Introduction to Information Security
Reverse Engineering and Binary Patching
Reverse Engineering
• Restructuring the execution flow of a binary file
• What for?
  • Understanding proprietary code
    • ReactOS
    • Cryptographic algorithms
  • Looking for exploits
Reverse Engineering
• The problem
  • Compilation is like a one-way function: comments, names and some structure are lost
• Solutions
  • Look for anchors: constants (especially strings), standard library functions, etc.
  • Somewhat of an art form
  • Most of the code is inessential
  • Programmers are pretty predictable
  • Compilers are also pretty predictable
IDA
• Interactive DisAssembler
• Navigation
  • Strings
  • Standard library functions
  • Cross references (xrefs)
• Documentation
  • Comments
  • Variable and function names
IDA
• Click a name, then press n (rename) or x (cross references)
Patching
• Changing the execution flow of a binary file
• What for?
  • Small changes
  • Big changes, when recompilation is not possible (no source code or build environment)
• How?
  • Changing instructions to other instructions
  • Changing instructions to redirect to "Dead Zones", and adding more instructions there
Patching
Source:
if (!auth)
    return -1;
...
Assembly:
MOV EAX, [EBP-4]
CMP EAX, 0
JNE _AUTH
MOV EAX, -1
RET
_AUTH:
...
Bytes:
8b 44 24 fc 83 f8 00 75 06 b8 ff ff ff ff c3
Patch: 75 (JNE) -> 74 (JE)
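The one-byte patch from the slide (JNE 0x75 to JE 0x74), worked as an added example that is not part of the original slides: it maps the instruction's virtual address to a file offset through a constructed section table (the offset/virtual address distinction IDA shows), and refuses to patch unless the expected original byte is at that location. The section addresses and the padding are assumptions made for the example.

```python
# Added example: apply the slide's one-byte patch (JNE 0x75 -> JE 0x74) to an
# in-memory image after translating a virtual address to a file offset.

# Constructed sample "binary": the 15 bytes from the slide, preceded by some
# padding so the code does not start at file offset 0.
PADDING = b"\x90" * 0x10
CODE = bytes.fromhex("8b4424fc83f8007506b8ffffffffc3")
IMAGE = PADDING + CODE

# Constructed section table: (virtual address, file offset, size).
# The code is assumed to be mapped at VA 0x401000, starting at file offset 0x10.
SECTIONS = [(0x401000, 0x10, len(CODE))]

# Short conditional-jump opcodes and their inversions (JE <-> JNE).
JCC_INVERSE = {0x74: 0x75, 0x75: 0x74}

def va_to_offset(va, sections=SECTIONS):
    """Translate a virtual address to a file offset via the section table."""
    for sec_va, sec_off, sec_size in sections:
        if sec_va <= va < sec_va + sec_size:
            return va - sec_va + sec_off
    raise ValueError("address 0x%x is not mapped" % va)

def invert_jcc(image, va, expected=None):
    """Return a copy of image with the conditional jump at va inverted.
    Refuses to patch if the byte is not JE/JNE or does not match expected,
    so a wrong address or a different build is caught before writing."""
    off = va_to_offset(va)
    opcode = image[off]
    if opcode not in JCC_INVERSE:
        raise ValueError("byte 0x%02x at offset 0x%x is not JE/JNE" % (opcode, off))
    if expected is not None and opcode != expected:
        raise ValueError("expected 0x%02x, found 0x%02x" % (expected, opcode))
    patched = bytearray(image)
    patched[off] = JCC_INVERSE[opcode]
    return bytes(patched)

def diff_bytes(before, after):
    """List (offset, old, new) for every changed byte: the patch record to keep."""
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]

if __name__ == "__main__":
    # The JNE (0x75) is the 8th byte of CODE, i.e. VA 0x401007, file offset 0x17.
    new_image = invert_jcc(IMAGE, 0x401007, expected=0x75)
    print(diff_bytes(IMAGE, new_image))  # [(23, 117, 116)]
```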
Dead Zones
[Figure: memory layout alternating between function code and Dead Zones]
IDA
• Shows offsets
• Shows virtual addresses