Reverse Code Engineering
56 files
-
Reverse Engineering by Crayon
By Teddy Rogers
Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armoured code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.
128 downloads
-
Qt Reverse Engineering
By Teddy Rogers
I was asked a couple of months ago by a friend of mine to “tweak” a software protection. As I went into it, I found the protection scheme very interesting as it involved a couple of cross-platform engines interacting together to serve as an anti-hacking security licensing system. One was Qt, the other being JavaScript. It was the second time that I came up against Qt-based software. The first time though, I just used the basic cracking skills every reverser uses with Windows GDI apps. But this time I needed to go deeper to understand the cross-VM interactions, and a bigger understanding of the Qt framework was needed, so I started searching for more info on the subject. The results were quite poor, except for an article by Daniel Pistelli, who now works at Hex-Rays (coincidence that IDA has been reassembled using this framework?).
Besides his article, not much on the subject of reversing Qt code seemed to be around. Since then I have been faced with a fair amount of Qt applications, even Portuguese ones, so I decided to post my thoughts on the subject and build a tutorial for the 4th version of Qt.
312 downloads
-
Principled Reverse Engineering of Types in Binary Programs
By Teddy Rogers
A recurring problem in security is reverse engineering binary code to recover high-level language data abstractions and types. High-level programming languages have data abstractions such as buffers, structures, and local variables that all help programmers and program analyses reason about programs in a scalable manner. During compilation, these abstractions are removed as code is translated down to operations on registers and one globally addressed memory region. Reverse engineering consists of "undoing" the compilation to recover high-level information so that programmers, security professionals, and analyses can all more easily reason about the binary code.
In this paper we develop novel techniques for reverse engineering data type abstractions from binary programs. At the heart of our approach is a novel type reconstruction system based upon binary code analysis. Our techniques and system can be applied as part of either static or dynamic analysis, and thus are applicable to a large number of security settings. Our results on 87 programs show that TIE is both more accurate and more precise at recovering high-level types than existing mechanisms.
132 downloads
-
Point Events in Delphi Executables
By Teddy Rogers
In recent weeks our companion Lisa Alquimista (Arapumk) delighted us with MiniDE, a decompiler for Delphi executables that is able to obtain the addresses of all the events of a program. MiniDE allows us to generate .MAP files that we can import into OllyDbg with plugins like MapConv or GODUP, in order to add comments and/or labels with the names of the events.
If we add the event information in the form of comments and/or labels, we will see that it is much simpler to understand the operation of the program and, what matters more, cracking it is much more comfortable.
178 downloads
-
Notes on Reversing Java Applications
By Teddy Rogers
This tutorial aims to show some simple techniques that can be used to reverse and patch a Java target. A first, classical approach covers class decompilation with the JAD and JODE decompilers; then we move into JVM (Java Virtual Machine) analysis and deeper into bytecode analysis and patching.
In order to fix some concepts, a simple Java CrackMe will be explored through decompilation with the presented tools and bytecode patching using IDA and a hex editor. Of course this topic isn't new and was also covered in the past by others, but this essay will just point out some well-known concepts and show some more hints about Java patching; a minimum skill in Java programming is needed to make code changes and understand the program execution flow at the decompiled stage. Finally, some considerations around how to better protect Java-coded applications are covered.
165 downloads
-
Next Generation Collaborative Reversing
By Teddy Rogers
A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files, all of which quickly diverge, leaving the differences to somehow be reconciled. These methods and existing tools provided a first step towards automated collaboration amongst IDA Pro users; however, they suffer from several shortcomings, including the fact that the tools have failed to keep pace with the evolution of IDA's internal architecture. In this paper the authors present a new collaborative tool, titled collabREate, designed to bring nearly effortless collaboration to IDA users.
98 downloads
-
Looking Inside the (Drop) Box
By Teddy Rogers
Dropbox is a cloud based file storage service used by more than 100 million users. In spite of its widespread popularity, we believe that Dropbox as a platform hasn’t been analyzed extensively enough from a security standpoint. Also, the previous work on the security analysis of Dropbox has been heavily censored. Moreover, the existing Python bytecode reversing techniques are not enough for reversing hardened applications like Dropbox.
This paper presents new and generic techniques, to reverse engineer frozen Python applications, which are not limited to just the Dropbox world. We describe a method to bypass Dropbox’s two factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.
We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box. Finally, we describe the design and implementation of an open-source version of Dropbox client (and yes, it runs on ARM too).
87 downloads
-
Kingston USB Password Sniffing
By Teddy Rogers
Today one of my friends came to me for help. Actually, he had locked his 'Kingston DataTraveler 2GB' with a password and forgotten it, and it was a crucial stage as his project files were on it, so I decided to help him by breaking the protection. Actually, I was also nervous because I had not tried my hand at any such hardware-related security before, but at last I was able to penetrate the security system and sniff the password from there. Anyway, I am giving a tutorial on how I did that.
104 downloads
-
Java Bytecode Reversing
By Teddy Rogers
I decided to make a Java bytecode reversing / JAR patching tutorial that I learned a lot from and wanted to share. A tutorial for complete beginners.
166 downloads
-
iOS App Reverse Engineering
By Teddy Rogers
Software reverse engineering refers to the process of deducing the implementation and design details of a program or a system by analyzing its functions, structures or behaviors. When we are very interested in a certain software feature but do not have access to the source code, we can try to analyze it by reverse engineering.
For iOS developers, Apps on iOS are among the most complex but fantastic virtual items we know of. They are elaborate, meticulous and creative. As developers, when you see an exquisite App, not only will you be amazed by its implementation, but you will also be curious about what kind of techniques are used in this App and what we can learn from it.
102 downloads
-
Introduction to Reverse Engineering
By Teddy Rogers
Reversing often implies converting low-level asm into some higher-level language or pseudo-code for digestion by humans (and then using such specifications to understand, emulate, improve or copy the original).
For us to do this we first investigate how some high-level constructs (in our case C) are represented in ASM. We then use this knowledge to infer high-level constructs from the asm if we are attempting to discover what a segment of code does, or otherwise look for coding anomalies which may lead to discovering what compiler was used and possibly even fingerprint a style of coding.
208 downloads
-
InTether Protection System
By Teddy Rogers
Back from a long period of silence with a tutorial for all (serious) crackers and reversers who don't want to waste their time playing with kiddy packers/crypters.
Like always this is a reversing tutorial, so if you're looking for only a way to crack InTether protection... you have opened the wrong one... and probably you are not a reverser either. I'm sorry.
In the title I have described InTether protection as the "perfect reversing training field", because with a real reversing approach it is possible to have a lot of fun coding tools to better understand not only how this protection works but also how parts of our OS work too.
The tutorial is made of 2 parts because it's quite long and because I want to give you the approach that I have used here, with the background too.
Let's start!
90 downloads
-
How To Load My DLL With a Base Offset
By Teddy Rogers
Today I quickly show you how to tell your system to load your DLL at the base address you want, manually, if OllyDbg's LoadDLL tool didn't work for you.
132 downloads
-
Hump-and-Dump Efficient Generic Unpacking
By Teddy Rogers
We present a new and efficient generic unpacking algorithm which effectively locates the original entry point (OEP) area of a packed program. The algorithm is based upon the dual observation that (a) even in a packed program, the OEP bytes are almost always only executed once, and (b) most packers unpack the original program to an area of memory which has not been previously executed. Given this, the technique relies upon creating a histogram of the addresses of executed instructions (EIP on x86). Whilst others have done this, the trick is to order the histogram by the last time an address is executed. Decryption, decompression and copying appear as large spikes at the start of the histogram, followed by a flat section, of height one, which is usually the OEP. We attach figures showing histograms for some popular packers, on both linear and log scales, which clearly illustrate the OEP after the massive unpacking "hump".
This technique is extremely efficient to implement, and can compute the OEP "on-the-fly" in an emulator, or off-line from a trace of EIP. For instance, for UPX 2.03w, we need less than 1K of memory to hold the necessary data structures, and computation is similarly cheap (and compatible with dynamic-translation emulators). Given the shape of the chart, and the fact that after the "hump" represents a good opportunity to dump the memory, we have given this technique the somewhat sordid name of hump-and-dump.
145 downloads
-
In Memory Reverse Engineering for Obfuscated Python Bytecode
By Teddy Rogers
Growing numbers of commercial and closed source applications are being developed using the Python programming language. The trend with developers of such applications appears to be that an increasing amount of effort is being invested in order to stop the source code of their application being easily obtainable by the end user. This is being achieved through the use of a variety of obfuscation techniques designed to impede the common methods of Python decompilation. Another trend occurring in parallel is the use of Python as an increasingly present component of 'Cloud' technologies, where traditional bytecode decompilation techniques fall down not through obfuscation, but through lack of access to the bytecode files on disk.
The techniques discussed in this paper extend existing Python decompilation technologies by taking an approach that does not require access to standard Python bytecode files (.pyc/.pyo), but rather focuses on gaining access to the bytecode through instantiated Python objects in memory and using these to reconstruct a source code listing equivalent to that composed by the application's author. Approaches will also be discussed for defeating the common obfuscation techniques that have been observed in use, in order to be able to use the in-memory decompilation techniques.
Finally, a proof of concept embodiment of the techniques developed will be discussed, which will allow people to quickly leverage them to evaluate code for bugs that was previously opaque to them.
141 downloads
-
Inject Your Code to a Portable Executable File
By Teddy Rogers
This article demonstrates five steps to inject your code in a portable executable (EXE, DLL, OCX,...) file without recompiling source code.
188 downloads
-
How to Inject Code into an Executable File
By Teddy Rogers
Our goal is to inject some code into the Notepad.exe.
156 downloads
-
DTrace - Applied Reverse Engineering on OSX
By Teddy Rogers
This paper will examine how DTrace, a kernel-based dynamic scriptable tracer, can be effectively used for reverse engineering tasks. DTrace offers an unprecedented view of both user and kernel space, which has many interesting implications for security researchers. In this paper we will introduce DTrace, comparing it to existing debuggers and tracers. We will then walk the reader through various applications of DTrace. We will show how to monitor for stack and heap overflows, generate code coverage graphs, trace code paths visually in target applications over the network with IDA Pro, and discuss intrusion detection and evading DTrace.
82 downloads
-
Enabling Buttons Under Visual Basic 6
By Teddy Rogers
A brief explanation of how to enable masked buttons under Visual Basic 6.
111 downloads
-
Exposing a Resource Leak in Yoda Protector
By Teddy Rogers
There are many reasons to wrap your product inside a program protector or packer, some of which are even beyond reproach. But you can't blindly entrust your code to the operations of code encryptors and obfuscators. Unless you perform some type of code quality review, you may be inadvertently destabilizing your customer's or target's system. Resources may not be disposed of properly; the program stack may be corrupted; the exception handling chain that you so carefully constructed may have an extra link or two. Since access to the source code for these packer programs is in most cases limited, and traditional debugging tools such as Compuware's BoundsChecker may not function properly alongside these programs, one avenue open to you is to reverse engineer what the packer is doing. The packer that I will be examining for this article is one called "yoda's Protector" (version 1.03.2) and can be found at http://protools.reverse-engineering.net. Source code, which appears to be out of date, can be found at https://sourceforge.net/projects/yodap. (Building the source from the project files produces an executable with a version number of 1.0, but test programs "protected" by this version either crashed or blue-screened my system when a debugger was attached.)
For the purposes of this investigation I took a copy of CALC, the Windows calculator program (version 5.1.2600.0 (xpclient.010817-1148)), and "protected" it using Yoda's Protector. The options I selected were:
Anti-SoftICE protection
Checksum Protection
API Redirection
Anti-Dump Protection
Clear Import Information
Remove .reloc section
Remove debug information
Compress Option - 10
Create backup copy
Section's Name - .yP
(The packed version of CALC is included in the supporting files for this article.) If you compare file sizes both before and after this operation, you will see that the packed version is much smaller than the original: 112 KB shrinks down to 81 KB. Launching the compressed version of the executable brings up the calculator program in all its glory. Let us see what happens when I start CALC using a debugger.
As I expected, nearly all the debuggers I tried experienced problems. OllyDbg, WinDbg, and Visual Studio.NET 2003 crashed and burned with only one clue remaining: the desktop taskbar was unresponsive. My debugger, PEBrowse Professional Interactive (available at www.smidgeonsoft.com), locked up, but the taskbar was still disabled. SoftICE appeared to handle the program with no problem at all; the reason for this is mysterious, as I'll discuss later.
There is, however, one common thread running through the usermode debuggers' inability to handle this beast: the taskbar has been disabled. I can still use the three-fingered salute (Ctrl-Alt-Delete) to bring up Task Manager and restart the system. Now it's time for me to roll up my sleeves and dive into the code behind the packed calculator program. (I will be using my own debugger during this discussion; the others should work well using the hints and addresses that I will be providing.)
98 downloads
-
Extracting Code from Perl2Exe
By Teddy Rogers
Perl2exe is a program that is used to run Perl scripts natively on Windows, without needing to install a Perl interpreter.
This might seem like magic to some people, but we know better, don't we?
105 downloads
-
Fast and Furious Reverse Engineering
By Teddy Rogers
One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software protection as an industry has come a long way from simple encryption that protects executable and data parts to current highly sophisticated protections that are packed with tricks aiming to slow down the reversing process. The number of such techniques increases every year. Hence we need to ask ourselves: can we keep up with the tools that we have?
Protections have evolved over the last few years, but so have the reversers' tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers, this process hasn't evolved much. We are limited to writing our own code for every scenario in the field.
We have designed TitanEngine in such a fashion that writing unpackers mimics an analyst's manual unpacking process. The basic set of libraries, which would later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With guided execution and a set of callbacks, these separate modules complement each other in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which follows the protection's execution and gathers information from it while guided to the point where the protection passes control to the original software code. When that point is reached, the file gets dumped to disk and fixed so it resembles the original to as great a degree as possible. In this fashion the problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases fastest, available method. That is why we will discuss both static and dynamic unpackers. We will also look into methods of making generic code to support a large number of formats without knowing the format specifics.
TitanEngine can be described as a Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking: TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems makes this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. The engine is open source, making it open to modifications that will ease its integration into existing solutions and enable the creation of new ones suiting different project needs.
145 downloads
-
Fixing Bugs in Binaries
By Teddy Rogers
I had been using Code Crafter's Ability Server for some time when a colleague brought to my attention the fact that there was a remotely exploitable vulnerability in precisely the version I was using. After a short conversation with a friend regarding the vulnerability, I decided to delve a little deeper in an attempt to identify and remove the vulnerability.
94 downloads
-
General Reversing Tutorial
By Teddy Rogers
A movie tutorial for newbies explaining the process of bypassing the trial period of an application (this is a very easy tutorial, not too interesting).
219 downloads
-
Hacker Challenge ReWolf Reports 2007-2008
By Teddy Rogers
ReWolf's solution to the Hacker Challenges found at: https://hackerchallenge.org/
The purpose of this challenge is to evaluate the effectiveness of software protections. The results of this effort will be used to improve our protection measures.
92 downloads
-
Download Statistics: 2,119 files, 244 comments, 894 reviews