written 8.4 years ago by | modified 2.9 years ago by |
Subject: System Web Security
Topic: Software Security
Difficulty: Medium
written 8.4 years ago by | modified 2.9 years ago by |
Subject: System Web Security
Topic: Software Security
Difficulty: Medium
written 8.4 years ago by | • modified 8.4 years ago |
Software Reverse engineering, also called back engineering, is the processes of extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information.
The process often involves disassembling something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) and analyzing its components and workings in detail.
Reverse engineering has its origins in the analysis of hardware for commercial or military advantage. However, the reverse engineering process in itself is not concerned with creating a copy or changing the artifact in some way; it is only an analysis in order to deduce design features from products with little or no additional knowledge about the procedures involved in their original production.
In some cases, the goal of the reverse engineering process can simply be a redocumentation of legacy systems.
Even when the product reverse engineered is that of a competitor, the goal may not be to copy them, but to perform competitor analysis.
Depending on the program and it’s level of protection, different software reverse engineering tools can be used.
Reasons for reverse engineering:
i. Interoperability.
ii. Lost documentation: Reverse engineering often is done because the documentation of a particular device has been lost (or was never written), and the person who built it is no longer available. Integrated circuits often seem to have been designed on obsolete, proprietary systems, which means that the only way to incorporate the functionality into new technology is to reverse-engineer the existing chip and then re-design it.
iii. Product analysis: To examine how a product works, what components it consists of, estimate costs, and identify potential patent infringement.
iv. Digital update/correction: To update the digital version (e.g. CAD model) of an object to match an "as-built" condition.
v. Security auditing: Acquiring sensitive data by disassembling and analysing the design of a system component.
vi. Military or commercial espionage. Learning about an enemy's or competitor's latest research by stealing or capturing a prototype and dismantling it.
Some of the tools are given as follows:
i. Disassemblers
a. A disassembler is used to convert binary code into assembly code and also used to extract strings, imported and exported functions, libraries etc.
b. The disassemblers convert the machine language into a user-friendly format.
c. There are different dissemblers that specialize in certain things.
d. Most commonly used disassemblers are: WIN32DASM and IDA.
ii. Debuggers
a. This tool expands the functionality of a disassembler by supporting the CPU registers, the hex duping of the program, view of stack etc.
b. Using debuggers, the programmers can set breakpoints and edit the assembly code at run time.
c. Debuggers analyse the binary in a similar way as the disassemblers and allow the reverser to step through the code by running one line at a time to investigate the results.
d. Widely used debuggers are: SoftICE and OllyDbg.
iii. Hex Editors
a. These editors allow the binary to be viewed in the editor and change it as per the requirements of the software.
b. There are different types of hex editors available that are used for different functions.
c. Available hex editors are : Ultraedit, biew and hiew
iv. PE and Resource Viewer
a. The binary code is designed to run on a windows based machine and has a very specific data which tells how to set up and initialize a program. b. All the programs that run on windows should have a portable executable that supports the DLLs the program needs to borrow from.
To perform software reverse engineering, following things are required:
i. Disassembler and debugger tools.
ii. Patience and optimism
iii. Working knowledge of target assembly language.
iv. Experience of handling tools (disassembler and debugger).
To make software reverse engineering attack more difficult, some anti-debugging and anti-disassembly techniques are used.
These techniques obscure the attacker’s static and dynamic view of the code.
Anti-Disassembly Techniques:
i. It is an anti-reversing method used to avoid disassemblers.
ii. Due to this technique, disassembler generate incorrect disassembled code.
iii. Anti-Disassembly methods include:
a. Encrypted object code
b. False disassembly
c. Self Modifying Code(SMC)
Anti-Debugging Technique:
These techniques are used to monitor:
i. Use of debug-register.
ii. Inserted breakpoints.
i. Analysis through observation of information exchange, most prevalent in protocol reverse engineering, which involves using bus analyzers and packet sniffers, for example, for accessing a computer bus or computer network connection and revealing the traffic data thereon.
ii. Bus or network behavior can then be analyzed to produce a stand-alone implementation that mimics that behavior.
iii. This is especially useful for reverse engineering device drivers. Sometimes, reverse engineering on embedded systems is greatly assisted by tools deliberately introduced by the manufacturer, such as JTAG ports or other debugging means.
iv. In Microsoft Windows, low-level debuggers such as SoftICE are popular.
v. Disassembly using a disassembler, meaning the raw machine language of the program is read and understood in its own terms, only with the aid of machine-language mnemonics.
vi. This works on any computer program but can take quite some time, especially for someone not used to machine code. The Interactive Disassembler is a particularly popular tool.
vii. Decompilation using a decompiler, a process that tries, with varying results, to recreate the source code in some high-level language for a program only available in machine code or bytecode.