Tools and Basic Reverse Engineering – Part 2
Modern Binary Exploitation
CSCI 4968 – Spring 2015
Jeremy Blackthorne
MBE - 01/30/2015 Tools and Basic RE 1
Lecture Overview
1. Review of Last Lecture
2. Introduction to Dynamic Analysis
3. Tools!
4. Resources
Review
Reversing Concepts:
–Static vs dynamic
–Diffing
–Patching
Review
Tools:
–file
–md5sum
–ssdeep
–strings
–readelf
–objdump
–IDA Pro.exe
Review
IDA Pro:
–Rename variables
–Insert comments
–Recognize structures
–Cross reference
–Stack usage in assembly
2. Introduction to Dynamic Analysis
RE Domain
Binary File --Load--> Process, t=0 --Step--> Process, t=i --Step--> Process, t=n
Static analysis works on the binary file; dynamic analysis works on the loaded process as it is stepped forward in time.
Slide Colors
• Linux Tool
– Command
• Windows Tool
– ToolName.exe
• Associated Challenges:
– ChallengeName
Debugger – IDA Pro
•crackme0x04_win.exe
•IDA Pro.exe
RE Domain
What the debugger exposes of the running process:
–Code
–Registers
–Stack
–Other Memory
–Libraries
Stack
Frame layout for a 32-bit x86 call f(a, b, c) with locals x, y, z (one row per 4-byte slot; addresses grow upward):

  higher addresses
  | c        |  argument 3
  | b        |  argument 2
  | a        |  argument 1
  | Old EIP  |  return address
  | Old EBP  |  saved frame pointer   <- EBP
  | x        |  local
  | y        |  local
  | z        |  local                 <- ESP
  lower addresses

The slide also labels byte offsets 0x00 through 0x07 down one side of the cells.
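To see the diagram on a live process, the following is an added example (not code from the lecture) that reads a function's own frame through GCC/Clang's __builtin_frame_address and __builtin_return_address and checks that the return address sits one slot above the saved frame pointer. The struct and function names are the example's own. It assumes a 64-bit GCC or Clang build, where the slots hold RBP/RIP rather than EBP/EIP and the first arguments arrive in registers, which is exactly the difference from the 32-bit picture a practitioner has to keep in mind.

```c
/* frame_walk.c: read a running function's own frame and compare it with the
 * stack diagram above. Added example for this page, not code from the
 * lecture. Assumes GCC or Clang on x86-64: __builtin_frame_address(0) makes
 * the compiler keep a frame pointer, so fp[0] is the saved caller frame
 * pointer ("Old EBP", here RBP) and fp[1] is the return address ("Old EIP",
 * here RIP). */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

struct frame_view {
    uintptr_t arg_a, arg_b, arg_c;        /* where a, b, c were found */
    uintptr_t local_x, local_y, local_z;  /* where the locals live */
    uintptr_t fp;                         /* frame pointer: slot holding the saved FP */
    uintptr_t saved_fp;                   /* the caller's frame pointer */
    uintptr_t ret_slot;                   /* fp + sizeof(void *) */
    uintptr_t ret_addr;                   /* value read from ret_slot */
    uintptr_t ret_addr_builtin;           /* __builtin_return_address(0), for comparison */
};

/* noinline: an inlined function has no frame of its own to look at. */
__attribute__((noinline))
int inspect_frame(struct frame_view *v, int a, int b, int c)
{
    volatile int x = a, y = b, z = c;     /* volatile: force real stack slots */
    uintptr_t *fp = (uintptr_t *)__builtin_frame_address(0);

    /* On 32-bit x86 (the diagram) a, b, c sit above the return address. On
     * x86-64 they arrive in registers; &a is a copy the callee spilled into
     * its own frame, below the saved frame pointer. */
    v->arg_a = (uintptr_t)&a;
    v->arg_b = (uintptr_t)&b;
    v->arg_c = (uintptr_t)&c;
    v->local_x = (uintptr_t)&x;
    v->local_y = (uintptr_t)&y;
    v->local_z = (uintptr_t)&z;
    v->fp = (uintptr_t)fp;
    v->saved_fp = fp[0];
    v->ret_slot = (uintptr_t)&fp[1];
    v->ret_addr = fp[1];
    v->ret_addr_builtin = (uintptr_t)__builtin_return_address(0);
    return x + y + z;
}

/* The part of the diagram an overflow exploit relies on: the return address
 * is the pointer-sized slot directly above the saved frame pointer, and it
 * matches what the compiler itself reports as the return address. */
int return_address_above_saved_fp(const struct frame_view *v)
{
    return v->ret_slot == v->fp + sizeof(uintptr_t)
        && v->ret_addr == v->ret_addr_builtin;
}

/* Locals below the saved frame pointer, as drawn. (GCC on AArch64 places
 * the frame record at the bottom of the frame instead, so this check is
 * expected to fail there.) */
int locals_below_saved_fp(const struct frame_view *v)
{
    return v->local_x < v->fp && v->local_y < v->fp && v->local_z < v->fp;
}

/* Capture one frame with known arguments (into *v, or a scratch struct when
 * v is NULL). Returns 1 when the sum is right and the return-address layout
 * holds. */
int frame_check(struct frame_view *v)
{
    struct frame_view scratch;
    if (v == NULL) v = &scratch;
    return inspect_frame(v, 1, 2, 3) == 6 && return_address_above_saved_fp(v);
}

int main(void)
{
    struct frame_view v;
    int ok = frame_check(&v);

    printf("c          %#" PRIxPTR "\n", v.arg_c);
    printf("b          %#" PRIxPTR "\n", v.arg_b);
    printf("a          %#" PRIxPTR "\n", v.arg_a);
    printf("ret slot   %#" PRIxPTR " -> %#" PRIxPTR "\n", v.ret_slot, v.ret_addr);
    printf("saved fp   %#" PRIxPTR " -> %#" PRIxPTR "   <- FP\n", v.fp, v.saved_fp);
    printf("x          %#" PRIxPTR "\n", v.local_x);
    printf("y          %#" PRIxPTR "\n", v.local_y);
    printf("z          %#" PRIxPTR "\n", v.local_z);
    printf("locals below saved fp: %s\n", locals_below_saved_fp(&v) ? "yes" : "no");
    printf("return address above saved fp: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Run it under gdb with a breakpoint on the return of inspect_frame and `x/8xg $rbp` to see the same slots the program prints: the saved frame pointer at $rbp and the return address at $rbp+8.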
3. Tools!
Debugger – Evan’s Debugger
• crackme0x00a.exe
• edb
– edb->options->Preferences->Appearance
ELF Memory Layout
Virtual Memory Layout
Physical Memory Layout
Debugger – GNU Debugger
• crackme0x00a
• gdb
GNU Debugger - Basics
• crackme0x00a
• gdb
– disassemble main (disas main)
– set disassembly-flavor intel (the default output is AT&T syntax)
– break main (b main)
– run (r)
– stepi (si): execute one instruction, following a call into the callee
– nexti (ni): execute one instruction, treating a call as a single step
– step (s) and next (n) are the source-line versions and need debug symbols; on a stripped crackme use si/ni
GNU Debugger – Examine Memory
• gdb
– Examine memory: x/NFU address
– N = number of units to show (default 1)
– F = format: x hex, d signed decimal, u unsigned decimal, c character, s string, i instruction
– U = unit size: b byte (1), h halfword (2), w word (4), g giant (8)
• Examples
– x/10xb 0xdeadbeef, examine 10 bytes in hex
– x/xw 0xdeadbeef, examine 1 word (4 bytes) in hex
– x/s 0xdeadbeef, examine null terminated string
– x/8xw $esp, the address can be a register or any expression
• Caveat: multi-byte units are printed in target byte order, so on x86 the bytes ef be ad de appear as the word 0xdeadbeef; reading an unmapped address fails with "Cannot access memory at address"
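As an added example (not code from the lecture or from gdb itself), the following C program models x/NFU over a constructed 8-byte snapshot: it parses the NFU field, decodes units little-endian the way gdb does on an x86 target, renders a row the way gdb prints it, and refuses reads past the snapshot the way gdb refuses unmapped addresses. The snapshot bytes and all function names are the example's own assumptions.

```c
/* x_examine.c: a model of gdb's x/NFU command over a byte snapshot, to make
 * the N (count), F (format) and U (unit) fields concrete. Added example for
 * this page, not code from the lecture or from gdb. SNAPSHOT is constructed
 * for the example; units are decoded little-endian, as on an x86 target. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-byte snapshot standing in for memory at some address. */
static const uint8_t SNAPSHOT[] = { 0xef, 0xbe, 0xad, 0xde, 'h', 'i', 0x00, 0x41 };

struct xspec { int count; char fmt; char unit; };

/* Parse the NFU part of x/NFU: "10xb", "xw", "s", "2dh". Defaults match a
 * fresh gdb: count 1, format x, unit w. Supported formats: x d u c s (gdb's
 * i, a, o, t, f are not modelled). Returns 1 on success. */
int parse_xspec(const char *spec, struct xspec *out)
{
    const char *p = spec;
    out->count = 1; out->fmt = 'x'; out->unit = 'w';
    if (isdigit((unsigned char)*p)) {
        out->count = 0;
        while (isdigit((unsigned char)*p))
            out->count = out->count * 10 + (*p++ - '0');
    }
    for (; *p; p++) {
        if (strchr("xducs", *p)) out->fmt = *p;
        else if (strchr("bhwg", *p)) out->unit = *p;
        else return 0;
    }
    if (out->fmt == 'c') out->unit = 'b';   /* gdb: 'c' implies byte units */
    return out->count >= 1;
}

static size_t unit_size(char u)
{
    switch (u) { case 'b': return 1; case 'h': return 2; case 'w': return 4; default: return 8; }
}

/* Little-endian load of one unit: the reason x/xb and x/xw look different. */
static uint64_t load_le(const uint8_t *p, size_t sz)
{
    uint64_t v = 0;
    for (size_t i = 0; i < sz; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

static int64_t sign_extend(uint64_t v, size_t sz)
{
    if (sz >= 8) return (int64_t)v;
    uint64_t sign = 1ULL << (8 * sz - 1);
    return (int64_t)((v ^ sign) - sign);
}

/* Render `spec` over `len` bytes at `mem`, units separated by tabs as gdb
 * prints a row. Returns the number of units rendered, or -1 when the spec is
 * invalid or the request runs past the snapshot (gdb: "Cannot access memory
 * at address ..."). */
int examine(const uint8_t *mem, size_t len, const char *spec, char *out, size_t outsz)
{
    struct xspec s;
    size_t pos = 0, used = 0;
    if (!parse_xspec(spec, &s) || outsz == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < s.count; i++) {
        char item[64];
        if (s.fmt == 's') {
            size_t n = 0;
            while (pos + n < len && mem[pos + n] != '\0') n++;
            if (pos + n >= len) return -1;        /* no terminator in range */
            snprintf(item, sizeof item, "\"%.*s\"", (int)n, (const char *)mem + pos);
            pos += n + 1;
        } else {
            size_t sz = unit_size(s.unit);
            if (pos + sz > len) return -1;        /* would read past the snapshot */
            uint64_t v = load_le(mem + pos, sz);
            switch (s.fmt) {
            case 'x': snprintf(item, sizeof item, "0x%0*llx", (int)(2 * sz), (unsigned long long)v); break;
            case 'u': snprintf(item, sizeof item, "%llu", (unsigned long long)v); break;
            case 'd': snprintf(item, sizeof item, "%lld", (long long)sign_extend(v, sz)); break;
            default:  snprintf(item, sizeof item, "%u '%c'", (unsigned)v, isprint((int)v) ? (int)v : '.'); break;
            }
            pos += sz;
        }
        used += (size_t)snprintf(out + used, outsz - used, "%s%s", i ? "\t" : "", item);
        if (used >= outsz) return -1;             /* output truncated */
    }
    return s.count;
}

/* Convenience: examine the constructed snapshot from byte `offset`.
 * Returns the rendered text, or NULL on error. */
const char *examine_snapshot(size_t offset, const char *spec)
{
    static char out[256];
    if (offset > sizeof SNAPSHOT) return NULL;
    return examine(SNAPSHOT + offset, sizeof SNAPSHOT - offset, spec, out, sizeof out) < 0 ? NULL : out;
}

int main(void)
{
    const char *specs[] = { "4xb", "xw", "2xw", "xg", "2dh", "3xg" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        const char *r = examine_snapshot(0, specs[i]);
        printf("x/%-4s -> %s\n", specs[i], r ? r : "Cannot access memory");
    }
    printf("x/s +4  -> %s\n", examine_snapshot(4, "s"));
    return 0;
}
```

The same four bytes render as `0xef 0xbe 0xad 0xde` under x/4xb and as `0xdeadbeef` under x/xw; when a value in a register does not match the bytes you see in a byte dump, that byte-order difference is usually the explanation.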
GNU Debugger - python
• gdb
– python print 'A'*10
– handy for generating test input without leaving the debugger; a gdb built against Python 3 needs python print('A'*10)
GNU Debugger – Init File
• mv special ~/.gdbinit (gdb reads ~/.gdbinit at startup, so the commands it defines are available in every session)
• gdb
– help user, lists the user-defined commands the init file added
– hexdump, one of those commands
Tracing
• ltrace, library calls (only calls that leave the binary through the PLT into shared libraries; a statically linked binary shows none)
• strace, system calls (useful flags: -f to follow child processes, -o file to log, -e trace=... to filter)
4. Resources
Additional Resources
• Gdb customizations
– http://reverse.put.as/gdbinit/
– https://github.com/dholm/voidwalker
– http://stackoverflow.com/questions/209534/prettify-my-gdb
– https://github.com/longld/peda
• Ring security
– http://duartes.org/gustavo/blog/post/cpu-rings-privilege-and-protection/
– http://www.amazon.com/The-Rootkit-Arsenal-Evasion-Corners/dp/1598220616