3. aaaddress1 at The Declaration of Hacker (TDOH)
⾺聖豪 (aaaddress1, aka adr)
Third-year student, Department of Information Engineering, I-Shou University
Reverse Engineering, Pwn
C/C++, C#, x86, Node.js
Blog: Adr.Horse, 30cm.tw
Speaker
✓ HITCON 2015
✓ SITCON 2016
✓ BSides Las Vegas 2016
✓ TDOHxNTSTU Security Lecture
Reversing
Windows Pwn
4.
MapleHack
CrackShield
Tower Of Savior Hack
Adr’s FB
Isu.30cm.tw
AIDS
PykemonGo, MadPocket
My Little Ransomware
11.
Requirement
✓IDA (Pro)
✓OllyDbg
✓Cheat Engine
✓Windows 7 x86
✓Dev C++
12.
Windows PE & Process
✓Have fun in PE structure
✓Import Address Table (IAT)
✓ImageBase & Find the entry
13.
Assembly
✓sizeof( variable )
✓eax, ebx, ecx, edx, etc
✓add, sub, inc, dec
✓xor
✓Flag & Branch
✓Loop
✓x86 Calling Convention
Function Call
esp & ebp
14.
Analyzer
✓IDA (Pro)
PE, IAT, EAT
Strings List
Flow Chart
Function & Variable Anti-Trace
✓OllyDbg
Create Process & Attach
Hook & Trace
✓Cheat Engine
Create Process & Attach
Memory Scan for data
Hook & Trace
15.
Bonus
✓IDA Dynamic Analysis
✓Patch
Executable file patch
Dynamic Patch
✓Cheat Engine PE View
✓Assembly & Special
22.
IDA
The return value of the main function is the process 'Exit Status'.
23.
IDA
The PE loader will find the '_start' function
from the Export Address Table (EAT)
View → Open subviews → Exports
24.
Is it true?
Nope, not at all.
Searching the export table by name would take far too long, and a plain .exe usually exports nothing at all; the loader reads the entry point straight from the PE header, as the next slides show.
27.
Wiki
The head of a PE file is the DOS header,
and it starts with the signature 0x5A4D (the bytes 'M', 'Z' read as a little-endian WORD)
28.
Wiki
That’s why it’s also called DOS-MZ
29.
Wiki
And (DOS Header + 0x3C), the e_lfanew field, stores the file offset of the NT Header
30.
Wiki
This is the real header of the PE file: the "PE\0\0" signature, the File Header and the Optional Header
31.
Wiki
(NT Header + 0x028) stores AddressOfEntryPoint, the offset (an RVA, relative to ImageBase)
of the first function executed, also known as the 'start' function.
32.
Wiki
(NT Header + 0x034) stores ImageBase, the preferred address at which
the PE file is loaded in memory, e.g. 0x400000 (for a 32-bit PE32 image; if the image opts in to ASLR the real base can differ, so confirm it in the debugger)
33.
CE
Right click → 'Go to address' → input 'main.exe'
You will find main.exe loaded at 0x400000, and its first two bytes are 'MZ'
34.
CE
0x0000110b (AddressOfEntryPoint) + 0x400000 (ImageBase) = 0x40110b
That's the same address IDA shows for start
35.
If you understand the whole PE structure,
you can make a great PE packer :P
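The header walk from slides 27 through 34 written out in C, as an added example that is not part of the slides: it follows 'MZ' → e_lfanew → "PE\0\0" → AddressOfEntryPoint and ImageBase and computes the same 0x40110b. The header blob it parses by default is constructed inline with the slides' values (it is not a real executable), and the bounds checks are the ones any parser of untrusted files needs, since e_lfanew is just a number read from the file. Given a path on the command line it parses a real 32-bit .exe instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE headers are little-endian on disk; read them byte by byte so the code
   does not depend on struct packing or host endianness. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct pe_entry {
    uint32_t e_lfanew;    /* DOS header + 0x3C: file offset of the NT header   */
    uint32_t entry_rva;   /* NT header + 0x28: AddressOfEntryPoint, an RVA      */
    uint32_t image_base;  /* NT header + 0x34: preferred ImageBase (PE32 only)  */
    uint32_t entry_va;    /* image_base + entry_rva: the 'start' address in IDA */
};

/* Walk DOS header -> NT header -> Optional header.
   Returns 0 on success, a negative code naming the failed check otherwise. */
int pe_find_entry(const uint8_t *buf, size_t len, struct pe_entry *out) {
    if (len < 0x40 || le16(buf) != 0x5A4D) return -1;      /* no 'MZ' signature */
    uint32_t nt = le32(buf + 0x3C);                         /* e_lfanew */
    /* e_lfanew is attacker-controlled in a hostile file: bound it first */
    if (nt > len || len - nt < 0x38) return -2;
    const uint8_t *nth = buf + nt;
    if (le32(nth) != 0x00004550) return -3;                 /* no "PE\0\0" */
    /* Optional header starts at +0x18; Magic 0x10B = PE32. In PE32+ (0x20B)
       ImageBase is a 64-bit field at +0x30, so the +0x34 rule does not apply. */
    if (le16(nth + 0x18) != 0x10B) return -4;
    out->e_lfanew   = nt;
    out->entry_rva  = le32(nth + 0x28);
    out->image_base = le32(nth + 0x34);
    out->entry_va   = out->image_base + out->entry_rva;
    return 0;
}

/* Constructed header blob, not a real executable: just enough bytes to hold
   the fields above, filled with the slides' values (entry RVA 0x110B,
   ImageBase 0x400000). */
static uint8_t g_sample[0x40 + 0x38];
const uint8_t *build_sample(size_t *len) {
    memset(g_sample, 0, sizeof g_sample);
    g_sample[0] = 'M'; g_sample[1] = 'Z';
    g_sample[0x3C] = 0x40;                          /* e_lfanew = 0x00000040 */
    uint8_t *nth = g_sample + 0x40;
    memcpy(nth, "PE\0\0", 4);
    nth[0x04] = 0x4C; nth[0x05] = 0x01;             /* Machine = I386 (0x014C) */
    nth[0x14] = 0xE0;                               /* SizeOfOptionalHeader = 0xE0 */
    nth[0x18] = 0x0B; nth[0x19] = 0x01;             /* Magic = 0x010B (PE32) */
    nth[0x28] = 0x0B; nth[0x29] = 0x11;             /* AddressOfEntryPoint = 0x0000110B */
    nth[0x36] = 0x40;                               /* ImageBase = 0x00400000 */
    *len = sizeof g_sample;
    return g_sample;
}

int main(int argc, char **argv) {
    static uint8_t filebuf[0x1000];
    const uint8_t *buf;
    size_t len;
    if (argc > 1) {                                 /* e.g. ./pe_entry main.exe */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        len = fread(filebuf, 1, sizeof filebuf, f);
        fclose(f);
        buf = filebuf;
    } else {
        buf = build_sample(&len);
    }
    struct pe_entry e;
    int rc = pe_find_entry(buf, len, &e);
    if (rc != 0) { printf("not a PE32 image (check %d failed)\n", rc); return 1; }
    printf("e_lfanew=0x%X  entry RVA=0x%08X  ImageBase=0x%08X  -> start at 0x%08X\n",
           e.e_lfanew, e.entry_rva, e.image_base, e.entry_va);
    return 0;
}
```

The same offsets are what Cheat Engine's PE view and IDA's Exports window are reading for you; the extra checks (length before e_lfanew, the PE32 magic) are what separate a reversing helper from a parser you could point at a malware sample.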
56.
Add dest, source
→ dest += source
Add dest, [source]
→ dest += the value stored at address source
57.
Sub dest, source
→ dest -= source
Sub dest, [source]
→ dest -= the value stored at address source
58.
Inc dest
→ dest++
Inc [dest]
→ (the value stored at address dest)++
59.
Dec dest
→ dest--
Dec [dest]
→ (the value stored at address dest)--
60.
Cmp [source], value
// Computes *(long*)source - value and keeps only the flags (ZF, CF, SF, OF); the result is discarded
Je blockOne
// Jump to blockOne if they're equal (ZF = 1)
Jl blockTwo
// Jump to blockTwo if [source] is less than value as a signed number (SF != OF)
Jg blockThree
// Jump to blockThree if [source] is greater than value as a signed number (ZF = 0 and SF = OF)
61.
Cmp [source], value
// Same compare; these are the negated conditions
Jne blockOne
// Jump to blockOne if they're not equal (ZF = 0)
Jnl blockTwo
// Jump to blockTwo if [source] is not less than value, signed (same as Jge)
Jng blockThree
// Jump to blockThree if [source] is not greater than value, signed (same as Jle)
62.
Test [source], value
// Computes *(long*)source & value and discards the result: ZF = 1 if the AND is zero, CF and OF are always cleared
Jz blockOne
// Jump to blockOne if ([source] & value) is zero
Jnz blockTwo
// Jump to blockTwo if ([source] & value) is non-zero
// Ja/Jb after Test do not compare anything: Jb needs CF = 1 and is never taken, Ja (CF = 0 and ZF = 0) is just Jnz
63.
Test v.s. Cmp
Cmp subtracts and sets every flag: use Cmp & Jl/Je/Jg (SF, OF, ZF) if source & dest are signed numbers,
and Cmp & Jb/Je/Ja (CF, ZF) if they are unsigned
Test only ANDs, so use it with Jz/Jnz: 'test eax, eax' checks for zero, 'test al, 1' checks a single bit
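The Cmp versus Test difference, shown by computing the flags the way the CPU does and then evaluating each jump's condition. This is an added example, not part of the slides; it models 32-bit operands and the jumps from slides 60 through 63, and the sample operands in main are constructed to make the signed/unsigned split visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The flags the conditional jumps on slides 60-63 read. */
struct flags { bool zf, cf, sf, of; };

/* cmp dst, src: compute dst - src, keep only the flags. */
struct flags x86_cmp(uint32_t dst, uint32_t src) {
    uint32_t r = dst - src;
    struct flags f;
    f.zf = (r == 0);
    f.cf = (dst < src);                                  /* unsigned borrow    */
    f.sf = ((r >> 31) & 1) != 0;                         /* sign of the result */
    f.of = ((((dst ^ src) & (dst ^ r)) >> 31) & 1) != 0; /* signed overflow    */
    return f;
}

/* test dst, src: compute dst & src, discard it; CF and OF are always 0. */
struct flags x86_test(uint32_t dst, uint32_t src) {
    uint32_t r = dst & src;
    struct flags f = { r == 0, false, ((r >> 31) & 1) != 0, false };
    return f;
}

/* Condition codes as the CPU evaluates them (Intel SDM, Jcc). */
bool je (struct flags f) { return f.zf; }                   /* jz          */
bool jne(struct flags f) { return !f.zf; }                  /* jnz         */
bool jl (struct flags f) { return f.sf != f.of; }           /* signed  <   */
bool jg (struct flags f) { return !f.zf && f.sf == f.of; }  /* signed  >   */
bool jb (struct flags f) { return f.cf; }                   /* unsigned <  */
bool ja (struct flags f) { return !f.cf && !f.zf; }         /* unsigned >  */

static void show(const char *what, struct flags f) {
    printf("%-30s jl=%d jg=%d jb=%d ja=%d je=%d\n",
           what, jl(f), jg(f), jb(f), ja(f), je(f));
}

int main(void) {
    /* -1 vs 1: the same bytes compare differently as signed and unsigned */
    show("cmp 0xFFFFFFFF, 1", x86_cmp(0xFFFFFFFFu, 1));
    /* test with the sign bit: only ZF is informative, jb can never fire */
    show("test 0x80000000, 0x80000000", x86_test(0x80000000u, 0x80000000u));
    show("test eax, eax (eax = 0)", x86_test(0, 0));
    return 0;
}
```

When a crackme compares a length or a counter, the choice of Jl/Jg versus Jb/Ja after the Cmp tells you whether the compiler treated the value as signed or unsigned, which is exactly the detail a keygen needs and a decompiler sometimes hides.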
64.
Jmp near +0x200
→ EIP = (address of the next instruction) + 0x200, a relative jump: the displacement is counted from the end of the jmp itself
65.
Jmp 0x400000 (an absolute target)
→ EIP = 0x400000 (the assembler still encodes a near jump as a displacement from the next instruction)
66.
Ret
→ EIP = [ESP+0], then ESP += 4 (pops the return address)
67.
Ret 0x0C
→ EIP = [ESP+0], ESP += 4 (the return address is popped first)
→ then ESP += 0x0C, releasing three 4-byte arguments
i.e. the callee removes its own arguments, which is how stdcall functions (most of the Win32 API) return
68.
Xor dest, source
→ mov dest, ‘A’ //0x41
→ xor dest, 0x20
//dest is ‘a’(0x61) now
69.
Xor dest, source
→ mov dest, ‘a’ //0x61
→ xor dest, 0x20
//dest is ‘A’(0x41) now
70.
    0100 0001   'A' (0x41)
xor 0010 0000   0x20
  = 0110 0001   'a' (0x61)
71.
Assembly:
Function Call
77.
void Func()
{
int A = 0;
int B = 1;
int C = 2;
}
[EBP - 4] = 0
[EBP - 8] = 1
[EBP - C] = 2
push EBP
mov EBP, ESP
sub ESP, LEN   // LEN = 0xC here: 3 locals × 4 bytes
78.
void Func() {
nFunc(ARG1, ARG2, ARG3…);
}
push ebp
mov ebp, esp
.
.
push arg3
push arg2
push arg1   // arguments are pushed right to left, so arg1 ends up on top
call nFunc
83.
[EBP+0 ] = Pointer to old EBP (the caller's saved frame pointer)
[EBP+4 ] = Return Address (pushed by call)
[EBP+8 ] = Parameter 1
[EBP+C ] = Parameter 2
[EBP+10] = Parameter 3
…etc
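The frame from slides 77 through 83 run through a tiny stack model, added here as an example that is not part of the slides: it performs the push / call / prologue sequence, reads back what the callee finds at [EBP+0], [EBP+4], [EBP+8] and so on, and then returns with either ret 0x0C (stdcall) or ret followed by the caller's add esp, 0x0C (cdecl). The addresses 0x401000 and 0x40110B, the argument values and the initial EBP are constructed for the run; the array indices stand in for real stack addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A small model of the x86 stack: a byte array indexed by ESP/EBP.
   Values go through memcpy, so reads return exactly what was written
   regardless of host byte order. Addresses are array indices, not real VAs. */
#define STACK_TOP 0x100

struct cpu {
    uint8_t  stack[STACK_TOP];
    uint32_t esp, ebp, eip;
};

static void     st32(struct cpu *c, uint32_t a, uint32_t v) { memcpy(c->stack + a, &v, 4); }
static uint32_t ld32(const struct cpu *c, uint32_t a)       { uint32_t v; memcpy(&v, c->stack + a, 4); return v; }

void     x86_push(struct cpu *c, uint32_t v) { c->esp -= 4; st32(c, c->esp, v); }
uint32_t x86_pop (struct cpu *c)             { uint32_t v = ld32(c, c->esp); c->esp += 4; return v; }

/* call target: push the address of the next instruction, then jump */
void x86_call(struct cpu *c, uint32_t target, uint32_t next_eip) { x86_push(c, next_eip); c->eip = target; }
/* ret imm16: pop EIP first, then release imm bytes of arguments (slide 67) */
void x86_ret(struct cpu *c, uint16_t imm) { c->eip = x86_pop(c); c->esp += imm; }
/* push ebp ; mov ebp, esp ; sub esp, len  (slide 77) */
void x86_prologue(struct cpu *c, uint32_t local_len) { x86_push(c, c->ebp); c->ebp = c->esp; c->esp -= local_len; }
/* leave == mov esp, ebp ; pop ebp */
void x86_leave(struct cpu *c) { c->esp = c->ebp; c->ebp = x86_pop(c); }

/* What the callee sees through EBP, plus the state after returning. */
struct frame_view {
    uint32_t old_ebp, ret_addr, arg1, arg2, arg3, local_a;
    uint32_t esp_delta, eip_after_ret;
};

/* Run nFunc(0x11, 0x22, 0x33) as on slides 78 and 83.
   callee_cleans = 1 models stdcall (ret 0x0C), 0 models cdecl (caller add esp, 0x0C).
   Constructed addresses: caller's next instruction 0x40110B, nFunc at 0x401000. */
struct frame_view demo(int callee_cleans) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.esp = STACK_TOP;
    c.ebp = 0xBEEF0000;                     /* caller's frame pointer, to be saved/restored */
    uint32_t esp_before = c.esp;

    x86_push(&c, 0x33);                     /* push arg3 */
    x86_push(&c, 0x22);                     /* push arg2 */
    x86_push(&c, 0x11);                     /* push arg1 */
    x86_call(&c, 0x401000, 0x40110B);       /* call nFunc */

    x86_prologue(&c, 0xC);                  /* push ebp ; mov ebp, esp ; sub esp, 0xC */
    st32(&c, c.ebp - 4, 0);                 /* int A = 0  -> [EBP-4] */
    st32(&c, c.ebp - 8, 1);                 /* int B = 1  -> [EBP-8] */
    st32(&c, c.ebp - 0xC, 2);               /* int C = 2  -> [EBP-C] */

    struct frame_view v;
    v.old_ebp  = ld32(&c, c.ebp + 0);       /* slide 83: [EBP+0]  saved EBP      */
    v.ret_addr = ld32(&c, c.ebp + 4);       /*           [EBP+4]  return address */
    v.arg1     = ld32(&c, c.ebp + 8);       /*           [EBP+8]  parameter 1    */
    v.arg2     = ld32(&c, c.ebp + 0xC);     /*           [EBP+C]  parameter 2    */
    v.arg3     = ld32(&c, c.ebp + 0x10);    /*           [EBP+10] parameter 3    */
    v.local_a  = ld32(&c, c.ebp - 4);

    x86_leave(&c);
    if (callee_cleans) x86_ret(&c, 0x0C);   /* stdcall: ret 0x0C                      */
    else { x86_ret(&c, 0); c.esp += 0xC; }  /* cdecl:   ret ; add esp, 0x0C in caller */

    v.esp_delta     = c.esp - esp_before;   /* 0 means the stack is balanced again */
    v.eip_after_ret = c.eip;
    return v;
}

int main(void) {
    struct frame_view v = demo(1);
    printf("[EBP+0]=%08X [EBP+4]=%08X [EBP+8]=%X [EBP+C]=%X [EBP+10]=%X [EBP-4]=%X\n",
           v.old_ebp, v.ret_addr, v.arg1, v.arg2, v.arg3, v.local_a);
    printf("after ret 0x0C: EIP=%08X, ESP delta=%d\n", v.eip_after_ret, (int)v.esp_delta);
    return 0;
}
```

Overwrite the bytes at [EBP+4] in this model and the ret lands wherever you put them, which is the whole story of a stack overflow; and if you get the calling convention wrong when patching or hooking (ret 0x0C where the caller also does add esp, 0x0C), esp_delta stops being 0 and the program crashes a few returns later.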
84.
Assembly:
Calling Convention
85-98.
Stack (animation across slides 85-98: the frame built by the sequence on slides 78 and 83)

Step 1  caller prologue: push ebp ; mov ebp, esp
        ESP = EBP+0 → Old EBP

Step 2  caller locals: sub esp, 8
        ESP = EBP-8 → Buffer
              EBP-4 → Buffer
              EBP+0 → Old EBP

Step 3  argument: push 1
        ESP → 1, then Buffer, Buffer, Old EBP above it

Step 4  call nFunc
        ESP → return Address, then 1, Buffer, Buffer, Old EBP

Step 5  callee prologue: push ebp ; mov ebp, esp (slide 93)
        ESP = EBP+0   Old EBP (the caller's frame pointer)
              EBP+4   return Address
              EBP+8   1        (Parameter 1)
              EBP+C   Buffer
              EBP+10  Buffer
              EBP+14  Old EBP

Slides 95-98 play the same sequence backwards: pop ebp / ret remove Old EBP and the return Address, add esp, 4 removes the argument 1, and the caller's leave drops the two Buffer slots and restores Old EBP, until ESP is back where Step 1 started.
x86 Disassembly
&
Calling Conventions
100.
It's time to talk about what each register
means and what it is used for.
101.
I collected the simple parts from the wiki,
and they're really useful for reversing.
Read more: x86 Disassembly/Calling Conventions
120.
Live Demo
IDA, CE, Olly
121.
IDA Pro's 'Generate Pseudocode (F5)' may drop something important
from the assembly in exchange for readable output.
It's important to use a debugger and trace the opcodes
at every step.
IDA
159.
I prepared the same one, but patched.
If you can set the bullet count to zero, the game
will give you the flag.
168.
We don't care about the instructions that
have no effect on the check.
This part sets up the SEH ExceptionList,
but it's not the point.
169.
We can make it simple like this.
170.
We should figure out how to get this value (you can debug and read it
out without doubt, but it's important to know how it is computed
if you want to write a keygen)