Tuts 4 You

Reverse Code Engineering

55 files

  1. Hacker Challenge ReWolf Reports 2007-2008

    ReWolf's solution to the Hacker Challenges found at: https://hackerchallenge.org/
    The purpose of this challenge is to evaluate the effectiveness of software protections. The results of this effort will be used to improve our protection measures.

    23 downloads

    0 comments


  2. Reverse Engineering of Binary Device Drivers with RevNIC

    This paper presents a technique that helps automate the reverse engineering of device drivers. It takes a closed-source binary driver, automatically reverse engineers the driver's logic, and synthesizes new device driver code that implements the exact same hardware protocol as the original driver. This code can be targeted at the same or a different OS. No vendor documentation or source code is required.

    Drivers are often proprietary and available for only one or two operating systems, thus restricting the range of device support on all other OSes. Restricted device support leads to low market viability of new OSes and hampers OS researchers in their efforts to make their ideas available to the "real world". Reverse engineering can help automate the porting of drivers, as well as produce replacement drivers with fewer bugs and fewer security vulnerabilities.

    Our technique is embodied in RevNIC, a tool for reverse engineering network drivers. We use RevNIC to reverse engineer four proprietary Windows drivers and port them to four different OSes, both for PCs and embedded systems. The synthesized network drivers deliver performance nearly identical to that of the original drivers.

    23 downloads

    0 comments


  3. HDSpoof Reversing

    What's happening under the covers when you launch an executable on your Windows system? These days, malicious activity--viruses, worms, spyware--caused by seemingly innocent programs and attachments makes the question extremely important. Even if you are confident that you could debug (or reverse-engineer) a suspicious program, what if you encounter a program designed to frustrate your analysis attempts? There are tricks and traps that can thwart your best intentions. This article will examine some of these and introduce you to topics such as code obfuscation and protection and anti-reverse-engineering.

    A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system. Starting the program from the command line produced the display seen in Figure 1 (HDSpoof.BMP). The only visible result was the creation of a configuration file with the name of HDSPOOF.INI in the program's installation directory. But a proprietary hardware identification driver and test program I had written for a client now generated different results after executing this program. Clearly something on my system had changed. A little bit of investigation revealed that this program had created and started a dynamic driver on the system and was trying to hide its presence. The driver was visible with a random name in my utility, NTDevices (available at my website, www.smidgeonsoft.com--look for an entry in the index minus the .SYS file extension), but the file for the driver had been deleted from my hard drive. Deleting the configuration file would not restore the expected results. There were still entries present in the system registry for the driver but under a key with a name different from the display name. Rebooting the system and rerunning the program created a driver with a new random name and with new entries in the system registry but would still "spoof" the hardware identification program. Time to fire up a static analyzer program and then the debugger!

    Note: this article is based upon an early version of the program found in the WinRAR file. An updated version is available at www.taurine.game-deception.com as hwspoofv2.1.rar. The points and code fragments noted throughout this discussion are the same; only the addresses have changed in the newer version.

    22 downloads

    0 comments


  4. Looking Inside the (Drop) Box

    Dropbox is a cloud-based file storage service used by more than 100 million users. In spite of its widespread popularity, we believe that Dropbox as a platform hasn't been analyzed extensively enough from a security standpoint. Also, the previous work on the security analysis of Dropbox has been heavily censored. Moreover, the existing Python bytecode reversing techniques are not enough for reversing hardened applications like Dropbox.

    This paper presents new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world. We describe a method to bypass Dropbox's two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection and monkey patching are presented.

    We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box. Finally, we describe the design and implementation of an open-source version of the Dropbox client (and yes, it runs on ARM too).

    22 downloads

    0 comments


  5. DTrace - Applied Reverse Engineering on OSX

    This paper will examine how DTrace, a kernel-based dynamic scriptable tracer, can be effectively used for reverse engineering tasks. DTrace offers an unprecedented view of both user and kernel space, which has many interesting implications for security researchers. In this paper we will introduce DTrace, comparing it to existing debuggers and tracers. We will then walk the reader through various applications of DTrace. We will show how to monitor for stack and heap overflows, generate code coverage graphs, trace code paths visually in target applications over the network with IDA Pro, and discuss intrusion detection and evading DTrace.

    18 downloads

    0 comments
