Binary Auditing

Geller Bedoya, Michael Wozniak

Posted 20-Jan-2016

Page 2

Background

Binary auditing is a set of techniques used to test the security of closed-source software and to discover how it works internally.

The same techniques are used to find out what malicious software does.

They are also used by crackers to bypass the authentication checks built into programs.

Page 3

Tools

strings – lists the printable strings found in a file.

file – identifies the file type and prints information about it (for an ELF binary: architecture, static or dynamic linking, and whether symbols have been stripped).

hexedit – edits a file at the byte level in a hexadecimal view.

Page 4

Tools (cont.)

biew – a multi-platform tool that works both as a hex editor and as a disassembler.

objdump – disassembles binaries on Linux (objdump -d).

gdb – the GNU debugger, used on Linux.

Page 5

Tools (cont.)

IDA – Interactive DisAssembler – a commercial disassembler that runs on Windows, Linux and Mac and handles Windows, Linux and many other binary formats. It is the most advanced of the tools listed here and can be scripted through its own IDC language and through Python (IDAPython).

Page 6

A Simple Binary

A program that reads a password and compares it to a hard-coded reference password to authenticate the user.

A program of this kind can be reverse engineered in several ways.

Page 7

Simple.c
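A program of the kind this slide shows, written here as an added example; it is not the authors' Simple.c, which the transcript does not reproduce. The reference password "key42" and the 31-multiplier hash are assumptions for the example, and the hash is a non-cryptographic stand-in for whatever a real program would use. The plain build is the target of Method #1; the -DHASHED build is the situation Method #2 starts from.

```c
/* simple.c - password check of the kind the slides describe (added example).
 * Build:  cc -O0 -o simple simple.c              (plaintext compare)
 *         cc -O0 -DHASHED -o simple_h simple.c   (compare hash only)
 * Run:    ./simple key42
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed reference password. In the plaintext build this literal sits in
 * .rodata, so `strings ./simple` (Method #1) prints it. */
static const char REFERENCE_PASSWORD[] = "key42";

int check_password_plain(const char *input)
{
    return strcmp(input, REFERENCE_PASSWORD) == 0;
}

/* Simple multiplicative string hash (h = h*31 + c), a stand-in for a real
 * hash so the example needs no crypto library. Not collision resistant. */
uint32_t hash31(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = h * 31u + (unsigned char)*s;
    return h;
}

/* hash31("key42"). Only this constant is compiled in, so strings/hexedit no
 * longer reveal the password; it survives only as an immediate in the code. */
static const uint32_t REFERENCE_HASH = 101943581u;

int check_password_hashed(const char *input)
{
    return hash31(input) == REFERENCE_HASH;
}

int main(int argc, char **argv)
{
    char buf[128];
    const char *input = argv[1];
    if (argc < 2) {
        fputs("Password: ", stdout);
        if (!fgets(buf, sizeof buf, stdin))
            return 1;
        buf[strcspn(buf, "\n")] = '\0';
        input = buf;
    }
#ifdef HASHED
    int ok = check_password_hashed(input);
#else
    int ok = check_password_plain(input);
#endif
    /* Either way the compiler emits a test/cmp followed by a conditional
     * jump on `ok`; that jump is what Methods #2 and #3 patch. */
    if (ok) {
        puts("Access granted");
        return 0;
    }
    puts("Access denied");
    return 1;
}
```

With the plaintext build, `strings ./simple | grep key42` finds the password at once; with the hashed build it does not, and the attacker has to locate the comparison in `objdump -d` output instead.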

Page 8

Method #1

Use hexedit, strings, objdump, or even a text editor.

All of these reveal the password in plain text, because the reference password is stored in the binary as an unencrypted string constant.

Page 9

Method #2

Suppose instead that the input password were hashed and the result compared to a stored hash. Method #1 would then be useless: the binary contains only the hash, not the password.

Method #2 is to modify the behaviour of the binary by inverting the logic of the if statement that acts on the comparison result.

Page 10

Method #2

Page 11

Method #3

The conditional jump instruction that implements the if can be changed to jump to a different place in the program, or changed from je to jne (for the short form this is a one-byte opcode change, 0x74 to 0x75).

This change is independent of the test logic: it works the same whether the comparison is on a plaintext password or on a hash.
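The patching described under Methods #2 and #3, as an added example (not a tool from the slides). It edits raw file bytes, so it is independent of the executable format; the file offset of the je/jne is an assumed command-line input, found with `objdump -d -F target`, which prints file offsets next to each disassembled symbol. The sample image in the test is constructed by hand.

```c
/* patch_jcc.c - patch the short conditional jump behind a check (added example).
 * Usage:  ./patch_jcc <file> <file-offset> invert|taken|fallthrough
 * Writes <file>.patched and leaves the original untouched.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* x86 short (rel8) jump opcodes: je/jz 0x74, jne/jnz 0x75, jmp 0xEB. */
enum { OP_JE = 0x74, OP_JNE = 0x75, OP_JMP_SHORT = 0xEB, OP_NOP = 0x90 };

/* Write one byte only if the byte already there is the expected opcode, so a
 * stale offset from another build does not silently corrupt unrelated code.
 * Returns 0 on success, -1 for an out-of-range offset, -2 on mismatch. */
int patch_byte(uint8_t *img, size_t len, size_t off, uint8_t expect, uint8_t repl)
{
    if (off >= len) return -1;
    if (img[off] != expect) return -2;
    img[off] = repl;
    return 0;
}

static int is_short_jcc(uint8_t op) { return op == OP_JE || op == OP_JNE; }

/* "je <-> jne": invert the condition (the one-byte change from the slides).
 * Returns the new opcode, or -1 if off does not hold a short je/jne. */
int invert_jcc_short(uint8_t *img, size_t len, size_t off)
{
    if (off >= len || !is_short_jcc(img[off])) return -1;
    img[off] = (img[off] == OP_JE) ? OP_JNE : OP_JE;
    return img[off];
}

/* Make the branch unconditional (jmp rel8) or delete it (two NOPs), so the
 * outcome no longer depends on the comparison at all. */
int force_jcc_short(uint8_t *img, size_t len, size_t off, int taken)
{
    if (off + 1 >= len || !is_short_jcc(img[off])) return -1;
    if (taken) {
        img[off] = OP_JMP_SHORT;            /* displacement byte stays valid */
    } else {
        img[off] = OP_NOP;
        img[off + 1] = OP_NOP;
    }
    return 0;
}

/* "Jump to a different place": rel8 is measured from the end of the 2-byte
 * instruction. Returns 0, -1 (bad offset/opcode), or -3 when the target is
 * outside the -128..+127 reach of a short jump (a near jcc would be needed). */
int retarget_jcc_short(uint8_t *img, size_t len, size_t off, size_t target)
{
    if (off + 1 >= len) return -1;
    uint8_t op = img[off];
    if (!is_short_jcc(op) && op != OP_JMP_SHORT) return -1;
    long rel = (long)target - (long)(off + 2);
    if (rel < -128 || rel > 127) return -3;
    img[off + 1] = (uint8_t)rel;            /* two's complement wrap is intended */
    return 0;
}

static uint8_t *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    uint8_t *buf = n > 0 ? malloc((size_t)n) : NULL;
    if (buf && fread(buf, 1, (size_t)n, f) != (size_t)n) { free(buf); buf = NULL; }
    fclose(f);
    *len = n > 0 ? (size_t)n : 0;
    return buf;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <file> <offset> invert|taken|fallthrough\n", argv[0]);
        return 2;
    }
    size_t len;
    uint8_t *img = read_file(argv[1], &len);
    if (!img) { perror(argv[1]); return 1; }
    size_t off = (size_t)strtoul(argv[2], NULL, 0);   /* accepts 0x... */
    int rc = -1;
    if (!strcmp(argv[3], "invert"))           rc = invert_jcc_short(img, len, off) < 0 ? -1 : 0;
    else if (!strcmp(argv[3], "taken"))       rc = force_jcc_short(img, len, off, 1);
    else if (!strcmp(argv[3], "fallthrough")) rc = force_jcc_short(img, len, off, 0);
    if (rc != 0) {
        fprintf(stderr, "no short je/jne at offset 0x%zx (rc=%d)\n", off, rc);
        free(img);
        return 1;
    }
    char out[4096];
    snprintf(out, sizeof out, "%s.patched", argv[1]);
    FILE *f = fopen(out, "wb");
    if (!f || fwrite(img, 1, len, f) != len) { perror(out); free(img); return 1; }
    fclose(f);
    free(img);
    printf("wrote %s\n", out);
    return 0;
}
```

Whether "invert", "taken" or "fallthrough" is the right choice depends on which side of the jump holds the "Access granted" path, which is read off the disassembly first; the expected-opcode check in patch_byte is the habit that prevents patching the wrong build of a binary.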

Page 12

Anti-Reverse Engineering

Many software engineers attempt to disguise a program's behaviour. Techniques for this include:

Anti-virtual-machine checks

Binary compression/packing

Binary encoding

Stripping symbols

Anti-debugger checks

Page 13

Anti-VM

SIDT – Store Interrupt Descriptor Table Register

This instruction writes the IDTR (the limit and base address of the IDT) to memory and can be executed from user mode (unless the CPU's UMIP feature is enabled), so an ordinary program can read the value. In 32-bit guests of the hypervisors of that era the base address was relocated to an abnormally high address.

RedPill.exe is a proof-of-concept program (Joanna Rutkowska's Red Pill) that reads this register and declares whether or not it is running in a VM. The heuristic is fragile: on multi-core systems each CPU has its own IDT, and hardware-assisted virtualization leaves the guest's IDT at an ordinary address.

Page 14

RedPill.exe

To change what this program decides, its conditional jumps can be patched in the same way as in Method #3.

The constant that the program compares the top byte of the IDTR base against (0xd0 in the original) can be changed as well.
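The SIDT heuristic that RedPill is built on, as an added example; this is not the RedPill.exe source. The threshold 0xd0 is the constant the original proof of concept uses; the function, struct and message names are this example's own. The pure classifier is what the test exercises; the SIDT read itself is only meaningful on an x86 build, and on CPUs with UMIP enabled the operating system may trap the instruction and hand back a dummy base.

```c
/* redpill_check.c - the SIDT heuristic behind RedPill.exe (added example).
 * Build: cc -m32 -o redpill_check redpill_check.c   (applies RedPill's rule)
 *        cc -o redpill_check redpill_check.c        (64-bit: prints IDTR only)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout SIDT writes to memory: 16-bit limit, then the base address
 * (4 bytes on IA-32, 8 bytes in long mode). */
struct idtr { uint16_t limit; uint64_t base; } __attribute__((packed));

/* RedPill's constant: the PoC tests whether byte 5 of the SIDT output, the
 * top byte of a 32-bit base, is greater than 0xd0. A patched RedPill.exe
 * changes either this immediate in the cmp or the jump that follows it. */
#define REDPILL_THRESHOLD 0xd0u

/* The decision RedPill makes, separated from the instruction that feeds it. */
int idt_base_looks_virtual(uint32_t base32)
{
    return ((base32 >> 24) & 0xffu) > REDPILL_THRESHOLD;
}

/* Execute SIDT from user mode. Returns 1 with *out filled, or 0 when the
 * build target has no SIDT. Bytes not written by SIDT stay zero. */
int read_idtr(struct idtr *out)
{
    memset(out, 0, sizeof *out);
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("sidt %0" : "=m"(*out));
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct idtr r;
    if (!read_idtr(&r)) {
        puts("no SIDT on this architecture");
        return 0;
    }
    printf("IDTR limit=0x%04x base=0x%016llx\n", r.limit, (unsigned long long)r.base);
#if defined(__i386__)
    puts(idt_base_looks_virtual((uint32_t)r.base) ? "RedPill: inside a VM"
                                                   : "RedPill: not in a VM");
#else
    /* In long mode the IDT base is a kernel-space address whose top byte is
     * always high, so the IA-32 rule would report a VM on bare metal too. */
    puts("64-bit build: RedPill's byte-5 rule does not apply");
#endif
    return 0;
}
```

The same fragility the slide hints at is visible here: the result depends on which CPU the thread happens to run on, and a hypervisor that leaves the guest IDT at a normal address is never flagged, which is why modern anti-VM checks rely on CPUID, timing and device fingerprints instead.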

Page 15

Key Generators

Some software derives a serial number from the user name with an algorithm and uses that serial number for authentication.

The problem is that the software itself must calculate the serial number from the user name, so the algorithm is present in the binary and can be recovered.

Page 16

Very Simple Key Generator

The program needs a user name and a key.

The key is the user name with 1 added to each character.

By running the program in a debugger or stepping through its disassembly, the algorithm can be discovered.

Page 17

Key Generator

A key generator is a program written to run the same algorithm on any input and display the result.
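The "add 1 to each character" scheme from the previous slides and the key generator recovered from it, as an added example; neither the check nor the generator is the authors' program, and the function names are this example's own. The check is written the way it would be recovered from the binary, and the generator is the same transform run forward, with the one input the scheme cannot handle (a 0xff byte, whose successor is the string terminator) rejected instead of producing a key that fails the check.

```c
/* keygen.c - "key = name with 1 added to each character" (added example).
 * Run: ./keygen <name>   prints the key and re-validates it with the check. */
#include <stdio.h>
#include <string.h>

/* The validation routine as recovered from the binary: same length, and
 * key[i] == name[i] + 1 byte for byte. Comparison is on unsigned char so it
 * matches what a compiled byte `cmp` does. */
int check_key(const char *name, const char *key)
{
    size_t n = strlen(name);
    if (strlen(key) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)key[i] != (unsigned char)(name[i] + 1)) return 0;
    return 1;
}

/* The key generator: the same transform run forward on any name. Returns 0
 * for a name that has no valid key under this scheme: a 0xff byte wraps to
 * 0x00, which would terminate the key early and fail the length check. */
int make_key(const char *name, char *key, size_t keysz)
{
    size_t n = strlen(name);
    if (n + 1 > keysz) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)(name[i] + 1);
        if (c == 0) return 0;
        key[i] = (char)c;
    }
    key[n] = '\0';
    return 1;
}

/* Convenience wrapper returning a static buffer, or NULL when no key exists. */
const char *key_for(const char *name)
{
    static char key[256];
    return make_key(name, key, sizeof key) ? key : NULL;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <name>\n", argv[0]); return 2; }
    const char *key = key_for(argv[1]);
    if (!key) { fputs("no key exists for this name\n", stderr); return 1; }
    printf("name: %s\nkey:  %s\nself-check: %s\n", argv[1], key,
           check_key(argv[1], key) ? "ok" : "FAIL");
    return 0;
}
```

The self-check in main is the property every keygen is built around: for any name, check_key(name, make_key(name)) holds, because the generator is the check's own transform lifted out of the binary.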

Page 18

Questions?