DISHA NIRDESHAN

Enlightens your career

Saturday, December 29, 2012

Reverse Engineering Presentation

ABSTRACT

Today the software market is covered by an incredible number of protected applications that don't let you use all of a program's features unless you are a registered user. Reverse engineering is simply the art of removing protection from programs, also known as "cracking".
In other words, cracking has been described as follows: "When you create a program you engineer it; in fact you build the executable from the source code. Reverse engineering is simply the art of generating source code from an executable. Reverse engineering is used to understand how a program does an action, to bypass protection, etc. Usually it's not necessary to disassemble all the code of the application; only the part of the application that we are interested in must be reversed. Reverse engineering is used by a cracker to understand the protection scheme and to break it, so it's a very important thing in the whole world of cracking."
In short: "Reverse engineering refers to a way to modify a program such that it behaves the way a reverse engineer wishes." "Cracking is a method of making a software program function other than it was originally intended by means of investigating the code and, if necessary, patching it."

INTRODUCTION

Reverse engineering (RE) is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation. It often involves taking something (e.g., a mechanical device, electronic component, or software program) apart and analyzing its workings in detail to be used in maintenance, or to try to make a new device or program that does the same thing without utilizing any physical part of the original.
Reverse engineering has its origins in the analysis of hardware for commercial or military advantage [1]. The purpose is to deduce design decisions from end products with little or no additional knowledge about the procedures involved in the original production. The same techniques are currently being researched for application to legacy software systems, not for industrial or defence ends, but rather to replace incorrect, incomplete, or otherwise unavailable documentation.
Reverse engineering most probably started with DOS-based computer games. The aim was for a player to have full life and full weapons in the final stage of the game. What a reverse engineer did was simply find the memory locations where the life and the number of weapons were stored and then modify those values, using memory-cheating tools such as game hack, etc., so that they had full life and weapons in the last stage of the game. But in today's world, with the advent of the shareware concept, more and more software authors release shareware versions, and with this reverse engineering has become more tedious, more complex and trickier.
Today, to protect their software, programmers use various kinds of techniques; some of them are old, poor, repetitive techniques, but some are new. We will discuss them in the next section.
Reverse Engineering (RE) is the decompilation of any application, regardless of the programming language that was used to create it, so that one can acquire its source code or any part of it.
The reverse engineer can re-use this code in his own programs or modify an existing (already compiled) program to perform in other ways. He can use the knowledge gained from RE to correct errors in application programs, also known as bugs. But most important is that one can get extremely useful ideas by observing how other programmers work and think, and thus improve his own skills and knowledge.

Reasons for reverse engineering:
- Lost documentation: Reverse engineering is often done because the documentation of a particular device has been lost (or was never written), and the person who built it is no longer available. Integrated circuits often seem to have been designed on obsolete, proprietary systems, which means that the only way to incorporate the functionality into new technology is to reverse-engineer the existing chip and then re-design it.
- Product analysis: To examine how a product works, what components it consists of, estimate costs, and identify potential patent infringement.
- Digital update/correction: To update the digital version (e.g. a CAD model) of an object to match an "as-built" condition.
- Security auditing.
- Military or commercial espionage: Learning about an enemy's or competitor's latest research by stealing or capturing a prototype and dismantling it.
- Removal of copy protection, circumvention of access restrictions.
- Creation of unlicensed/unapproved duplicates.
- Academic/learning purposes.
- Curiosity.
- Competitive technical intelligence (understand what your competitor is actually doing versus what they say they are doing).
- Learning: learn from others' mistakes. Do not make the same mistakes that others have already made and subsequently corrected.

Reverse engineering in mechanics:
As computer-aided design (CAD) has become more popular, reverse engineering has become a viable method to create a 3D virtual model of an existing physical part for use in 3D CAD, CAM, CAE or other software. The reverse-engineering process involves measuring an object and then reconstructing it as a 3D model. The physical object can be measured using 3D scanning technologies like CMMs, laser scanners, structured light digitizers or computed tomography. The measured data alone, usually represented as a point cloud, lacks topological information and is therefore often processed and modeled into a more usable format such as a triangular-faced mesh, a set of NURBS surfaces or a CAD model. Reverse engineering is also used by businesses to bring existing physical geometry into digital product development environments, to make a digital 3D record of their own products or to assess competitors' products. It is used to analyze, for instance, how a product works, what it does, and what components it consists of, estimate costs, and identify potential patent infringement, etc.
Value engineering is a related activity also used by businesses. It involves de-constructing and analyzing products, but the objective is to find opportunities for cost cutting.

Reverse engineering of software:
The term reverse engineering as applied to software means different things to different people, prompting Chikofsky and Cross to write a paper researching the various uses and defining a taxonomy. From their paper, they state, "Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction."[4] It can also be seen as "going backwards through the development cycle".[5] In this model, the output of the implementation phase (in source code form) is reverse-engineered back to the analysis phase, in an inversion of the traditional waterfall model. Reverse engineering is a process of examination only: the software system under consideration is not modified (which would make it re-engineering). Software anti-tamper technology is used to deter both reverse engineering and re-engineering of proprietary software and software-powered systems. In practice, two main types of reverse engineering emerge. In the first case, source code is already available for the software, but higher-level aspects of the program, perhaps poorly documented or documented but no longer valid, are discovered. In the second case, there is no source code available for the software, and any efforts towards discovering one possible source code for the software are regarded as reverse engineering. This second usage of the term is the one most people are familiar with. Reverse engineering of software can make use of the clean room design technique to avoid copyright infringement.
On a related note, black box testing in software engineering has a lot in common with reverse engineering. The tester usually has the API, but their goals are to find bugs and undocumented features by bashing the product from outside.
Other purposes of reverse engineering include security auditing, removal of copy protection ("cracking"), circumvention of access restrictions often present in consumer electronics, customization of embedded systems (such as engine management systems), in-house repairs or retrofits, enabling of additional features on low-cost "crippled" hardware (such as some graphics card chip-sets), or even mere satisfaction of curiosity.
The Certified Reverse Engineering Analyst (CREA) is a certification provided by the IACRB that certifies candidates are proficient in reverse engineering software.

Binary software

This process is sometimes termed Reverse Code Engineering, or RCE. As an example, decompilation of binaries for the Java platform can be accomplished using Jad. One famous case of reverse engineering was the first non-IBM implementation of the PC BIOS which launched the historic IBM PC compatible industry that has been the overwhelmingly dominant computer hardware platform for many years. An example of a group that reverse-engineers software for enjoyment is CORE which stands for "Challenge Of Reverse Engineering". Reverse engineering of software is protected in the U.S. by the fair use exception in copyright law.[7] The Samba software, which allows systems that are not running Microsoft Windows systems to share files with systems that are, is a classic example of software reverse engineering[8], since the Samba project had to reverse-engineer unpublished information about how Windows file sharing worked, so that non-Windows computers could emulate it. The Wine project does the same thing for the Windows API, and OpenOffice.org is one party doing this for the Office file formats. The ReactOS project is even more ambitious in its goals, as it strives to provide binary (ABI and API) compatibility with the current Windows OSes of the NT branch, allowing software and drivers written for Windows to run on a clean-room reverse-engineered GPL open-source counterpart.

Binary software techniques

Reverse engineering of software can be accomplished by various methods. The three main groups of software reverse engineering are:
1.     Analysis through observation of information exchange, most prevalent in protocol reverse engineering, which involves using bus analyzers and packet sniffers, for example, for accessing a computer bus or computer network connection and revealing the traffic data thereon. Bus or network behaviour can then be analyzed to produce a stand-alone implementation that mimics that behaviour. This is especially useful for reverse engineering device drivers. Sometimes, reverse engineering on embedded systems is greatly assisted by tools deliberately introduced by the manufacturer, such as JTAG ports or other debugging means. In Microsoft Windows, low-level debuggers such as SoftICE are popular.
2.     Disassembly using a disassembler, meaning the raw machine language of the program is read and understood in its own terms, only with the aid of machine-language mnemonics. This works on any computer program but can take quite some time, especially for someone not used to machine code. The Interactive Disassembler is a particularly popular tool.
3.     Decompilation using a decompiler, a process that tries, with varying results, to recreate the source code in some high-level language for a program only available in machine code or byte code.

Reverse engineering in integrated circuits/smartcards:
Reverse engineering is an invasive and destructive form of analyzing a smart card. The attacker grinds away layer by layer of the smart card and takes pictures with an electron microscope. With this technique, it is possible to reveal the complete hardware and software part of the smart card. The major problem for the attacker is to bring everything into the right order to find out how everything works. Engineers try to hide keys and operations by mixing up memory positions, for example by bus scrambling. In some cases, it is even possible to attach a probe to measure voltages while the smart card is still operational. Engineers employ sensors to detect and prevent this attack. [11] It takes very high effort to break a smart card used for payment, and the technical equipment is only available to large chip producers. Additionally, the gain is low because of other security mechanisms like shadow accounts.

Reverse engineering for military applications:
Reverse engineering is often used by militaries in order to copy other nations' technologies, devices or information that have been obtained by regular troops in the field or by intelligence operations. It was often used during the Second World War and the Cold War. Well-known examples from WWII and later include:
- Jerry can: British and American forces noticed that the Germans had gasoline cans with an excellent design. They reverse-engineered copies of those cans. The cans were popularly known as "Jerry cans".
- Tupolev Tu-4: Three American B-29 bombers on missions over Japan were forced to land in the USSR. The Soviets, who did not have a similar strategic bomber, decided to copy the B-29. Within a few years, they had developed the Tu-4, a near-perfect copy.
- V2 Rocket: Technical documents for the V2 and related technologies were captured by the Western Allies at the end of the war. Soviet and captured German engineers had to reproduce technical documents and plans, working from captured hardware, in order to make their clone of the rocket, the R-1, which began the postwar Soviet rocket program that led to the R-7 and the beginning of the space race.
- K-13/R-3S missile (NATO reporting name AA-2 'Atoll'): a Soviet reverse-engineered copy of the AIM-9 Sidewinder, made possible after a Taiwanese AIM-9B hit a Chinese MiG-17 without exploding; amazingly, the missile became lodged within the airframe, and the pilot returned to base with what Russian scientists would describe as a university course in missile development.
- BGM-71 TOW Missile: In May 1975, negotiations between Iran and Hughes Missile Systems on co-production of the TOW and Maverick missiles stalled over disagreements in the pricing structure, and the subsequent 1979 revolution ended all plans for such co-production. Iran was later successful in reverse-engineering the missile and is currently producing its own copy: the Toophan.
- China has reverse-engineered many examples of Western and Russian hardware, from fighter aircraft to missiles and HMMWV vehicles.

Here are just a few reasons why RE exists nowadays and why its usage is increasing each year:
- Personal education.
- Understand and work around (or fix) limitations and defects in tools.
- Understand and work around (or fix) defects in third-party products.
- Make a product compatible with (able to work with) another product.
- Make a product compatible with (able to share data with) another product.
- Learn the principles that guided a competitor's design.
- Determine whether another company stole and reused some of your source code.
- Determine whether a product is capable of living up to its advertised claims.
Not all actions performed can be considered "legal". Hence, extreme caution must be taken not to violate any copyright laws or other treaties. Usually each product comes with a copyright notice or license agreement.

Typical Examples

What comes to mind when we hear RE is cracking. Cracking is as old as programs themselves. To crack a program means to trace and use a serial number or any other sort of registration information required for the proper operation of a program. Therefore, if a shareware program (freely distributed, but with some inconveniences, like crippled functions, nag screens or limited capabilities) requires valid registration information, a reverse engineer can provide that information by decompiling a particular part of the program.
Many times in the past, software corporations have accused others of performing RE on their products and stealing technology and knowledge. RE is not limited to computer applications; the same happens with cars, weapons, hi-fi components, etc. All major software developers have knowledge of RE and try to find programmers who are familiar with the concepts that will be taught during this class. Reverse engineers are well paid; sometimes their salaries are double or even more, depending on the skills they have.
1.3.1 Hacking
Hackers are able to penetrate public or private servers and modify some of their parameters. This may sound exotic and rather difficult, but it is basically based on REing the operating system and looking for vulnerabilities.
Consider a server located at the web address http://www.hackme.com/. When we log on to this server with ftp, telnet, http, or whatever else this server permits for its users, we can easily find out what operating system is running on it. Then we reverse engineer the security modules of this operating system and look for exploits. An example concerns Windows servers. A hacker reversed the run32.dll module and discovered that the variable which determines the number of open Command Prompts is a byte (it can vary from 0 to 255). Therefore, if he could open 257 command prompt windows, he would crash the system! This vulnerability was cured a long time ago. Cures come in the form of "patches" or brand new releases. Each time a patch is created, old vulnerabilities vanish and new ones appear. As long as someone can find and exploit system flaws like this, there will always be hacking.
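The byte-sized counter flaw described above, modelled as an added example written for this page (not the real Windows component; prompt_table_t, open_prompt_vulnerable and open_prompt_hardened are hypothetical names). It shows how an 8-bit count silently wraps after 255 opens so the bookkeeping no longer matches reality, and how a simple bound check turns that into a clean, detectable failure:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the flaw in the text: the number of open prompts
 * is tracked in a single byte. Illustrative code only, not Windows code. */
typedef struct {
    uint8_t count;          /* deliberately 8 bits wide: holds 0..255 only */
} prompt_table_t;

/* Vulnerable variant: no bound check. The 256th open wraps count to 0,
 * so the table claims to be empty while 256 prompts are really open. */
bool open_prompt_vulnerable(prompt_table_t *t)
{
    t->count++;             /* uint8_t arithmetic wraps modulo 256 */
    return true;            /* always reports success */
}

/* Hardened variant: refuse the open when the counter is saturated, so the
 * caller sees a clean failure instead of corrupted bookkeeping. */
bool open_prompt_hardened(prompt_table_t *t)
{
    if (t->count == UINT8_MAX) {
        return false;       /* limit reached; state is left untouched */
    }
    t->count++;
    return true;
}

/* Closing guards the other direction: never decrement below zero. */
bool close_prompt(prompt_table_t *t)
{
    if (t->count == 0) {
        return false;
    }
    t->count--;
    return true;
}

/* Try to open n prompts with the given opener; returns how many succeeded.
 * Comparing that figure with t->count afterwards exposes the wrap. */
int open_many(prompt_table_t *t, int n, bool (*opener)(prompt_table_t *))
{
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (opener(t)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    prompt_table_t v = { 0 }, h = { 0 };
    int opened_v = open_many(&v, 257, open_prompt_vulnerable);
    int opened_h = open_many(&h, 257, open_prompt_hardened);

    /* Vulnerable: 257 opens accepted, but the byte now reads 1. */
    printf("vulnerable: opened %d, counter says %u\n", opened_v, (unsigned)v.count);
    /* Hardened: only 255 accepted, and the counter agrees with reality. */
    printf("hardened:   opened %d, counter says %u\n", opened_h, (unsigned)h.count);
    return 0;
}
```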
1.3.2 Hiding Information from Public
Companies are hiding a lot of things: their mistakes, security vulnerabilities, privacy violations and trade secrets. Usually, if someone finds out how a product works by reverse engineering, the product will be less valuable. Companies think they have everything to lose with reverse engineering. This may be true, but the rest of the world has much to gain.
Take for example the CueCat barcode scanner from Digital Convergence, which Radio Shack, Forbes and Wired Magazine have been giving away. It scans small bar codes found in magazines and catalogs into your computer, then sends you to a Web site, which gives you more information. Linux programmers, ever eager to get a new device to work with the Linux operating system, took the thing apart.
They reverse engineered the encoding the device used and found out how it worked. This allowed them to write their own applications for the device. One of the better applications was one that allowed you to create a card catalog for your home library. By scanning in the ISBN barcodes on the back of your books the application is able to download information from Amazon.com and build a database. So here we have someone building something new by stitching together the CueCat, Linux and Amazon.
Digital Convergence didn't like this at all. It wanted to be in control of the Web site you went to when you swiped a barcode. The company didn't like the fact that other people could write software for the device it was giving away and that they didn't make any money from that. It also didn't like the fact that, in the process of reverse engineering the CueCat, programmers discovered that every one of them has a unique serial number. These programmers later found out and publicized that this serial number is tied into the customer information you give when you register your CueCat on the Digital Convergence Web site. The end result is Digital Convergence can record every barcode swipe you make along with your customer information.
Reverse engineering allowed people to truly understand what the product was doing. This wasn't at all clear from the information that Digital Convergence originally gave out. Many of the privacy risks we face today, such as the unique computer identification numbers in Microsoft Office documents, the sneaky collection of data by Real Jukebox, or the use of Web bugs and cookies to track users, were only discovered by opening up the hood and seeing how things really work. Companies do not publish this kind of information publicly.
Sometimes they even disavow that they meant to design and build their products to work the way they end up working. People engaged in reverse engineering are a check on the ability of companies to invade our privacy without our knowledge. By going public with the information they uncover, they are able to force companies to change what they are doing lest they face a consumer backlash.
Uncovering security vulnerabilities is another domain where reverse engineers are sorely needed. Whether by poor design, bad implementation, or inadequate testing, products ship with vulnerabilities that need to be corrected. No one wants bad security, except maybe criminals, but many companies are not willing to put in the time and energy required to ship products free of even well-known classes of problems. They use weak cryptography, they don't check for buffer overflows, and they use things like cookies insecurely. Reverse engineers who publicly release information about flaws force companies to fix them and alert their customers in a timely manner.
The only way the public finds out about most privacy or security problems is from the free public disclosures of individuals and organizations. There are privacy watchdog groups and security information clearinghouses, but without the reverse engineers who actually do the research we would never know where the problems are. There are some trends in the computer industry now that could eliminate the benefits reverse engineering has to offer. The Digital Millennium Copyright Act (DMCA) was used by the Motion Picture Association of America (MPAA) to successfully stop 2600 Magazine from publishing information about the flawed DVD content protection scheme. The information about the scheme, which a programmer uncovered by reverse engineering, was now contraband. It was illegal under the DMCA. Think about that. There are now black boxes, whether in hardware or software, that are illegal to peek inside. You can pay for one and use it, but you are not allowed to open up the hood. You cannot look to see if the box violates your privacy or has a security vulnerability that puts you at risk.
Companies that make hardware and software products love this property and are going to build their products so that they fall under the protection of the DMCA. CueCat did this when they built their product. They added a trivial encoding scheme, which they call encryption, so that their bar code scanner was protected against reverse engineering by the DMCA. We can expect to see many more companies do this.
1.3.3 Cell Phones
Cell phones run software. Their menus, functionality, problems and features are all the result of the software, which is usually stored in memory modules. Since we are dealing with software programs, we can perform RE on them and look for undocumented features and/or problems.
Take for example the NOKIA 5210 cell phone. The manufacturer claims that the security code is unbreakable: once set, only a hard reset can unlock the phone. Wrong! In any locked cell phone type "*3001#12345#". A secret menu will pop up and display, among all the other interesting stuff, your security code. This is what customer service uses to retrieve your lost security code.
Cool! But how could someone discover this secret sequence of numbers? It would take a practically infinite number of random attempts to find something like this. Simple: dump the software to computer disks (dumping is a commonly used procedure; see arcade coin-ops and emulators). Then RE the software and you'll find plenty of "secret" codes.
1.3.4 Computer Applications
Consider the game MineSweeper; it has shipped with every Windows version, from 3.0 to Windows ME and Windows XP (the newest upcoming version, formerly known as Whistler). So, it's been over 10 years now that people have been playing MineSweeper. It's a really simple game with not much functionality (and literally no bugs). We all know that to play the game, we go to Programs, then Accessories, then Games and click on MineSweeper (that's where it usually resides, if it has been installed). What most people don't know, or if they do, they don't really care about, is that MineSweeper consists of two program files (leaving aside the help files). These two files are in the Windows installation directory (usually named \Windows or \Winnt) and are "Winmine.exe" and "Winmine.ini". We know that the .exe file is the executable (or main program) and the .ini file holds the settings. Let's take a close look at the .ini file.
It looks like this:
[Minesweeper]
Difficulty=1
Height=16
Width=16
Mines=40
Mark=1
Color=1
Xpos=80
Ypos=76
Time1=999
Time2=999
Time3=999
Name1=Anonymous
Name2=Anonymous
Name3=Anonymous
We do understand most of the fields and we can guess about the rest. Now let's add some lines:
Menu=1
Sound=3
The line Menu=1 will cause Minesweeper's menu to disappear. The other line will force the game to play a little song when you win (the number 3 varies; experiment with higher numbers). Also, there is another setting named "Tick", but I haven't discovered what it does yet ☺.
So, why is that? Why these undocumented functions? Here are a few reasons:
- These functions are buggy. If we can't correct a bug, let's force it out of our program.
- Documentation. For everything you create, however simple it may be, you MUST document it. That may be more difficult than creating the program itself and more time consuming. Now, try to explain why you can remove the menus from Minesweeper.
- User interface. You should add an option under a configuration menu that says "hide menus" and then implement a way to reveal them in case we need them again, and blah blah blah… Time consuming, needs programming, we can't afford it!
- Useless. Yes, it may be useless and pointless. So hide it. It might take more time to remove it from the actual program, so just make sure that the user won't be able to access this feature.
- Marketing. For marketing purposes, we want to maintain the simplicity of our programs.
And all these tricks come from a simple and innocent program. Can you imagine what is hidden in the whole operating system?
1.4 Requirements
Although it may sound difficult in the beginning, RE is actually simple, and much simpler than creating a program. When one is programming, he has to invent, think and create. On the other hand, when decompiling a program, the engineer is just reading the programmer's thoughts and trying to make sense out of them.
No programming experience is required. However, if programming experience exists, it will significantly help students to gain a better understanding of the subject. What is necessary for the needs of this class is a general knowledge of any Windows operating system (from version 3.0 to Windows 2000; it really does not matter). Also, an Internet connection and an email account will prove valuable, since a great deal of teaching material will be distributed via the Internet.
1.5 Scope
Our major goal will be the ability to RE any computer application and to be able to partially understand what happens in a program. Everyone should be able to perform RE techniques and achieve certain simple tasks. In particular we will focus on:
- The ins and outs of a computer
- How the OS (Operating System) works
- Analyzing an executable file
- Assembly and disassembling
- Commercial and freeware tools for RE
- Advanced techniques for RE

1.6 Ethics
Most commercial programs (if not all) are protected by copyright laws that prevent unauthorized usage, duplication or reproduction of the packages (including hard copies). This does NOT apply to reverse engineering the compiled code of these programs. In other words, one cannot possibly prevent users from reversing his program, since there is no "regular" or "consistent" way to reverse a program. For example, if one wants to make a copy of a program, all he has to do is follow the instructions provided (officially) in his operating system's user manual, in the section titled "Copying files". Also, he can use a program without paying for it in whole. Consider the case where you buy a program and install it on your PC, on your friends' PCs and on your work PC. The license is usually for a sole installation and not for multiple ones (although you can of course buy additional licenses). This is highly illegal! But there are no manuals around that can tell you how to reverse engineer a program. The reason is that something generic is impossible. There are no recipes to RE a program (as we'll realize in the next few lectures). One could claim that the number of techniques required to reverse all existing programs is equal to the number of programs you have! To better determine the ethics behind REing copyrighted programs, we can consider the following: for what purpose do we want to RE a program? If our goal is to obtain knowledge by monitoring the behavior and the routines that make a program run, then it's absolutely right. Sometimes we might want to correct an annoying feature of a program or a bug. That's also acceptable. We should refrain from using these techniques for direct violation of the copyright laws,
