Guidance on reverse code chaos

By: xikug (xikug_at_163.com)
From: Security Focus

Preface

I have wanted to write something for a long time, but I never seem to know what I am busy with all day, and I only got started recently... In this series of articles I would like to share some of my experience and introduce some methods and ideas. Many of the methods are not my own inventions, but they are ones I have used to solve real problems. My level is limited, and much of what I say is my personal understanding, expressed in my own words rather than in professional terms, so please do not take it as authoritative; use whatever you find useful.

What is code reversing?

Code reversing analyzes the behavior, data flow and compiler-generated code of a target program without its source code. Through this analysis we can understand and discover the program's functions, processes, rules and technical implementation details, and on that basis optimize it, enhance its features, fix vulnerabilities, or even restore it to source code. This analysis process is called reverse analysis or reverse engineering.

For us personally, perhaps the biggest benefit of reverse analysis is learning the design ideas and implementation details of excellent programs.

Today reverse analysis is applied in many places. Typical applications include malware analysis, vulnerability mining, bug locating and technical exploration.

Some people say that reversing is shameless: that reversers simply steal other people's code instead of writing their own... I do not believe that anyone who says this has never analyzed and learned from other people's work; I can only call that view ignorant... Reversing is a way of exploring the unknown; it is a learning attitude and a spirit that does not give in to difficulty. Without reversing, many of today's scientific advances would not have come so fast, or might not have been made at all. Scientific research is the exploration of the unknown, turning what we do not understand into what we do. Reverse engineering is applied not only to software but also in fields such as genetics, chemical engineering, pharmaceuticals, electronics, construction, aviation and the military, where it helps researchers break things down, study, combine and improve them, and even create new things. That is how science moves forward, one small step at a time.

The benefits of reverse analysis are obvious. However, any technology is a double-edged sword, and reverse analysis is no exception: it may be used to learn, to solve technical problems or to do something beneficial for software security, or it may be used to cause damage.

Reverse methods

White-box analysis
White-box analysis studies and understands the functions and logic of a program at the code level, through dynamic debugging or static disassembly (the code may be disassembly, decompiled pseudocode or source code), and finds the program's security problems.

Black-box analysis
Black-box analysis predicts and determines the likely implementation of a program by observing its behavior and rules while it runs.

Gray-box analysis
Gray-box analysis usually needs some special-purpose tools (which you may have to write yourself), such as API monitors, hooking tools, memory comparison tools and file monitors. These are used to watch the target program: what operations it performs, which APIs it calls, what results it produces, and where hooks or filters are inserted into the system, in order to guess at and confirm the program's likely implementation details.

Today more and more programs add virtual machines (VM-based protection) or code mutation (obfuscation). White-box analysis of such programs may take a great deal of effort without finding a way in, whereas black-box and gray-box analysis may produce unexpected results.
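As an added example that is not part of the original article, here is a small snapshot-and-compare tool in Python of the kind the gray-box section describes: it records the size and SHA-256 of every file under a directory before and after the target program runs, then reports what was added, deleted or modified. The directory contents created in demo() are constructed for the example; against a real target you would take the first snapshot, run the program, and take the second.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative file path -> (size, sha256 hex) for every file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            key = path.relative_to(root).as_posix()
            result[key] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def diff_snapshots(before, after):
    """Compare two snapshots; sorted lists make the report stable and testable."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    # present in both, but size or hash changed
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario (assumption, not a real program): a directory is
    snapshotted, a 'program run' edits, drops and removes files, and the
    second snapshot is compared against the first."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.ini").write_text("level=1\n")
        (root / "readme.txt").write_text("hello\n")
        (root / "cache").mkdir()
        (root / "cache" / "old.dat").write_bytes(b"\x00" * 16)
        before = snapshot(root)

        # simulated effects of running the target: rewrite config, delete cache, drop a new file
        (root / "config.ini").write_text("level=2\nlicensed=1\n")
        (root / "cache" / "old.dat").unlink()
        (root / "key.bin").write_bytes(b"\xde\xad\xbe\xef")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:<9} {p}")
```

The same before/after idea applies to registry keys or process memory; only the snapshot() function changes. Hashing rather than comparing timestamps catches files that are rewritten with identical size and mtime.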

Reverse techniques

Dynamic debugging
Tracing and analyzing the target program in a debugger lets you see clearly the program's internal state and intermediate results as it runs.

Static disassembly/decompilation analysis
Use a disassembler or decompiler to convert the target program into readable assembly code or pseudocode, then analyze the program's structure, flow and logic.
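As an added example that is not part of the original article: a minimal linear-sweep 32-bit x86 disassembler in Python, covering a handful of common opcodes, to show what a disassembler actually does with the raw bytes. The sample bytes (a constructed function prologue and body) and the base address 0x401000 are assumptions for the example; a real disassembler handles the full instruction set, prefixes and all addressing forms.

```python
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
# opcode -> mnemonic for the "op r/m32, r32" (and 0x8B: "mov r32, r/m32") encodings handled below
MODRM_OPS = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x39: "cmp",
             0x85: "test", 0x89: "mov", 0x8B: "mov"}


def _modrm(code, pos):
    """Decode the ModRM byte (plus SIB/displacement) at code[pos].
    Returns (reg field, operand text for r/m, bytes consumed)."""
    b = code[pos]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    used = 1
    if mod == 3:                                   # register-direct operand
        return reg, REGS32[rm], used
    if rm == 4:                                    # SIB byte follows
        sib = code[pos + used]; used += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        parts = [] if (base == 5 and mod == 0) else [REGS32[base]]
        if index != 4:
            parts.append(f"{REGS32[index]}*{scale}")
        if base == 5 and mod == 0:                 # no base register, disp32 instead
            disp = struct.unpack_from("<I", code, pos + used)[0]; used += 4
            parts.append(f"0x{disp:x}")
        text = "+".join(parts)
    elif mod == 0 and rm == 5:                     # absolute disp32
        disp = struct.unpack_from("<I", code, pos + used)[0]; used += 4
        text = f"0x{disp:x}"
    else:
        text = REGS32[rm]
    if mod == 1:                                   # [reg+disp8]
        disp = struct.unpack_from("<b", code, pos + used)[0]; used += 1
        text += f"{disp:+#x}"
    elif mod == 2:                                 # [reg+disp32]
        disp = struct.unpack_from("<i", code, pos + used)[0]; used += 4
        text += f"{disp:+#x}"
    return reg, f"[{text}]", used


def disassemble(code, base=0):
    """Linear sweep: decode one instruction after another starting at offset 0.
    Returns a list of (address, hex bytes, text). Unknown or truncated
    instructions are emitted as 'db' so the sweep never desynchronizes silently."""
    out, pos = [], 0
    while pos < len(code):
        op, addr, size = code[pos], base + pos, 1
        try:
            if 0x50 <= op <= 0x57:
                text = f"push {REGS32[op - 0x50]}"
            elif 0x58 <= op <= 0x5F:
                text = f"pop {REGS32[op - 0x58]}"
            elif 0xB8 <= op <= 0xBF:
                imm = struct.unpack_from("<I", code, pos + 1)[0]; size = 5
                text = f"mov {REGS32[op - 0xB8]}, 0x{imm:x}"
            elif op == 0x68:
                imm = struct.unpack_from("<I", code, pos + 1)[0]; size = 5
                text = f"push 0x{imm:x}"
            elif op == 0x6A:
                imm = struct.unpack_from("<b", code, pos + 1)[0]; size = 2
                text = f"push {imm:#x}"
            elif op in MODRM_OPS:
                reg, rm, used = _modrm(code, pos + 1); size = 1 + used
                dst, src = (REGS32[reg], rm) if op == 0x8B else (rm, REGS32[reg])
                text = f"{MODRM_OPS[op]} {dst}, {src}"
            elif op in (0xE8, 0xE9):               # call / jmp rel32
                rel = struct.unpack_from("<i", code, pos + 1)[0]; size = 5
                target = (addr + size + rel) & 0xFFFFFFFF
                text = f"{'call' if op == 0xE8 else 'jmp'} 0x{target:x}"
            elif op == 0xEB or 0x70 <= op <= 0x7F:  # short jmp / jcc rel8
                rel = struct.unpack_from("<b", code, pos + 1)[0]; size = 2
                target = (addr + size + rel) & 0xFFFFFFFF
                mnem = "jmp" if op == 0xEB else JCC[op - 0x70]
                text = f"{mnem} short 0x{target:x}"
            elif op == 0xCD:
                size = 2; text = f"int {code[pos + 1]:#x}"
            else:
                text = {0x90: "nop", 0xC3: "ret", 0xC9: "leave",
                        0xCC: "int3"}.get(op, f"db 0x{op:02x}")
        except (struct.error, IndexError):          # instruction runs past end of buffer
            size, text = 1, f"db 0x{op:02x}"
        out.append((addr, code[pos:pos + size].hex(), text))
        pos += size
    return out


# Constructed sample (assumption): a typical 32-bit function prologue and body
SAMPLE_CODE = bytes.fromhex(
    "55"            # push ebp
    "89e5"          # mov ebp, esp
    "8b4508"        # mov eax, [ebp+0x8]
    "31d2"          # xor edx, edx
    "85c0"          # test eax, eax
    "7405"          # je short +5
    "e810000000"    # call +0x10
    "c9"            # leave
    "c3"            # ret
)


def sample_listing(base=0x401000):
    """Mnemonic text of SAMPLE_CODE disassembled at the given base address."""
    return [text for _, _, text in disassemble(SAMPLE_CODE, base)]


if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE_CODE, 0x401000):
        print(f"{addr:08x}  {raw:<12} {text}")
```

Branch targets are resolved relative to the address of the next instruction, which is why the base address matters: the same bytes loaded elsewhere produce different call and jump targets in the listing.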

How to learn

Reverse engineering is not as hard as people imagine, but it is not as simple either. What is genuinely hard is applying these methods and techniques effectively so as to reach the goal faster and better, and that requires a great deal of programming and reversing experience.

We usually want to achieve the following goals in Reverse Engineering:

Technical exploration/code restoration

Software vulnerability mining

Software bug locating

Software behavior/rule analysis

Removing software restrictions

Developing auxiliary programs

The methods and techniques used differ with the purpose. For example, when we do "technical exploration/code restoration" on a kernel driver for the Win32 platform, we may use every white-box, black-box and gray-box method: we must understand every piece of assembly code, what it implements, how it relates to other code, and the architecture and ideas behind the whole code base. For "software behavior/rule analysis", on the other hand, black-box or gray-box analysis may be enough: we learn which files and registry keys are read and written, and which APIs are called, after a button is pressed. During analysis we sometimes only need static disassembly, and sometimes we need dynamic debugging. In short, there is no fixed routine; everything depends on the situation.

A solid programming foundation is the key to learning reversing, and the foundation is the easy part to learn. The foundation of programming is algorithms and data structures; a language is only a tool for implementation, and most languages are alike, so we only need to master one. If we later need another language, we will pick it up quickly. Basic knowledge:

1. At least one high-level programming language; C or Pascal is recommended.
2. x86 assembly language
3. Common algorithms and data structures

Software generally runs on a specific platform, such as Windows, Linux, WinCE, Java, Symbian or Palm... To reverse software on a given platform you need knowledge of programming for that platform, including its SDK, process management, memory management and file system. You need not be fully proficient in all of this, but you should have a general understanding of the common APIs, ideally have programming experience on the platform, and know where to find the information you want. The reverse process is itself a learning process, so we can fill in our own knowledge as we go, which is the best kind of learning result. (My exposure is narrow, and what I deal with most is reversing native programs on x86 Windows, so unless otherwise stated the content in this series refers to native programs and code on the x86 Windows platform.)

The best way to learn reversing is to practice and to learn from practice. In general, what we face in reverse engineering is unknown to us, or perhaps known but uncertain; if it were known there would be no need to reverse it. Targeted learning means filling in whatever knowledge we find we lack while reversing. Over time the gains are considerable: not only experience, but also breadth and depth of knowledge.

Programming experience is also very important for practicing reverse engineering. For example, when we do "vulnerability mining", we can put ourselves in the program designer's position and think about where the program needs to defend itself, where vulnerabilities might occur, and so on. With enough experience we can quickly locate the relevant code, analyze it and check whether the vulnerability exists. Another example is "technical exploration/code restoration": programs are getting bigger and bigger, so we cannot look at and reverse every code segment; doing that for a 1 M program would be extremely expensive in time. We need to locate the key code segments quickly, and rich programming experience helps us do that. Broadening programming knowledge, accumulating programming experience and accumulating reversing experience are equally important; rich programming experience lets us get twice the result with half the effort.

In addition, it is best to restore code in the original program's implementation language, to avoid trouble: modern programming languages usually have their own frameworks and supply a variety of class libraries, which differ in function and are not compatible with each other. For example, if we had to restore a VCL program using MFC, a complicated VCL mechanism or feature might not exist in MFC at all, and implementing it in MFC would be a large amount of work for half the result. So it is recommended to use the original language for code restoration: C for C, Delphi for Delphi, Python for Python...

Reverse engineering often has a further benefit that I find hard to put into words; after enough practice you will probably understand what I mean. That is all I can say :P

Learning resources
Having said all that, it is time to introduce some learning resources. They are basic and necessary in the learning stage, and I hope they help you in your learning and practice.

Books
Windows Programming (5th edition) - a tutorial on programming for the Windows platform. URL: http://www.china-pub.com/2382

Windows Core Programming - an experience book that helps you improve your Windows programming skills. URL: http://www.china-pub.com/131

In-depth Analysis of the Windows Operating System (4th edition) - the authoritative work on the core mechanisms of Windows. It is also a great help in raising your reversing level, once you have understood it, of course. URL: http://www.china-pub.com/32775

Encryption and Decryption - a good introductory book; the third edition is out. URL: http://www.china-pub.com/12210

Websites
www.rootkit.com - a lot of information and code on system security and the system kernel
www.codeproject.com - a great deal of programming code and articles
msdn.microsoft.com - the latest development material for Microsoft platforms

Forums
bbs.pediy.com - the Kanxue (Pediy) forum, the largest encryption/decryption forum in China, now turned toward software security; it brings together a large number of Chinese experts.
www.unpack.cn - Yiyanyu, the most professional unpacking forum in China, with a wide range of interests: besides unpacking there are experts in Chinese localization, software security, trojans and viruses, programming, games, literature, music, art and much more.
bbs.driverdevelop.com - the DriverDevelop forum for driver development; many experts but few who post. Worth a visit.
forum.sysinternals.com - Sysinternals.
www.debugman.com - the forum created by "8th men", intended as a communication platform for friends with similar interests; currently focused on program design, reverse engineering, code security and the underlying system.

Tools
Only a few tools are listed here. My view is
