Intro to reverse engineering owasp

Intro to Reverse
Engineering By: Tsvetelin (Vincent) Choranov
OWASP
Open Web Application
Security Project

Schedule
• 9:00 – 10:30 am
• C Refresher
• Data Types
• Process Structure and Virtual Memory
• 10:30 – 10:45 am
• Break
• 10:45 – Noon
• X86 Registers
• Stack
• Noon – 1:00 pm
• Lunch
• 1:00 – 2:30 pm
• Assembly Instructions
• Calling Conventions
• 2:30 – 2:45 pm
• Break
• 2:45 – 4:30 pm
• Debuggers Disassemblers and Decompilers

C refresher - Control Flow
• If statement
• If-else
• While / Until
• For loops
• Switch/Case statements ( Jump tables )

• Pseudo-code – if statement
if ( You are hungry ) {
Find food
while ( Found food is not good ) {
Find something else to eat
}
Eat food
} else {
Go play }

• Pseudo-code – else statement
Find food
}
Eat food
} else {
Go play }

• Pseudo-code – while statement
Find food
}
Eat food
} else {
Go play }

• Pseudo-code – for loop
for ( int i = 0 ; i < 10 ; i++ ) {
do something
}
Key points:
• Identify the initialization of the counter variable
• Identify the limit
• Identify the increment

• Pseudo-code – switch/case statement
my_int = 2 ; my_int = 2 ;
switch ( my_int ) {
case 1: if ( my_int == 1 ) {
do something do something
break }
case 2: else if ( my_int == 2 ) {
break }
default: else {
} }

• Pseudo-code – switch/case statement sometimes
produce jump tables

C refresher - Variables
• Local
• Global
• Initialized / Uninitialized
• Signed / Unsigned Integer
• Pointer
• Structure

C refresher - Data Types
• Notations:
• half a word = 2 bytes
• word = 2/4 bytes
• dword = 4 bytes
• qword/giant = 8 bytes

Assembly
Endianness
• Big-endian and little-endian are terms that describe
the order in which a sequence of bytes are stored in
computer memory. Big-endian is an order in which the
"big end" (most significant value in the sequence) is
stored first (at the lowest storage address).

Assembly
NOP
• No operation
• 0x90
• Used for alignment
• In exploitation used for NOP-sleds

Assembly
PUSH
• Pushes data to the stack
• Size of data is word, dword, qword
• Data can be an immediate value or register
• Decrements ESP

Assembly
POP
• Pops a value from the stack to a register
• Increments ESP

Assembly
MOV
• Move operation
• Moves:
• register to register
• memory to register
• register to memory
• immediate to register
• immediate to memory
• memory to memory
• MOV EAX, [EBX]

Assembly
SUB
• Subtract operation
• Source can be memory, immediate or register
• Destination can be memory or register
• Source and Destination can NOT be memory
• It can be used to evaluate an expression
• Influences the following EFLAGS
• OF, SF, ZF, AF, PF and CF

Assembly
ADD
• Addition operation
• Source can be memory, immediate or register
• Destination can be memory or register
• Source and Destination can NOT be memory
• It can be used to evaluate an expression
• Influences the following EFLAGS
• OF, SF, ZF, AF, PF and CF

Assembly
CALL
• Execute a procedure
• It pushes the address of the next instruction after the
call to the stack, so execution can be restored once the
called procedure returns
• Changes EIP to the address of the called procedure

Assembly
LEAVE
• Restores the previous stack frame
• Essentially does:
• MOV ESP, EBP
• POP EBP

Assembly
RET
• Return from a procedure
• RET == POP EIP
• POP increments ESP
• Also seen as RET 0x?? which pops into EIP and
increments ESP by 0x??

Assembly
• NOP
• PUSH
• POP
• MOV
• SUB
• ADD
• RET
• LEAVE
• CALL

Assembly
Example
int func(int x){
return x;
}
int main(void){
int x = 0x1337;
func(x);
return 0xbeef;
}

Assembly
Example
Function Prologue…..............................

Assembly
Example
Function Epilogue…..............................

Assembly
Example
EBP holds the base
address
of the previous
stack frame
saves EBPESP now points here ->

Assembly
Example
ESP is COPIED to EBP.
EBP is now the base of
our new stack frame.
Which is the stack frame for main()
saved EBPESP now points here ->

Assembly
Example
saved EBP
ESP ->
EBP ->

Assembly
Example
saved EBPEBP ->
ESP ->
0x1337

Assembly
Example
EBP ->
ESP ->
saved EBP
0x1337
EAX = 0x1337

Assembly
Example
EBP ->
ESP ->
saved EBP
0x1337
EAX = 0x1337
0x1337

Assembly
Example
EBP ->
ESP ->
saved EBP
0x1337
0x1337
addr of next inst

Assembly
Example
EBP ->
ESP ->
saved EBP
0x1337
0x1337
addr of mov eax, 0xbeef
saves EBP

Assembly
Example
EBP and ESP ->
previous base ptr
0x1337
0x1337
current base ptr

Assembly
Example
EBP and ESP ->
previous base ptr
0x1337
0x1337
current base ptr
EAX = 0x1337

Assembly
Example
base ptr
0x1337
0x1337
EBP ->
ESP -> addr of mov eax, 0xbeef

Assembly
Example
0x1337
0x1337
EBP ->
ESP -> addr of mov eax, 0xbeef
RET = POP EIP
base ptr

Assembly
Example
0x1337
0x1337
EBP ->
ESP ->
base ptr
EAX = 0x1337
EAX = 0xbeef

Assembly
Example
0x1337
0x1337
EBP ->
ESP ->
base ptr
LEAVE = MOV ESP, EBP
POP EBP

Assembly
LEA
• Load Effective Address
• Does not dereference square brackets – []
• Often used with pointer arithmetic
• Often used for loading the address of a local buffer into
a register
• LEA EAX, [EBP-0x64]

Assembly
JMP
• Unconditional Jump
• Changes EIP to the address of the jump
• Does not push the return address to the stack like a
CALL does
• Relative and Absolute

Assembly
Jcc
• Conditional Jump – jump is taken only if the condition is
met

Assembly
JNE / JNZ
• Jump if Not Equal / Jump if Not Zero
• Both check if the ZF is 0
• Jump is taken if the ZF is 1

Assembly
JE / JZ
• Jump if Equal / Jump if Zero
• Both check if the ZF is 0
• Jump is taken if ZF is 0

Assembly
JLE / JNG
• Jump if Less or Equal / Jump if Not Greater
• Jump if ZF == 1
• Jump if SF != OF

Assembly
JGE / JNL
• Jump if Greater or Equal / Jump if Not Less
• Jump if ZF == 1
• Jump if CF == 1

Assembly
JBE
• Jump if Below or Equal
• Jump if ZF == 1
• Jump if CF == 1

Assembly
JB / JL
• Jump if Below / Jump if Less
• Jump if CF == 1

Assembly
What sets the EFLAGS ?
• What we care about: CMP and TEST
• Any arithmetic can set a flag !

Assembly
CMP
• Compare
• CMP does a SUB but discards the result
• Affects flags: CF, OF, SF, ZF, AF and PF

Assembly
TEST
• Does bitwise logical AND
• Sets the flags and discards the result
• Affected flags: SF, ZF and PF
• Very frequently used for checking if value in question is
0 or anything else

Assembly
Example
int main(int argc, char* argv[]){
if (argc != 2) {
return 1;
}
else {
return 0;
}
}

Assembly
AND
• Logical AND - ‘&’
• Source can be register, immediate or memory
• Destination can be register or memory
• 1 & 1 = 1
• 1 & 0 = 0
• 0 & 1 = 0
• 0 & 0 = 0

Assembly
OR
• Logical OR – ‘|’
• Destination can be register or memory
• 1 | 1 = 1
• 1 | 0 = 1
• 0 | 1 = 1
• 0 | 0 = 0

Assembly
XOR
• Logical Exclusive Or – ‘^’
• Destination can be register or immediate
• 1 ^ 1 = 0
• 1 ^ 0 = 1
• 0 ^ 1 = 1
• 0 ^ 0 = 0

Assembly
NOT
• Flips the bits – One’s compliment
• Single source/destination operand can be register,
immediate or memory

Assembly
What we know so far
• NOP
• PUSH/POP
• CALL/RET/LEAVE
• MOV/LEA
• ADD/SUB
• JMP/Jcc
• CMP/TEST
• AND/OR/XOR/NOT

Assembly
LOOPS
• Identify the initialization of the loop counter variable
• Identify the limit of the loop
• Identify the increment/decrement

Assembly
Example
#include <stdio.h>
int i;
for (i = 0; i < 10; i++){
printf("Looping %dn", i);
}
}

Assembly
• Identify the initialization of the loop counter variable

Assembly
• Identify the limit of the loop

Assembly
• Identify the increment/decrement

Assembly
SHL
• Shift Logical Left – ‘<<‘
• Destination operand can be register or memory
• Source operand can be CL (lowest byte of ECX) or 1 byte
immediate
• It multiplies the destination operand by 2 for each bit shifted
• Bits shifted off the left side of the operand set the carry flag
• 00110011 << 2 = 11001100 with CF = 0
• 01100110 << 2 = 10011000 with CF = 1

Assembly
SHR
• Shift Logical Right – ‘>>’
• Destination operand can be register or memory
• Source operand can be CL (lowest byte of ECX) or 1 byte
immediate
• It divides the destination operand by 2 for each bit shifted
• Bits shifted off the right side of the operand set the carry flag
• 00110011 >> 2 = 00001100 with CF = 1
• 01100100 >> 2 = 00011001 with CF = 0

Assembly
IMUL
• Signed Multiply
• Three forms
• imul r/m32 edx:eax = eax * r/m32
• imul reg, r/m32 reg = reg * r/m32
• imul reg, r/m32, imm reg = r/m32 * imm

Assembly
MUL
• Same as IMUL but unsigned

Assembly
DIV
• Unsigned Division
• Two forms:
• div AX by r/m8
• AL = quotient, AH = remainder
• div EDX:EAX by r/m32
• EAX = quotient, EDX = remainder
• Division by 0 raises an exception

Assembly
IDIV
• Same as DIV but signed

Assembly
REP STOS
• Repeat Store String
• REP is standalone repetition instruction
• STOS is also standalone instruction
• Uses ECX as a counter
• Can move a byte or dword at at time
• Moves byte AL into [EDI] or dword EAX into [EDI]
• Increments EDI register by 1 or 4
• Pre-requisites:
• Set EDI to the destination address
• Initialize EAX with value to store
• Initialize ECX as counter

Assembly
REP MOVS
• Repeat Move Data String to String
• Same as REP STOS but instead of storing a single
byte/dword from EAX we can copy data from source to
destination via ESI as source operand and EDI as
destination operand
• Each loop increments ESI, EDI and decrements ECX
• REP MOVS DWORD PTR [ESI], DWORD PTR [EDI]
• Pre-requisites:
• Initialize ESI with the address of the data source
• Initialize EDI with the address of the data dest
• Initialize ECX as the counter

Assembly
NEG
• Negate – Performs two’s compliment
• Single operand can be r/m32
• Two’s Compliment = Flip the bits and add 1
• Turns positive to negative and vice versa

Assembly
What we know so far
• NOP
• PUSH/POP
• CALL/RET/LEAVE
• MOV/LEA
• ADD/SUB
• JMP/Jcc
• CMP/TEST
• AND/OR/XOR/NOT
• SHL/SHR
• MUL/IMUL
• DIV/IDIV
• REP STOS
• REP MOVS
• NEG
• LOOPS

Assembly
Example
#include <stdio.h>
int int_array[5] = {0x5, 0x10, 0x15, 0x20, 0x25};
int i;
for (i = 0; i < 5; i++){
printf("Int at index %d is %dn", i, int_array[i]);
}
}

Assembly
Example
Array access is always
Base address + offset element (index element) *
(times) scale (size of each element of the array)

Calling Conventions
What are calling conventions ?
• How arguments are passed to functions

Calling Conventions
What are calling conventions ?
• How arguments are passed to functions
• Who cleans the stack
• Return values

Calling Conventions
CDECL
• C Declaration
• Arguments are pushed to the stack right to left –
meaning the first argument will be on top of the stack
• Return value is stored in EAX or EDX:EAX
• Caller is responsible for cleaning the stack – meaning
cleaning up the arguments pushed

Calling Conventions
STDCALL
• Standard Call
• Arguments are pushed to the stack right to left –
meaning the first argument will be on top of the stack
• Return value is stored in EAX
• Callee is responsible for cleaning the stack – meaning
callee function is responsible for cleaning up the
arguments pushed by the Caller function

Debuggers and
Disassemblers
Decompilers
• Opposite to compiler, takes compiled binary as input
and produces high level source code.
• Hex-Rays Decompiler ~$3,000 per architecture
• The Hopper ~$80
• Free - https://retdec.com/

Debuggers and
Disassemblers
Disassemblers
• Translates machine language into assembly language
• Static Analysis – The binary application is not executed
• IDA Pro – The Interactive Disassembler
• The Hopper
• Objdump

Debuggers and
Disassemblers
Disassemblers Hotkeys
• space – Switch between linear view / graph view
• n – name a variable/function/argument
• g – Go to address
• x – Cross reference
• esc – Go back to the previous location / Move out of a function
• d – Convert code to data or change the data type from
byte/word/dword/qword
• c – Convert data to code
• p – Define a procedure
• u – Undefine a procedure
• ; – Set a comment

Debuggers and
Disassemblers
Debuggers
• Can disassemble
• Dynamic Analysis – Executes the binary program
• GDB
• OllyDbg
• WinDbg
• Radare2
• IDA Pro
• Edb

Debuggers and
Disassemblers
GDB Commands
• break <func>/*<addr> – sets a breakpoint
• disassemble <func> – disassemblers a routine
• x – Examine
• x/2wx $esp – examine 2 words (4 bytes) in hex from
ESP (top of the stack) towards EBP, UP
• x/10i $eip – examine 10 instructions from EIP
• x/2bx $eax – examine 2 bytes in hex from EAX
• x/s $esp – examine as ASCII string

Debuggers and
Disassemblers
GDB Commands
• set $eax = 1 – set EAX to 1
• set *$eax = 1 – write 1 to the address where EAX points
to
• info registers – display content of the registers
• si/stepi – single step
• ni/nexti – step over
• finish – step out

Where to Now ?
• CTFs !!!
• Lena’s tutorials
• Practical Malware Analysis book
• CrackMe !!!
• Malware
• Practice Practice Practice… and more practice

Intro to reverse engineering owasp

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Intro to reverse engineering owasp (20)

Recently uploaded (20)

Intro to reverse engineering owasp

Editor's Notes