SlideShare a Scribd company logo

Reverse engineering – debugging fundamentals

Eran Goldstein, profile picture
Eran Goldstein

This document discusses debugging fundamentals and provides an overview of different debuggers. It summarizes how debuggers like Immunity Debugger, WinDbg, and OllyDbg work to test and troubleshoot target programs. The document also introduces security fuzzers and describes how they work with debuggers to detect vulnerabilities by providing unexpected input data to programs and monitoring for exceptions or memory leaks. An example is provided of using the Immunity Debugger and Infigo FTPStress Fuzzer to analyze and attempt to crash an FTP server.

Technology
Related topics:
Reverse Engineering
1 of 6
Downloaded 17 times
1
2
3
4
5
6
Reverse Engineering – Debugging Fundamentals The debugger concept and purpose is to test and troubleshoot another written program. Whether the debugger is a simple script, tool or a more complex computer program the idea is to utilize it in order see and verify the functionality of the “target” program / application in such a form that one can see and understand via the debugger what is happening while the “target” program / application runs and especially when it stops. The “target” program’s / application’s code that is examined (by the debugger) might al-ternatively be running on an Instruction Set Simulator (ISS). The ISS is a certain form of tech-nique that gives the ability to halt when specific conditions are encountered but which will typically be somewhat slower than executing the code di-rectly on the appropriate (or the same) processor. When the “target” program / application reach-es a running condition or when the program can-not normally continue due to a programming bug (what is commonly known as a “crash”) the debug-ger typically shows the location in the original code whether it is a source-level debugger (which gives the line or expression within the source code that resulted from the debugger’s actions.) or symbolic debugger (which displays procedure and variable names that are stored in the debugger). The Various Debuggers There are many debuggers available for the pur-pose in question, among the more common names are; WinDbg, Valgrind, LLDB Debugger, GNU De-bugger (GDB), Immunity Debugger, OllyDbg and many more. As the list is quite long and this ar-ticle’s purpose is to focus on the fundamentals of the debugger concept we’ll put an emphasis on three debugger types this time: The immunity De-bugger, WinDbg and OllyDbg. The first is the Immunity Debugger. This debug-ger has both interfaces types; the GUI and a com-mand line. The command line can be seen at all times on the bottom of the GUI. The Immunity De-bugger can write exploits, analyze malware, and reverse engineer binary files. The base platform of this tool is a solid user interface with graphing function and a fine analysis tool built especially for heap creation. This debugger has a well-support-ed Python API on top of its other features. The second debugger we’ll review is the WinDbg – this is a multipurpose tool for Microsoft’s Win-dows operation system. The WinDbg can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. The third and last debugger tool we’ll review is the OllyDbg. This is an x86 debugger who can trace reg-isters, recognizes procedures, API calls, switches, tables, constants and strings, as well as locate rou-tines from object files and libraries. The main focus for this debugger is the binary code analysis which is useful when the source code is unavailable. Launching the environment Pre-Requisites • Microsoft windows XP/Vista/7 machine. • Immunity Debugger – http://debugger.immuni-tyinc. com/ 50 02/2013
EXTRA • Vulnerable FTP Server – http://frogteam.go-zure. com/FTP-Server.zip • FTP Fuzzer – http://frogteam.gozure.com/ Infigo.zip In this section we’ll show the basic actions re-quired to work with the debugger. Prior to starting this section please note that you’ll need to estab-lish the environment based on the pre-requisites listed above. Once you’ve completed the relevant actions you should have a windows machine with all the files from the links above, and you have in-stalled the Immunity Debugger which we will be used during this section. Once the machine is up and running, you may launch the Immunity Debugger. Immunity Debugger is a debugger with function-ality designed specifically for the security industry. Once the Immunity Debugger is up and running as can be seen in the image below we can start our FTP Server and then attach the Immunity De-bugger to the FTP Server process (Figure 1). In order to attach the Immunity Debugger to the FTP Server process we’ll need to perform the fol-lowing actions: • On Windows machine, extract the ‘FTP-Server. zip’ compressed file you’ve downloaded. • Double-click on ‘FTPServer.exe’ to start the FTP Server. • Return to the Immunity Debugger and click on File -> Attach (or Ctrl+F1) • On the Process list, select the “FTPServer” (TCP: 21) and click on the Attach button. When you attach the debugger to a running pro-cess it will pause. In the Immunity Debugger up-per bar, you can resume the process by click the “Play” button or create a new thread by choos-ing the “Restart” button and then the “Play” button (Figure 2 and Figure 3). In order to connect and authenticate the FTP Server simply flow up on the standard procedure and type the relevant username and password (e.g. user credentials). One should assume that these variables need to be passed from the client to the server and there-fore, the program needs to store them somehow Figure 1. Immunity Debugger Started Figure 2. Attaching the “FTPServer” Process Figure 3. New thread Created and FTPServer is Ready for Connections Figure 4. Connect and Authenticate to the FTP Server www.hakin9.org/en 51
in memory. For our analysis we need to ask our-selves the following questions: • What kind of information it should contain (user info, program info, etc...)? • Which type of data they are able to accept (In-teger, String, etc...)? • How many characters should there be (there is a chance for Buffer-Overflow)? • Are there any characters that the variables should ignore (Bad-Characters)? In order to find these answers, we need to find a vulnerable FTP function or command- this can be done automatically or manually. For an easy start (which will save time) it is sometimes recom-mended to use automated tools. Once a “buffer-overflow” vulnerability exists, we have to find the amount of “junk data” that, when sent to the appli-cation, will overwrite the register. Stack-based buffer overflows techniques Users may exploit stack-based buffer overflows to manipulate the program to their advantage in one of the following ways: • By overwriting a local variable which is near the memory‘s buffer on the stack to change the behavior of the program which may benefit the attacker. • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as it was specified by the at-tacker. Usually a user’s input fills the buffer. • By overwriting a function pointer, or exception handler, which is subsequently executed. With a method called trampolining, if the address the user-supplied is listed as data unknown and the location will still be stored in a register, then the return address can be overwritten with the ad-dress of an opcode (operation code, a part of a language instruction that specifies the operation which will be performed) – this will cause the exe-cution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause ex-ecution of user supplied data. The locations of suit-able opcodes, or bytes in memory, can be found in DLLs or the executable itself. Please note that the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. Security Fuzzer Another important term is the fuzzer. Security Fuzzer is a tool used by security professionals and profes-sional hackers to test a parameter of an application. Typical fuzzers test an application for buffer over-flows, format string vulnerabilities, and error handling. Both fuzzer and debugger work together to de-tect security problems on a system, and it’s soft-ware. The fuzzer provides invalid, unexpected, or random data to the inputs of the target program and then monitors for exceptions such as failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test and exploit development tools. More advanced fuzzers incorporate function-alities to test for directory traversal attacks, com- Figure 5.*OñHP'514USFTT'V[[FSW Figure 6. FTPStress Fuzzer Detected the Vulnerable Commands 52 02/2013
EXTRA mand execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Infigo FTPStress Fuzzer is a specific fuzzer for finding vulnerabilities in FTP server products. Al-though it is a simple tool, it has proved its efficiency by the number of vulnerabilities discovered in dif-ferent FTP server software tested with this tool. The parameters which are used for the fuzzing process are configurable. User can precisely de-fine which FTP commands will be fuzzed along with the size and type of the fuzzing data. On the windows machine from before we’ll acti-vate the “Infigo FTPStress Fuzzer” and try to crash the FTP server: • Extract the ‘Infigo.zip’ compressed file you’ve downloaded. • Double-click on the ‘ftpfuzz.exe’ file. You can try to crash the FTP Server from any oth-er external machine and to perform this step us-ing instance of ftpfuzz.exe running on deferent computer (Figure 5). Once The Fuzzer is up we’ll need to find the commands that are supported by the FTP server: • Enter the IP Address of the computer Host on which the FTP server is running (e.g. 127.0.0.1). • Next, click on Discover button. FTP Fuzzer detected the FTP commands sup-ported by FTP server. See example in Figure 6. Next we need to examine the behavior of these commands while sending “junk data”, Therefore we will configure the amount of “junk data” we want to send to the FTP server: • Click on Config button • On the configuration window, go to Fuzzing da-ta tab and click Deselect All • Check the “A” letter and then click on OK. Figure 7. FTPStress Fuzzer Configuration Window Figure 8. The Outcome Can Be Seen as the FTP Server Has Crashed Table 1.YQFDUFE3FTQPOTFJTi3$7u Total FTP commands: 2 FTP commands to fuzz: 2 Number of Fuzz tests: 26 [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 30 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 70 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood www.hakin9.org/en 53
Assuming your Infigo Fuzzer looks like the im-age below, the fuzzing process can start. Click on Start button (Figure 7). The outcome can be seen as the FTP Server has crashed (Figure 8). The Analysis Phase In this section we’ll review on the procedure of an-alyzing the log data. The normal flow of the fuzzer is to connect to the target FTP Server, get the 220 Hello Message and then, send the “A”s junk data in different amounts (1 “A” = 1 Byte) each time fol-lowed by the “FEAT” command, while the expected response is RECV: 500 (Table 1). In order to understand what actually happened in the memory process, we can look at the diagram on the next page (Table 2). Next we can observe that after 330 bytes of junk data sent the FTP fuzzer was not able to receive 520 bytes of junk data and disconnected. This indicates that if we send junk data of a size between 330 and 520 bytes, the FTP server will crash (Table 3). Now, that we know the amount of junk bytes to send to overwrite EIP register we’ll try to find the exact amount of data that will overwrite EIP register. The Following Table Describes What Actually Happened in the Process Memory (Table 4). After examining the FTP Fuzzer log we can return to Immunity Debugger and see what happened to the process during the fuzzing test (Figure 9). In the Immunity Debugger main window we can see that our x41 (“A”s) floods the memory stack until the EIP register and modified the address so it’s x41x41x41x41 (“AAAA”) as can be seen in the “Registers window” – this helped us find the “JMP” but leads to an access violation as we can see in the Immunity Debugger status bar. Table 2. #ZUFTPGKVOLEBUB Table 3. The crash of ftp server [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 330 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 520 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 700 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 1400 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). 54 02/2013
EXTRA To summarize our actions, we’ve found a stack-based buffer overflow in the FTP Server. In order to better understand the procedure we need to modify the exact register (4 bytes EIP in that case) with JMP value so we are able to hit an accessible register. In the upcoming articles we’ll learn how to write our first exploit test script that will help us to control the data we send to the target. ERAN GOLDSTEIN Eran Goldstein is the founder of Frogteam|Security, a cyber securi-ty vendor company in USA and Israel. He is also the creator and developer of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software devel-oper with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability assessments. Eran has a vast experience in leading and tutoring courses in appli-cation security, software analysis and secure develop-ment as EC-Council Instructor (C|EI). For more informa-tion about Eran and his company you may go to: http:// www.frogteam-security.com. Table 4.#ZUFTPGKVOLEBUB Figure 9. Examine the Buffer Overflow Immunity Debugger www.hakin9.org/en 55

More Related Content

PDF
Reverse engineering - Shellcodes techniques
Eran Goldstein
 
PDF
Hacking ingress
Eran Goldstein
 
PDF
Anti Debugging
n|u - The Open Security Community
 
PDF
Richard Johnson, high performance fuzzing
PacSecJP
 
ODP
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
Joxean Koret
 
PDF
Writing simple buffer_overflow_exploits
D4rk357 a
 
PPT
Secure Ftp Java Style Rev004
Rich Helton
 
PDF
Breaking av software
Thomas Pollet
 
Reverse engineering - Shellcodes techniques
Eran Goldstein
 
Hacking ingress
Eran Goldstein
 
Anti Debugging
n|u - The Open Security Community
 
Richard Johnson, high performance fuzzing
PacSecJP
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
Joxean Koret
 
Writing simple buffer_overflow_exploits
D4rk357 a
 
Secure Ftp Java Style Rev004
Rich Helton
 
Breaking av software
Thomas Pollet
 

What's hot (20)

PPTX
C#Web Sec Oct27 2010 Final
Rich Helton
 
PDF
Bypassing anti virus scanners
martacax
 
PDF
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Infinum
 
PPT
Intro Java Rev010
Rich Helton
 
PDF
Analysis of bugs in Orchard CMS
PVS-Studio
 
ODP
Inter-process communication of Android
Tetsuyuki Kobayashi
 
DOCX
Backtrack Manual Part7
Nutan Kumar Panda
 
DOC
Debugging over tcp and http
Kaniska Mandal
 
PDF
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
PDF
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
Anup Singh
 
PDF
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
PDF
sponsorAVAST-VB2014
Martin Hron
 
PPT
Taming Deployment With Smart Frog
Steve Loughran
 
PPT
.NET Debugging Tips and Techniques
Bala Subra
 
PDF
Armitage – The Ultimate Attack Platform for Metasploit
Ishan Girdhar
 
DOCX
Backtrack Manual Part4
Nutan Kumar Panda
 
PDF
Slmail Buffer Overflow
Eric alleshouse
 
PPT
Writing Metasploit Plugins
amiable_indian
 
PDF
Vulnserver bufferoverflow
Eric alleshouse
 
C#Web Sec Oct27 2010 Final
Rich Helton
 
Bypassing anti virus scanners
martacax
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Infinum
 
Intro Java Rev010
Rich Helton
 
Analysis of bugs in Orchard CMS
PVS-Studio
 
Inter-process communication of Android
Tetsuyuki Kobayashi
 
Backtrack Manual Part7
Nutan Kumar Panda
 
Debugging over tcp and http
Kaniska Mandal
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
Anup Singh
 
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
sponsorAVAST-VB2014
Martin Hron
 
Taming Deployment With Smart Frog
Steve Loughran
 
.NET Debugging Tips and Techniques
Bala Subra
 
Armitage – The Ultimate Attack Platform for Metasploit
Ishan Girdhar
 
Backtrack Manual Part4
Nutan Kumar Panda
 
Slmail Buffer Overflow
Eric alleshouse
 
Writing Metasploit Plugins
amiable_indian
 
Vulnserver bufferoverflow
Eric alleshouse
 
Ad

Similar to Reverse engineering – debugging fundamentals (20)

PDF
Advanced System Security and Digital Forensics
Dr. Ramchandra Mangrulkar
 
PPTX
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
PDF
Fuzzing - Part 1
UTD Computer Security Group
 
PPTX
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
PDF
Crash Analysis with Reverse Taint
marekzmyslowski
 
PPTX
Vulnerability, exploit to metasploit
Tiago Henriques
 
PDF
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
PDF
Dive into exploit development
Payampardaz
 
PDF
FUZZING & SOFTWARE SECURITY TESTING
MuH4f1Z
 
PPTX
Binary Analysis - Luxembourg
Abhik Roychoudhury
 
PDF
CNIT 126: 8: Debugging
Sam Bowne
 
PPTX
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
PDF
[USENIX-WOOT] Introduction to Procedural Debugging through Binary Libification
Moabi.com
 
PDF
Malware Analysis -an overview by PP Singh
n|u - The Open Security Community
 
PDF
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
PDF
Fuzzing sucks!
Yury Chemerkin
 
PDF
Secure Programming With Static Analysis
ConSanFrancisco123
 
PPTX
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
PPT
Dll injection
KarlFrank99
 
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Advanced System Security and Digital Forensics
Dr. Ramchandra Mangrulkar
 
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
Fuzzing - Part 1
UTD Computer Security Group
 
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
Crash Analysis with Reverse Taint
marekzmyslowski
 
Vulnerability, exploit to metasploit
Tiago Henriques
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
Dive into exploit development
Payampardaz
 
FUZZING & SOFTWARE SECURITY TESTING
MuH4f1Z
 
Binary Analysis - Luxembourg
Abhik Roychoudhury
 
CNIT 126: 8: Debugging
Sam Bowne
 
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
[USENIX-WOOT] Introduction to Procedural Debugging through Binary Libification
Moabi.com
 
Malware Analysis -an overview by PP Singh
n|u - The Open Security Community
 
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
Fuzzing sucks!
Yury Chemerkin
 
Secure Programming With Static Analysis
ConSanFrancisco123
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Dll injection
KarlFrank99
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Ad

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Approach and Philosophy of On baking technology
30anthuong17
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

Reverse engineering – debugging fundamentals

  • 1. Reverse Engineering – Debugging Fundamentals The debugger concept and purpose is to test and troubleshoot another written program. Whether the debugger is a simple script, tool or a more complex computer program the idea is to utilize it in order see and verify the functionality of the “target” program / application in such a form that one can see and understand via the debugger what is happening while the “target” program / application runs and especially when it stops. The “target” program’s / application’s code that is examined (by the debugger) might al-ternatively be running on an Instruction Set Simulator (ISS). The ISS is a certain form of tech-nique that gives the ability to halt when specific conditions are encountered but which will typically be somewhat slower than executing the code di-rectly on the appropriate (or the same) processor. When the “target” program / application reach-es a running condition or when the program can-not normally continue due to a programming bug (what is commonly known as a “crash”) the debug-ger typically shows the location in the original code whether it is a source-level debugger (which gives the line or expression within the source code that resulted from the debugger’s actions.) or symbolic debugger (which displays procedure and variable names that are stored in the debugger). The Various Debuggers There are many debuggers available for the pur-pose in question, among the more common names are; WinDbg, Valgrind, LLDB Debugger, GNU De-bugger (GDB), Immunity Debugger, OllyDbg and many more. As the list is quite long and this ar-ticle’s purpose is to focus on the fundamentals of the debugger concept we’ll put an emphasis on three debugger types this time: The immunity De-bugger, WinDbg and OllyDbg. The first is the Immunity Debugger. This debug-ger has both interfaces types; the GUI and a com-mand line. The command line can be seen at all times on the bottom of the GUI. The Immunity De-bugger can write exploits, analyze malware, and reverse engineer binary files. The base platform of this tool is a solid user interface with graphing function and a fine analysis tool built especially for heap creation. This debugger has a well-support-ed Python API on top of its other features. The second debugger we’ll review is the WinDbg – this is a multipurpose tool for Microsoft’s Win-dows operation system. The WinDbg can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. The third and last debugger tool we’ll review is the OllyDbg. This is an x86 debugger who can trace reg-isters, recognizes procedures, API calls, switches, tables, constants and strings, as well as locate rou-tines from object files and libraries. The main focus for this debugger is the binary code analysis which is useful when the source code is unavailable. Launching the environment Pre-Requisites • Microsoft windows XP/Vista/7 machine. • Immunity Debugger – http://debugger.immuni-tyinc. com/ 50 02/2013
  • 2. EXTRA • Vulnerable FTP Server – http://frogteam.go-zure. com/FTP-Server.zip • FTP Fuzzer – http://frogteam.gozure.com/ Infigo.zip In this section we’ll show the basic actions re-quired to work with the debugger. Prior to starting this section please note that you’ll need to estab-lish the environment based on the pre-requisites listed above. Once you’ve completed the relevant actions you should have a windows machine with all the files from the links above, and you have in-stalled the Immunity Debugger which we will be used during this section. Once the machine is up and running, you may launch the Immunity Debugger. Immunity Debugger is a debugger with function-ality designed specifically for the security industry. Once the Immunity Debugger is up and running as can be seen in the image below we can start our FTP Server and then attach the Immunity De-bugger to the FTP Server process (Figure 1). In order to attach the Immunity Debugger to the FTP Server process we’ll need to perform the fol-lowing actions: • On Windows machine, extract the ‘FTP-Server. zip’ compressed file you’ve downloaded. • Double-click on ‘FTPServer.exe’ to start the FTP Server. • Return to the Immunity Debugger and click on File -> Attach (or Ctrl+F1) • On the Process list, select the “FTPServer” (TCP: 21) and click on the Attach button. When you attach the debugger to a running pro-cess it will pause. In the Immunity Debugger up-per bar, you can resume the process by click the “Play” button or create a new thread by choos-ing the “Restart” button and then the “Play” button (Figure 2 and Figure 3). In order to connect and authenticate the FTP Server simply flow up on the standard procedure and type the relevant username and password (e.g. user credentials). One should assume that these variables need to be passed from the client to the server and there-fore, the program needs to store them somehow Figure 1. Immunity Debugger Started Figure 2. Attaching the “FTPServer” Process Figure 3. New thread Created and FTPServer is Ready for Connections Figure 4. Connect and Authenticate to the FTP Server www.hakin9.org/en 51
  • 3. in memory. For our analysis we need to ask our-selves the following questions: • What kind of information it should contain (user info, program info, etc...)? • Which type of data they are able to accept (In-teger, String, etc...)? • How many characters should there be (there is a chance for Buffer-Overflow)? • Are there any characters that the variables should ignore (Bad-Characters)? In order to find these answers, we need to find a vulnerable FTP function or command- this can be done automatically or manually. For an easy start (which will save time) it is sometimes recom-mended to use automated tools. Once a “buffer-overflow” vulnerability exists, we have to find the amount of “junk data” that, when sent to the appli-cation, will overwrite the register. Stack-based buffer overflows techniques Users may exploit stack-based buffer overflows to manipulate the program to their advantage in one of the following ways: • By overwriting a local variable which is near the memory‘s buffer on the stack to change the behavior of the program which may benefit the attacker. • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as it was specified by the at-tacker. Usually a user’s input fills the buffer. • By overwriting a function pointer, or exception handler, which is subsequently executed. With a method called trampolining, if the address the user-supplied is listed as data unknown and the location will still be stored in a register, then the return address can be overwritten with the ad-dress of an opcode (operation code, a part of a language instruction that specifies the operation which will be performed) – this will cause the exe-cution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause ex-ecution of user supplied data. The locations of suit-able opcodes, or bytes in memory, can be found in DLLs or the executable itself. Please note that the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. Security Fuzzer Another important term is the fuzzer. Security Fuzzer is a tool used by security professionals and profes-sional hackers to test a parameter of an application. Typical fuzzers test an application for buffer over-flows, format string vulnerabilities, and error handling. Both fuzzer and debugger work together to de-tect security problems on a system, and it’s soft-ware. The fuzzer provides invalid, unexpected, or random data to the inputs of the target program and then monitors for exceptions such as failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test and exploit development tools. More advanced fuzzers incorporate function-alities to test for directory traversal attacks, com- Figure 5.*OñHP'514USFTT'V[[FSW Figure 6. FTPStress Fuzzer Detected the Vulnerable Commands 52 02/2013
  • 4. EXTRA mand execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Infigo FTPStress Fuzzer is a specific fuzzer for finding vulnerabilities in FTP server products. Al-though it is a simple tool, it has proved its efficiency by the number of vulnerabilities discovered in dif-ferent FTP server software tested with this tool. The parameters which are used for the fuzzing process are configurable. User can precisely de-fine which FTP commands will be fuzzed along with the size and type of the fuzzing data. On the windows machine from before we’ll acti-vate the “Infigo FTPStress Fuzzer” and try to crash the FTP server: • Extract the ‘Infigo.zip’ compressed file you’ve downloaded. • Double-click on the ‘ftpfuzz.exe’ file. You can try to crash the FTP Server from any oth-er external machine and to perform this step us-ing instance of ftpfuzz.exe running on deferent computer (Figure 5). Once The Fuzzer is up we’ll need to find the commands that are supported by the FTP server: • Enter the IP Address of the computer Host on which the FTP server is running (e.g. 127.0.0.1). • Next, click on Discover button. FTP Fuzzer detected the FTP commands sup-ported by FTP server. See example in Figure 6. Next we need to examine the behavior of these commands while sending “junk data”, Therefore we will configure the amount of “junk data” we want to send to the FTP server: • Click on Config button • On the configuration window, go to Fuzzing da-ta tab and click Deselect All • Check the “A” letter and then click on OK. Figure 7. FTPStress Fuzzer Configuration Window Figure 8. The Outcome Can Be Seen as the FTP Server Has Crashed Table 1.YQFDUFE3FTQPOTFJTi3$7u Total FTP commands: 2 FTP commands to fuzz: 2 Number of Fuzz tests: 26 [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 30 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 70 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood www.hakin9.org/en 53
  • 5. Assuming your Infigo Fuzzer looks like the im-age below, the fuzzing process can start. Click on Start button (Figure 7). The outcome can be seen as the FTP Server has crashed (Figure 8). The Analysis Phase In this section we’ll review on the procedure of an-alyzing the log data. The normal flow of the fuzzer is to connect to the target FTP Server, get the 220 Hello Message and then, send the “A”s junk data in different amounts (1 “A” = 1 Byte) each time fol-lowed by the “FEAT” command, while the expected response is RECV: 500 (Table 1). In order to understand what actually happened in the memory process, we can look at the diagram on the next page (Table 2). Next we can observe that after 330 bytes of junk data sent the FTP fuzzer was not able to receive 520 bytes of junk data and disconnected. This indicates that if we send junk data of a size between 330 and 520 bytes, the FTP server will crash (Table 3). Now, that we know the amount of junk bytes to send to overwrite EIP register we’ll try to find the exact amount of data that will overwrite EIP register. The Following Table Describes What Actually Happened in the Process Memory (Table 4). After examining the FTP Fuzzer log we can return to Immunity Debugger and see what happened to the process during the fuzzing test (Figure 9). In the Immunity Debugger main window we can see that our x41 (“A”s) floods the memory stack until the EIP register and modified the address so it’s x41x41x41x41 (“AAAA”) as can be seen in the “Registers window” – this helped us find the “JMP” but leads to an access violation as we can see in the Immunity Debugger status bar. Table 2. #ZUFTPGKVOLEBUB Table 3. The crash of ftp server [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 330 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 520 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 700 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 1400 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). 54 02/2013
  • 6. EXTRA To summarize our actions, we’ve found a stack-based buffer overflow in the FTP Server. In order to better understand the procedure we need to modify the exact register (4 bytes EIP in that case) with JMP value so we are able to hit an accessible register. In the upcoming articles we’ll learn how to write our first exploit test script that will help us to control the data we send to the target. ERAN GOLDSTEIN Eran Goldstein is the founder of Frogteam|Security, a cyber securi-ty vendor company in USA and Israel. He is also the creator and developer of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software devel-oper with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability assessments. Eran has a vast experience in leading and tutoring courses in appli-cation security, software analysis and secure develop-ment as EC-Council Instructor (C|EI). For more informa-tion about Eran and his company you may go to: http:// www.frogteam-security.com. Table 4.#ZUFTPGKVOLEBUB Figure 9. Examine the Buffer Overflow Immunity Debugger www.hakin9.org/en 55