
Tools and Basic Reverse Engineering
Modern Binary Exploitation
CSCI 4968 – Spring 2015
Jeremy Blackthorne

MBE - 01/30/2015 Tools and Basic RE 1


Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources

Compiling

Source Code --(Compile)--> Assembly --(Assemble)--> Object File --(Link, with Libraries)--> Binary File
Loading

Source Code --(Compile)--> Assembly --(Assemble)--> Object File --(Link, with Libraries)--> Binary File --(Load)--> Process
Running

Process, t=0 --(Step)--> Process, t=1 --(Step)--> ... Process, t=i ... --(Step)--> Process, t=n


RE Domain

Binary File --(Load)--> Process, t=0 --(Step)--> Process, t=i --(Step)--> Process, t=n

Static: working from the Binary File
Dynamic: working from the Process at t=0 ... t=n
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources

Tool Color Coding
• Linux Tool
– Command
• Windows Tool
– ToolName.exe
• Associated Challenges:
– ChallengeName

Hex Editor / Viewers
• Hex Editors / Viewers
– wxHexEditor (GUI)
– xxd
• “-i” option outputs the dump in C include style (a C array)
• Challenge:
– crackme0x00a

ASCII Readable Hex
• strings
– Displays ASCII strings > 4 characters long

• Challenge:
– crackme0x00a
– crackme0x00b
• strings -e ? crackme0x00b
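The difference between a plain strings run and strings -e on crackme0x00b comes down to character encoding: the default scan looks for runs of single 7-bit bytes, while -e selects another encoding (for example -e l for 16-bit little-endian). What follows is an added example, not code from the lecture: a small Python re-implementation of that scan, run on a constructed buffer that stands in for crackme0x00b.

```python
"""strings-style extraction with the -e encoding modes (added example)."""
import re
import string

# Bytes treated as printable for the default single-byte scan.
PRINTABLE = (string.ascii_letters + string.digits + string.punctuation + " \t").encode("ascii")
MIN_LEN = 4  # strings' default minimum run length

# Constructed sample standing in for crackme0x00b (not the real binary):
# an ASCII message, some padding, then a password stored as UTF-16LE.
SAMPLE = (
    b"\x7fELF\x00\x00\x00\x00"              # offset 0: fake ELF magic
    + b"Password OK\x00"                    # offset 8: plain ASCII, found by default
    + b"\x90" * 8                           # offset 20: padding
    + "secret pass".encode("utf-16-le")     # offset 28: invisible without -e l
    + b"\x00\x00\xff\xfe\x01\x02"
)

def find_strings(data, encoding="s", min_len=MIN_LEN):
    """Return (offset, text) for every printable run of >= min_len characters.

    encoding uses the letters of strings' -e option: 's' single 7-bit bytes
    (the default), 'l' 16-bit little-endian, 'b' 16-bit big-endian.
    Scanning with the wrong endianness yields a shifted string, e.g. 'b'
    on the UTF-16LE password above returns "ecret pass" one byte later.
    """
    cls = b"[" + re.escape(PRINTABLE) + b"]"
    if encoding == "s":
        unit, codec = cls, "ascii"
    elif encoding == "l":
        unit, codec = b"(?:" + cls + b"\x00)", "utf-16-le"
    elif encoding == "b":
        unit, codec = b"(?:\x00" + cls + b")", "utf-16-be"
    else:
        raise ValueError("unsupported encoding letter: " + encoding)
    pattern = unit + b"{" + str(min_len).encode() + b",}"
    return [(m.start(), m.group().decode(codec)) for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    for enc in "slb":
        print("strings -e", enc, "->", find_strings(SAMPLE, enc))
```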


File Formats on Disk
• Linux:
– ELF-Walkthrough.png
– readelf
• Windows:
– PE-Layout.jpg
– Peview.exe
• For unknown files / binaries
– file


Hashing
• Do we have the same file?
– md5sum
• Upload hash to virustotal.com
• Google search hash
• Fuzzy hashing:
– ssdeep -b original.elf >hash.txt
– ssdeep -bm hash.txt modified.elf


Command Line Disassembly
• crackme0x01
• objdump -d
• Convert hex to decimal
– echo $((0xDEADBEEF))


Patching Binaries
• It’s your binary, you can patch it if you want to
• objdump -d crackme0x00a | grep -A 30 '<main>'
• wxHexEditor-->Edit-->Find


External Diffing
• Original + modified = HUGE advantage
• wxHexEditor-->Tools-->compare files

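Both of the slides above, Patching Binaries and External Diffing, come down to byte-level find, overwrite and compare. Added example, not code from the lecture: a Python script that locates a byte pattern, overwrites it with a same-length replacement and lists every byte that differs between the original and the patched copy, run on a constructed x86 fragment rather than the real crackme0x00a.

```python
"""Byte-level patch and diff, the way a hex editor's Find and Compare work (added example)."""

# Constructed x86 fragment standing in for a crackme's check (not the real binary).
ORIGINAL = bytes.fromhex(
    "5589e5"       # push ebp; mov ebp, esp
    "83ec10"       # sub esp, 0x10
    "e800000000"   # call <placeholder rel32>
    "85c0"         # test eax, eax
    "750c"         # jne short +0x0c   <- the branch to invert
    "b801000000"   # mov eax, 1
    "c9c3"         # leave; ret
)

def patch_bytes(data, needle, replacement, occurrence=0):
    """Overwrite the occurrence-th match of needle with a same-length replacement.

    Returns (patched_copy, offset). Same length matters: inserting or deleting
    bytes would shift every address the disassembly refers to.
    """
    if len(needle) != len(replacement):
        raise ValueError("replacement must be the same length as the pattern")
    start = -1
    for _ in range(occurrence + 1):
        start = data.find(needle, start + 1)
        if start < 0:
            raise ValueError("pattern not found")
    patched = bytearray(data)
    patched[start:start + len(needle)] = replacement
    return bytes(patched), start

def diff_bytes(original, modified):
    """Return [(offset, old, new)] for every byte that differs (external diffing)."""
    if len(original) != len(modified):
        raise ValueError(f"sizes differ: {len(original)} vs {len(modified)} bytes")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]

def format_diff(changes):
    """Render changes like a hex editor's compare view, one line per byte."""
    return [f"0x{off:08x}: {old:02x} -> {new:02x}" for off, old, new in changes]

if __name__ == "__main__":
    patched, off = patch_bytes(ORIGINAL, bytes.fromhex("750c"), bytes.fromhex("740c"))
    print(f"patched jne -> je at offset 0x{off:x}")
    print("\n".join(format_diff(diff_bytes(ORIGINAL, patched))))
```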


Disassembly
• objdump -d
• IDA Pro.exe

• Challenges:
– crackme0x01
– crackme0x02


IDA Pro
• IDA Pro.exe
• crackme0x04

IDA Basics
• Change between basic and graphic mode (space bar)
• Rename variables: (n)
• Comment
– Side: (:), (;)
– Above/below: (ins)
• Convert const formats: (right-click)
• Cross-reference: (x)
• Change to array: (a)
• IDA->Windows->Reset desktop
• IDA->Options->General->auto comment
• IDA->Options->General->opcode bytes 8

https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf
The Stack

Calling Foo(a, b, c): EIP, EBP, ESP and the stack slots 0x03 .. 0x07 (animated build-up of the frame)

The animations on this slide will only work in the .pptx of this lecture


Stack frame of Foo(a, b, c) (lower addresses at the top; x, y, z are Foo's locals)

Address  Contents   Register
0x00     z          <- ESP
0x01     y
0x02     x
0x03     Old EBP    <- EBP
0x04     Old EIP
0x05     a
0x06     b
0x07     c
Lecture Overview
1. Introduction to Reverse Engineering
2. Tools!
3. Resources

IDA Pro
• IDA_Pro_Shortcuts.pdf
• The book on IDA
• IDA Syntax Highlighting:
– http://practicalmalwareanalysis.com/2012/03/25/decorating-your-disassembly/


Additional Resources
• Corkami.com – diagrams of file structures and other interesting trivia
• Crackmes.de – “Reverser’s Playground”
• Subreddits
– reddit.com/r/reverseengineering
– reddit.com/r/netsec
– reddit.com/r/uic
• http://www.bottomupcs.com - Systems background