Week 2

The document provides an overview of reverse engineering, detailing its goals, techniques, and applications in software analysis. It covers static and dynamic techniques, including decompilation, disassembly, and debugging, as well as various business process modeling frameworks. Additionally, it highlights tools and methods used for analyzing software behavior and performance.

Uploaded by

siwer94587

Software Re-Engineering

Week 2: Reverse Engineering
Reverse Engineering

Reverse engineering is the process of analyzing a system (software, hardware, or both) to extract design and implementation information.

This is often done when source code or design documents are unavailable.

It can involve both static and dynamic techniques to achieve various goals like understanding, improving, or replicating a system.
Goals of Reverse Engineering

• Analyze security vulnerabilities.
• Recover lost or unavailable design documents.
• Enable system maintenance and modernization.
• Ensure interoperability and integration with other systems.

Techniques for Reverse Engineering

• Static Techniques
• Dynamic Techniques
• Hybrid Techniques
Static Techniques

Static Technique

The process of analyzing a program or system without executing it.

This involves examining the structure, code, or binary of the software to understand its design and functionality.
Static Analysis Techniques

• Decompilation
• Disassembly
• Model Extraction
• Binary Inspection
• Signature-based Analysis
Decompilation

It refers to converting binary code back into higher-level programming languages, like C++, Java or Python. While it's difficult to recover the exact original code, decompilers generate pseudocode that reconstructs the original logic, making it easier to understand.

Decompilation is particularly useful when you want to retrieve the logic or algorithms used in the program for modification, debugging, or analysis purposes. It is also valuable in identifying vulnerabilities or understanding malware behaviors.

• Ghidra: Ghidra features a built-in decompiler for reverse engineering various architectures.
• IDA Pro: It also includes an advanced decompiler that generates high-level pseudocode, making it easier to reverse engineer complex software.
Disassembly

Disassembly refers to converting machine code or bytecode into assembly code. It allows you to view the low-level instructions executed by the computer's CPU.

Disassembly is used to analyze how a binary works by identifying the functions, loops, and system calls made by the program. It's commonly used for malware analysis and vulnerability discovery.

• Ghidra: It includes a powerful disassembler that supports various processor architectures, and it provides a user-friendly interface to view code flow, make changes, and run scripts.
• IDA Pro: It can disassemble and analyze complex binaries. It has a built-in decompiler to convert machine code back into more human-readable C-like pseudocode.
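To make "reading an instruction listing" concrete, here is an added example that is not part of the slides and is not Ghidra or IDA Pro output: it disassembles Python bytecode with the standard-library dis module instead of native machine code, then walks the listing to recover the same kinds of facts the slide names, namely which globals (callees) are referenced, how many call sites there are, and where loops are (a jump to an earlier offset is a loop back-edge). The sample function is a constructed target; the set of call opcode names is an assumption that covers the names recent CPython versions use.

```python
import dis
import types


def disassemble(func: types.FunctionType) -> list[dis.Instruction]:
    """Return the bytecode instruction listing of a Python function (its 'assembly')."""
    return list(dis.get_instructions(func))


def summarize(func: types.FunctionType) -> dict:
    """Walk the listing and recover structural facts a reverse engineer looks for:
    referenced globals (potential callees), number of call sites, number of loops.

    Opcode names differ between CPython versions (CALL_FUNCTION before 3.11,
    CALL from 3.11 on), so the matching is deliberately permissive (assumption)."""
    call_opnames = {"CALL", "CALL_FUNCTION", "CALL_METHOD", "CALL_KW",
                    "CALL_FUNCTION_KW", "CALL_FUNCTION_EX"}
    globals_used = []
    call_count = 0
    loop_headers = set()
    for ins in disassemble(func):
        if ins.opname == "LOAD_GLOBAL":
            if ins.argval not in globals_used:
                globals_used.append(ins.argval)
        elif ins.opname in call_opnames:
            call_count += 1
        elif "JUMP" in ins.opname and isinstance(ins.argval, int) and ins.argval < ins.offset:
            # a jump whose target lies before the jump itself is a loop back-edge;
            # distinct targets == distinct loop headers
            loop_headers.add(ins.argval)
    return {"globals": globals_used, "calls": call_count, "loops": len(loop_headers)}


def sample(items):
    """Constructed target function: one loop, one conditional, two calls."""
    total = 0
    for item in items:
        if item > 10:
            total += len(str(item))
    return total


if __name__ == "__main__":
    dis.dis(sample)              # the raw listing, one instruction per line
    print(summarize(sample))     # {'globals': ['len', 'str'], 'calls': 2, 'loops': 1}
```

The listing printed by dis.dis is the bytecode analogue of what a native disassembler shows; summarize is the manual step an analyst performs on top of it, here automated for one function.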
Model Extraction

It refers to the process of converting low-level code, such as binaries or source code, into high-level representations like UML diagrams, flowcharts, or data flow diagrams.

This technique is used to represent a system's architecture or behavior visually, making it easier for developers or analysts to understand the overall structure of the software.

• Enterprise Architect: A comprehensive UML modeling tool that can reverse-engineer code into UML diagrams for various programming languages.
• Eclipse MoDisco: A tool which is often used to extract architectural models from existing systems and generate UML diagrams from source code.
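As an added example, not from the slides and not how Enterprise Architect or MoDisco work internally: a small model extractor that parses Python source with the standard ast module, builds a caller-to-callee graph, and emits it as Graphviz DOT, the text form of a call diagram. SAMPLE_SOURCE is a constructed code base; calls through self.method() are resolved within the enclosing class and bare names are taken as module-level functions, which is a simplifying assumption.

```python
import ast

# Constructed source for the demo; in practice this is read from the code base.
SAMPLE_SOURCE = '''
class OrderService:
    def place_order(self, order):
        self.validate(order)
        return self.persist(order)

    def validate(self, order):
        check_stock(order)

    def persist(self, order):
        return save(order)

def check_stock(order):
    return True

def save(order):
    return order
'''


def extract_call_graph(source: str) -> dict[str, set[str]]:
    """Build a caller -> callees map. Methods are named Class.method; a call
    `self.x(...)` is resolved to the enclosing class, a bare `f(...)` to a
    module-level function (assumption: no inheritance or aliasing)."""
    tree = ast.parse(source)
    graph = {}

    def visit_function(fn, owner):
        name = f"{owner}.{fn.name}" if owner else fn.name
        callees = set()
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            target = node.func
            if isinstance(target, ast.Name):
                callees.add(target.id)
            elif (owner and isinstance(target, ast.Attribute)
                  and isinstance(target.value, ast.Name)
                  and target.value.id == "self"):
                callees.add(f"{owner}.{target.attr}")
        graph[name] = callees

    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            visit_function(node, None)
        elif isinstance(node, ast.ClassDef):
            for item in node.body:
                if isinstance(item, ast.FunctionDef):
                    visit_function(item, node.name)
    return graph


def to_dot(graph: dict[str, set[str]]) -> str:
    """Render the graph as Graphviz DOT; `dot -Tpng` turns it into a diagram."""
    lines = ["digraph calls {"]
    for caller, callees in sorted(graph.items()):
        lines.append(f'  "{caller}";')
        for callee in sorted(callees):
            lines.append(f'  "{caller}" -> "{callee}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(extract_call_graph(SAMPLE_SOURCE)))
```

The same walk extended with class attributes and parameter types yields the data for a UML class diagram; the call graph is the smallest model that already shows a system's structure.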
Business Process Modeling Frameworks
• ArchiMate View
• It provides a uniform way to describe the construction and operation of business
processes, organizational structures, information flows, IT systems, and technical
infrastructures.
• Business Layer
• Focused on how an organization operates, encompassing its processes, people, and
products.
• Application Layer
• Describes the software systems and applications that support the business
processes.
• Technology Layer
• Focuses on the physical and technological infrastructure that supports the
application layer.
Business Process Modeling Frameworks
• Zachman Framework
• It provides a structured way of viewing and defining an enterprise. It was developed
by John Zachman in 1987 and is often referred to as a taxonomy for enterprise
architecture.
• The Framework is structured as a two-dimensional grid. It consists of six columns
representing different perspectives and six rows representing different aspects of an
enterprise.
Business Process Modeling Frameworks

Perspective / Aspect | What (Data) | How (Function) | Where (Network) | Who (People) | When (Time) | Why (Motivation)
---|---|---|---|---|---|---
Planner | Contextual Data | Contextual Function | Contextual Network | Contextual People | Contextual Time | Contextual Motivation
Owner | Business Data | Business Function | Business Network | Business People | Business Time | Business Motivation
Designer | System Data | System Function | System Network | System People | System Time | System Motivation
Builder | Technology Data | Technology Function | Technology Network | Technology People | Technology Time | Technology Motivation
Subcontractor | Component Data | Component Function | Component Network | Component People | Component Time | Component Motivation
Enterprise | Detailed Data | Detailed Function | Detailed Network | Detailed People | Detailed Time | Detailed Motivation
Business Process Modeling Frameworks
• TOGAF (The Open Group Architecture Framework)
• It is used by organizations to design, plan, implement, and govern enterprise architecture. It provides a
structured approach for designing, managing, and improving an organization’s information technology.
1. Preliminary Phase: Establishing the architecture framework.
2. Architecture Vision: Developing a high-level vision of the project.
3. Business Architecture: Designing the business process architecture.
4. Information Systems Architecture:
• Data Architecture: Structure of an organization’s data assets.
• Application Architecture: Software applications supporting business processes.
5. Technology Architecture: Infrastructure supporting the business processes.
6. Opportunities and Solutions: Identifying candidate solutions for implementation.
7. Migration Planning: Creating a roadmap for implementation.
8. Implementation Governance: Ensuring compliance with the architecture.
9. Architecture Change Management: Managing changes to the architecture.
Binary Inspection

It refers to the examination and analysis of a compiled program's binary code without executing it.

The binary file (e.g., .exe, .dll, or other compiled formats) is inspected to understand the underlying structure, functionality, and behavior of the software.

• Disassembly
• Decompilation
• Symbol Tables and Metadata
• Hexadecimal Representation
• Code Patterns
• String Analysis
• Control Flow Analysis
• Data Flow Analysis
• File Structure
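Added example, not from the slides: a minimal binary inspection pass in Python that covers four of the items above without a disassembler, namely magic-number identification (file structure), decoding the start of an ELF e_ident (metadata), printable string extraction (string analysis) and a hex dump (hexadecimal representation). SAMPLE_BINARY is a constructed byte string that merely begins like an ELF file and is not an executable; the ELF, MZ and ZIP magic numbers are real, everything else in it is constructed.

```python
# Constructed sample "binary": ELF-like identification bytes, padding, a few
# embedded strings. It is not a real executable.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9                # e_ident: magic, class, data, version
    + b"\x00" * 32                                      # padding standing in for headers
    + b"config.ini\x00"                                 # string at offset 48
    + b"\x01\x02\x03"                                   # non-printable run
    + b"http://update.example.invalid/check\x00"        # string at offset 62 (.invalid TLD)
    + b"ab\x00"                                         # too short to count as a string
)

# Well-known file signatures (real values); extend as needed.
MAGIC_NUMBERS = {
    b"\x7fELF": "ELF executable",
    b"MZ": "DOS/PE executable",
    b"PK\x03\x04": "ZIP archive",
}


def identify_format(data: bytes) -> str:
    """File structure: classify by leading magic bytes."""
    for magic, name in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def elf_identity(data: bytes):
    """Metadata: decode EI_CLASS, EI_DATA and EI_VERSION from an ELF e_ident."""
    if not data.startswith(b"\x7fELF") or len(data) < 16:
        return None
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(data[4], "invalid"),
        "endianness": {1: "little", 2: "big"}.get(data[5], "invalid"),
        "version": data[6],
    }


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """String analysis: (offset, text) for each run of >= min_len printable ASCII bytes."""
    found = []
    start = None
    for i, b in enumerate(data + b"\x00"):       # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def hexdump(data: bytes, width: int = 16) -> str:
    """Hexadecimal representation with an ASCII column, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(identify_format(SAMPLE_BINARY), elf_identity(SAMPLE_BINARY))
    for offset, text in extract_strings(SAMPLE_BINARY):
        print(f"{offset:#06x}: {text}")
    print(hexdump(SAMPLE_BINARY))
```

Strings and magic bytes are the cheapest inspection steps and already answer "what is this file and what does it talk to"; the hex dump is where an analyst verifies a suspicious offset by eye before reaching for a disassembler.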
Signature-based Analysis
• A method where specific known patterns or “signatures” in a
program's binary code are compared to a database of predefined
signatures.
• This technique is commonly used to detect known malware, identify
functions, or recognize particular code behaviors by looking for
matching byte sequences, API calls, or other distinct code
characteristics.
• YARA
• Antivirus Engines
• Ghidra
• IDA Pro
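Added example, not from the slides and not YARA itself: a small signature scanner that accepts YARA-style hex strings with ?? wildcards and a rule condition of all or any of the rule's strings, and reports where each string matched. The rules and the sample buffer are constructed for the demo.

```python
import re


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string such as '{ DE AD ?? ?? BE EF }' into a
    bytes regex. Only fixed bytes and the '??' wildcard are supported here."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a


# Constructed rules: named strings plus a condition over them.
RULES = {
    "constructed_family_a": {
        "strings": {"$hdr": "{ DE AD ?? ?? BE EF }", "$tag": "{ 13 37 C0 DE }"},
        "condition": "all",
    },
    "constructed_family_b": {
        "strings": {"$hdr": "{ DE AD ?? ?? BE EF }", "$other": "{ 99 99 99 }"},
        "condition": "any",
    },
    "constructed_family_c": {
        "strings": {"$x": "{ 99 99 99 }"},
        "condition": "any",
    },
}

# Constructed buffer: $hdr at offsets 16 and 30, $tag at offset 26.
SAMPLE = (b"\x00" * 16 + b"\xde\xad\x01\x02\xbe\xef" + b"junk"
          + b"\x13\x37\xc0\xde" + b"\xde\xad\xff\xff\xbe\xef")


def scan(data: bytes, rules: dict) -> dict:
    """Return {rule_name: {string_id: [offsets]}} for every rule whose condition holds."""
    hits = {}
    for name, rule in rules.items():
        matches = {}
        for sid, pat in rule["strings"].items():
            offsets = [m.start() for m in hex_pattern_to_regex(pat).finditer(data)]
            if offsets:
                matches[sid] = offsets
        want_all = rule["condition"] == "all"
        if (want_all and len(matches) == len(rule["strings"])) or (not want_all and matches):
            hits[name] = matches
    return hits


if __name__ == "__main__":
    for rule, matched in scan(SAMPLE, RULES).items():
        print(rule, matched)
```

A byte-sequence match is evidence, not identification: short or common sequences fire on benign files, which is why real rules combine several strings under a condition and why signature-based analysis is paired with the behavioral techniques covered under dynamic analysis.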
Dynamic Techniques
Dynamic Technique
• Dynamic analysis involves executing the software and monitoring its behavior in real time.
• This approach helps to understand how the software interacts with the operating system, hardware, network, and other components under actual working conditions.
Dynamic Analysis Techniques

• Tracing
• Profiling
• System Monitoring
• Debugging
• Binary Instrumentation
Tracing
• A technique that involves monitoring the execution flow of a program
to record its behavior during runtime.
• It focuses on capturing critical runtime information, such as system
calls, function invocations, memory access, and interactions between
different components of the software or system.
Profiling
• A technique used to measure the performance of a program while it runs.
• It helps to understand how much time the program spends on different
tasks, how much memory it uses, and how efficiently it uses system
resources like the CPU and network.
• A bottleneck is a part of the program that slows everything down.
• Profiling helps you find these bottlenecks by showing which parts of the program
take the longest to run or use the most resources.
• CPU Profiling
• Memory Profiling
• I/O Profiling
• Functional Level Profiling
System Monitoring
• Observing how a program interacts with the entire operating system
and external resources in real time.
• It’s mainly used to track external actions a program takes, such as
reading/writing files, making network connections, or using system
resources like memory and CPU.
• Tools
• Process Monitor
• Wireshark
• Sysdig
Tracing vs Profiling vs System Monitoring

Aspect | Tracing | Profiling | System Monitoring
---|---|---|---
Purpose | Captures detailed, step-by-step execution of code | Measures performance (e.g., CPU, memory usage) | Tracks overall system health and resource usage
Scope | Focuses on the sequence of events or function calls | Aggregates resource usage (CPU, memory, I/O) | Broad view covering system-wide metrics (CPU, memory, disk, network traffic)
Output | Logs of events/method calls with timestamps | Statistical performance data per function/thread | Dashboard of metrics, logs, graphs, alerts
Granularity | Function-level data, event-level data | Aggregated, high-level/low-level performance metrics | System-wide resource consumption and performance trends
Use Case | Debugging, tracking flow of execution, identifying bugs | Performance optimization, finding bottlenecks | System health monitoring, detecting abnormal behavior
Examples | Logs method calls in an application's lifecycle | Shows which methods consume the most CPU or memory | Alerts when CPU usage spikes or memory is nearly full
Focus | Specific functions or processes | Code-level resource usage | Entire system performance
Tools | Android Systrace, Event Tracing for Windows (ETW) | Android Studio Profiler, VisualVM | System Activity Monitor, Nagios, Prometheus
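Added example, not from the slides and not any of the tools named in the table, showing tracing and profiling side by side on one run in Python: trace_calls installs a sys.setprofile hook that logs timestamped call and return events (the tracing row of the table: an event log), and profile_from_trace collapses that log into per-function call counts and inclusive time (the profiling row: aggregated statistics), which exposes the deliberately slow slow_checksum as the bottleneck. The workload functions and SAMPLE_LINES are constructed.

```python
import sys
import time

MODULE_GLOBALS = globals()   # used to trace only functions defined in this module

# Constructed workload ---------------------------------------------------------
SAMPLE_LINES = [
    "web-01,1843,GET /index.html,200",
    "web-02,20991,GET /api/v1/items,200",
    "db-01,512,ping,0",
]


def parse_record(line):
    host, size = line.split(",")[:2]
    return {"host": host, "bytes": int(size)}


def slow_checksum(data):
    """Deliberately quadratic: the bottleneck the profile should expose."""
    total = 0
    for i in range(len(data)):
        for b in data[: i + 1]:
            total = (total + b) % 65521
    return total


def process(lines):
    out = []
    for line in lines:
        rec = parse_record(line)
        rec["checksum"] = slow_checksum(line.encode())
        out.append(rec)
    return out


# Tracing ----------------------------------------------------------------------
def trace_calls(func, *args):
    """Run func under a profile hook and return (result, event log).
    Each event is (timestamp, 'call' | 'return', function name); only
    Python-level functions defined in this module are recorded."""
    events = []

    def hook(frame, event, arg):
        if event in ("call", "return") and frame.f_globals is MODULE_GLOBALS:
            events.append((time.perf_counter(), event, frame.f_code.co_name))

    sys.setprofile(hook)
    try:
        result = func(*args)
    finally:
        sys.setprofile(None)
    return result, events


# Profiling --------------------------------------------------------------------
def profile_from_trace(events):
    """Collapse the event log into {name: {'calls': n, 'total': inclusive seconds}}."""
    stats = {}
    stack = []
    for ts, event, name in events:
        if event == "call":
            stack.append((name, ts))
        else:
            start_name, start_ts = stack.pop()
            assert start_name == name, "unbalanced call/return log"
            entry = stats.setdefault(name, {"calls": 0, "total": 0.0})
            entry["calls"] += 1
            entry["total"] += ts - start_ts
    return stats


if __name__ == "__main__":
    result, events = trace_calls(process, SAMPLE_LINES)
    for ts, event, name in events:                      # the trace: one line per event
        print(f"{ts:.6f} {event:6s} {name}")
    stats = profile_from_trace(events)                  # the profile: aggregated
    for name, s in sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True):
        print(f"{name:14s} calls={s['calls']} total={s['total'] * 1e6:.0f}us")
```

The same log drives both views: the trace answers "in what order did things happen", the profile answers "where did the time go". Inclusive time is used here, so process is always at the top; self time (inclusive minus children) is what cProfile's tottime column reports.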
Debugging

It involves running software in a controlled environment to step through its execution in real time, allowing you to observe its behavior, monitor the state of variables, registers, and memory, and identify the flow of execution.

It helps to understand how software operates, detect vulnerabilities, and uncover hidden functionalities or obfuscated code.

• Breakpoints
• Watchpoints
• Step Execution
• Call Stack Inspection
• Register and Memory Inspection
Debugging
• Breakpoints
• Think of a breakpoint as a stop sign in your code. When the program reaches
this point, it stops running.
• This allows you to pause the program, take a close look at what's happening.
• If you want to see what happens before a function executes, you set a
breakpoint there. When the program stops, you can inspect its current state.
• Watchpoints
• It is like a breakpoint, but instead of stopping at a specific part of the code, it
stops when a certain piece of data changes.
• If you're tracking when a variable gets modified, you can set a watchpoint and
the debugger will stop whenever that variable changes.
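Added example, not from the slides and not a gdb or pdb feature: a software watchpoint in Python. watch_variable runs a function under sys.settrace and records every change of a named local variable together with the line (relative to the def line) that changed it; compute_balance is a constructed target. A hardware watchpoint in a native debugger gives the same answer without the per-line overhead.

```python
import sys


# Constructed target: a function whose local `balance` we want to watch.
def compute_balance(transactions):
    balance = 0                                   # line offset 1
    for amount in transactions:                   # line offset 2
        if amount < 0 and balance + amount < 0:   # line offset 3
            continue                              # line offset 4: overdraft rejected
        balance += amount                         # line offset 5
    return balance                                # line offset 6


def watch_variable(func, var_name, *args):
    """Run func(*args) with a watchpoint on local `var_name`.
    Returns (result, changes) where changes is a list of
    (line offset relative to the def line, new value), one per change."""
    changes = []
    unset = object()
    last_value = unset
    last_line = None

    def local_tracer(frame, event, arg):
        nonlocal last_value, last_line
        if event in ("line", "return"):
            # a 'line' event fires before the line runs, so any change seen now
            # was made by the previously executed line (last_line)
            if var_name in frame.f_locals:
                current = frame.f_locals[var_name]
                if last_value is unset or current != last_value:
                    changes.append((last_line - func.__code__.co_firstlineno, current))
                    last_value = current
            last_line = frame.f_lineno
        return local_tracer

    def global_tracer(frame, event, arg):
        # follow only the watched function's own frame; do not descend into callees
        return local_tracer if frame.f_code is func.__code__ else None

    sys.settrace(global_tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(None)
    return result, changes


if __name__ == "__main__":
    result, changes = watch_variable(compute_balance, "balance", [50, -20, -100, 10])
    print("result:", result)
    for line_offset, value in changes:
        print(f"balance changed on line def+{line_offset}: {value}")
```

The change log shows balance set to 0 on the first line and then modified only by the += on line offset 5, while the rejected -100 transaction leaves no entry: exactly the question a watchpoint answers ("who wrote this variable, and when") without stepping through every iteration by hand.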
Debugging
• Step Execution
• Lets you move through the program one step at a time. There are different
ways to do this:
• Step into: Go inside a function and see what happens inside.
• Step over: Skip over the function but let it run normally.
• Step out: Leave the current function and return to where it was called.
• It helps you understand what each part of the code does by slowly
executing one line at a time.
• If a bug happens inside a function, you can “Step into" that function
to see exactly what goes wrong.
Debugging
• Call Stack Inspection
• A history of all the functions that the program has called to reach the current
point.
• Shows the path the program has taken, which helps you understand the
sequence of function calls.
• If an error happens deep in the program, the call stack can show you which
functions were called and in what order.
• Register and Memory Inspection
• Registers are small, fast storage locations in the CPU.
• Memory is where the program stores data while it runs.
• By inspecting memory and registers, you can see what data the program is
handling and how it's being manipulated.
Binary Instrumentation
• A technique that allows you to modify a program's binary code while
it is running.
• This helps in observing the program's behavior, analyzing how it works,
and identifying vulnerabilities or bugs without having the original source
code.
• Tools
• Intel PIN
• DynamoRIO
• Valgrind
Questions?
