Tuts 4 You

Reverse Code Engineering

55 files

  1. Reversing a Frozen Python Executable

    This document presents a way to reverse engineer frozen python executables.

    We have all at some point reversed natively compiled applications like the ones generated by Visual C++, Delphi etc., but reversing a frozen Python executable presents a new challenge, and this area of the field is not yet fully explored.

    So this document is going to explore some of those and the way we can proceed in such a situation.

    [This whole tutorial is for learning purposes only and any other unethical use is strongly discouraged]

    38 downloads

    0 comments

  2. Dealing With Funny Checksum

    After a while, I've decided to write about something interesting which I found while unpacking one protection, and it will also be a nice introduction to one of my tools which I wrote for the fun of it.

    However, I won't mention the application name here, but to demonstrate the checksum check which I found I will be using one test application, thus you will get an idea of what happened and how the checksum is defeated. I will also introduce one tool I wrote, which served me well in this particular case. The tool should come with this document, thus I won't describe the tool and its internals, as the source code should be well commented.

    38 downloads

    0 comments

  3. Reverse Engineering Drivers for Safety and Portability

    Device drivers today lack two important properties: guaranteed safety and cross-platform portability. We present an approach to incrementally achieving these properties in drivers, without requiring any changes in the drivers or operating system kernels. We describe RevEng, a tool for automatically reverse-engineering a binary driver and synthesizing a new, safe and portable driver that mimics the original one. The operating system kernel runs the trusted synthetic driver instead of the original, thus avoiding giving untrusted driver code kernel privileges. Initial results are promising: we reverse-engineered the basic functionality of network drivers in Linux and Windows based solely on their binaries, and we synthesized safe drivers for Linux. We hope RevEng will eventually persuade hardware vendors to provide verifiable formal specifications instead of binary drivers; such specifications can be used to automatically synthesize safe drivers for every desired platform.

    33 downloads

    0 comments

  4. Reverse Engineering Self-Modifying Code Unpacker Extraction

    An important application of binary-level reverse engineering is in reconstructing the internal logic of computer malware. Most malware code is distributed in encrypted (or "packed") form; at runtime, an unpacker routine transforms this to the original executable form of the code, which is then executed. Most of the existing work on analysis of such programs focuses on detecting unpacking and extracting the unpacked code. However, this does not shed any light on the functionality of different portions of the code so obtained, and in particular does not distinguish between code that performs unpacking and code that does not; identifying such functionality can be helpful for reverse engineering the code. This paper describes a technique for identifying and extracting the unpacker code in a self-modifying program. Our algorithm uses offline analysis of a dynamic instruction trace both to identify the point(s) where unpacking occurs and to identify and extract the corresponding unpacker code.

    33 downloads

    0 comments

  5. Reverse Engineering by Crayon

    Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armoured code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.

    32 downloads

    0 comments

  6. Reverse Engineering is Reverse Forward Engineering

    Reverse Engineering is focused on the challenging task of understanding legacy program code without having suitable documentation. Using a transformational forward engineering perspective, we gain the insight that much of this difficulty is caused by design decisions made during system development. Such decisions "hide" the program functionality and performance requirements in the final system by applying repeated refinements through layers of abstraction, and information-spreading optimizations, both of which change representations and force single program entities to serve multiple purposes. To be able to reverse engineer, we essentially have to reverse these design decisions. Following the transformational approach we can use the transformations of a forward engineering methodology and apply them "backwards" to reverse engineer code to a more abstract specification. Since most existing code was not generated by transformational synthesis, this produces a plausible formal transformational design rather than the original authors' actual design. A byproduct of the transformational reverse engineering process is a design database for the program that then can be maintained to minimize the need for further reverse engineering during the remaining lifetime of the system. A consequence of this perspective is the belief that plan recognition methods are not sufficient for reverse engineering. As an example, a small fragment of a real-time operating system is reverse-engineered using this approach.

    31 downloads

    0 comments

  7. Hacker School - Sapheads

    An introduction to the reverse engineering field in the style of a comic book. Originally presented at the final of Defcon CTF 2009.

    29 downloads

    0 comments

  8. Reversing J2ME Applications

    I wrote this tutorial so that absolute beginners can learn reversing J2ME applications quickly without going through some hardcore brain-busting.

    This tutorial contains 2 parts, the introduction and the reversing part.

    29 downloads

    0 comments

  9. The NTkrnl Journal Volume 1 (Issue 1-2)

    Inject the code to Windows Application

    It might be that you want to comprehend the ways a virus program injects its procedure into the interior of a portable executable file and corrupts it, or you are interested in implementing a packer or a protector for your specific intention to encrypt the data of your Portable Executable (PE) file. This article is committed to representing a brief intuition of the performance which is done by EXE tools or some kinds of malware.

    You can employ the source code of this article to create your custom EXE builder. It could be used to make an EXE protector in the right way, or with a wrong intention, to pullulate a virus. However, my purpose in writing this article has been to gaze on the first application, so I will not be responsible for the immoral usage of these methods.

    The .NET File Format

    The standards of the .NET format are public; you can find them on Microsoft's site and in your .NET SDK (look for "Partition II Metadata.doc"), but they are intended to be more like a reference, not really a guide. So, the truth is that a description of the format can be useful. I mean, there's a huge difference between having WinNT.h and having the full explanation of its structures and stuff. The documentation given by Microsoft has some explanations, but a lot of passages aren't very clear at all. Of course, it's required that you know the PE File Format quite well. If that's not the case, you should start with that first, otherwise you won't be able to make heads or tails of this article. A little warning: I'm not going to explain how to use the libraries given by Microsoft to access the .NET format; I'm going to explain the format itself. This article is based on the Framework 2.0.

    .NET Manifest Resources

    This article is about the internal format of .NET Manifest Resources (or better the ".resources" files contained in it). I don't know if the code can be useful to you or not (probably not), but I like to write about undocumented stuff. In fact, this article is nothing sensational, I just wrote it 'cause I haven't found any documentation about this subject on the net, not even in the .NET MetaData specifics: Partition II MetaData.doc.

    Some time ago I wrote a PE Editor called CFF Explorer ('cause I needed to) with support for .NET MetaData, since there wasn't such a tool. The only tool I could find was Asmex (which you can find on codeproject), but the problem with that tool is that you cannot modify the MetaData fields and, moreover, it still relies on the .NET Framework. And I don't say this to criticize Asmex, which is surely useful, but because I needed something different. Anyway, I wrote a resource viewer for the PE Editor and wanted to show the MetaData resources as well. So, in order to do that while avoiding the use of an external .NET Assembly, I had to analyze the Manifest Resource format.

    The .NET File Format (continued...)

    Inject the code to Windows Application (continued...)

    29 downloads

    0 comments

  10. Reversing and Exploiting Apple Firmware Update

    The security posture of a computer can be adversely affected by poorly-designed devices on its USB bus. Many modern embedded devices permit firmware to be upgraded in the field, and the use of low-cost microcontrollers in these devices can make it difficult to perform the mathematical operations needed to verify a cryptographic signature. The security of many of these upgrade mechanisms is very much in question. For a concrete example, we describe how to tamper with a firmware upgrade to the Apple Aluminum Keyboard. We describe how an attacker can subvert an off-the-shelf keyboard by embedding into the firmware malicious code which allows a rootkit to survive a clean re-installation of the host operating system.

    28 downloads

    0 comments

  11. When Memory Management Goes Bad

    Case study of memory management in cmd.exe. The article describes some bad programming practices that are used in cmd.exe and possible workarounds that can be done with some reverse engineering knowledge.

    28 downloads

    0 comments

  12. Extracting Code from Perl2Exe

    Perl2exe is a program that is used to run Perl scripts natively on Windows, without needing to install a Perl interpreter.

    This might seem like magic to some people, but we know better, don't we?

    27 downloads

    0 comments

  13. Principled Reverse Engineering of Types in Binary Programs

    A recurring problem in security is reverse engineering binary code to recover high-level language data abstractions and types. High-level programming languages have data abstractions such as buffers, structures, and local variables that all help programmers and program analyses reason about programs in a scalable manner. During compilation, these abstractions are removed as code is translated down to operations on registers and one globally addressed memory region. Reverse engineering consists of "undoing" the compilation to recover high-level information so that programmers, security professionals, and analyses can all more easily reason about the binary code.

    In this paper we develop novel techniques for reverse engineering data type abstractions from binary programs. At the heart of our approach is a novel type reconstruction system based upon binary code analysis. Our techniques and system can be applied as part of both static or dynamic analysis, thus are extensible to a large number of security settings. Our results on 87 programs show that TIE is both more accurate and more precise at recovering high-level types than existing mechanisms.

    27 downloads

    0 comments

  14. Reverse Engineering of Real-Time Assembly Code

    Much legacy real-time code is written in assembly language. Such code is often crafted to meet stringent time and space requirements so the high-level intent of the programmer may have been obscured. The result is code that is difficult to maintain and reuse. In this paper we present a tool for reverse engineering of real-time Z86 assembly code, together with a tool for validation of the output. Our experimental results are for a suite of commercial micro-controllers. For those benchmarks, our tool does the bulk of the reverse-engineering work, leaving just a few undisciplined uses of machine code to be handled manually. Our tool is designed to preserve programmer intent to the largest extent possible. Thus, the reverse engineered program is easier to understand and maintain than the original.

    27 downloads

    0 comments

  15. Reversing of a Protection Scheme Based on Drivers Sandboxie

    Sometimes one happens to fall into an interesting protection which reveals itself to be nicely implemented and nice to describe in a tutorial. This time it is the turn of SandBoxie, a program that has a nice protection scheme. I thought it could be useful to reverse and document it in a tutorial, mostly because I used a combination of OllyDbg and the IDA Debugger a lot.

    This time I preferred using IDA as much as possible to understand the code and then OllyDbg only to verify the assumptions made. This method of investigation is very common when you have to analyze malware, but it is also very handy, because IDA allows saving of reversing sessions, code editing, name changing and so on, taking advantage of both.

    I need reversing instruments that can be frozen at any time (I have very little and scattered spare time): I usually run the dynamic sessions with OllyDbg on a VMware virtual PC which I can freeze at any time, and the analysis sessions with IDA (which can also be closed and started again later for another session).

    As usual there are cracks and keygens for this program around the net, and this tutorial will not create more trouble than that already created by someone else.

    Moreover, it will be the occasion to dig deeper into the IDA functionalities in combination with OllyDbg; I will try to be as clear as possible, for everyone.

    27 downloads

    0 comments

  16. Enabling Buttons Under Visual Basic 6

    A brief explanation of how to enable masked buttons under Visual Basic 6.

    26 downloads

    0 comments

  17. How To Load My DLL With a Base Offset

    Today I show you quickly how you can manually tell your system to load your DLL at the base address you want, if OllyDbg's LoadDLL tool didn't work for you.

    26 downloads

    0 comments

  18. Kingston USB Password Sniffing

    Today one of my friends came to me for help. Actually he had locked his 'Kingston DataTraveler 2GB' with a password and forgotten it, and it was a crucial stage as his project files were on it, so I decided to help him by breaking the protection. Actually I was also nervous because I had not tried my hand at any such security related to hardware, but at last I was able to penetrate the security system and sniff the password from there. Anyway, I am giving a tutorial on how I did that.

    26 downloads

    0 comments

  19. Preventing Reverse Engineering of Native and Managed Programs

    One of the important aspects of protecting software from attack, theft of algorithms, or illegal software use is eliminating the possibility of performing reverse engineering. One common method used to deal with these issues is code obfuscation. However, it has proven to be ineffective. Code encryption is a much more effective means of defying reverse engineering, but it requires managing a cryptographic key available to none but the permissible users. The thesis presents a system for managing cryptographic keys in a protected environment and supporting execution of encrypted code. The system has strong security guarantees. In particular, the cryptographic keys are never stored on the target machine, but rather delivered to it from a remote server, upon a successful verification of its authenticity. The keys and the decrypted instructions are protected by a thin hypervisor at all times. The system allows the encryption and execution of both native and Java code.

    During native code execution, the decrypted instructions are inaccessible to a potentially malicious code. This is achieved by either preventing execution of any other code or by protecting the memory region containing the decrypted instructions during their execution.

    Java programs, unlike native programs, are not executed directly by the processor, but are interpreted (and sometimes compiled) by the Java Virtual Machine (JVM). Therefore, the JVM will require the cryptographic key to decrypt the encrypted portions of Java code, and there is no feasible way of securing the key inside the JVM. The thesis proposes to implement a Java bytecode interpreter inside the secure environment, governed by a thin hypervisor. This interpreter will run in parallel to the standard JVM, both cooperating to execute encrypted Java programs.

    26 downloads

    0 comments

  20. CrackMe3 Hellsp@wn Solution

    This tutorial doesn't want to describe the methods I used to reverse this crackme, but rather the questions born in the mind of a novice reverser like me. So, you will ask: "Why did you choose this crackme?" The answer is simple: THE CHALLENGE! The name of Hellsp@wn (coauthor of the principal OllyDbg hide plugin: Phantom) and a crackme of level 5, dated 2006 and not yet solved, are the right mix to test my abilities; indeed, the possibility of discovering a new anti-debug technique is just around the corner, so good reading and, as always, sorry for my poor English.

    26 downloads

    0 comments

  21. Fixing Bugs in Binaries

    I had been using Code Crafter's Ability Server for some time when a colleague brought to my attention the fact that there was a remotely exploitable vulnerability in precisely the version I was using. After a short conversation with a friend regarding the vulnerability, I decided to delve a little deeper in an attempt to identify and remove the vulnerability.

    25 downloads

    0 comments

  22. InTether Protection System

    Back from a long period of silence with a tutorial for all (serious) crackers and reversers who don't want to waste their time playing with kiddy packers/crypters.

    Like always this is a reversing tutorial, so if you're looking only for a way to crack InTether protection... you have opened the wrong one... and probably you are not a reverser either. I'm sorry.

    In the title I have defined InTether protection as the "perfect reversing training field", because with a real reversing approach it is possible to have a lot of fun coding tools to better understand not only how this protection works but also how parts of our OS work too.

    The tutorial is made of 2 parts because it's quite long and because I want to give you the approach that I have used here, with the background too.

    Let's start!

    25 downloads

    0 comments

  23. iOS App Reverse Engineering

    Software reverse engineering refers to the process of deducing the implementation and design details of a program or a system by analyzing the functions, structures or behaviors of it. When we are very interested in a certain software feature while not having the access to the source code, we can try to analyze it by reverse engineering.

    For iOS developers, Apps on iOS are one of the most complex but fantastic virtual items as far as we know. They are elaborate, meticulous and creative. As developers, when you see an exquisite App, not only will you be amazed by its implementation, but also you will be curious about what kind of techniques are used in this App and what we can learn from it.

    25 downloads

    0 comments

  24. Next Generation Collaborative Reversing

    A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist from asynchronous use of the same data files to working on multiple copies of data files all of which quickly diverge, leaving the differences to somehow be reconciled. These methods and existing tools provided a first step towards automated collaboration amongst IDA Pro users, however they suffer from several shortcomings including the fact that tools have failed to keep pace with the evolution of IDA's internal architecture. In this paper the authors present a new collaborative tool, titled collabREate, designed to bring nearly effortless collaboration to IDA users.

    25 downloads

    0 comments

  25. Exposing a Resource Leak in Yoda Protector

    There are many reasons to wrap your product inside a program protector or packer - some of which are even beyond reproach. But you can't blindly entrust your code to the operations of code encryptors and obfuscators. Unless you perform some type of code quality review, you may be inadvertently destabilizing your customer's or target's system. Resources may not be disposed of properly; the program stack may be corrupted; the exception handling chain that you so carefully constructed may have an extra link or two. Since access to the source code for these packer programs is in most cases limited and traditional debugging tools such as Compuware's BoundsChecker may not function properly alongside these programs, one avenue open to you is to reverse engineer what the packer is doing. The packer that I will be examining for this article is one called "yoda's Protector" (version 1.03.2) and can be found at http://protools.reverse-engineering.net. Source code, which appears to be out of date, can be found at https://sourceforge.net/projects/yodap. (Building the source from the project files produces an executable with a version number of 1.0. but test programs "protected" by this version either crashed or blue-screened my system when a debugger was attached.)

    For the purposes of this investigation I took a copy of CALC, the Windows calculator program (version 5.1.2600.0 (xpclient.010817-1148)) and "protected" it using Yoda's Protector. The options I selected were:

        Anti-SoftICE protection
        Checksum Protection
        API Redirection
        Anti-Dump Protection
        Clear Import Information
        Remove .reloc section
        Remove debug information
        Compress Option - 10
        Create backup copy
        Section's Name - .yP

    (The packed version of CALC is included in the supporting files for this article.) If you compare file sizes both before and after this operation, you will see that the packed version is much smaller than the original: 112Kb shrinks down to 81Kb. Launching the compressed version of the executable brings up the calculator program in all its glory. Let us see what happens when I start CALC using a debugger.

    As I expected, nearly all the debuggers I tried experience problems. OllyDbg, WinDbg, and Visual Studio.NET 2003 crashed and burned with only one clue remaining: the desktop taskbar was unresponsive. My debugger, PEBrowse Professional Interactive (available at www.smidgeonsoft.com), locked up, but the taskbar was still disabled. SoftICE appeared to handle the program with no problem at all - the reason for this is mysterious, as I'll discuss later.

    There is, however, one common thread running through the usermode debuggers - inability to handle this beast - the taskbar has been disabled. I can still use the three-fingered-salute (Ctrl-Alt-Delete) to bring up Task Manager and restart the system. Now it's time for me to roll up my sleeves and dive into the code behind the packed calculator program. (I will be using my own debugger during this discussion - the others should work well using the hints and addresses that I will be providing.)

    23 downloads

    0 comments
