tdoh 南區 workshop 2016 reversing on windows
TRANSCRIPT
-
aaaddress1 at The Declaration of Hacker (TDOH)
Reversing
On
WINDOWS
-
aaaddress1 at The Declaration of Hacker (TDOH)
Who Am I
-
aaaddress1 at The Declaration of Hacker (TDOH)
(aaaddress1, aka adr)
Reverse Engineering, Pwn C/C++, C#, x86, Node.js Blog: Adr.Horse, 30cm.tw Speaker HITCON 2015
SITCON 2016
Besides Las Vegas 2016
TDOHxNTSTU Security Lecture
Reversing
Windows Pwn
-
aaaddress1 at The Declaration of Hacker (TDOH)
MapleHack CrackShield Tower Of Savior Hack Adrs FB Isu.30cm.tw AIDS PykemonGo, MadPocket My Little Ransomware
-
aaaddress1 at The Declaration of Hacker (TDOH)
introduction
-
aaaddress1 at The Declaration of Hacker (TDOH)
C/C++
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
C/C++ break;
-
aaaddress1 at The Declaration of Hacker (TDOH)
Trial https://goo.gl/ky7SsW
Slide https://goo.gl/HBLtkm
https://goo.gl/ky7SsWhttps://goo.gl/HBLtkm
-
aaaddress1 at The Declaration of Hacker (TDOH)
Outline
-
aaaddress1 at The Declaration of Hacker (TDOH)
Requirement IDA (Pro) OllyDbg Cheat Engine Windows7 x86 Dev C++
-
aaaddress1 at The Declaration of Hacker (TDOH)
Windows PE & Process Have fun in PE structure Import Address Table (IAT) ImageBase & Find the entry
-
aaaddress1 at The Declaration of Hacker (TDOH)
Assembly sizeof( variable ) eax, ebx, ecx, edx, etc add, sub, inc, dec xor Flag & Branch Loop x86 Calling Convention
Function Call
esp & ebp
-
aaaddress1 at The Declaration of Hacker (TDOH)
Analyzer IDA (Pro)
PE, IAT, EAT
Strings List
Flow Chart
Function & Variable Anti-Trace
OllyDbg Create Process & Attach
Hook & Trace
Cheat Engine Create Process & Attach
Memory Scan for data
Hook & Trace
-
aaaddress1 at The Declaration of Hacker (TDOH)
Bonus IDA Dynamic Analysis
Patch
Executable file patch
Dynamic Patch
Cheat Engine PE View
Assembly & Special
-
aaaddress1 at The Declaration of Hacker (TDOH)
Portable Executable
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Return 0 for what?
-
aaaddress1 at The Declaration of Hacker (TDOH)
View Open subviews Proximity browser
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
The return value of main function is the Exit Status
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
PE Loader will find _start function from Exports Address Table (EAT)
View Open subviews Exports
-
aaaddress1 at The Declaration of Hacker (TDOH)
Is it true? Nope, Not at all. It will take too much time to search.
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki The head of PE file is DOS header, and that starts with sginature 0x5A4D
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki
Thats why its also called DOS-MZ
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki And (DOS Header + 0x3C) stores the offset of NT Header
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki This is the real header of PE
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki (NT Header + 0x028) stores the offset of
the first entry function that as known as start function.
-
aaaddress1 at The Declaration of Hacker (TDOH)
Wiki (NT Header + 0x034) stores the offset
of the PE file loaded at where in memory e.g. 0x400000
-
aaaddress1 at The Declaration of Hacker (TDOH)
CE
Right click Go to address Input main.exe You will find the main.exe loaded at 0x400000
MZ
-
aaaddress1 at The Declaration of Hacker (TDOH)
CE
0x0000110b + 0x400000 = 0x40110b
Thats the same as the address in IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
If you understand the whole PE structure, you can make a great PE packer :P
-
aaaddress1 at The Declaration of Hacker (TDOH)
IMPORT ADDRESS TABLE
-
aaaddress1 at The Declaration of Hacker (TDOH)
View Open subviews Imports
IDA IAT stores all API program calls
-
aaaddress1 at The Declaration of Hacker (TDOH)
Double Click & Show the API detail at IAT
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
Strings List
-
aaaddress1 at The Declaration of Hacker (TDOH)
View Open subviews Strings
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
Assembly:
Data
-
aaaddress1 at The Declaration of Hacker (TDOH)
C Data Type
-
aaaddress1 at The Declaration of Hacker (TDOH)
Program counter
-
aaaddress1 at The Declaration of Hacker (TDOH)
Stack Pointer
-
aaaddress1 at The Declaration of Hacker (TDOH)
Base Pointer
-
aaaddress1 at The Declaration of Hacker (TDOH)
ByteByte ByteByte
EAX = 4Byte = int = long
Register Type
-
aaaddress1 at The Declaration of Hacker (TDOH)
ByteByte ByteByte
AX = 2 Byte = Short
Register Type
-
aaaddress1 at The Declaration of Hacker (TDOH)
ByteByte ByteByte
AH = 1 Byte = Char
Register Type
-
aaaddress1 at The Declaration of Hacker (TDOH)
ByteByte ByteByte
AL = 1 Byte = Char
Register Type
-
aaaddress1 at The Declaration of Hacker (TDOH)
Assembly:
Opcode
-
aaaddress1 at The Declaration of Hacker (TDOH)
Nop (0x90) Nothing to do.
-
aaaddress1 at The Declaration of Hacker (TDOH)
Mov dest,source dest = source
Mov dest, [source] source = value of dest
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Add dest,source dest += source
Add dest, [source] dest += value of source
-
aaaddress1 at The Declaration of Hacker (TDOH)
Sub dest, source dest -= source
Sub dest, [source] dest -= value of source
-
aaaddress1 at The Declaration of Hacker (TDOH)
Inc dest dest ++
Inc [dest] (value of dest)++
-
aaaddress1 at The Declaration of Hacker (TDOH)
Dec dest dest --
Dec [dest] (value of dest)--
-
aaaddress1 at The Declaration of Hacker (TDOH)
Cmp [source], value //Compare *(long*)source with value
Je blockOne // Jump to blockOne if theyre equal
Jl blockTwo // Jump to blockTwo if [source] less than value
Jg blockThree // Jump to blockThree if [source] greater than value
-
aaaddress1 at The Declaration of Hacker (TDOH)
Cmp [source], value //Compare *(long*)source with value
Jne blockOne // Jump to blockOne if theyre not equal
Jnl blockTwo // Jump to blockTwo if [source] not less than value
Jng blockThree // Jump to blockThree if [source] not greater than value
-
aaaddress1 at The Declaration of Hacker (TDOH)
Test [source], value //Compare *(long*)source with value
Jz blockOne // Jump to blockOne if ([source] - value) is zero
Ja blockTwo // Jump to blockTwo if ([source] - value) is above zero
Jb blockThree // Jump to blockThree if ([source] - value) is below zero
-
aaaddress1 at The Declaration of Hacker (TDOH)
Test v.s. Cmp Using Cmp & Jl/Je/Jg If source & dest are signed number
Using Test & Jb/Jz/Ja If source & dest are unsigned
-
aaaddress1 at The Declaration of Hacker (TDOH)
Jmp near +0x200 EIP = EIP + 0x200
-
aaaddress1 at The Declaration of Hacker (TDOH)
Jmp long 0x400000 EIP = 0x400000
-
aaaddress1 at The Declaration of Hacker (TDOH)
Ret EIP = [ESP+0] & pop [ESP+0]
-
aaaddress1 at The Declaration of Hacker (TDOH)
Ret 0x0C pop 0x0C bytes from stack,
i.e. ESP += 0x0C
EIP = [ESP+0] & pop [ESP+0]
-
aaaddress1 at The Declaration of Hacker (TDOH)
Xor dest, source mov dest, A //0x41 xor dest, 0x20 //dest is a(0x61) now
-
aaaddress1 at The Declaration of Hacker (TDOH)
Xor dest, source mov dest, a //0x61 xor dest, 0x20 //dest is A(0x41) now
-
aaaddress1 at The Declaration of Hacker (TDOH)
0100 0001 A(0x41)0x200010 0000
Xor
a(0x61)0110 0001
-
aaaddress1 at The Declaration of Hacker (TDOH)
Assembly:
Function Call
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
void Func()
{
int A = 0;
Int B = 1;
Int C = 2;
}
[EBP - 4] =0
[EBP - 8] =1
[EBP - C] =2
push EBP mov EBP,ESP sub ESP, LEN
-
aaaddress1 at The Declaration of Hacker (TDOH)
void Func() {
nFunc(ARG1,ARG2,ARG3);
}
push ebb mov ebp,esp
.
. push arg3 push arg2 push arg1 call nFunc
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
[EBP+0 ] = Pointer to old EBP [EBP+4 ] = Return Address [EBP+8 ] = Parameter 1 [EBP+C] = Parameter 2 [EBP+10]= Parameter 3 etc
-
aaaddress1 at The Declaration of Hacker (TDOH)
Assembly:
Calling Convention
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackESP + 0
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackESP + 0 Old EBP
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP + 0
=ESP Old EBP
EBP + 4
EBP + 8
EBP + C
EBP + 10
EBP + 14
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP Buffer
EBP - 4 Buffer
EBP + 0 Old EBP
EBP + 4
EBP + 8
EBP + C
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP 1
EBP - 4 Buffer
EBP + 0 Buffer
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP Old EBP
EBP - 4 return Address
EBP + 0 1
EBP + 4 Buffer
EBP + 8 Buffer
EBP + C Old EBP
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP + 0
=ESP Old EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP + 0
=ESP Old EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 8 =ESP 1
EBP - 4 Buffer
EBP + 0 Buffer
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
StackEBP - 4 =ESP Buffer
EBP + 0 Buffer
EBP + 4 Old EBP
EBP + 8
EBP + C
EBP + 10
_______EIP
-
aaaddress1 at The Declaration of Hacker (TDOH)
x86 Disassembly
&
Calling Conventions
-
aaaddress1 at The Declaration of Hacker (TDOH)
Its time to talk about each register meanings and their functions used for.
-
aaaddress1 at The Declaration of Hacker (TDOH)
I collect the simple parts from wiki, and theyre real useful for reversing.
read more: x86 Disassembly/Calling Conventions
https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Conventions
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
CDECL
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
STDCALL
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
FASTCALL
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
C++ THISCALL
-
aaaddress1 at The Declaration of Hacker (TDOH)
DEBUGGing
-
aaaddress1 at The Declaration of Hacker (TDOH)
Debug:
Ollydbg
-
aaaddress1 at The Declaration of Hacker (TDOH)
Debug:
Cheat Engine
-
aaaddress1 at The Declaration of Hacker (TDOH)
Debug:
IDA Pro
-
aaaddress1 at The Declaration of Hacker (TDOH)
Trial:
TDOH Hello World
-
aaaddress1 at The Declaration of Hacker (TDOH)
Play the game & Find the flag :P
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
Live Demo
IDA, CE, Olly
-
aaaddress1 at The Declaration of Hacker (TDOH)
Generate Pseudocode(F5) of IDA Pro might lose something important in assembly for accessible reading.
Its important to use debugger and trace opcode of every step.
IDA
-
aaaddress1 at The Declaration of Hacker (TDOH)
Trial:
Lucky Day
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
TDOH{Debug_is_Fun!}
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Live Demo
IDA, CE, Olly
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Live Demo
IDA, CE, Olly
-
aaaddress1 at The Declaration of Hacker (TDOH)
GAME TIme
AIS3 2016 Final Binary 1
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
Using Strings Window to figure out the format string of printf and double click for detail.
-
aaaddress1 at The Declaration of Hacker (TDOH)
Click the xref and follow
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Just check every char of the input is lower case
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
RC4 but a little diffrent. I will take this function into three parts for you understanding well.
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
If the result after RC4 cipher is the same as input, that will be the really key.
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Live Demo
IDA, CE, Olly
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game TIme
99
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
I prepare the same one but patched.
If you can set bullet count to zero, the game will give you flag.
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Live Demo
IDA, CE, Olly
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
CrackMe#1 [UBC] by bRaINbuSY
-
aaaddress1 at The Declaration of Hacker (TDOH)
Game Time
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
We dont care those, that dont make any effect on the checking
Here is used for SEH ExceptionList but its not the point
-
aaaddress1 at The Declaration of Hacker (TDOH)
We can make it simple like this.
-
aaaddress1 at The Declaration of Hacker (TDOH)
We should figure how to get this value ( you can debug and get this without doubt, but its import to know how it works for creating a keygen)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
-
aaaddress1 at The Declaration of Hacker (TDOH)
Live Demo
IDA, CE, Olly
-
aaaddress1 at The Declaration of Hacker (TDOH)
mailto:[email protected]