RAPHAEL SANCHEZ PRUDENCIO (RAPH0X88) [email protected]

All your binaries are belong to us

Jan 14, 2017

Transcript
Page 1: All your binaries are belong to us

RAPHAEL SANCHEZ PRUDENCIO (RAPH0X88)

[email protected]

Page 2: All your binaries are belong to us

DISCLAIMER

ALL THE INFORMATION PROVIDED ON THIS TALK ARE FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OF THE INFORMATION!

Page 3: All your binaries are belong to us

MOTIVATION

• REVERSE ENGINEERING ROCKS
• YOUR COMPUTER, YOUR RULES
• AND ABOVE ALL, CURIOSITY!
• JUST TO CLARIFY, NOT A TYPO!
• AT LEAST NOT MY TYPO
• INSPIRED BY THE FAMOUS ZERO WING MISTRANSLATION MEME

Page 4: All your binaries are belong to us

OLLYDBG

• OLLYDBG IS A 32-BIT ASSEMBLER LEVEL ANALYZING DEBUGGER FOR WINDOWS.
• PRETTY USEFUL TOOL FOR DEBUGGING ON WINDOWS
• SUPPORTS PLUGINS, WHICH CAN EXTEND ITS FEATURES

Page 5: All your binaries are belong to us

DEMO TIME!

Page 6: All your binaries are belong to us

ANTI-DEBUG

• TOO MANY TECHNIQUES TO DESCRIBE ALL
• DEBUGGER DETECTION
  • NTSETINFORMATIONTHREAD - THREADHIDEFROMDEBUGGER
  • ISDEBUGGERPRESENT
• TIMING HOOKS
  • GETTICKCOUNT
  • NTQUERYPERFORMANCECOUNTER
• BREAKPOINT DETECTION
  • GETTHREADCONTEXT
  • INT3 (0XCC) AND INT 3 (0XCD03)
• …

Page 7: All your binaries are belong to us

ANTI-DISASSEMBLE

• JUNK CODE
• OVERLAPPING INSTRUCTIONS
• CALL/RET ABUSE
• SELF-MODIFYING CODE
• …

Page 8: All your binaries are belong to us
Page 9: All your binaries are belong to us

ANTI-ANTI-DEBUG/DISASM

• PLENTY OF OPTIONS!
• USER SPACE
  • SCYLLAHIDE
• KERNEL SPACE
  • TITANHIDE

Page 10: All your binaries are belong to us

DEMO TIME!

Page 11: All your binaries are belong to us

ENCODER

```c
/* One round of the encoder, the same structure as an XTEA round:
   data1/data2 are the two data words, c[] the 4-entry key table,
   local2 the running sum and local3 the delta added each round. */

/* Part 1 */
tmp = (data2 << 4) ^ (data2 >> 5);
tmp += data2;
j = local2 & 3;
tmp2 = c[j] + local2;
data1 += (tmp ^ tmp2);

/* Update local2 */
local2 += local3;

/* Part 2 */
tmp = (data1 << 4) ^ (data1 >> 5);
tmp += data1;
j = (local2 >> 0xb) & 3;
tmp2 = c[j] + local2;
data2 += (tmp ^ tmp2);
```
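The slide shows a single round. As an added example (not the talk's own code), the round below is wrapped in a function together with its inverse and a full-block encode/decode, which is what you need to confirm that a key table recovered from the binary actually round-trips. The round count (32) and the per-round delta (0x9E3779B9) are not on the slide and are assumed from XTEA, whose round this code matches; the key words in `roundtrip_ok` are constructed.

```c
#include <stdint.h>
/* Assumed: the slide shows one round only, so the round count and the
   per-round delta are taken from XTEA, whose round the slide's code matches. */
#define ENC_ROUNDS 32u
#define ENC_DELTA  0x9E3779B9u

/* One encoder round as on the slide (data1/data2 -> d1/d2); local2 advances. */
void encoder_round(uint32_t *d1, uint32_t *d2, const uint32_t c[4],
                   uint32_t *local2, uint32_t local3)
{
    uint32_t tmp = ((*d2 << 4) ^ (*d2 >> 5)) + *d2;        /* part 1 */
    *d1 += tmp ^ (c[*local2 & 3] + *local2);
    *local2 += local3;                                      /* update local2 */
    tmp = ((*d1 << 4) ^ (*d1 >> 5)) + *d1;                  /* part 2 */
    *d2 += tmp ^ (c[(*local2 >> 0xb) & 3] + *local2);
}

/* Inverse round: undo part 2, roll local2 back, then undo part 1. */
void decoder_round(uint32_t *d1, uint32_t *d2, const uint32_t c[4],
                   uint32_t *local2, uint32_t local3)
{
    uint32_t tmp = ((*d1 << 4) ^ (*d1 >> 5)) + *d1;
    *d2 -= tmp ^ (c[(*local2 >> 0xb) & 3] + *local2);
    *local2 -= local3;
    tmp = ((*d2 << 4) ^ (*d2 >> 5)) + *d2;
    *d1 -= tmp ^ (c[*local2 & 3] + *local2);
}

void encode_block(uint32_t v[2], const uint32_t c[4])
{
    uint32_t sum = 0;
    for (unsigned i = 0; i < ENC_ROUNDS; i++) encoder_round(&v[0], &v[1], c, &sum, ENC_DELTA);
}

void decode_block(uint32_t v[2], const uint32_t c[4])
{
    uint32_t sum = ENC_ROUNDS * ENC_DELTA;   /* the sum the encoder ends with */
    for (unsigned i = 0; i < ENC_ROUNDS; i++) decoder_round(&v[0], &v[1], c, &sum, ENC_DELTA);
}

/* Round trip on a constructed key: 1 if encode changed the block and decode restored it. */
int roundtrip_ok(uint32_t a, uint32_t b)
{
    const uint32_t c[4] = {0x41424344u, 0x45464748u, 0x494a4b4cu, 0x4d4e4f50u};
    uint32_t v[2] = {a, b};
    encode_block(v, c);
    int changed = (v[0] != a || v[1] != b);
    decode_block(v, c);
    return changed && v[0] == a && v[1] == b;
}
```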

Page 12: All your binaries are belong to us

DEMO TIME!

Page 13: All your binaries are belong to us

ROGUE AUTH

```php
<?php
// Fake authentication server: answers the two states the client sends.
$state = $_GET["state"];
$name  = $_GET["name"];
$pass  = $_GET["pass"];

if ($state == "syn") {
    $session = md5(time());
    if (strpos($name, 'nullbyte') !== false) {
        print "ack|" . $session;
    } else {
        print "bad|Invalid username or password!";
    }
} elseif ($state == "synack") {
    $what1 = md5(time());
    $what2 = md5(time() + 1);
    print "good|" . $what1 . "|" . $what2 . "|ALL YOUR B1N4R13S ARE BELONG TO US!!!";
}
```

Page 14: All your binaries are belong to us

QUESTIONS?

Page 15: All your binaries are belong to us

THANK YOU!

Page 16: All your binaries are belong to us

BUT REMEMBER…

Page 17: All your binaries are belong to us

DON’T DO THIS AT HOME!!!