Reverse Engineering with IDA Pro
Posted on September 14, 2007 - Filed Under Application Security
IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. Quite a mouthful, isn’t it? We are aware that the above speaks only to geeks.
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it.
The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing the analyst to single-step through the code being investigated, the debugger often bypasses obfuscation and helps obtain data that the more powerful static disassembler can then process in depth. IDA Pro can be used as a local and as a remote debugger on the 80x86 (typically Windows/Linux) and the ARM platform (typically Windows CE PDAs). Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.
IDA Pro is also interactive and programmable. It is great for code analysis, vulnerability research, COTS validation and privacy protection.
Some of its major features include:
- Supports Windows, Linux and some Mac OS X
- ‘instant debugger’: the debugger can be launched and a process started without a database. This feature is available locally and remotely and allows the debugger to be attached to any running process in the system. IDA can be used as the default system debugger.
- Remote 64-bit debugger for MS Windows 64 running on AMD64/EMT64. IDA itself runs in 32-bit mode while the debugger server runs in 64-bit mode to launch and debug 64-bit applications.
- Full type system support for the ARM processor. IDA supports the function calling conventions and comments function parameters in the same way as it does on PC. The ARM module has been significantly improved: see a list of all the ARM-specific enhancements below.
- Wizard-like interface to load new files. IDA assists the user in the initial load process by asking relevant questions about the file. This interface is configurable with XML files.
Check it out at: http://www.datarescue.com/
Here is also my favorite one-page cheat sheet of short-cut keys: IDA Pro Short Cuts
Reverse Engineering - Tools and Resources
Posted on September 13, 2007 - Filed Under Application Security
Debuggers - A debugger is a computer program that is used to test and debug other programs. The code to be examined might alternatively be running on an instruction set simulator (ISS), a technique that allows great power in its ability to halt when specific conditions are encountered but which will typically be much slower than executing the code directly on the appropriate processor.
- OllyDebug - OllyDbg is a 32-bit assembler-level analysing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is shareware, but you can download and use it for free.
- SoftICE ($$$) from Numega - SoftICE is a powerful system-wide debugger that supports source level debugging of any software, driver, service, and most bios code on either a single or dual machine configuration. SoftICE not only debugs SYS files and VxDs, but also can debug Ring 3 applications as well as system internals and through-ring transitions.
There are other debuggers specific to different operating systems, compilers, etc. that you may prefer or at least be more familiar with.
Decompilers - A decompiler is the name given to a computer program that performs the reverse operation to that of a compiler. That is, it translates a file containing information at a relatively low level of abstraction (usually designed to be computer readable rather than human readable) into a form having a higher level of abstraction (usually designed to be human readable).
- uncc - C Decompiler
- Decompiler of Visual Basic programs. Decompiles forms and pseudo code (parsing opcodes into standard VB instructions and decompiling object references), disassembles native code procedures (with a powerful Pentium Pro disassembler supporting the MMX and FPU instruction sets), and offers syntax coloring in decompiled code, a string reference list and search engine, and fast decompiling speed.
- .Net Decompiler that decompiles/disassembles .Net assemblies from MSIL (MS Intermediate Language) binary format to well-formed and optimized source code (6 languages: MSIL, C#, VB.NET, Delphi.Net, J# and managed C++).
There are also many other specialized decompilers for Java, Flash, and other development environments.
A disassembler is a computer program that translates machine language into assembly language — the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.
- IdaPro - IDA Pro is a Windows- or Linux-hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Together with its plugins and scripts, it is the de facto standard for most RE needs.
Resources:
This little online tutorial is a great place to start with learning the process of RE: http://www.acm.uiuc.edu/sigmil/RevEng/
Reverse Engineering - ELF
Posted on September 12, 2007 - Filed Under Application Security
One of the basic concepts for RE is to understand the Executable and Linking Format (ELF).
The executable and linking format (ELF) was originally developed by Unix System Laboratories and is rapidly becoming the standard in file formats. The ELF standard is growing in popularity because it has greater power and flexibility than the a.out and COFF binary formats. ELF now appears as the default binary format on operating systems such as Linux, Solaris 2.x, and SVR4. Some of the capabilities of ELF are dynamic linking, dynamic loading, imposing runtime control on a program, and an improved method for creating shared libraries. The ELF representation of control data in an object file is platform independent, an additional improvement over previous binary formats. The ELF representation permits object files to be identified, parsed, and interpreted similarly, making the ELF object files compatible across multiple platforms and architectures of different size.
The three main types of ELF files are executable, relocatable, and shared object files. These file types hold the code, data, and information about the program that the operating system and/or link editor need to perform the appropriate actions on these files. The three types of files are summarized as follows:
- An executable file supplies information necessary for the operating system to create a process image suitable for executing the code and accessing the data contained within the file.
- A relocatable file describes how it should be linked with other object files to create an executable file or shared library.
- A shared object file contains information needed in both static and dynamic linking.
The ELF file format is made up of five components: (1) the ELF header, (2) the program header table, (3) the section header table, (4) the ELF sections, and (5) the ELF segments.
There are a number of types of sections described by entries in the section header table. Sections can hold executable code, data, dynamic linking information, debugging data, symbol tables, relocation information, comments, string tables, and notes. Some sections are loaded into the process image and some provide information needed in the building of a process image while still others are used only in linking object files.
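The layout just described can be walked with a short parser. The following is an added example, not code from this post or from any ELF tool: build_sample_elf constructs a minimal ELF64 executable image in memory (sample data made up here, not a real binary), and parse_elf then reads the ELF header, the program header table and the section header table, resolves section names through .shstrtab, and section_containing maps the entry point to the section that holds it, as a disassembler does when it starts analysis. Function names are this example's own; the numeric constants are the values from the ELF specification.

```python
import struct

# Constants taken from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_NAMES = {1: "relocatable (ET_REL)", 2: "executable (ET_EXEC)",
            3: "shared object (ET_DYN)", 4: "core (ET_CORE)"}
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 6: "PHDR"}
SHT_NAMES = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 8: "NOBITS"}
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4

# struct formats for the three fixed-size tables (little-endian ELF64).
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr (56 bytes)
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr (64 bytes)


def build_sample_elf():
    """Construct a minimal ELF64 executable image (sample data built here, not a real binary)."""
    text = b"\x48\x31\xc0\xc3"            # xor rax, rax ; ret
    shstrtab = b"\0.text\0.shstrtab\0"    # section-name string table
    base = 0x400000
    phoff = 64                            # program header table right after the ELF header
    text_off = phoff + 56
    str_off = text_off + len(text)
    shoff = (str_off + len(shstrtab) + 7) & ~7   # section header table, 8-byte aligned
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 0x3E, 1, base + text_off, phoff, shoff, 0,
                       64, 56, 1, 64, 3, 2)            # e_type=ET_EXEC, e_machine=x86-64
    filesz = str_off + len(shstrtab)
    phdr = struct.pack(PHDR_FMT, 1, 5, 0, base, base, filesz, filesz, 0x1000)  # PT_LOAD, R+X
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))                                  # mandatory null entry
    shdrs += struct.pack(SHDR_FMT, 1, 1, SHF_ALLOC | SHF_EXECINSTR,
                         base + text_off, text_off, len(text), 0, 0, 16, 0)     # .text
    shdrs += struct.pack(SHDR_FMT, 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)  # .shstrtab
    body = ehdr + phdr + text + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs


def _cstring(buf, start):
    """Read a NUL-terminated string from a string table."""
    end = buf.find(b"\0", start)
    if start >= len(buf) or end < 0:
        raise ValueError("section name index points outside .shstrtab")
    return buf[start:end].decode("ascii", "replace")


def parse_elf(data):
    """Parse the ELF header, program header table and section header table of a little-endian ELF64 file."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    # In a hostile sample the header fields are attacker-controlled: bounds-check every table first.
    if e_phoff + e_phnum * e_phentsize > len(data) or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("program/section header table lies outside the file")
    if e_shnum and e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append({"type": PT_NAMES.get(p_type, hex(p_type)), "flags": p_flags,
                         "offset": p_offset, "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    sections = []
    if raw:
        st_off, st_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
        if st_off + st_size > len(data):
            raise ValueError(".shstrtab lies outside the file")
        strtab = data[st_off:st_off + st_size]
        for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, _, _, _, _ in raw:
            sections.append({"name": _cstring(strtab, sh_name), "type": SHT_NAMES.get(sh_type, hex(sh_type)),
                             "flags": sh_flags, "addr": sh_addr, "offset": sh_offset, "size": sh_size})
    return {"type": ET_NAMES.get(e_type, f"unknown ({e_type})"), "machine": e_machine,
            "entry": e_entry, "segments": segments, "sections": sections}


def section_containing(info, addr):
    """Map a virtual address to the loaded (SHF_ALLOC) section that holds it, or None."""
    for s in info["sections"]:
        if s["flags"] & SHF_ALLOC and s["addr"] <= addr < s["addr"] + s["size"]:
            return s["name"]
    return None


if __name__ == "__main__":
    info = parse_elf(build_sample_elf())
    print(info["type"], "for machine", hex(info["machine"]), "entry", hex(info["entry"]))
    for s in info["sections"]:
        print(f"  {s['name']:<12} {s['type']:<9} off={s['offset']:#06x} size={s['size']}")
    print("entry point lives in", section_containing(info, info["entry"]))
```

The bounds checks are the part worth keeping when adapting this to real samples: e_shoff, e_shnum, sh_offset and sh_name are just numbers in the file, and a crafted or corrupted binary can point them anywhere, so a tool that trusts them reads past the buffer or hangs. Every rejected case above raises ValueError rather than silently returning partial results.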
There are a number of good locations on the internet to learn more about ELF and how to identify the sections within a decompiler.
Types of Reverse Engineering
Posted on September 11, 2007 - Filed Under Application Security
As computer-aided design has become more popular, reverse engineering has become a viable method to create a 3D virtual model of an existing physical part for use in 3D CAD, CAM, CAE and other software. The reverse engineering process involves measuring an object and then reconstructing it as a 3D model. The physical object can be measured using 3D scanning technologies like CMMs, laser scanners, structured light digitizers or computed tomography. The measured data alone, usually represented as a point cloud, lacks topological information and is therefore often processed and modeled into a more usable format such as a triangular faced mesh, a set of NURBS surfaces or a CAD model. Applications like Imageware, PolyWorks, Rapidform or Geomagic are used to process the point clouds themselves into formats usable in other applications such as 3D CAD, CAM, CAE or visualization.
Reverse engineering is often used by the military in order to copy other nations' technology, devices or information, or parts thereof, that have been obtained by regular troops in the field or by intelligence operations. It was often used during the Second World War and the Cold War.
Reverse engineering software or hardware systems which is done for the purposes of interoperability (for example, to support undocumented file formats or undocumented hardware peripherals), is mostly believed to be legal, though patent owners often contest this and attempt to stifle any reverse engineering of their products for any reason.
On a related note, black box testing in software engineering has a lot in common with reverse-engineering. The tester usually has the API, but his goals are to find bugs and undocumented features by bashing the product from outside.
Other purposes of reverse engineering include security auditing, removal of copy protection ("cracking"), circumvention of access restrictions often present in consumer electronics, customization of embedded systems (such as engine management systems), in-house repairs or retrofits, enabling of additional features on low-cost "crippled" hardware (such as some graphics card chipsets), or even mere satisfaction of curiosity.
Reverse engineering is also used by businesses to bring existing physical geometry into digital product development environments, to make a digital 3D record of their own products or assess competitors’ products. It is used to analyze, for instance, how a product works, what it does, what components it consists of, estimate costs, identify potential patent infringement, etc.
Value engineering is a related activity also used by business. It involves deconstructing and analysing products, but the objective is to find opportunities for cost cutting.
Finally, reverse engineering often is done because the documentation of a particular device has been lost (or was never written), and the person who built the thing is no longer working at the company. Integrated circuits often seem to have been designed on obsolete, proprietary systems, which means that the only way to incorporate the functionality into new technology is to reverse-engineer the existing chip and then re-design it.
Reverse Engineering
Posted on September 10, 2007 - Filed Under Application Security
This week we are going to be looking at a process called Reverse Engineering. Reverse engineering (RE) is the process of discovering the technological principles of a device, object or system through an abductive analysis of its structure, function and operation. It often involves taking something (e.g. a mechanical device, an electronic component, a software program) apart and analyzing its workings in detail, usually to try to make a new device or program that does the same thing without copying anything from the original.
In the United States and many other countries, even if an artifact or process is protected by trade secrets, reverse-engineering the artifact or process is often lawful as long as it is obtained legitimately. Patents, on the other hand, need a public disclosure of an invention, and therefore patented items do not necessarily have to be reverse engineered to be studied. One common motivation of reverse engineers is to determine whether a competitor’s product contains patent infringements or copyright infringements.
RE is also used to dissect and analyze malware, look for security issues in application code and understand threats that may be embedded in unknown software.
As the week progresses, we will be looking at different types of RE and some RE tools, such as IDA Pro.