Reverse Engineering: The Complete Documentation

  • This category contains 13 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Reverse Engineering Hostile Code

Published on 2002-10-23, by Joe Stewart, ©SecurityFocus.

Computer criminals are always ready and waiting to compromise a weakness in a system. When they do, they usually leave programs on the system to maintain their control. We refer to these programs as "Trojans" after the story of the ancient Greek Trojan horse. Often these programs are custom compiled and not widely distributed. Because of this, anti-virus software will often not detect their presence. It also means that information about what any particular custom Trojan does is not generally available, so a custom analysis of the code is necessary to determine the extent of the threat and to pinpoint the origin of the attack if possible.

Alien Autopsy: Reverse Engineering Win32 Trojans on Linux

Published on 2002-11-14, by Joe Stewart, ©SecurityFocus.

In my last article, Reverse Engineering Hostile Code, I described the tools and processes involved in basic reverse engineering of a simple trojan. This article will offer a more detailed examination of the reversing process, using a trojan found in the wild. At the same time, this article will discuss some techniques for reversing Windows-native code entirely under Linux. As an added bonus, all the tools used in this article are either freeware or free software.

Anti-Hacker Tool Kit: Reverse Engineering Binaries

Published on 2006-02-09, by Mike Shema, ©McGraw-Hill Osborne Media.

Your computer seems to be running slower than normal. The router shows that your computer is transmitting data out to the Internet without you knowing it. Friends are complaining about you sending them e-mails you never composed. Determined to see if you have a Trojan running on your computer, you take a look at your process list to see if there is anything out of the ordinary. Much to your dismay, you notice a program running that you have never seen before and didn’t explicitly start. You have been backdoored by malware.

There are many questions you should be asking in these situations. What does the program do? Does it use network resources? Can outside hackers now access my computer? Am I being used as a zombie for DDoS attacks? This chapter will focus on methods and tools you can use to determine what these programs do and how they do it, without having the source code. In the past, reverse engineering was something of a black art. Typically it involved some type of decompilation using a tool such as IDA or GDB to extract the assembly out of the binary, and the best you could hope for was to have that assembly converted into a low-level C code that you could use to understand what was going on. These tools have evolved, however, and you no longer need a PhD in Computer Science to be able to reverse engineer binaries. That being said, a brief primer will go miles in helping you understand when to use certain tools and when to use others.

Brief Tutorial on Reverse Engineering OS X (A)

Published on 2005-04-20, by Rich Wareham, ©Rich Wareham.

I have written (and continue to write) an application called Desktop Manager for OS X. It provides virtual desktops to those refugees from Unix like myself :). Recently it became apparent that it would no longer work under Apple's forthcoming Tiger release of OS X. This proved a little bit of a problem for me since I have no copy of Tiger to test with and don't wish to risk Apple's wrath by obtaining a less-than-legitimate copy. Instead I have relied on a network of people I correspond with via my blog to tell me when things break. It also means I have to attempt to reverse engineer something I don't have in front of me. I am indebted to these people and would like to thank them for their hard work.

File Format Reversing - EverQuest II VPK

Published on 2005-09-06, by daeken, ©OpenRCE.

In this article I will cover the basics of reverse-engineering binary file formats, starting with the simple archive format used in the popular game EverQuest™ II known as VPK. This is the first of many articles I'll be writing on the subject as time goes on. You can find VPK files in any EverQuest™ II installation, and any will do for the purposes of this article. For the purposes of this article, I will assume the reader has knowledge of programming in C. The architecture being used is x86, and thus, everything is unsigned and little-endian. The tools you will need to follow along with this article are a decent hex editor (I recommend HexEditor for Mac OS X™) and a copy of Python.

Introduction to Reverse Engineering Software

Published on 2004-02-02, by Mike Perry and Nasko Oskov, ©Mike Perry and Nasko Oskov.

This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows©. Since reverse engineering is under legal fire, the authors figure the best response is to make the knowledge widespread. The idea is that since discussing specific reverse engineering feats is now illegal in many cases, we should then discuss general approaches, so that it is within every motivated user's ability to obtain information locked inside the black box. Furthermore, interoperability issues with closed-source proprietary systems are just plain annoying, and something needs to be done to educate more open source developers as to how to implement this functionality in their software.

Linux anti-debugging techniques (fooling the debugger)

Published in 1999, by Silvio Cesare, ©Silvio Cesare.

This article describes anti-debugger techniques for x86/Linux (though some of these techniques are not x86 specific). That is, techniques to either fool, stop, or modify the process of debugging the target program. This can be useful to the development of viruses and also to those implementing software protection.
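As an added illustration of the "stop or fool the debugger" idea above (example code written for this index, not taken from Cesare's paper), the block below implements the two classic Linux checks a protected program makes for an attached tracer, and notes why each is bypassable. The function names, the 4 KiB buffer and the sample /proc/self/status text in main() are assumptions made for the example; only the Linux procfs field name TracerPid and the ptrace(2) semantics are real.

```c
/* Two classic Linux anti-debugging checks (added example, not from the paper).
 * Build: cc -Wall -o antidbg antidbg.c ; then run it plain and under gdb. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <errno.h>
#include <sys/ptrace.h>
#endif

/* Parse the TracerPid field out of the text of /proc/self/status.
 * Returns the tracing pid (0 means nobody is tracing us) or -1 if the
 * field is absent. Pure string parsing, so it can be exercised on
 * constructed input as well as on the live file. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, keylen) == 0)
            return strtol(line + keylen, NULL, 10); /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Check 1: read /proc/self/status and look at TracerPid.
 * Returns 1 if a tracer is attached, 0 if not, -1 if procfs is unavailable.
 * Bypass: the debugger (or an LD_PRELOAD shim around fopen/fread) can hand
 * the process a doctored copy of the file. */
int debugger_present_procfs(void)
{
    char buf[4096];                 /* assumption: status fits in 4 KiB */
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    long pid = tracer_pid_from_status(buf);
    if (pid < 0)
        return -1;
    return pid != 0;
}

/* Check 2: ask the kernel to trace ourselves. A process can have only one
 * tracer, so PTRACE_TRACEME fails with EPERM while a debugger holds us.
 * Side effect: on success the parent becomes our tracer, so a later
 * "gdb -p <pid>" attach is refused as well (the "stop the debugger" case).
 * Caveats: EPERM is also what a seccomp filter that forbids ptrace returns,
 * and an LD_PRELOAD'ed ptrace() stub returning 0 defeats the check outright.
 * Returns 1 if traced, 0 if not, -1 if the check could not be made. */
int debugger_present_ptrace(void)
{
#ifdef __linux__
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return errno == EPERM ? 1 : -1;
    return 0;
#else
    return -1;                      /* non-Linux: not supported here */
#endif
}

int main(void)
{
    /* Constructed sample of /proc/self/status, as seen under a debugger. */
    const char *sample = "Name:\tantidbg\nState:\tt (tracing stop)\n"
                         "Pid:\t3117\nTracerPid:\t3109\nUid:\t1000\n";
    printf("sample TracerPid        : %ld\n", tracer_pid_from_status(sample));
    printf("live procfs check       : %d\n", debugger_present_procfs());
    printf("live PTRACE_TRACEME test: %d\n", debugger_present_ptrace());
    return 0;
}
```

Run the binary twice, once plain and once as `gdb -q ./antidbg -ex run`, to see both live checks flip from 0 to 1; then try `LD_PRELOAD` with a one-line `ptrace()` stub that returns 0, or `gdb`'s `catch syscall ptrace` followed by `set $rax = 0` on return, to see how cheaply the second check is fooled. Neither check is a security boundary; they are friction, which is all an anti-debugging trick can ever be.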

Reconstructing binaries to C for beginners

Published on 2003-01-20, by mercy, ©DTORS SECURITY RESEARCH.

An example of reverse engineering code: Hopefully at the end of this small disassembly dump, we will have been able to analyze what is happening in the assembly, and construct a roughly accurate code to go with it.

Reverse engineering - functions... functions! functions!? sheeeeeeeeeesh

Published on 2003-04-23, by mercy, ©DTORS SECURITY RESEARCH.

This paper is the second part to my reconstruction series. You will essentially need a basic understanding of ASM, C, and be able to navigate gdb. I recommend if you have not done anything along these lines before, you read my first article titled "Reconstructing Binaries to C for Beginners". This is a beginners article and no advanced techniques will be shown, so if you need something more advanced, branch out by yourself.

Reverse Engineering Backdoored Binaries

Published on 2004-07-01, by ChrisR, ©Infosecwriters.com.

This paper is on reverse engineering backdoored binaries on an x86 Linux Operating System. It is meant for the beginner reverse engineer with some knowledge of ELF, C, x86 ASM, and Linux. We will begin by explaining the basics of our binary from what we can determine by disassembling, and then we will recreate the source code for the evil part of our backdoored binary. You will need a few basic tools for this: objdump, elfsh, hexdump, a text editor... and your brain.

Reverse Engineering Microsoft OLE

Published on 2005-09-12, by Joe Stewart, ©OpenRCE.

For the experienced reverse-engineer, a basic analysis of what a particular piece of malware does can be a relatively quick and painless process. Simply load up the executable component into IDA or OllyDbg and let the auto-analysis match up import names with function calls. Presented with these scraps of information, a guess can be made pertaining to what function a particular subroutine performs. Labeling these subroutines creates more function cross-references that can in turn reveal more about the overall functionality of the program.

Reverse Engineering: Memory Analysis

Published on 2003-12-29, by skape, ©skape.

Trying to analyze a black box can sometimes seem quite the daunting task. Whether the focus be on analyzing the functionality of a given application or on analyzing its internal structures, one is not likely to get far without the proper resources. This document attempts to take the reader through the basic methodologies of accessing process memory on various platforms and then proceeds to build on this platform by bringing about techniques that can be used to understand and decode internal data structures of an application. It is the hope of the author that the reader will walk away with a refreshed or better sense of understanding as it pertains to being able to reverse engineer the internals, at least in part, of an application based solely on the process memory layout.

Reverse-Engineering the First Pocket PC Trojan, Part 1

Published on 2004-10-01, by Cyrus Peikari, Seth Fogie, Ratter/29A, Jonathan Read, ©Pearson Education, InformIT.

Recently we were the first to provide a detailed analysis and fix for WinCE4.Dust, the inaugural Pocket PC virus. We also gave the first detailed analysis of Mosquito, the inaugural Symbian Trojan horse. Now we're going to present a detailed analysis of Brador, the inaugural Trojan horse for the Windows Mobile operating system.

Created: 2004-12-08 01:25 | Modified: 2007-03-26 00:18 | Size: 36505 octets