Introduction to Information Security Reverse Engineering and Binary Patching


Reverse Engineering

• Restructuring the execution flow of a binary file

• What for?

• Understanding proprietary code

• ReactOS

• Cryptographic algorithms

• Looking for exploits

Reverse Engineering

• The problem

• Compilation is like a one-way function: comments, names and some structure are lost

• Solutions

• Look for anchors: constants (especially strings), standard library functions, etc.

• Somewhat of an art form

• Most of the code is inessential

• Programmers are pretty predictable

• Compilers are also pretty predictable

IDA

• Interactive DisAssembler

• Navigation

• Strings

• Standard library functions

• Cross references (xrefs)

• Documentation

• Comments

• Variable and function names

IDA

[Screenshot of IDA with the labels: click, n, ;, x]

Patching

• Changing the execution flow of a binary file

• What for?

• Small changes

• Big changes, when recompilation is not possible (no source code or build environment)

• How?

• Changing instructions to other instructions

• Chaining instructions to redirect to "Dead Zones", and adding more instructions there

Patching

    if (!auth)
        return -1;
    ...

    MOV EAX, [EBP-4]
    CMP EAX, 0
    JNE _AUTH
    MOV EAX, -1
    RET
    _AUTH:
    ...

    8b 44 24 fc 83 f8 00 75 06 b8 ff ff ff ff c3

Patch: the byte 75 (JNE) is replaced with 74 (JE).
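The single-byte change on this slide (75 to 74, JNE to JE), viewed from the integrity-checking side: the added example below is not part of the original slides. It applies the patch to the slide's byte string and then detects it by comparing the two images. The function names are hypothetical, and the check is a byte-level heuristic that assumes the differing byte is an opcode rather than operand data.

```python
# Added example: the byte string is the one printed on the slide;
# the helper names and the detection heuristic are constructed for illustration.

# Short conditional jumps use opcodes 0x70-0x7F followed by a signed rel8.
# Flipping the lowest opcode bit inverts the condition (0x75 JNE <-> 0x74 JE).
JCC = ["JO", "JNO", "JB", "JNB", "JE", "JNE", "JBE", "JA",
       "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

ORIGINAL = bytes.fromhex("8b 44 24 fc 83 f8 00 75 06 b8 ff ff ff ff c3")


def patch_byte(blob, offset, expected, new):
    """Return a copy of blob with one byte replaced. Refuses to patch if the
    byte at offset is not the expected one, which catches wrong offsets."""
    if blob[offset] != expected:
        raise ValueError(
            f"offset {offset:#x}: found {blob[offset]:02x}, expected {expected:02x}")
    return blob[:offset] + bytes([new]) + blob[offset + 1:]


def find_inverted_jumps(original, patched):
    """Compare two equal-length images and report every position where a
    short Jcc opcode was replaced by the opposite condition."""
    if len(original) != len(patched):
        raise ValueError("images differ in length; not an in-place patch")
    findings = []
    for off, (old, new) in enumerate(zip(original, patched)):
        is_jcc = 0x70 <= old <= 0x7F and off + 1 < len(original)
        if old != new and is_jcc and new == old ^ 1:
            rel8 = original[off + 1]
            rel8 = rel8 - 256 if rel8 > 127 else rel8  # sign-extend
            target = off + 2 + rel8  # rel8 is relative to the next instruction
            findings.append((off, JCC[old - 0x70], JCC[new - 0x70], target))
    return findings


if __name__ == "__main__":
    patched = patch_byte(ORIGINAL, 7, 0x75, 0x74)
    for off, old, new, target in find_inverted_jumps(ORIGINAL, patched):
        print(f"offset {off:#04x}: {old} -> {new}, jump target at offset {target:#04x}")
```

The reported target offset is the byte directly after RET, which is where the _AUTH label sits in the listing.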

Dead Zones

[Diagram: layout of the binary, alternating function, Dead Zone, function, Dead Zone]

IDA

• Shows offsets

• Shows virtual addresses