TDOH 南區 WorkShop 2016 Reversing on Windows

aaaddress1 at The Declaration of Hacker (TDOH)
Reversing

On

WINDOWS

Who Am I

⾺聖豪 (aaaddress1, aka adr)
義守⼤學資訊⼯程三年級
Reverse Engineering, Pwn
C/C++, C#, x86, Node.js
Blog: Adr.Horse, 30cm.tw
Speaker
✓ HITCON 2015
✓ SITCON 2016
✓ Besides Las Vegas 2016
✓ TDOHxNTSTU Security Lecture
Reversing
Windows Pwn

MapleHack
CrackShield
Tower Of Savior Hack
Adr’s FB
Isu.30cm.tw
AIDS
PykemonGo, MadPocket
My Little Ransomware

introduction

這是⼀一場屬於⼯工具⼈人 C/C++ 的開發⾃自我修養

今天務必保持清醒！

此議程內容需要⼤大量量艱深 C/C++ 開發底⼦子
如有任何問題請立即舉⼿手 break; 我！

Trial
https://goo.gl/ky7SsW
Slide
https://goo.gl/HBLtkm

Outline

Requirement
✓IDA (Pro)
✓OllyDbg
✓Cheat Engine
✓Windows7 x86
✓Dev C++

Windows PE & Process
✓Have fun in PE structure
✓Import Address Table (IAT)
✓ImageBase & Find the entry

Assembly
✓sizeof( variable )
✓eax, ebx, ecx, edx, etc
✓add, sub, inc, dec
✓xor
✓Flag & Branch
✓Loop
✓x86 Calling Convention
Function Call
esp & ebp

Analyzer
✓IDA (Pro)
PE, IAT, EAT
Strings List
Flow Chart
Function & Variable Anti-Trace
✓OllyDbg
Create Process & Attach
Hook & Trace
✓Cheat Engine
Create Process & Attach
Memory Scan for data
Hook & Trace

Bonus
✓IDA Dynamic Analysis
✓Patch
Executable ﬁle patch
Dynamic Patch
✓Cheat Engine PE View
✓Assembly & Special

Portable Executable

Return 0 for what?

View → Open subviews → Proximity browser
IDA

IDA

IDA
The return value of main function is the ‘Exit Status’

IDA
PE Loader will ﬁnd ‘_start’ function
from Exports Address Table (EAT)
View → Open subviews → Exports

Is it true?
Nope, Not at all.
It will take too much time to search.

Wiki

Wiki The head of PE ﬁle is DOS header,
and that starts with sginature 0x5A4D

Wiki
That’s why it’s also called DOS-MZ

Wiki
And (DOS Header + 0x3C) stores the oﬀset of NT Header

Wiki
This is the real header of PE

Wiki
(NT Header + 0x028) stores the oﬀset of
the ﬁrst entry function that as known as ‘start’ function.

Wiki
(NT Header + 0x034) stores the oﬀset
of the PE ﬁle loaded at where in memory e.g. 0x400000

CE
Right click → ‘Go to address’ → Input ‘main.exe’
You will ﬁnd the main.exe loaded at 0x400000
MZ

CE
0x0000110b + 0x400000 = 0x40110b
That’s the same as the address in IDA

If you understand the whole PE structure,
you can make a great PE packer :P

IMPORT ADDRESS TABLE

View → Open subviews → Imports
IDA
IAT stores all API program calls

Double Click & Show the API detail at IAT
IDA

Strings List

View → Open subviews → Strings
IDA

Assembly:

Data

C Data Type

Program counter

Stack Pointer

Base Pointer

ByteByte ByteByte
EAX = 4Byte = int = long
Register Type

ByteByte ByteByte
AX = 2 Byte = Short
Register Type

ByteByte ByteByte
AH = 1 Byte = Char
Register Type

ByteByte ByteByte
AL = 1 Byte = Char
Register Type

Assembly:

Opcode

Nop (0x90)
→ Nothing to do.

Mov dest,source
→ dest = source
Mov dest, [source]
→ source = value of dest

Add dest,source
→ dest += source
Add dest, [source]
→ dest += value of source

Sub dest, source
→ dest -= source
Sub dest, [source]
→ dest -= value of source

Inc dest
→ dest ++
Inc [dest]
→ (value of dest)++

Dec dest
→ dest --
Dec [dest]
→ (value of dest)--

Cmp [source], value
//Compare *(long*)source with value
Je blockOne
// Jump to blockOne if they’re equal
Jl blockTwo
// Jump to blockTwo if [source] less than value
Jg blockThree
// Jump to blockThree if [source] greater than value

Cmp [source], value
Jne blockOne
// Jump to blockOne if they’re not equal
Jnl blockTwo
// Jump to blockTwo if [source] not less than value
Jng blockThree
// Jump to blockThree if [source] not greater than value

Test [source], value
Jz blockOne
// Jump to blockOne if ([source] - value) is zero
Ja blockTwo
// Jump to blockTwo if ([source] - value) is above zero
Jb blockThree
// Jump to blockThree if ([source] - value) is below zero

Test v.s. Cmp
Using Cmp & Jl/Je/Jg If source & dest are signed number
Using Test & Jb/Jz/Ja If source & dest are unsigned

Jmp near +0x200
→ EIP = EIP + 0x200

Jmp long 0x400000
→ EIP = 0x400000

Ret
→ EIP = [ESP+0] & pop [ESP+0]

Ret 0x0C
→ pop 0x0C bytes from stack,
i.e. ESP += 0x0C  
→ EIP = [ESP+0] & pop [ESP+0]

Xor dest, source
→ mov dest, ‘A’ //0x41
→ xor dest, 0x20
//dest is ‘a’(0x61) now

Xor dest, source
→ mov dest, ‘a’ //0x61
→ xor dest, 0x20
//dest is ‘A’(0x41) now

0100 0001 ‘A’(0x41)
0x200010 0000
Xor
‘a’(0x61)0110 0001

Assembly:

Function Call

void Func()
{
int A = 0;
Int B = 1;
Int C = 2;
}
[EBP - 4] =0
[EBP - 8] =1
[EBP - C] =2
push EBP
mov EBP,ESP
sub ESP, LEN

void Func() {
nFunc(ARG1,ARG2,ARG3…);
}
push ebb
mov ebp,esp
.
.
push arg3
push arg2
push arg1
call nFunc

[EBP+0 ] = Pointer to old EBP
[EBP+4 ] = Return Address
[EBP+8 ] = Parameter 1
[EBP+C] = Parameter 2
[EBP+10]= Parameter 3
…etc

Assembly:

Calling Convention

Stack
ESP + 0
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14

Stack
ESP + 0 Old EBP
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
_______EIP

Stack
EBP + 0
=ESP
Old EBP
EBP + 4
EBP + 8
EBP + C
EBP + 10
EBP + 14
_______EIP

Stack
EBP - 8
=ESP
Buﬀer
EBP - 4 Buﬀer
EBP + 0 Old EBP
EBP + 4
EBP + 8
EBP + C
_______EIP

Stack
EBP - 8
=ESP
1
EBP - 4 Buﬀer
EBP + 0 Buﬀer
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP

Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buﬀer
EBP + 4 Buﬀer
EBP + 8 Old EBP
EBP + C
_______EIP

Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buﬀer
EBP + 4 Buﬀer
EBP + 8 Old EBP
EBP + C

Stack
EBP - 8
=ESP
Old EBP
EBP - 4 return Address
EBP + 0 1
EBP + 4 Buﬀer
EBP + 8 Buﬀer
EBP + C Old EBP
_______EIP

Stack
EBP + 0
=ESP
Old EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buﬀer
EBP + 10 Buﬀer
EBP + 14 Old EBP
_______EIP

Stack
EBP - 4
=ESP
Buﬀer
EBP + 0 Buﬀer
EBP + 4 Old EBP
EBP + 8
EBP + C
EBP + 10
_______EIP

x86 Disassembly

&

Calling Conventions

It’s time to talk about each register
meanings and their functions used for.

I collect the simple parts from wiki,
and they’re real useful for reversing.
read more: x86 Disassembly/Calling Conventions

CDECL

STDCALL

FASTCALL

C++ THISCALL

DEBUGGing

Debug:

Ollydbg

Debug:

Cheat Engine

Debug:

IDA Pro

Trial:

TDOH Hello World

Play the game & Find the ﬂag :P

Game Time

Live Demo

IDA, CE, Olly

‘Generate Pseudocode(F5)’ of IDA Pro might lose
something important in assembly for accessible
reading.
It’s important to use debugger and trace opcode
of every step.
IDA

Trial:

Lucky Day

TDOH{Debug_is_Fun!}

Game Time

清华⽹网络安全技术协会

GAME TIme

AIS3 2016 Final Binary 1

Using ‘Strings Window’ to ﬁgure out the format string of printf
and double click for detail.

Click the xref and follow

Just check every char of the input is lower case

RC4 but a little diffrent.
I will take this function into three parts
for you understanding well.

If the result after RC4 cipher is the same as input,
that will be the really key.

Game TIme

特訓99

I prepare the same one but patched.
If you can set bullet count to zero, the game
will give you ﬂag.

Game Time

CrackMe#1 [UBC] by bRaINbuSY

We don’t care those, that don’t
make any effect on the checking
Here is used for SEH ExceptionList
but it’s not the point

We can make it simple like this.

We should ﬁgure how to get this value ( you can debug and get
this without doubt, but it’s import to know how it works for
creating a keygen)

Q&A
aaaddress1@gmail.com

TDOH 南區 WorkShop 2016 Reversing on Windows

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to TDOH 南區 WorkShop 2016 Reversing on Windows

Similar to TDOH 南區 WorkShop 2016 Reversing on Windows (20)

Recently uploaded

Recently uploaded (20)

TDOH 南區 WorkShop 2016 Reversing on Windows