Reverse Engineering

AN INTRODUCTION TO REVERSE ENGINEERING, THE TOOLS AND ASSEMBLY

Ali Mohamed
What is Reverse Engineering?
• Taking a final product (e.g. a compiled program), attempting to break it down and understand what it’s doing, and possibly modifying it for a new purpose.
• This involves the use of specialized tools such as debuggers and disassemblers
• Debuggers allow you to monitor things live as they happen
• Disassemblers attempt to analyze the program and show you what it looks like in assembly
Why would you need to reverse engineer something?
• When you have a program that you don’t have the source code for but want to find out how it does things
• Improving/modifying something you don’t have the source code for
• This may not be legal for every program out there, so exercise it with caution
We’ll be looking at reverse engineering through “romhacking”
Why romhacking?
• It’s in a bit of a grey area, however, many hobbyists have written highly specialized and useful debuggers/emulators that can help one learn this process
• A game is a good way to break into reverse engineering (and by extension assembly)
• It’ll be easier to work with gameplay concepts as things we want to find/alter
Why does it have to be in assembly?
• There is no real way to convert something back from a compiled High Level Language format to the original source code
• The best we can manage is turning it back into assembly
• Don’t be scared of assembly! It is daunting at first but it’s a good skill to have

[Diagram: Compiler -> Executable File (Machine Code / Assembly)]
The CPU
Registers – storage locations, values move around here
Processor Status/Flag Register – keeps track of flags that are set during calculations
Program Counter – address of current instruction
Stack Pointer – keeps track of call stack
Assembly Basics
Basic operators:
add, sub, mul*, div*
A very basic example.
mov (move):
copies value from source and puts it into the destination. You will probably see this instruction a lot.
jmp (jump) and other conditional jumps:
used to hop to certain addresses
nop:
no operation (I believe it’s used for when you need to wait)

*older, simpler CPUs might not have those luxuries, you may have to do your multiplication/division through bit-shifting
I highly recommend keeping a reference document up while working on assembly to make it simpler.
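The bit-shifting fallback mentioned in the footnote, worked through in Python rather than assembly so it can be run and checked (an added example, not from the lecture). The two functions model unsigned 8-bit operands: multiplication as the shift-and-add loop found in hand-written multiply routines, and division as restoring shift-and-subtract.

```python
# Added example (not from the lecture): multiplication and division built
# from shifts and adds/subtracts, the way a CPU without MUL/DIV does it.
# Operands are unsigned 8-bit values; the product is allowed to be 16 bits.

def mul8_shift_add(a: int, b: int) -> int:
    """Return a * b for unsigned 8-bit a, b using shift-and-add.

    Each pass looks at the lowest bit of the multiplier b; if it is set,
    the (shifted) multiplicand is added to the accumulator.  Eight passes
    cover the eight bits of b.
    """
    assert 0 <= a <= 0xFF and 0 <= b <= 0xFF
    acc = 0
    multiplicand = a
    for _ in range(8):
        if b & 1:
            acc = (acc + multiplicand) & 0xFFFF
        multiplicand = (multiplicand << 1) & 0xFFFF   # next power of two
        b >>= 1
    return acc


def div8_shift_sub(n: int, d: int) -> tuple:
    """Return (quotient, remainder) of n / d for unsigned 8-bit values.

    Restoring division: dividend bits are shifted into a remainder register
    one at a time, most significant first; whenever the remainder reaches
    the divisor, subtract it and set the matching quotient bit.
    """
    assert 0 <= n <= 0xFF and 1 <= d <= 0xFF, "division by zero is undefined"
    quotient = 0
    remainder = 0
    for i in range(7, -1, -1):
        remainder = (remainder << 1) | ((n >> i) & 1)
        quotient <<= 1
        if remainder >= d:
            remainder -= d
            quotient |= 1
    return quotient, remainder


if __name__ == "__main__":
    print(mul8_shift_add(12, 13))      # 156
    print(div8_shift_sub(200, 7))      # (28, 4)
```

The loop bodies map almost one-to-one onto the shift, test-bit, add/subtract and branch instructions of a small CPU, which is why the same shape keeps turning up in disassembled game code.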
Basic approach to reverse engineering
Task we want to accomplish
-> hunt for relevant info (such as RAM addresses & values)
-> set breakpoints (freeze CPU during a certain action)
-> slowly trace through instructions and attempt to figure things out
-> modify (test & check) OR document how it works
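The first step, hunting for RAM addresses, is usually done by snapshotting memory while the player performs a known action and filtering for addresses whose values changed in the expected way. The Python below is an added example (not from the lecture) of that filter; the RAM images, the stand-in timer address 0xDD01 and the decoy addresses are all constructed sample data, not dumps from a real game.

```python
# Added example (not from the lecture): the "hunt for relevant info" step,
# done the way emulator cheat-search tools do it.  RAM is snapshotted
# several times while the player performs a known action, and only the
# addresses whose values changed in the expected way survive the filter.
# All snapshots below are constructed sample data, not dumps from a game.

RAM_BASE = 0xC000   # GameBoy work RAM begins at C000
RAM_SIZE = 0x2000   # 8 KiB of work RAM modelled here


def snapshot(changes, base=None):
    """Return a RAM image: a copy of `base` (or zero-filled RAM) with
    `changes` (absolute address -> byte value) applied."""
    ram = bytearray(base) if base is not None else bytearray(RAM_SIZE)
    for addr, value in changes.items():
        ram[addr - RAM_BASE] = value & 0xFF
    return bytes(ram)


def search(snapshots, predicate):
    """Return the absolute addresses whose value history (one byte per
    snapshot, in order) satisfies `predicate`."""
    hits = []
    for offset in range(len(snapshots[0])):
        history = [snap[offset] for snap in snapshots]
        if predicate(history):
            hits.append(RAM_BASE + offset)
    return hits


def strictly_decreasing(history):
    """Filter for a countdown such as a bomb timer."""
    return all(later < earlier for earlier, later in zip(history, history[1:]))


def exact_history(*expected):
    """Filter for a value we can read off the screen before and after."""
    expected = list(expected)
    return lambda history: history == expected


def find_bomb_timer():
    # Three snapshots taken while a bomb ticks down.  0xDD01 is a constructed
    # stand-in for the slide's DDX1 timer slot; 0xC100 is a frame counter
    # that also changes (but upward) and 0xC200 is a value that never moves.
    s1 = snapshot({0xDD01: 0x40, 0xC100: 0x10, 0xC200: 0x07})
    s2 = snapshot({0xDD01: 0x30, 0xC100: 0x11}, base=s1)
    s3 = snapshot({0xDD01: 0x20, 0xC100: 0x12}, base=s2)
    return search([s1, s2, s3], strictly_decreasing)


def find_score_byte():
    # The on-screen score went from 1 to 3 in some unit; the constructed
    # layout puts that byte in the middle of the slide's C0A0-C0A2 range.
    # 0xC300 is a decoy that went 1 -> 2 and must not match.
    before = snapshot({0xC0A1: 0x01, 0xC300: 0x01})
    after = snapshot({0xC0A1: 0x03, 0xC300: 0x02}, base=before)
    return search([before, after], exact_history(0x01, 0x03))


if __name__ == "__main__":
    print("timer candidates:", [hex(a) for a in find_bomb_timer()])
    print("score candidates:", [hex(a) for a in find_score_byte()])
```

Each additional snapshot shrinks the candidate list; with real games you typically need three or four passes before a single address survives, and the survivor is what you then put a write breakpoint on in the emulator's debugger.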
Our Target: The GameBoy
THE SPECS
CPU: SHARP LR35902 @ 4.19 MHz
DISPLAY: 2.6” LCD
RESOLUTION: 160 x 144 px
MEDIA: ROM CARTRIDGES

[Image: a Gameboy cartridge PCB]
Metroid II
Changing bomb timers

DDX0 – Bomb State, DDX1 – Bomb Timer

After searching, we find that setting the timer is quite simple. This one (thankfully) was quite simple and very easy to modify.
Super Mario Land
How does the score update?

Score is stored at RAM values C0A0 – C0A2

After a lot of searching, we stumble upon this routine.
Basically HL points to a location in RAM, the point value is loaded from register D, then moved to register A, and the score is tabulated and stored back to the target RAM location.
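To make the routine and the debugger steps concrete, here is an added example (not from the lecture) in Python: a toy CPU model with the registers the slide names (A, D, HL, carry flag), a breakpoint that freezes execution at a given instruction, and a watchpoint that records every write to C0A0–C0A2. The mnemonics are a simplified stand-in for the LR35902 instruction set, and the carry-into-the-next-byte arithmetic is an assumption, since the slide does not show how the game actually tabulates the score.

```python
# Added example (not from the lecture): toy model of the score routine the
# slide describes, plus a breakpoint and a write watchpoint as a debugger
# provides them.  Mnemonics are a simplified stand-in, not real LR35902
# encoding; multi-byte add with carry is an assumption about the game.

from dataclasses import dataclass, field

SCORE_LO, SCORE_HI = 0xC0A0, 0xC0A2   # three score bytes, low byte first

# HL points at the score in RAM, the point value arrives in D, is moved to A,
# added to the byte at (HL) and stored back; the carry is then propagated.
ADD_POINTS = [
    ("LD HL,nn", SCORE_LO),   # HL -> score low byte
    ("LD A,D",),              # point value from D into A
    ("ADD A,(HL)",),          # tabulate: A = points + current byte
    ("LD (HL),A",),           # store back to the target RAM location
    ("INC HL",), ("LD A,n", 0), ("ADC A,(HL)",), ("LD (HL),A",),  # carry -> middle byte
    ("INC HL",), ("LD A,n", 0), ("ADC A,(HL)",), ("LD (HL),A",),  # carry -> high byte
    ("HALT",),
]


@dataclass
class CPU:
    mem: bytearray
    a: int = 0
    d: int = 0
    hl: int = 0
    pc: int = 0
    carry: bool = False
    watch: range = range(SCORE_LO, SCORE_HI + 1)   # watchpoint on the score bytes
    hits: list = field(default_factory=list)        # (pc, addr, old, new) per watched write

    def write(self, addr, value):
        old, new = self.mem[addr], value & 0xFF
        self.mem[addr] = new
        if addr in self.watch:
            self.hits.append((self.pc, addr, old, new))

    def step(self, program):
        """Execute one instruction; return False once HALT is reached."""
        op = program[self.pc]
        name, arg = op[0], (op[1] if len(op) > 1 else None)
        if name == "LD A,D":
            self.a = self.d
        elif name == "LD A,n":
            self.a = arg & 0xFF
        elif name == "LD HL,nn":
            self.hl = arg & 0xFFFF
        elif name in ("ADD A,(HL)", "ADC A,(HL)"):
            carry_in = int(self.carry) if name.startswith("ADC") else 0
            total = self.a + self.mem[self.hl] + carry_in
            self.carry = total > 0xFF            # flag set by the calculation
            self.a = total & 0xFF
        elif name == "LD (HL),A":
            self.write(self.hl, self.a)
        elif name == "INC HL":
            self.hl = (self.hl + 1) & 0xFFFF
        elif name == "JP nn":
            self.pc = arg                        # unconditional jump
            return True
        elif name == "HALT":
            return False
        else:
            raise ValueError(f"unknown instruction {name}")
        self.pc += 1
        return True


def run(cpu, program, break_at=None, max_steps=1000):
    """Run until HALT, or until PC reaches `break_at` (CPU left frozen there)."""
    for _ in range(max_steps):
        if cpu.pc == break_at:
            return "breakpoint"
        if not cpu.step(program):
            return "halt"
    raise RuntimeError("program did not halt")


def fresh_cpu(score_bytes, points):
    mem = bytearray(0x10000)                       # full 64 KiB address space
    mem[SCORE_LO:SCORE_HI + 1] = bytes(score_bytes)
    return CPU(mem=mem, d=points)


def add_points(score_bytes, points):
    """Return (new score bytes, watchpoint hits) after running the routine."""
    cpu = fresh_cpu(score_bytes, points)
    run(cpu, ADD_POINTS)
    return list(cpu.mem[SCORE_LO:SCORE_HI + 1]), cpu.hits


def freeze_before_store(score_bytes, points):
    """Break at the first 'LD (HL),A' and return (A, HL, byte at C0A0)."""
    cpu = fresh_cpu(score_bytes, points)
    run(cpu, ADD_POINTS, break_at=3)
    return cpu.a, cpu.hl, cpu.mem[SCORE_LO]


if __name__ == "__main__":
    new_score, hits = add_points([0xFF, 0x00, 0x00], 0x05)
    print("score bytes:", [hex(b) for b in new_score])
    for pc, addr, old, new in hits:
        print(f"write at pc={pc}: {addr:04X} {old:02X} -> {new:02X}")
```

Freezing at instruction 3 shows A already holding the new low byte while C0A0 still contains the old value, which is exactly the moment a debugger lets you confirm that a candidate address really is the score. The watchpoint log then gives the three store instructions in order, which is the list you would start disassembling around in the real ROM.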
Things to remember:
- Assembly can be a valuable asset. It’s quite confusing at first, but debugging a program (whether or not you have source code access) is an invaluable tool for fixing problems!
- Reverse Engineering is a challenging process, but you’ll learn quite a lot about a program and the architecture it’s designed for
- Don’t ever be afraid to dive into assembly; it may look scary, but given enough time you can figure things out and will learn a lot of useful info
STUXNET
Background

• Spread on Microsoft Windows
• Developed June 2009
• Spreading began late 2009/early 2010
• Discovered in July 2010
o Microsoft out-of-band patch released August 2010 - .lnk exploit
o More patches with the September 'Patch Tuesday' - print spooler exploit
• Around half a megabyte
• C, C++, and other object-oriented languages
What the news says it was

• Iranian centrifuge destroyer!
o Its one goal was to destroy the Iranian nuclear program
• Developed by the United States and Israel
• Contributed to the Gulf oil leak
• 'Mission: Impossible'-like virus
• It will kill your unborn children
o Assuming they are born in a hospital using PLC machines
What it really was

• Malware that spread on networks to infect systems running WinCC and PCS 7 SCADA
• Took advantage of the fact that PLCs are usually unsecured
o They are behind firewalls and run by other computers that ARE secured
• Once inside, it had the ability to reprogram the PLC controlling machinery
o Gave the possibility of altering how the controlled machinery will run

*PLC: Programmable Logic Controller
How it did it

• USB drive for initial infection, then spread on network
• .lnk file exploit
o As soon as the shortcut is displayed, the exploit is run
• Windows vulnerabilities
o EoP
▪ Task scheduler
o MS08-067 (Conficker) - Already patched!!!! (but not on these systems)
o Print spooler exploit
o Used at least 4 previously undiscovered vulnerabilities
• Searched for WinCC and PCS 7 SCADA management programs
o Tried default Siemens passwords to gain access
o If access is granted, PLC software could be reprogrammed
• Used stolen signed digital certificates
o Looked like genuine software to antivirus scanners

*EoP: Elevation of Privileges
How it did it (cont.)
• Installed an RPC server
• Self-updating
o Machines check on other machines running Stuxnet and do a version check
o Newer versions automatically push their version onto the other machines
o Older versions automatically request the newer version to be pushed
▪ If the central server goes down, updates still spread

*RPC: Remote Procedure Call
What a story! I mean theory...

"As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation." - Bruce Schneier

What we "know" it does:

• Infects Windows
• Looks for Siemens SIMATIC WinCC/Step 7 controller software
• Reads and changes bits in the PLC
• Spreads through network/USB
• Various updating mechanisms
What a story! I mean theory...

The media focuses on these types of quotes:

• The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched
vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it
apart believe it may be the work of state-backed professionals.

• "I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.
In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and
those of dozens of other major companies, were child's play.

• But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber
security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is
essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy
one real-world target of high importance – a target still unknown.
What a story! I mean theory...

Once you pop you just can't stop:

• The word "myrtus" appears in the worm:
o an artifact that the compiler left, possibly by accident.
o refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.

• Sets a registry value of "19790509":
o a date
o refers to the date Persian Jew Habib Elghanian was executed in Tehran for spying for Israel.

• The hex 0xDEADF007 appears in the worm:
o Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure.
o "This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown."
What a story! I mean theory...

These markers COULD:

• Point to Israel as the author.
• Point to being deliberately planted by someone who wanted to frame Israel
• Point to being deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel.

When do you stop?

• Deepwater Horizon did have some Siemens PLC systems on it!
• Did Stuxnet contribute to the Gulf of Mexico oil spill?!?!

Stuxnet's Authors:
• extremely careful not to leave any traces
What a story! I mean theory...

• We don't know who wrote Stuxnet.
o Government
o Individual
o Research Group
• We don't know why.
o Criminal worm to demonstrate capability
o Research efforts
o Social/Political
• We don't know what the target is, or if Stuxnet reached it.
o control alarm systems
o access controls on doors
o motors
o conveyor belts
o pumps
o chemical plants
o oil refineries
o pipelines
o nuclear power plants!?!?!
What a story! I mean theory...

Stuxnet is sophisticated.
It is fun to speculate about its purposes.

But we do not know the authors' true intentions.

Questions?
Sources

http://www.networkworld.com/news/2010/091610-is-stuxnet-the-best-malware.html?page=2
http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm
http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems
http://www.symantec.com/connect/blogs/stuxnet-p2p-component
http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx
http://www.internetnews.com/security/article.php/3903541/Patch+Tuesday+Fixes+Another+Stuxnet+Vulnerability.htm
http://www.abc.net.au/science/articles/2011/11/01/3353334.htm
http://www.schneier.com/blog/archives/2010/10/stuxnet.html
http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html
http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/
THE END!