Reverse Engineering

Uploaded by Anand Kumaran
Reverse Engineering

Andrew Tomko
COT 4810
3 April 2008

Reverse Engineering

- “Process of analyzing a subject system to create representations of the system at a higher level of abstraction”
- “Going backwards through the development cycle”
- Discovering how a device works, usually by taking it apart.

REing Mechanical Devices

- Not what you may think.
- Actually the reverse of the engineering process, going from a finished product to design.
- Used to “digitize” old parts and systems.

Antikythera mechanism

- A famous example of reverse engineering
- Ancient mechanical computer
- Discovered in a wreck in 1900, dated to around 150-100 BC

Development Cycle

- The waterfall model
- Reverse engineering moves through this process in reverse.
- May not end up with the same implementation.

Software Techniques

- Analysis through observation of information exchange
- Disassembly
- Decompilation

Analysis Through Observation

- Very common for protocol reverse engineering.
- Usually uses a bus analyzer and/or packet sniffers.
- Can be assisted through the use of low-level debuggers.

SoftICE

- Kernel mode debugger
- Originally played the role of operating system
- Sold for $386
- Discontinued April 3rd, 2006

OllyDbg

- Has more of a Windows feel
- Latest production release on May 23, 2004
- Latest alpha release on March 11, 2008
- Only 32-bit binaries available, but unlike SoftICE, they're free

Disassembly

- Most programs, when compiled, are turned into architecture-specific machine code.
- Disassemblers just take the binary executable and display its assembly code.
- Need a good understanding of assembly and usually a hex editor.
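
An added example (not from the original slides): a minimal linear-sweep disassembler for a small subset of 32-bit x86, showing how machine-code bytes map back to assembly text. The opcode subset, the function names and the SAMPLE bytes are constructed for illustration.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RM_R = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x39: "cmp", 0x89: "mov"}  # op r/m32, r32
GRP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # 0x83 /digit, imm8
JMP8 = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}  # branches with a signed 8-bit offset
SIMPLE = {0x90: "nop", 0xC3: "ret"}

def decode_one(code, off):
    """Decode one instruction at `off`; return (length, text)."""
    op, rest = code[off], code[off + 1:]
    if op in SIMPLE:
        return 1, SIMPLE[op]
    if 0x50 <= op <= 0x57:
        return 1, "push " + REGS[op - 0x50]
    if 0x58 <= op <= 0x5F:
        return 1, "pop " + REGS[op - 0x58]
    if 0xB8 <= op <= 0xBF and len(rest) >= 4:  # mov r32, imm32 (little-endian)
        return 5, "mov %s, %#x" % (REGS[op - 0xB8], struct.unpack_from("<I", rest)[0])
    if op in JMP8 and len(rest) >= 1:  # target is relative to the next instruction
        return 2, "%s %#x" % (JMP8[op], off + 2 + struct.unpack_from("<b", rest)[0])
    if rest and rest[0] >> 6 == 3:  # ModRM byte with mod=11: register operands only
        reg, rm = (rest[0] >> 3) & 7, rest[0] & 7
        if op in RM_R:
            return 2, "%s %s, %s" % (RM_R[op], REGS[rm], REGS[reg])
        if op == 0x83 and len(rest) >= 2:  # imm8 is sign-extended
            return 3, "%s %s, %d" % (GRP1[reg], REGS[rm], struct.unpack_from("<b", rest, 1)[0])
    # Unsupported opcode or truncated instruction: emit the raw byte and move on.
    return 1, "db %#04x" % op

def disassemble(code):
    """Linear sweep: decode from offset 0, each instruction starting where the last ended."""
    out, off = [], 0
    while off < len(code):
        n, text = decode_one(code, off)
        out.append((off, code[off:off + n].hex(), text))
        off += n
    return out

# Constructed sample bytes (not taken from any real program); the trailing 0x0f is
# a deliberately incomplete opcode to show the fallback path.
SAMPLE = bytes.fromhex("55 89e5 b803000000 83e801 75fb 5d c3 0f")

if __name__ == "__main__":
    for off, raw, text in disassemble(SAMPLE):
        print("%04x  %-12s %s" % (off, raw, text))
```

A linear sweep assumes every byte is code; data embedded in a code section gets decoded as bogus instructions, which is why full disassemblers also follow control flow.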

W32Dasm

- No longer exists?
- Basically an assembly debugger
- Can't edit program directly

! ATTENTION !

- The following example is done for educational purposes only.
- Do not attempt similar types of reverse engineering, which is considered “cracking”.
- If it is a good program or one that you use often, pay for it; software developers deserve the money for creating the program.

Example

- Simple program that creates crosswords.
- Program is a demo; won't let you save puzzles greater than 10x10.
- However, all the code is actually there; it is just crippled.
10x10 Save check
Fixed save check

Nag screen

- Pops up every time the program starts
- Does not exist in the non-demo version
- Serves no other function than to nag you
Nag screen
Nag screen fixed

- Please don't ever do this, it makes children cry

Decompilation

Common examples

- Samba – Program for Unix-like systems that allows file sharing with Windows machines.
- Wine – Program for Unix-like systems that attempts to emulate Windows API calls
- OpenOffice – Open source program which emulates Microsoft Office

Motivation

- Interoperability
- Lost documentation
- Product analysis
- Security auditing
- Removal of access restrictions
- Creation of duplicates
- Fraud

Interoperability

- Getting a device / piece of software to work on another platform.
- Linux drivers
- Learning the protocols the device uses to communicate

Lost Documentation

- Similar to interoperability
- Need to relearn how the device operates, how the device communicates
- Usually only done on antiquated devices or integrated circuits

Product Analysis

- To determine how the product works
- Can be used to estimate product costs
- Determine if a product is infringing on patent rights (legalities?)

Security Auditing

- An audit determines if systems are safeguarding assets, maintaining data integrity, and operating effectively.
- The company usually knows about its own products.
- Used to evaluate risk of new products it may be creating itself or using from other companies.

Access Restriction Removal

- Possible legal issues
- Usually done to demo programs, full version released as warez
- Sometimes it becomes legal when a program or game becomes very old.

Create Duplicates

- This can be very difficult, trying to reproduce the entire system.
- Reverse engineering of copy restrictions on CDs and other media.
- In certain cases the user is allowed a duplicate.

Fraud

- Any device (usually embedded or integrated) that stores critical information
- Most common example is of credit cards / smart cards
- Passwords and other information are often stored on the card

Military applications

- The famous Enigma machine from WWII
- Jerry cans invented by the Germans in WWII
- Tupolev Tu-4: American B-29 bombers were forced to land in the USSR; within a few years the Soviets created the Tu-4, an almost exact replica.
- A Taiwanese AIM-9B missile hit a Chinese MiG without exploding and was later reproduced by the Soviets.

Legalities

- Generally considered lawful if the system was obtained legitimately.
- "...[W]here disassembly is the only way to gain access to the ideas and functional elements embodied in a copyrighted computer program and where there is a legitimate reason for seeking such access, disassembly is a fair use of the copyrighted work, as a matter of law."

References

- http://en.wikipedia.org/wiki/Reverse_engineering
- Chikofsky, E.J.; J.H. Cross II (January 1990). "Reverse Engineering and Design Recovery: A Taxonomy in IEEE Software". IEEE Computer Society: 13–17.
- Sega v. Accolade, 203 F.3d 596 (9th Cir. 1993)
- http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00001201----000-.html

Questions

1) What is the definition of reverse engineering in terms of software?
2) List three reasons to reverse engineer something.
