Tuts 4 You

Reverse Code Engineering

55 files

  1. Reverse Engineering of Real-Time Assembly Code

    Much legacy real-time code is written in assembly language. Such code is often crafted to meet stringent time and space requirements so the high-level intent of the programmer may have been obscured. The result is code that is difficult to maintain and reuse. In this paper we present a tool for reverse engineering of real-time Z86 assembly code, together with a tool for validation of the output. Our experimental results are for a suite of commercial micro-controllers. For those benchmarks, our tool does the bulk of the reverse-engineering work, leaving just a few undisciplined uses of machine code to be handled manually. Our tool is designed to preserve programmer intent to the largest extent possible. Thus, the reverse engineered program is easier to understand and maintain than the original.

    129 downloads

    0 comments

  2. Reverse Engineering Self-Modifying Code Unpacker Extraction

    An important application of binary-level reverse engineering is in reconstructing the internal logic of computer malware. Most malware code is distributed in encrypted (or "packed") form; at runtime, an unpacker routine transforms this to the original executable form of the code, which is then executed. Most of the existing work on analysis of such programs focuses on detecting unpacking and extracting the unpacked code. However, this does not shed any light on the functionality of different portions of the code so obtained, and in particular does not distinguish between code that performs unpacking and code that does not; identifying such functionality can be helpful for reverse engineering the code. This paper describes a technique for identifying and extracting the unpacker code in a self-modifying program. Our algorithm uses offline analysis of a dynamic instruction trace both to identify the point(s) where unpacking occurs and to identify and extract the corresponding unpacker code.

    148 downloads

    0 comments

  3. Reverse Engineering Techniques - Part 1

    The whole tutorial is about playing with a target and implementing new things into it. The tutorial is not for newbies; you must know how the tools given in this tutorial work. The entire article is based on exploring the calibre of a reverse engineer. Reverse engineering is an art: how to analyse and play with the target and find out other possibilities which you can implement. Sometimes targets are so challenging you can't even imagine. The target I am going to use in this tutorial is a simple crackme by Nemo.

    205 downloads

    0 comments

  4. Introduction to Reverse Engineering

    Reversing often implies converting low-level asm into some higher-level language or pseudo-code for digestion by humans...(and then using such specifications to understand, emulate, improve or copy the original).

    For us to do this we first investigate how some high-level constructs (in our case C) are represented in ASM. We then use this knowledge to infer high-level constructs from the asm if we are attempting to discover what a segment of code does, or otherwise look for coding anomalies which may lead to discovering what compiler was used and possibly even fingerprint a style of coding.

    190 downloads

    0 comments

  5. iOS App Reverse Engineering

    Software reverse engineering refers to the process of deducing the implementation and design details of a program or a system by analyzing its functions, structures or behaviors. When we are very interested in a certain software feature while not having access to the source code, we can try to analyze it by reverse engineering.

    For iOS developers, Apps on iOS are one of the most complex but fantastic virtual items as far as we know. They are elaborate, meticulous and creative. As developers, when you see an exquisite App, not only will you be amazed by its implementation, but also you will be curious about what kind of techniques are used in this App and what we can learn from it.

    95 downloads

    0 comments

  6. Java Bytecode Reversing

    I decided to make a Java bytecode reversing / jar patching tutorial I learned a lot from and wanted to share. A tutorial for complete beginners.

    146 downloads

    0 comments

  7. Kingston USB Password Sniffing

    Today one of my friends came to me for help... Actually he had locked his 'Kingston DataTraveler 2GB' with a password and forgotten it, and it was at a crucial stage as his project files were on it... so I decided to help him by breaking the protection. Actually I was also nervous because I had not tried my hand on any such security related to hardware, but at last I was able to penetrate the security system and sniff the password from there. Anyways, I am giving a tutorial on how I did that.

    98 downloads

    0 comments

  8. Looking Inside the (Drop) Box

    Dropbox is a cloud based file storage service used by more than 100 million users. In spite of its widespread popularity, we believe that Dropbox as a platform hasn’t been analyzed extensively enough from a security standpoint. Also, the previous work on the security analysis of Dropbox has been heavily censored. Moreover, the existing Python bytecode reversing techniques are not enough for reversing hardened applications like Dropbox.

    This paper presents new and generic techniques, to reverse engineer frozen Python applications, which are not limited to just the Dropbox world. We describe a method to bypass Dropbox’s two factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.

    We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box. Finally, we describe the design and implementation of an open-source version of Dropbox client (and yes, it runs on ARM too).

    81 downloads

    0 comments

  9. Next Generation Collaborative Reversing

    A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist from asynchronous use of the same data files to working on multiple copies of data files all of which quickly diverge, leaving the differences to somehow be reconciled. These methods and existing tools provided a first step towards automated collaboration amongst IDA Pro users, however they suffer from several shortcomings including the fact that tools have failed to keep pace with the evolution of IDA's internal architecture. In this paper the authors present a new collaborative tool, titled collabREate, designed to bring nearly effortless collaboration to IDA users.

    92 downloads

    0 comments

  10. Notes on Reversing Java Applications

    This tutorial's aim is to show some simple techniques that can be used to reverse and patch Java targets. A first classical approach will be about class decompilation with the JAD and JODE decompilers; then we can move into JVM (Java Virtual Machine) analysis and deeper into bytecode analysis and patching.

    In order to fix some concepts, a simple Java CrackMe will be explored through decompilation with the presented tools and bytecode patching using IDA and a hex editor. Of course this topic isn't new and was also covered in the past by others, but this essay will just point out some well-known concepts and show some more hints about Java patching. A minimum skill in Java programming is needed to make code changes and understand the program execution flow at the decompiled stage. Finally, some considerations around how to better protect Java-coded applications are covered.

    158 downloads

    0 comments

  11. How To Load My DLL With a Base Offset

    Today I will quickly show you how you can manually tell your system to load your DLL at the base address you want, if OllyDbg's LoadDLL tool didn't work for you.

    121 downloads

    0 comments

  12. Hump-and-Dump Efficient Generic Unpacking

    We present a new and efficient generic unpacking algorithm which effectively locates the original entry point (OEP) area of a packed program. The algorithm is based upon the dual observation that (a) even in a packed program, the OEP bytes are almost always only executed once, and (b) most packers unpack the original program to an area of memory which has not been previously executed. Given this, the technique relies upon creating a histogram of the addresses of executed instructions (EIP on x86). Whilst others have done this, the trick is to order the histogram by the last time an address is executed. Decryption, decompression and copying appear as large spikes at the start of the histogram, followed by a flat section, of height one, which is usually the OEP. We attach figures showing histograms for some popular packers, on both linear and log scales, which clearly illustrate the OEP after the massive unpacking "hump".

    This technique is extremely efficient to implement, and can compute the OEP "on-the-fly" in an emulator, or off-line from a trace of EIP. For instance, for UPX 2.03w, we need less than 1K of memory to hold the necessary data structures, and computation is similarly cheap (and compatible with dynamic-translation emulators). Given the shape of the chart, and the fact that the point after the "hump" represents a good opportunity to dump the memory, we have given this technique the somewhat sordid name of hump-and-dump.

    133 downloads

    0 comments

  13. In Memory Reverse Engineering for Obfuscated Python Bytecode

    Growing numbers of commercial and closed-source applications are being developed using the Python programming language. The trend with developers of such applications appears to be that an increasing amount of effort is being invested in order to stop the source code of their application from being easily obtainable by the end user. This is being achieved through the use of a variety of obfuscation techniques designed to impede the common methods of Python decompilation. Another trend occurring in parallel is the use of Python as an increasingly present component of 'Cloud' technologies, where traditional bytecode decompilation techniques fall down not through obfuscation, but through lack of access to the bytecode files on disk.

    The techniques discussed in this paper extend existing Python decompilation technologies by taking an approach that does not require access to standard Python bytecode files (.pyc/.pyo), but rather focuses on gaining access to the bytecode through instantiated Python objects in memory and using these to reconstruct a source code listing equivalent to that composed by the application's author. Approaches will also be discussed for defeating the common obfuscation techniques that have been observed in use, in order to be able to use the in-memory decompilation techniques.

    Finally, a proof-of-concept embodiment of the techniques developed will be discussed, which will allow people to quickly leverage them to evaluate code for bugs that was previously opaque to them.

    134 downloads

    0 comments

  14. Inject Your Code to a Portable Executable File

    This article demonstrates five steps to inject your code in a portable executable (EXE, DLL, OCX,...) file without recompiling source code.

    180 downloads

    0 comments

  15. InTether Protection System

    Back from a long period of silence with a tutorial for all (serious) crackers and reversers who don't want to waste their time playing with kiddy packers/crypters.

    Like always this is a reversing tutorial, so if you're looking only for a way to crack the InTether protection... you have opened the wrong one... and probably you are not a reverser either. I'm sorry.

    In the title I have defined the InTether protection as the "perfect reversing training field"; this is because with a real reversing approach it is possible to have a lot of fun coding tools to better understand not only how this protection works but also how parts of our OS work too.

    The tutorial is made of 2 parts because it's quite long and because I want to give you the approach that I have used here, with the background too.

    Let's start!

    85 downloads

    0 comments

  16. Enabling Buttons Under Visual Basic 6

    A brief explanation of how to enable masked buttons under Visual Basic 6.

    103 downloads

    0 comments

  17. Exposing a Resource Leak in Yoda Protector

    There are many reasons to wrap your product inside a program protector or packer - some of which are even beyond reproach. But you can't blindly entrust your code to the operations of code encryptors and obfuscators. Unless you perform some type of code quality review, you may be inadvertently destabilizing your customer's or target's system. Resources may not be disposed of properly; the program stack may be corrupted; the exception handling chain that you so carefully constructed may have an extra link or two. Since access to the source code for these packer programs is in most cases limited and traditional debugging tools such as Compuware's BoundsChecker may not function properly alongside these programs, one avenue open to you is to reverse engineer what the packer is doing. The packer that I will be examining for this article is one called "yoda's Protector" (version 1.03.2) and can be found at http://protools.reverse-engineering.net. Source code, which appears to be out of date, can be found at https://sourceforge.net/projects/yodap. (Building the source from the project files produces an executable with a version number of 1.0, but test programs "protected" by this version either crashed or blue-screened my system when a debugger was attached.)

    For the purposes of this investigation I took a copy of CALC, the Windows calculator program (version 5.1.2600.0 (xpclient.010817-1148)) and "protected" it using Yoda's Protector. The options I selected were:

      - Anti-SoftICE protection
      - Checksum Protection
      - API Redirection
      - Anti-Dump Protection
      - Clear Import Information
      - Remove .reloc section
      - Remove debug information
      - Compress Option - 10
      - Create backup copy
      - Section's Name - .yP

    (The packed version of CALC is included in the supporting files for this article.) If you compare file sizes both before and after this operation, you will see that the packed version is much smaller than the original: 112Kb shrinks down to 81Kb. Launching the compressed version of the executable brings up the calculator program in all its glory. Let us see what happens when I start CALC using a debugger.

    As I expected, nearly all the debuggers I tried experience problems. OllyDbg, WinDbg, and Visual Studio.NET 2003 crashed and burned with only one clue remaining: the desktop taskbar was unresponsive. My debugger, PEBrowse Professional Interactive (available at www.smidgeonsoft.com), locked up, but the taskbar was still disabled. SoftICE appeared to handle the program with no problem at all - the reason for this is mysterious, as I'll discuss later.

    There is, however, one common thread running through the usermode debuggers - inability to handle this beast - the taskbar has been disabled. I can still use the three-fingered-salute (Ctrl-Alt-Delete) to bring up Task Manager and restart the system. Now it's time for me to roll up my sleeves and dive into the code behind the packed calculator program. (I will be using my own debugger during this discussion - the others should work well using the hints and addresses that I will be providing.)

    93 downloads

    0 comments

  18. Extracting Code from Perl2Exe

    Perl2exe is a program that is used to run Perl scripts natively on Windows, without needing to install a Perl interpreter.

    This might seem like magic to some people, but we know better, don't we?

    98 downloads

    0 comments

  19. Fast and Furious Reverse Engineering

    One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software protection as an industry has come a long way from simple encryption that protects executable and data parts to current highly sophisticated protections that are packed with tricks aiming to slow down the reversing process. The number of such techniques increases every year. Hence we need to ask ourselves: can we keep up with the tools that we have?

    Protections have evolved over the last few years, but so have the reversers' tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn't evolved much. We are limited to writing our own code for every scenario in the field.

    We have designed TitanEngine in such a fashion that writing unpackers would mimic an analyst's manual unpacking process. The basic set of libraries, which would later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With guided execution and a set of callbacks, these separate modules complement each other in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection's execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached, the file gets dumped to disk and fixed so it resembles the original to as great a degree as possible. In this fashion the problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases, fastest available method. That is why we will discuss both static and dynamic unpackers. We will also look into methods of making generic code to support a large number of formats without knowing the format specifics.

    TitanEngine can be described as a Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking. TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems makes this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. The engine is open source, making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

    133 downloads

    0 comments

  20. Fixing Bugs in Binaries

    I had been using Code Crafter's Ability Server for some time when a colleague brought to my attention the fact that there was a remotely exploitable vulnerability in precisely the version I was using. After a short conversation with a friend regarding the vulnerability, I decided to delve a little deeper in an attempt to identify and remove the vulnerability.

    88 downloads

    0 comments

  21. General Reversing Tutorial

    A movie tutorial for newbies explaining the process of bypassing the trial period of an application (this is a very easy tut... not too interesting).

    209 downloads

    0 comments

  22. Hacker Challenge ReWolf Reports 2007-2008

    ReWolf's solution to the Hacker Challenges found at: https://hackerchallenge.org/
    The purpose of this challenge is to evaluate the effectiveness of software protections. The results of this effort will be used to improve our protection measures.

    86 downloads

    0 comments

  23. Hacker School - Sapheads

    An introduction to the reverse engineering field in the style of a comic book. Originally presented at the final of Defcon CTF 2009.

    107 downloads

    0 comments

  24. HDSpoof Reversing

    What's happening under the covers when you launch an executable on your Windows system? These days, malicious activity--viruses, worms, spyware--caused by seemingly innocent programs and attachments makes the question extremely important. Even if you are confident that you could debug (or reverse-engineer) a suspicious program, what if you encounter a program designed to frustrate your analysis attempts? There are tricks and traps that can thwart your best intentions. This article will examine some of these and introduce you to topics such as code obfuscation and protection and anti-reverse-engineering.

    A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system. Starting the program from the command line produced the display seen in Figure 1 (HDSpoof.BMP). The only visible result was the creation of a configuration file with the name of HDSPOOF.INI in the program's installation directory. But a proprietary hardware identification driver and test program I had written for a client now generated different results after executing this program. Clearly something on my system had changed. A little bit of investigation revealed that this program had created and started a dynamic driver on the system and was trying to hide its presence. The driver was visible with a random name in my utility, NTDevices (available at my website, www.smidgeonsoft.com--look for an entry in the index minus the .SYS file extension), but the file for the driver had been deleted from my hard drive. Deleting the configuration file would not restore the expected results. There were still entries present in the system registry for the driver but under a key with a name different than the display name. Rebooting the system and rerunning the program created a driver with a new random name and with new entries in the system registry but would still "spoof" the hardware identification program. Time to fire up a static analyzer program and then the debugger!

    Note: this article is based upon an early version of the program found in the WinRAR file. An updated version is available at www.taurine.game-deception.com as hwspoofv2.1.rar. The points and code fragments noted throughout this discussion are the same; only the addresses have changed in the newer version.

    98 downloads

    0 comments

  25. How to Inject Code into an Executable File

    Our goal is to inject some code into the Notepad.exe.

    147 downloads

    0 comments
