Reverse engineering basics



SLIDE 1

Reverse engineering basics

Mg.sc.comp. Kirils Solovjovs Possible Security @KirilsSolovjovs on twitter http://kirils.org for more

SLIDE 2

Reverse engineering?

www.indiamart.com

SLIDE 3

Kirils Solovjovs, 10/07/2018 possiblesecurity.com Reverse engineering basics 3/25

Contents

  • Hardware architecture
  • Processors and machine language
  • Engineering: Creating a program binary
  • Reverse engineering:
    – Static analysis
    – Binary debugging

SLIDE 4

Hardware architecture

SLIDE 5

  • Theory. Turing machine

SLIDE 6

ENIAC, 1945

  • Turing complete
  • General purpose
  • “Reprogrammable”
    – Physical rewiring required
    – Takes weeks

SLIDE 7

The two common hardware architectures

SLIDE 8

Von Neumann arch

  • “Stored program” concept
  • CPU = CU (control unit) + ALU (arithmetic logic unit)
  • Joint MU (one memory unit holding both instructions and data)
  • I/O
  • Most modern systems

SLIDE 9

Harvard arch

  • Separate CU and ALU
  • Separate memories:
    – Data
    – Instructions
  • Allows memories to have different attributes
  • Improved speed
  • DSPs, some microcontrollers

  [Diagram: Instruction memory, Control unit, ALU, Data memory, I/O]

SLIDE 10

Machine code

  • A list of machine language instructions to be directly executed by a CPU.
  • Each instruction is a small specific task:
    – Data operations
    – Arithmetic and logic operations
    – Control flow operations
  • Different ISAs (Instruction set architectures):
    – 8086, ARM, MIPS, VAX, ...

SLIDE 11

Instruction

MIPS32 Add Immediate Instruction

Equivalent mnemonic: addi $r1, $r2, 350

  001000   00001   00010   0000000101011110
  OP Code  Addr 1  Addr 2  Immediate value
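The encoding above, worked through in C as an added example (not from the slides): it packs and unpacks the four fields using the slide's own labels, parses the slide's bit string, and renders it back to the mnemonic. The type and function names (itype_t, mips_encode_itype, mips_decode_itype, bits_to_word, mips_format_addi) are my own; the field layout follows the slide's diagram, whose two register fields the MIPS manuals call rs and rt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MIPS32 I-type layout as drawn on the slide:
 *   bits 31..26 opcode ("OP Code"), 25..21 first register field ("Addr 1"),
 *   20..16 second register field ("Addr 2"), 15..0 immediate.
 * The MIPS manuals call the two register fields rs and rt. */
typedef struct {
    unsigned opcode;  /* 6 bits */
    unsigned addr1;   /* 5 bits */
    unsigned addr2;   /* 5 bits */
    int16_t  imm;     /* 16 bits; the CPU sign-extends it for addi */
} itype_t;

uint32_t mips_encode_itype(const itype_t *f)
{
    return ((uint32_t)(f->opcode & 0x3f) << 26) |
           ((uint32_t)(f->addr1  & 0x1f) << 21) |
           ((uint32_t)(f->addr2  & 0x1f) << 16) |
           ((uint32_t)f->imm & 0xffffu);
}

itype_t mips_decode_itype(uint32_t word)
{
    itype_t f;
    unsigned u = word & 0xffffu;
    f.opcode = (word >> 26) & 0x3f;
    f.addr1  = (word >> 21) & 0x1f;
    f.addr2  = (word >> 16) & 0x1f;
    /* portable two's-complement sign extension of the 16-bit field */
    f.imm    = (int16_t)((u & 0x8000u) ? (int)u - 0x10000 : (int)u);
    return f;
}

/* Parse the bit string as printed on the slide, spaces ignored.
 * Returns 0 and stores the word, or -1 if it is not exactly 32 bits of 0/1. */
int bits_to_word(const char *bits, uint32_t *out)
{
    uint32_t word = 0;
    int n = 0;
    for (; *bits; bits++) {
        if (*bits == ' ') continue;
        if (*bits != '0' && *bits != '1') return -1;
        word = (word << 1) | (uint32_t)(*bits - '0');
        n++;
    }
    if (n != 32) return -1;
    *out = word;
    return 0;
}

/* Render opcode 8 (addi) back to the mnemonic in the slide's operand order.
 * Returns the number of characters written, or -1 for any other opcode. */
int mips_format_addi(uint32_t word, char *buf, size_t len)
{
    itype_t f = mips_decode_itype(word);
    if (f.opcode != 8) return -1;
    return snprintf(buf, len, "addi $r%u, $r%u, %d", f.addr1, f.addr2, f.imm);
}

int main(void)
{
    uint32_t w;
    char buf[64];
    if (bits_to_word("001000 00001 00010 0000000101011110", &w) == 0 &&
        mips_format_addi(w, buf, sizeof buf) > 0)
        printf("0x%08x  %s\n", w, buf);   /* 0x2022015e  addi $r1, $r2, 350 */
    return 0;
}
```

The round trip (bits to word, word to fields, fields back to the same word) is the check to run whenever you write an encoder or decoder for an ISA: a disassembler that cannot reproduce the bytes it just decoded is mis-reading at least one field.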

SLIDE 12

x86 opcodes

SLIDE 13

Note: virtual address space

  • Each 32-bit program “sees” 4GiB of virtual address space available to it.
  • Virtual addresses are the same for every instance of a process.

  * before ASLR

  [Diagram: virtual address space (0x00000000, 0x00010000, 0x10000000, 0x7fffffff; text, data and stack regions) mapped onto physical address space (0x00000000 to 0x00ffffff); pages belonging to the process vs. pages not belonging to the process]

SLIDE 14

Stack and heap

  • Where are variables stored then?
    – Stack and heap
  • Heap: for dynamic allocation, random access
  • Stack: for static memory allocation
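An added C example (not from the slides) contrasting the two allocation kinds: greeting_heap sizes its buffer at run time and hands ownership to the caller, while greeting_stack works in a fixed-size local array that is released on return, so it must bound every write to that array and copy the result out. The function names and the 16-byte local buffer are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap: the size is decided at run time and the block stays valid after
 * this function returns, until the caller free()s it. malloc can fail,
 * so the NULL case is handled rather than dereferenced. */
char *greeting_heap(const char *name)
{
    size_t len = strlen("Hello, ") + strlen(name) + 2;   /* '!' and NUL */
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    snprintf(buf, len, "Hello, %s!", name);
    return buf;                              /* caller owns it: free() later */
}

/* Stack: a fixed-size array in this function's frame, released on return,
 * so the result must be copied out through a caller-provided buffer.
 * snprintf bounds the write to sizeof local; an unbounded strcpy/sprintf
 * into the same array is the classic stack buffer overflow.
 * Returns 0 on success, -1 if the text would not fit either buffer. */
int greeting_stack(const char *name, char *out, size_t outlen)
{
    char local[16];
    int n = snprintf(local, sizeof local, "Hello, %s!", name);
    if (n < 0 || (size_t)n >= sizeof local)
        return -1;                           /* refuse instead of truncating silently */
    if (outlen <= (size_t)n)
        return -1;
    memcpy(out, local, (size_t)n + 1);       /* local is dead after return */
    return 0;
}

int main(void)
{
    char out[32];
    char *h = greeting_heap("r2");
    if (h != NULL) {
        printf("heap  %p  %s\n", (void *)h, h);
        free(h);
    }
    if (greeting_stack("r2", out, sizeof out) == 0)
        printf("stack %p  %s\n", (void *)out, out);
    /* "Hello, " + 23-character name + "!" needs 32 bytes: rejected by the 16-byte local */
    printf("too long: %d\n", greeting_stack("a-name-that-is-too-long", out, sizeof out));
    return 0;
}
```

Running the program prints a heap address and a stack address from different regions of the map on the previous slide; in gdb, `info registers` and `x/i $pc` while stopped inside greeting_stack show the frame that `local` lives in.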

SLIDE 15

Creating a program binary

SLIDE 16

Overview: gcc example

  • .c, .h – human readable C
  • .s – human readable assembly
  • .o – binary object code (relocatable object code)
  • a.out – directly executable machine code

SLIDE 17

DEMO: gcc example

  • Compile:

    gcc -S file.c -o file.s

  • Assemble (&optimize):

    gcc -c file.s -o file.o

  • Link:

    gcc file.o -o file

SLIDE 18

Reverse engineering

SLIDE 19

Full cycle

SLIDE 20

DEMO: Static analysis of password

  • strings r2
  • r2 password
    – pdf @ main
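What `strings` finds in the password binary, reimplemented as an added C example (not from the slides, nor radare2's code): a scanner for runs of printable bytes over a constructed byte array that stands in for the binary, plus the check a reviewer runs before release to confirm a literal credential is exposed. The sample bytes, the literal `s3cr3t-p4ss` and the function names are constructed for this example; the 4-byte minimum is the default `strings` uses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "binary": opcode-like bytes with two printable runs
 * embedded, standing in for the .rodata of a program that compares the
 * typed password against a literal. */
static const unsigned char sample_binary[] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
    'E','n','t','e','r',' ','p','a','s','s','w','o','r','d',':',' ', 0x00,
    0xc3, 0x90, 0x0f, 0x1f,
    's','3','c','r','3','t','-','p','4','s','s', 0x00,
    0x41, 0x42, 0x00,                        /* "AB": shorter than min_len, skipped */
    0xff, 0xfe
};

typedef void (*strings_cb)(const char *s, size_t len, void *ctx);

/* What `strings` does at its core: report every run of at least min_len
 * printable ASCII bytes (0x20..0x7e). Returns the number of runs found. */
size_t extract_strings(const unsigned char *buf, size_t n, size_t min_len,
                       strings_cb cb, void *ctx)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = (i < n) && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable)
            continue;                        /* extend the current run */
        if (i - start >= min_len) {          /* run [start, i) is long enough */
            count++;
            if (cb)
                cb((const char *)buf + start, i - start, ctx);
        }
        start = i + 1;
    }
    return count;
}

/* Collector used by the check below: keeps up to 8 strings of up to 63 bytes. */
typedef struct { char s[8][64]; size_t n; } string_list;

static void collect(const char *s, size_t len, void *ctx)
{
    string_list *l = ctx;
    if (l->n >= 8) return;
    if (len > 63) len = 63;
    memcpy(l->s[l->n], s, len);
    l->s[l->n][len] = '\0';
    l->n++;
}

/* The release-gate check: does the binary expose a given literal? Returns 1
 * if `needle` appears verbatim among the extracted strings, else 0. */
int binary_exposes_literal(const unsigned char *buf, size_t n, const char *needle)
{
    string_list l = { .n = 0 };
    extract_strings(buf, n, 4, collect, &l);
    for (size_t i = 0; i < l.n; i++)
        if (strcmp(l.s[i], needle) == 0)
            return 1;
    return 0;
}

static void print_one(const char *s, size_t len, void *ctx)
{
    (void)ctx;
    printf("%.*s\n", (int)len, s);
}

int main(void)
{
    extract_strings(sample_binary, sizeof sample_binary, 4, print_one, NULL);
    printf("password literal exposed: %d\n",
           binary_exposes_literal(sample_binary, sizeof sample_binary, "s3cr3t-p4ss"));
    return 0;
}
```

A literal that this scan lifts out of the data section is also what `pdf @ main` in r2 shows being loaded before the comparison; the mitigation is not to ship the secret in the binary at all (compare a salted hash, or fetch the credential at run time), since obfuscating it only moves the string to a different place in the disassembly.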

SLIDE 21

DEMO: Static analysis of Android APK

  • binwalk
  • dex2jar + jd-gui

SLIDE 22

DEMO: Binary debugging of test42

  • gdb test42
    – info files
    – b *main
  • if not stripped
    – start
    – info registers
    – x/i $pc

SLIDE 23

DEMO: Firmware reverse engineering

  • Real life example – mt

SLIDE 24

Overview of tools

  • gdb
  • Capstone
  • radare2
  • IDA-Pro & Hex-Rays
  • Binary Ninja
  • OllyDbg
  • otool
  • PE Explorer
  • binwalk
  • dex2jar & JD-GUI
  • Resource Hacker

SLIDE 25

Thanks!

Slides are available on http://kirils.org Find me on twitter: @KirilsSolovjovs