04 Reversing Tools

The document discusses different tools that are useful for reversing engineering including disassemblers, debuggers, and decompilers. It describes important features of disassemblers and debuggers and provides examples of specific tools. It also outlines different approaches to reversing including offline and live analysis.

Uploaded by Tobias Equiano

ITGY400 – Reverse Engineering and Malware Analysis
Topic – Reversing Tools

Reversing Tools

● Reversing is impossible without having the right tools.
● There are hundreds of different software tools available out there that can be used for reversing, some freeware and others costing thousands of dollars.
● Understanding the differences between these tools and choosing the right ones is critical.
● There are no all-in-one reversing tools available.
● This means that you need to create your own little toolkit that will include every type of tool that you might possibly need.

Different Reversing Approaches

● There are many different approaches for reversing, and choosing the right one depends on the target program, the platform on which it runs and on which it was developed, and what kind of information you’re looking to extract.
● There are two fundamental reversing methodologies:
– Offline analysis and
– Live analysis.

Offline Code Analysis

● Offline analysis of code means that you take a binary executable and use a disassembler or a decompiler to convert it into a human-readable form.
● Reversing is then performed by manually reading and analyzing parts of that output.
● Offline code analysis is a powerful approach because it provides a good outline of the program and makes it easy to search for specific functions that are of interest.
● The downside of offline code analysis is usually that a better understanding of the code is required, because you can’t see the data that the program deals with and how it flows.
● You must guess what type of data the code deals with and how it flows based on the code alone. Offline analysis is typically a more advanced approach to reversing.
● There are some cases (particularly cracking-related) where offline code analysis is not possible.
● This typically happens when programs are “packed,” so that the code is encrypted or compressed and is only unpacked at runtime.

Live Code Analysis

● Live analysis involves the same conversion of code into a human-readable form, but here you don’t just statically read the converted code; instead you run it in a debugger and observe its behavior on a live system.
● This provides far more information because you can observe the program’s internal data and how it affects the flow of the code.
● You can see what individual variables contain and what happens when the program reads or modifies that data.
● Live analysis is the better approach for beginners because it provides a lot more data to work with.

Disassemblers

● The disassembler is one of the most important reversing tools.
● A disassembler decodes binary machine code (which is just a stream of numbers) into readable assembly language text.
● Examples of disassemblers include:
– IDA Pro (Interactive Disassembler) by DataRescue (www.datarescue.com) is an extremely powerful disassembler that supports a variety of processor architectures. IDA also supports a variety of executable file formats, such as PE (Portable Executable, used in Windows), ELF (Executable and Linking Format, used in Linux), and even XBE, which is used on Microsoft’s Xbox.
– ILDasm is a disassembler for the Microsoft Intermediate Language (MSIL), which is the low-level, assembly-language-like language used in .NET programs. ILDasm is a fundamental tool for .NET reversing.
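
To make concrete what "decoding a stream of numbers into assembly text" means, here is an added example in Python; it is not part of the lecture slides and is not code from IDA Pro or ILDasm. It decodes a hand-assembled 32-bit x86 byte sequence (constructed for this example, with an assumed base address of 0x401000) into an instruction listing and then builds the branch and call cross-references that the slides later call essential. Only a handful of encodings with register-direct operands are handled; anything else is emitted as a `db` byte so the listing never silently loses sync with the code, which is the same defensive behaviour a real disassembler needs when it meets data mixed into code.

```python
import struct

# Constructed sample: a hand-assembled 32-bit x86 function (not taken from any
# real binary), loaded at an assumed base address of 0x401000.
SAMPLE_CODE = bytes([
    0x55,                           # push ebp
    0x89, 0xE5,                     # mov ebp, esp
    0x83, 0xEC, 0x10,               # sub esp, 0x10
    0x31, 0xC0,                     # xor eax, eax
    0xE8, 0x05, 0x00, 0x00, 0x00,   # call <next insn + 5>
    0x85, 0xC0,                     # test eax, eax
    0x74, 0x02,                     # je <next insn + 2>
    0xCC,                           # int3
    0x90,                           # nop
    0xC9,                           # leave
    0xC3,                           # ret
])
BASE = 0x401000

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ONE_BYTE = {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3"}
# "op r/m32, r32" opcodes decoded here (register-direct form only)
RM_R32 = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x39: "cmp", 0x85: "test", 0x89: "mov"}
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]   # 0x83 /digit, imm8
REL8 = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


def modrm(byte):
    """Split a ModR/M byte into its (mod, reg, rm) fields."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def disassemble(code, base=0):
    """Decode a byte string into (address, length, text) tuples.

    Only a small subset of x86-32 is handled; anything else (or a truncated
    instruction at the end of the buffer) is emitted as a one-byte 'db'."""
    listing, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op in ONE_BYTE:
            text, size = ONE_BYTE[op], 1
        elif 0x50 <= op <= 0x57:
            text, size = f"push {REGS32[op - 0x50]}", 1
        elif 0x58 <= op <= 0x5F:
            text, size = f"pop {REGS32[op - 0x58]}", 1
        elif op in RM_R32 and i + 1 < len(code) and modrm(code[i + 1])[0] == 3:
            _, reg, rm = modrm(code[i + 1])
            text, size = f"{RM_R32[op]} {REGS32[rm]}, {REGS32[reg]}", 2
        elif op == 0x83 and i + 2 < len(code) and modrm(code[i + 1])[0] == 3:
            _, reg, rm = modrm(code[i + 1])
            imm = struct.unpack("<b", code[i + 2:i + 3])[0]      # sign-extended imm8
            text, size = f"{GROUP1[reg]} {REGS32[rm]}, {imm:#x}", 3
        elif op == 0xE8 and i + 4 < len(code):
            rel = struct.unpack("<i", code[i + 1:i + 5])[0]      # displacement from next insn
            text, size = f"call {addr + 5 + rel:#x}", 5
        elif op in REL8 and i + 1 < len(code):
            rel = struct.unpack("<b", code[i + 1:i + 2])[0]
            text, size = f"{REL8[op]} {addr + 2 + rel:#x}", 2
        else:
            text, size = f"db {op:#04x}", 1
        listing.append((addr, size, text))
        i += size
    return listing


def code_xrefs(listing):
    """Map each branch/call target to the addresses that reference it: the
    cross-reference view that shows where a piece of code is reached from."""
    refs = {}
    for addr, _, text in listing:
        mnemonic, _, operand = text.partition(" ")
        if mnemonic == "call" or mnemonic.startswith("j"):
            refs.setdefault(int(operand, 16), []).append(addr)
    return refs


def format_listing(code, listing, base):
    """Render 'address  bytes  instruction' lines like a disassembler window."""
    return "\n".join(
        f"{addr:08x}  {code[addr - base:addr - base + size].hex(' '):<16} {text}"
        for addr, size, text in listing
    )


if __name__ == "__main__":
    listing = disassemble(SAMPLE_CODE, BASE)
    print(format_listing(SAMPLE_CODE, listing, BASE))
    for target, sources in sorted(code_xrefs(listing).items()):
        print(f"{target:#x} referenced from {', '.join(f'{s:#x}' for s in sources)}")
```

Branch targets are resolved relative to the address of the following instruction, which is why `call` adds 5 and the short jumps add 2 before applying the displacement; getting that wrong is the most common way a home-grown decoder produces plausible but incorrect cross-references.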

Debuggers

● Debuggers exist primarily to assist software developers with locating and correcting errors in their programs, but they can also be used as powerful reversing tools.
● The following are the key debugger features that are required for reversers.
– Powerful Disassembler feature - A powerful disassembler is a mandatory feature in a good reversing debugger, for obvious reasons. Being able to view the code clearly, with cross-references that reveal which branch goes where and where a certain instruction is called from, is critical.
– Software and Hardware Breakpoints - Breakpoints are a basic debugging feature, and no debugger can exist without them, but it’s important to be able to install both software and hardware breakpoints.
Software breakpoints are instructions added into the program’s code by the debugger at runtime. These instructions make the processor pause program execution and transfer control to the debugger when they are reached during execution.
Hardware breakpoints are a special CPU feature that allows the processor to pause execution when a certain memory address is accessed, and transfer control to the debugger.
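
The two breakpoint mechanisms just described can be shown side by side with a toy CPU and a minimal debugger, added here as an example in Python; this is not from the slides and is not any real debugger's code. The instruction set, opcode values and the five-instruction program are all constructed for the example. The software breakpoint works as the slide says: the debugger overwrites the first byte of the target instruction with a trap opcode (`BRK`, standing in for x86 `int3`), remembers the original byte, puts it back to execute the instruction when the trap fires, and then re-arms the trap. The hardware breakpoint never modifies code; the CPU reports each data access and the debugger stops when the watched address is touched.

```python
# Toy instruction set, constructed for this example (not a real CPU).
# Each instruction is an opcode byte optionally followed by one operand byte.
HALT, LOAD, STORE, ADDI, JMP, BRK = 0x00, 0x01, 0x02, 0x03, 0x04, 0xCC
LENGTH = {HALT: 1, LOAD: 2, STORE: 2, ADDI: 2, JMP: 2, BRK: 1}

# Constructed program: mem[1] = mem[0] + 5; mem[2] = mem[1]; halt.
PROGRAM = bytes([
    LOAD, 0x00,     # 0: acc = mem[0]
    ADDI, 0x05,     # 2: acc += 5
    STORE, 0x01,    # 4: mem[1] = acc
    LOAD, 0x01,     # 6: acc = mem[1]
    STORE, 0x02,    # 8: mem[2] = acc
    HALT,           # 10
])


class BreakTrap(Exception):
    """Raised by the CPU when it executes BRK; carries the trapping pc."""
    def __init__(self, pc):
        super().__init__(f"BRK at {pc}")
        self.pc = pc


class CPU:
    def __init__(self, code, mem_size=16):
        self.code = bytearray(code)       # writable, as software breakpoints require
        self.mem = bytearray(mem_size)
        self.pc, self.acc, self.halted = 0, 0, False

    def step(self, on_access=None):
        """Execute one instruction. on_access(kind, addr) is invoked for every
        data read/write; that hook is how hardware data breakpoints are modelled."""
        op = self.code[self.pc]
        if op == BRK:
            raise BreakTrap(self.pc)      # trap before pc advances, so the debugger sees the patched address
        if op == HALT:
            self.halted = True
        elif op == LOAD:
            addr = self.code[self.pc + 1]
            if on_access:
                on_access("read", addr)
            self.acc = self.mem[addr]
        elif op == STORE:
            addr = self.code[self.pc + 1]
            if on_access:
                on_access("write", addr)
            self.mem[addr] = self.acc
        elif op == ADDI:
            self.acc = (self.acc + self.code[self.pc + 1]) & 0xFF
        elif op == JMP:
            self.pc = self.code[self.pc + 1]
            return
        else:
            raise ValueError(f"illegal opcode {op:#x} at pc={self.pc}")
        self.pc += LENGTH[op]


class Debugger:
    def __init__(self, cpu):
        self.cpu = cpu
        self.sw_bps = {}       # code addr -> original opcode byte
        self.hw_bps = set()    # (access kind, data addr); code is never modified
        self.events = []

    def set_sw_breakpoint(self, addr):
        """Patch the instruction at addr with BRK, remembering the real opcode."""
        self.sw_bps[addr] = self.cpu.code[addr]
        self.cpu.code[addr] = BRK

    def set_hw_breakpoint(self, kind, addr):
        """Ask the CPU to stop on a data access; the code stays untouched."""
        self.hw_bps.add((kind, addr))

    def _on_access(self, kind, addr):
        if (kind, addr) in self.hw_bps:
            self.events.append(("hw", kind, addr, self.cpu.pc))

    def run(self, max_steps=100):
        cpu = self.cpu
        for _ in range(max_steps):
            if cpu.halted:
                break
            try:
                cpu.step(self._on_access)
            except BreakTrap as trap:
                pc = trap.pc
                if pc not in self.sw_bps:        # a BRK the program itself contained
                    self.events.append(("unexpected-brk", pc))
                    cpu.pc += 1
                    continue
                self.events.append(("sw", pc, cpu.acc))
                # Restore the original byte, execute it once, then re-arm the
                # breakpoint so it fires again if the code is reached later.
                cpu.code[pc] = self.sw_bps[pc]
                cpu.step(self._on_access)
                cpu.code[pc] = BRK
        return self.events


def run_demo():
    """Arm one software and one hardware breakpoint, run the program, and return
    the events seen, the resulting data memory, and whether the code bytes in
    memory still differ from the original program."""
    cpu = CPU(PROGRAM)
    cpu.mem[0] = 7                       # constructed input value
    dbg = Debugger(cpu)
    dbg.set_sw_breakpoint(4)             # stop just before "STORE 1"
    dbg.set_hw_breakpoint("write", 2)    # stop when mem[2] is written
    events = dbg.run()
    return events, bytes(cpu.mem[:3]), cpu.code != PROGRAM


if __name__ == "__main__":
    print(run_demo())
```

The last value `run_demo()` returns is the practical difference between the two: while a software breakpoint is armed, the code bytes in memory are not the program's original bytes, so a debugger must hide that patch from anything that reads the code (memory dumps, checksums, the disassembly view), whereas the hardware breakpoint leaves the code exactly as loaded.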
– View of Registers and Memory - A good reversing debugger must provide a good visualization of the important CPU registers and of system memory. It is also helpful to have a constantly updated view of the stack that includes both the debugger’s interpretation of what’s in it and a raw view of its contents.
– Process Information - It is very helpful to have detailed process information while debugging. There is an endless list of features that could fall into this category, but the most basic ones are a list of the currently loaded executable modules and the currently running threads, along with a stack dump and register dump for each thread.
● Debuggers can be divided into two types:
– user-mode debuggers and
– kernel-mode debuggers.
● User-mode debuggers are the more conventional debuggers that are typically used by software developers.
● As the name implies, user-mode debuggers run as normal applications, in user mode, and they can only be used for debugging regular user-mode applications.
● Kernel-mode debuggers are far more powerful. They allow unlimited control of the target system and provide a full view of everything happening on the system, regardless of whether it is happening inside application code or inside operating system code.
● Examples of user-mode debuggers that are well suited for reversing:
– OllyDbg - For reversers, OllyDbg, written by Oleh Yuschuk, is probably the best user-mode debugger out there (though the selection is admittedly quite small). The beauty of Olly is that it appears to have been designed from the ground up as a reversing tool, and as such it has a very powerful built-in disassembler.
– WinDbg - WinDbg is a free debugger provided by Microsoft as part of the Debugging Tools for Windows package (available free of charge at www.microsoft.com/whdc/devtools/debugging/default.mspx). While some of its features can be controlled from the GUI, WinDbg uses a somewhat inconvenient command-line interface as its primary user interface. WinDbg’s disassembler is quite limited, and has some annoying anomalies (such as the inability to scroll backward in the disassembly window).
– IDA Pro - Besides being a powerful disassembler, IDA Pro is also a capable user-mode debugger, which successfully combines IDA’s powerful disassembler with solid debugging capabilities.
– PEBrowse Professional Interactive - PEBrowse Professional Interactive is an enhanced version of the PEBrowse Professional PE dumping software that also includes a decent debugger. PEBrowse offers multiple informative views on the process, such as a detailed view of the currently active memory heaps and the allocated blocks within them.
● Examples of kernel-mode debuggers that are well suited for reversing:
– WinDbg - WinDbg is primarily a kernel-mode debugger. The way this works is that the same program used for user-mode debugging also has a kernel-debugging mode. Unlike the user-mode debugging functionality, WinDbg’s kernel-mode debugging is performed remotely, on a separate system from the one running the WinDbg GUI.
– NuMega SoftICE - SoftICE is probably the most popular reversing debugger out there. Originally, SoftICE was developed as a device-driver development tool for Windows, but it is used by quite a few reversers. The unique quality of SoftICE that really sets it apart from WinDbg is that it allows for local kernel debugging. You can theoretically have just one system and still perform kernel debugging.

Decompiler

● Decompilers are a reverser’s dream tool—they attempt to produce a high-level language source-code-like representation from a program binary.
● It is never possible to restore the original code in its exact form because the compilation process always removes some information from the program.
● The amount of information that is retained in a program’s binary executable depends on the high-level language, the low-level language to which the program is being translated by the compiler, and on the specific compiler used.
● For example, .NET programs written in one of the .NET-compatible programming languages and compiled to MSIL can typically be decompiled with decent results.
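
Why stack-machine code such as MSIL decompiles well, and what is still lost, can be shown with a small decompiler for an MSIL-style instruction set, added here as an example; it is not the slides' code and not any real .NET decompiler. It symbolically executes a constructed listing for a two-parameter method, treating every stack slot as an expression rather than a value, so that loads push operands, arithmetic combines them, and `stloc`/`ret` turn them into statements. Parameter names are assumed to be available (the .NET metadata tables carry them), while local-variable names and the exact types are assumed gone, which is why locals come back as `v0`, `v1`, ... and every type is guessed as `int`.

```python
BINOPS = {"add": "+", "sub": "-", "mul": "*", "div": "/"}

# Constructed MSIL-style listing of a method that originally read roughly
#   int Calc(int w, int h) { int t = (w + 1) * h; return t - 3; }
# The local's name "t" is not in the binary; parameter names are assumed to
# come from metadata. Operands: ldarg/ldloc/stloc take an index, ldc.i4 a
# constant, call a (name, argument count) pair.
SAMPLE_PARAMS = ["w", "h"]
SAMPLE_IL = [
    ("ldarg", 0), ("ldc.i4", 1), ("add", None),
    ("ldarg", 1), ("mul", None),
    ("stloc", 0),
    ("ldloc", 0), ("ldc.i4", 3), ("sub", None),
    ("ret", None),
]


def decompile(il, params):
    """Symbolically execute stack-machine IL and return source-like statements.

    Every stack slot holds an expression string instead of a value, so pushes
    build expressions and stloc/ret turn them into statements."""
    stack, stmts, locals_seen = [], [], set()
    for op, arg in il:
        if op == "ldarg":
            stack.append(params[arg])
        elif op == "ldc.i4":
            stack.append(str(arg))
        elif op == "ldloc":
            stack.append(f"v{arg}")
        elif op == "stloc":
            decl = "" if arg in locals_seen else "int "     # type is a guess: the binary lost it
            locals_seen.add(arg)
            stmts.append(f"{decl}v{arg} = {stack.pop()};")
        elif op in BINOPS:
            rhs, lhs = stack.pop(), stack.pop()             # right operand was pushed last
            stack.append(f"({lhs} {BINOPS[op]} {rhs})")
        elif op == "call":
            name, argc = arg
            args = [stack.pop() for _ in range(argc)][::-1]  # pop in reverse push order
            stack.append(f"{name}({', '.join(args)})")
        elif op == "ret":
            stmts.append(f"return {stack.pop()};" if stack else "return;")
        else:
            raise ValueError(f"unsupported opcode {op}")
    if stack:
        raise ValueError("stack not empty at end of method: unbalanced IL")
    return stmts


def render(name, params, stmts):
    """Wrap statements in a C#-like method header; types are assumed int."""
    sig = ", ".join(f"int {p}" for p in params)
    body = "\n".join(f"    {s}" for s in stmts)
    return f"int {name}({sig})\n{{\n{body}\n}}"


if __name__ == "__main__":
    print(render("Calc", SAMPLE_PARAMS, decompile(SAMPLE_IL, SAMPLE_PARAMS)))
```

The output is readable because a stack machine keeps operand structure explicit and .NET keeps names and signatures in metadata; the fully parenthesised expressions, the invented local names and the guessed types are exactly the information the slides say compilation removed. A native-code decompiler faces the same problems with far less metadata to lean on.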

System-Monitoring Tools

● System monitoring is an important part of the reversing process.
● System-monitoring tools are a general category of tools that observe the various channels of I/O that exist between applications and the operating system.
● These are tools such as file access monitors that display every file operation (such as file creation, reading or writing to a file, and so on) made from every application on the system.
● Examples of system monitoring tools
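
As an added example (not part of the slides, and not the code of any monitoring tool), the following Python script reconstructs the per-process file-operation view a file access monitor provides, using a constructed excerpt of Linux `strace -f -e trace=file` output in place of a Windows file monitor; the PIDs, paths and results in the sample are made up. Each traced syscall is classified as a create, read, write, delete or rename, and the summary also collects failed accesses, which are often the first thing an analyst looks for when a program probes files it is not entitled to.

```python
import re

# Constructed strace-style file-trace excerpt (the format "strace -f -e
# trace=file" prints); PIDs, paths and return values are made up.
SAMPLE_TRACE = """\
1207  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1207  openat(AT_FDCWD, "/home/user/.config/app.ini", O_RDONLY) = 4
1207  openat(AT_FDCWD, "/home/user/.config/app.ini", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
1207  unlink("/tmp/app.lock") = 0
1208  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
1208  rename("/tmp/notes.tmp", "/home/user/notes.txt") = 0
1208  getpid() = 1208
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)")
PATH_RE = re.compile(r'"([^"]*)"')
OPS = ("read", "write", "create", "delete", "rename", "other")


def classify(call, args):
    """Map a syscall and its argument text onto the operation categories a
    file access monitor displays."""
    if call in ("open", "openat"):
        if "O_CREAT" in args:
            return "create"
        if "O_WRONLY" in args or "O_RDWR" in args:
            return "write"
        return "read"
    return {"unlink": "delete", "unlinkat": "delete",
            "rename": "rename", "renameat": "rename"}.get(call, "other")


def parse_trace(text):
    """Turn trace lines into file-operation events; lines that carry no path
    operand (for example getpid) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        paths = PATH_RE.findall(m["args"])
        if not paths:
            continue
        path = " -> ".join(paths) if len(paths) > 1 else paths[0]   # rename: source -> destination
        events.append({"pid": int(m["pid"]), "call": m["call"],
                       "op": classify(m["call"], m["args"]),
                       "path": path, "ok": int(m["ret"]) >= 0})
    return events


def summarize(events):
    """Per-process operation counts plus the paths whose access failed, the
    two things an analyst reads first from a monitor's output."""
    summary = {}
    for e in events:
        per = summary.setdefault(e["pid"], {**{op: 0 for op in OPS}, "denied": []})
        per[e["op"]] += 1
        if not e["ok"]:
            per["denied"].append(e["path"])
    return summary


if __name__ == "__main__":
    for e in parse_trace(SAMPLE_TRACE):
        print(f"{e['pid']:>6}  {e['op']:<7} {'ok ' if e['ok'] else 'ERR'} {e['path']}")
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

The classification deliberately keys on the open flags rather than on the syscall name alone: the same `openat` on the same path appears twice in the sample, once as a read and once as a truncating create, and a monitor that merged those would hide exactly the behaviour (a config file being rewritten) that the reverser is looking for.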
