Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Reverse Engineering Software Cracking

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Reverse Engineering Software Cracking"— Presentation transcript:

1 Software Reverse Engineering Software Cracking
Sometimes, the best way to advance is in reverse K. Salah

2 What is Reverse Engineering?
The process of extracting the knowledge or design blueprints from anything man-made. It is different than conventional scientific research (e.g, coming up with blueprints of the atom) With reverse engineering, the artifact being investigated is man-made With Scientific research, the artifact is a natural phenomenon Software Reverse Engineering About opening up a program’s “box” and looking inside No screwdrivers needed, but integrates several arts of Code breaking Puzzle solving Programming Logical analysis K. Salah

3 Why Reverse Engineering?
Application development Why reinvent the wheel Undocumented API Interoperability with proprietary software Used enormously for all MS products Software quality and robustness Security-Related Malicious Software Black-Hat Hackers To find vulnerabilities and exploit them White-Hat Hackers To identify, dissect and analyze malware Reversing ciphers Defeating copy right protection Must-do when it comes to propriety software Really unknown what the code does and how secure K. Salah

4 Is reversing legal? Jury is still out Bottom line
What is “reverse engineering” used for? K. Salah

5 “Software Cracking is a scientific process as much as it is an art,”
Greg Hoglund Taking measurements Analysis to draw proper conclusions K. Salah

6 Reversing 101 Books Web sites
Elad Eilam, “Reversing: Secretes of Reverse Engineering,” Wiley, 2005 Greg Hoglund, “Exploiting Software: How to Break Code,” Addison-Wesley, 2004 Kris Kaspersky, “Hacker Disassebmling Uncovered,” A-List Publishing, 2003 Web sites Learn to crack Crack Find K. Salah

7 Approaches to reverse engineering
White Box Analysis Analyzing and understanding source code Code coverage – walking down dark allies Black Box Analysis Analyzing a running program by probing it with various inputs Gray Box Analysis A combination K. Salah

8 Program Structure Static libraries Dynamic libraries
Third party library external to program Added to program while being built Become integral part of the final executable Dynamic libraries Idea is to utilize memory Multiple processes can use the same DLL Remains separate from the executable Update to DLL requires no update to program Simplify the reversing process and give many hints on program behavior. K. Salah

9 The .exe format and DLLs Before loading DLLs, addresses of functions in DLL are pointing to dummy addresses in an import table When process is loaded, the OS loader loads every module listed in the imported table, and resolves the addresses of each of the functions listed in each modules. The addresses are found in the exported table of the module. K. Salah

10 Important Flags K. Salah

11 Reversing Tools No all-in-one Disassemblers and low-level debuggers
IDA Pro ILDasm OllyDbg Win32Dasm WinDbg Numega SoftICE Decompilers Dream to come true In development: Andromeda and Boomerang For Java and C#, the dream has come true System monitors FileMon, TCPView, TDIMon, RegMon, PortMon, WinObj, Process Exporer Hex Editors Hex Workshop Hiew WinHex K. Salah

12 IDA-generated function flowchart
K. Salah

13 IDA-generated function interactions at high level
K. Salah

14 Copyright Protection Open Architecture
CPU can not check “authorized” or “legal” code Only execution mode and process memory protection by OS– useless When program runs, its data and code has to be exposed or decrypted Decryption key or decrypted data are impossible to hide – It is the CPU that does the decryption operation Make no mistake: It is virtually impossible to create a totally uncrackable copy protection scheme One crack is not the issue, “class breaks” is K. Salah

15 Design Considerations
Resistance to attack End-user transparency The annoyance factor K. Salah

16 Types of Protection Media-Based Protections Watermarking
Deliberately writing bad sectors on floppy Easy to break Watermarking Check for watermark on media before running Can be broken Serial Numbers Program has “secret validation algorithm” to check for good serial numbers Checksum Check for valid checksum before or during running Challenge Response and Online Activations A step up Hardware-Based Protections Program runs or keeps running if a dongle is attached Software as a Service Highly secure Vendor is in control Advanced Protection Concepts -- Crypto-Processors Violates Open Architecture K. Salah

17 Crypto Processors Originated by Robert M. Best in his patent, “Executing Enciphered Programs.” Decrypt code then Execute Each Crypto-mP has (assigned by CA) Two pair of keys A serial number The Steps Software is shipped by the vendor with binary executable encrypted mP decrypts with private key Machine code is placed in a special memory not software-accessable Similar to macrocode for each machine instruction Only accessed by the process itself. Any other access by OS or IDT or any software is a violation. Code is executed from this (theoretically) inaccessable memory K. Salah

18 Is this unbreakable? Power usage analysis attacks
Differential power analysis by Paul Kocher, Joshu Jaffe, and Benjamin Jun Watch the power consumption to ascertain the value of the key being used K. Salah

19 Antireversing Techniques
Lets get one thing out of the way It is never possible to entirely prevent reversing What is possible is to hinder and obstruct reversers by wearing them out and making it so slow and painful. drown the reverser into a sea of irrelevant information Outcome: they give up K. Salah

20 Basic Approaches to Antireversing
Eliminate Symbolic Antireversing Non-byte-code Imported and exported and internal Function names. String names. Byte-code (Java and .NET) Intermediate code of a compiler Uses internal cross-references than addresses Make it so easy to decompile to source code! More: class names, class member names, names of instantiated global objects Use inlining & addresses for function names Obfuscating the program Functionally identical yet far less readable E.g. rename all symbolic links into meaningless symbols Code Encryption Part of the binary executable is encrypted and is decrypted at runtime Only hinders static analysis Embedding Antidebuggers Code Check for debugger existence. If so, terminate or better yet confuse it! Workaround is using static analysis Powerful combination: use encryption with antidebugging. Why? K. Salah

21 Detecting Debugger TF set in EFLAGS Check handlers in IDT
Enable TF and see if exception is swallowed by debugger Code checksum Slowdown runtime Use only for sensitive functions Use a special thread to see if program was stopped for long time Inserting junk bytes into code Use opcode: db or ds Disassemblers get confused Linear sweep vs. recursive traversal K. Salah

22 Example of Obfuscation – Code Interleaving
K. Salah

23 Keygenning Definition: The process of creating programs that mimic the key-generation algorithm for everyone to use Software can be blacklisted if it always works with same pair of (serialnumber or username.) Better yet: Key depends on pair of username plus computer-specific info (disk driver serial number) Ripping Keygen Algorithms The process is somewhat easy Locate/copy/paste/modify K. Salah

24 JAVA, C#, and .NET Reversing is incredibly trivial task
Bytecode and MSIL is highly detailed Full definition of every data structure Name of every symbol Every object, data member, and member function Decompile and modify Countermeasures Renaming symbols Control flow obfuscation Breaking decompilation and disassembley Corrupting the metadata with bogus references, strings, methods, etc. K. Salah

25 Decompiling C# function
K. Salah

Download ppt "Software Reverse Engineering Software Cracking"

Similar presentations

Part IV: Memory Management

Part IV: Memory Management
Dynamic Self-Checking Techniques for Improved Tamper Resistance Bill Horne, Lesley Matheson, Casey Sheehan, Robert E. Tarjan STAR Lab, InterTrust Technologies.

Dynamic Self-Checking Techniques for Improved Tamper Resistance Bill Horne, Lesley Matheson, Casey Sheehan, Robert E. Tarjan STAR Lab, InterTrust Technologies.
White-Box Cryptography

White-Box Cryptography
Systems Software.

Systems Software.
DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 8. Cracking. Cracking Magnitude of piracy  All kinds of digital content (music, software, movies)  Huge economic repercussions.

DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 8. Cracking. Cracking Magnitude of piracy  All kinds of digital content (music, software, movies)  Huge economic repercussions.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Java Bytecode Teodoro (Ted) Cipresso,

CS266 Software Reverse Engineering (SRE) Applying Anti-Reversing Techniques to Java Bytecode Teodoro (Ted) Cipresso,
DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 9. Técnicas anti-ingeniería inversa.

DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 9. Técnicas anti-ingeniería inversa.
.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.

.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.
Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)

Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Software Testing and Reliability Testing Real-Time Systems Aditya P. Mathur Purdue University May 19-23, Corporation Minneapolis/St Paul,

Software Testing and Reliability Testing Real-Time Systems Aditya P. Mathur Purdue University May 19-23, Corporation Minneapolis/St Paul,
Chapter 10 Application Development. Chapter Goals Describe the application development process and the role of methodologies, models and tools Compare.

Chapter 10 Application Development. Chapter Goals Describe the application development process and the role of methodologies, models and tools Compare.
SRE  Introduction 1 Software Reverse Engineering (SRE)

SRE  Introduction 1 Software Reverse Engineering (SRE)
Compiled by Benjamin Muganzi 3.2 Functions and Purposes of Translators Computing 9691 Paper 3 1.

Compiled by Benjamin Muganzi 3.2 Functions and Purposes of Translators Computing 9691 Paper 3 1.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.

Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Similar presentations

Ads by Google