to my attention the fact that there was a remotely exploitable vulnerability in precisely the version I was using. After a short conversation with a friend regarding the vulnerability, I decided to delve a little deeper in an attempt to identify and remove the vulnerability.

    23 downloads

    0 comments

    Submitted

  11. General Reversing Tutorial

    A movie tutorial for newbies explaining the process of bypassing the trial period of an application (this is a very easy tut, not too interesting).

    57 downloads

    0 comments

    Submitted

  12. Hacker Challenge ReWolf Reports 2007-2008

    ReWolf's solution to the Hacker Challenges found at: https://hackerchallenge.org/
    The purpose of this challenge is to evaluate the effectiveness of software protections. The results of this effort will be used to improve our protection measures.

    21 downloads

    0 comments

    Submitted

  13. Hacker School - Sapheads

    An introduction to the reverse engineering field in the style of a comic book. Originally presented at the final of Defcon CTF 2009.

    26 downloads

    0 comments

    Submitted

  14. HDSpoof Reversing

    What's happening under the covers when you launch an executable on your Windows system? These days, malicious activity--viruses, worms, spyware--caused by seemingly innocent programs and attachments makes the question extremely important. Even if you are confident that you could debug (or reverse-engineer) a suspicious program, what if you encounter a program designed to frustrate your analysis attempts? There are tricks and traps that can thwart your best intentions. This article will examine some of these and introduce you to topics such as code obfuscation and protection and anti-reverse-engineering.

    A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system. Starting the program from the command line produced the display seen in Figure 1 (HDSpoof.BMP). The only visible result was the creation of a configuration file with the name of HDSPOOF.INI in the program's installation directory. But a proprietary hardware identification driver and test program I had written for a client now generated different results after executing this program. Clearly something on my system had changed. A little bit of investigation revealed that this program had created and started a dynamic driver on the system and was trying to hide its presence. The driver was visible with a random name in my utility, NTDevices (available at my website, www.smidgeonsoft.com--look for an entry in the index minus the .SYS file extension), but the file for the driver had been deleted from my hard drive. Deleting the configuration file would not restore the expected results. There were still entries present in the system registry for the driver but under a key with a name different than the display name. Rebooting the system and rerunning the program created a driver with a new random name and with new entries in the system registry but would still "spoof" the hardware identification program. Time to fire up a static analyzer program and then the debugger!

    Note: this article is based upon an early version of the program found in the WinRAR file. An updated version is available at www.taurine.game-deception.com as hwspoofv2.1.rar. The points and code fragments noted throughout this discussion are the same; only the addresses have changed in the newer version.

    20 downloads

    0 comments

    Submitted

  15. How to Inject Code into an Executable File

    Our goal is to inject some code into the Notepad.exe.

    39 downloads

    0 comments

    Submitted

  16. How To Load My DLL With a Base Offset

    Today I show you quickly how you can tell your system to load your DLL at the base address you want, manually, if OllyDbg's LoadDLL tool didn't work for you.

    24 downloads

    0 comments

    Submitted

  17. Hump-and-Dump Efficient Generic Unpacking

    We present a new and efficient generic unpacking algorithm which effectively locates the original entry point (OEP) area of a packed program. The algorithm is based upon the dual observation that (a) even in a packed program, the OEP bytes are almost always only executed once, and (b) most packers unpack the original program to an area of memory which has not been previously executed. Given this, the technique relies upon creating a histogram of the addresses of executed instructions (EIP on x86). Whilst others have done this, the trick is to order the histogram by the last time an address is executed. Decryption, decompression and copying appear as large spikes at the start of the histogram, followed by a flat section, of height one, which is usually the OEP. We attach figures showing histograms for some popular packers, on both linear and log scales, which clearly illustrate the OEP after the massive unpacking "hump".

    This technique is extremely efficient to implement, and can compute the OEP "on-the-fly" in an emulator, or off-line from a trace of EIP. For instance, for UPX 2.03w, we need less than 1K of memory to hold the necessary data structures, and computation is similarly cheap (and compatible with dynamic-translation emulators). Given the shape of the chart, and the fact that after the "hump" represents a good opportunity to dump the memory, we have given this technique the somewhat sordid name of hump-and-dump.

    36 downloads

    0 comments

    Submitted

  18. In Memory Reverse Engineering for Obfuscated Python Bytecode

    Growing numbers of commercial and closed source applications are being developed using the Python programming language. The trend with developers of such applications appears to be that there is an increasing amount of effort being invested in order to stop the source code of their application being easily obtainable by the end user. This is being achieved through the use of a variety of obfuscation techniques designed to impede the common methods of Python decompilation. Another trend occurring in parallel is the use of Python as an increasingly present component of 'Cloud' technologies, where traditional bytecode decompilation techniques fall down not through obfuscation, but through lack of access to the bytecode files on disk.

    The techniques discussed in this paper extend existing Python decompilation technologies through taking an approach that does not require access to standard Python bytecode files (.pyc/.pyo), but rather focuses on gaining access to the bytecode through instantiated Python objects in memory and using these to reconstruct a source code listing equivalent to that composed by the application's author. Approaches will also be discussed of how to defeat the common obfuscation techniques that have been observed in use, in order to be able to use the in-memory decompilation techniques.

    Finally, a proof of concept embodiment of the techniques developed will be discussed, which will allow people to quickly leverage them to evaluate code for bugs that was previously opaque to them.

    37 downloads

    0 comments

    Submitted

  19. Inject Your Code to a Portable Executable File

    This article demonstrates five steps to inject your code in a portable executable (EXE, DLL, OCX,...) file without recompiling source code.

    43 downloads

    0 comments

    Submitted

  20. InTether Protection System

    Back from a long period of silence with a tutorial for all (serious) crackers and reversers who don't want to waste their time playing with kiddy packers/crypters.

    Like always this is a reversing tutorial, so if you're looking only for a way to crack InTether protection... you have opened the wrong one... and probably you are not a reverser either. I'm sorry.

    In the title I have defined InTether protection as the "perfect reversing training field", because with a real reversing approach it is possible to have a lot of fun coding tools to better understand not only how this protection works but also how parts of our OS work too.

    The tutorial is made of 2 parts because it's quite long and because I want to give you the approach that I have used here, with the background too.

    Let's start!

    23 downloads

    0 comments

    Submitted

  21. Introduction to Reverse Engineering

    Reversing often implies converting low-level asm into some higher-level language or pseudo-code for digestion by humans...(and then using such specifications to understand, emulate, improve or copy the original).

    For us to do this we first investigate how some high-level constructs (in our case C) are represented in ASM. We then use this knowledge to infer high-level-constructs from the asm if we are attempting to discover what a segment of code does, or otherwise look for coding anomalies which may lead to discovering what compiler was used and possibly even fingerprint a style of coding.

    39 downloads

    0 comments

    Submitted

  22. iOS App Reverse Engineering

    Software reverse engineering refers to the process of deducing the implementation and design details of a program or a system by analyzing its functions, structures or behaviors. When we are very interested in a certain software feature while not having access to the source code, we can try to analyze it by reverse engineering.

    For iOS developers, Apps on iOS are one of the most complex but fantastic virtual items as far as we know. They are elaborate, meticulous and creative. As developers, when you see an exquisite App, not only will you be amazed by its implementation, but also you will be curious about what kind of techniques are used in this App and what we can learn from it.

    23 downloads

    0 comments

    Submitted

  23. Java Bytecode Reversing

    I decided to make a Java bytecode reversing / jar patching tutorial, as I learned a lot from it and wanted to share. A tutorial for complete beginners.

    44 downloads

    0 comments

    Submitted

  24. Kingston USB Password Sniffing

    Today one of my friends came to me for help. Actually, he had locked his 'Kingston Datatraveller 2GB' with a password and forgotten it, and it was a crucial stage as his project files were on it, so I decided to help him by breaking the protection. Actually I was also nervous because I had not tried my hand on any such security related to hardware, but at last I was able to penetrate the security system and sniff the password from there. Anyway, I am giving a tutorial on how I did that.

    24 downloads

    0 comments

    Submitted

  25. Looking Inside the (Drop) Box

    Dropbox is a cloud based file storage service used by more than 100 million users. In spite of its widespread popularity, we believe that Dropbox as a platform hasn’t been analyzed extensively enough from a security standpoint. Also, the previous work on the security analysis of Dropbox has been heavily censored. Moreover, the existing Python bytecode reversing techniques are not enough for reversing hardened applications like Dropbox.

    This paper presents new and generic techniques, to reverse engineer frozen Python applications, which are not limited to just the Dropbox world. We describe a method to bypass Dropbox’s two factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.

    We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box. Finally, we describe the design and implementation of an open-source version of Dropbox client (and yes, it runs on ARM too).

    20 downloads

    0 comments

    Submitted
