chevron_left chevron_right
Login Register invert_colors photo_library


Stay updated and chat with others! - Join the Discord!
Thread Rating:
  • 0 Vote(s) - 0 Average


[#2] Introduction To Reverse Engineering With OllyDBG filter_list
Author
Message
[#2] Introduction To Reverse Engineering With OllyDBG #1
[Image: Logo_OllyDbg.svg]
Introduction To Reverse Engineering With OllyDBG


Greetings everyone!

Welcome to the second part of my malware analysis series, if you’ve made it to this point you deserve a pat on the back! Malware analysis is just like I said before a journey, not an easy one but definitely a fun one!

In this part of the series, we’ll be picking where the first part of our series Introduction to Malware Analysis was left off. We’ll soon be on our way of exploring how static reverse engineering techniques can be used to understand what a piece of malware does. However, before we do that we need to understand how the reverse engineering tools work and understand the very basics of them  in order to be able to perform some basic malware analysis.

What is exactly Reverse Engineering?
If we look up the definition of the term “Reverse engineering” it’ll be defined as:
"To disassemble and examine or analyze in detail (a product or device) to discover the concepts involved in manufacture usually in order to produce something similar".
However, it’s a bit different in our case since we’re not reverse engineering, physical products, but rather software which runs on the Windows platform. Thereby, we can define reverse engineering as the reproduction of another person’s source code following detailed examination of the executable machine code. In layman terms, it can be explained as, figuring out what a program does by examining the instructions the program "gives" to the CPU.

Assembly language is the language of reversing, there’s not a single action the program can make without it being translated in Assembly. In order to become a master in reverse engineering, one has to understand the Assembly language. I won’t be covering that because it’s a giant section and reading a book about it will be far better than anything you can find online. I hope you now understand the importance of knowing Assembly (particularly, the x86 assembly dialect) for the process of reverse engineering. Now that we know what reverse engineering means and that it’s based on the assembly language, it’s time to dive In to the world of reversing.

Prerequisites:
OllyDBG
A Windows Machine
The Will To Learn

OllyDBG
For reversers, OllyDbg is the best tool out there because it has been designed from the ground up as a reversing tool, and as such it has a very powerful built-in disassembler. However, it’s greatest strength lies in its disassembler, which provides incredibly powerful code-analysis features. OllyDbg’s code analyzer can identify everything from loops and switch blocks to running a program instruction by instruction, adding breakpoints and changing the assemble which is basically the code. Another wonderful feature is the built-in assembling and patching engine, which makes it every cracking enthusiast’s favorite. Analysing binaries with the tool is incredibly useful when the source code isn’t available in simpler words. Remember that OllyDbg is primarily seen as a debugger even tough it does have an amazingly integrated code disassembler.

Step 1: Starting OllyDbg
To start OllyDbg, locate the shortcut or the directory of the installation and start the software. Upon launching the program you’ll notice that it has the familiar dropdown list menu for navigating around the different functions.

[Image: be3c2c0c6bc183c9ebab7a904ac653a7.png]

Step 2: Loading a Executable into OllyDbg
In order to load a executable in OllyDbg you need to navigate to File > Open and load your executable from there.
Pro tip: You could also drag a executable directly into OllyDbg.

Once you’ve loaded the executable into OllyDbg, it will begin analysing the code and converting it to readable assembly language. In this case I picked a random executable laying around my SSD. In future tutorials, it’s important to know that I won’t be using OllyDbg because it’s very complex for beginners and requires a good understand of the Assembly language. I’ll most likely make a few reversing tutorials with IDA Pro since it has a better disassembler and is a bit easier to use. OllyDbg is within the malware field mostly for doing exactly what the program was made for, debugging.
 
[Image: KQXfpU3.png]

If we take a look at the above image I’ve attached, you’ll see that OllyDbg takes the disassembled code and separates it into several windows. In the top left window you’ll be able to see thevirtual addresses of the instructions and in the top right window you’ll see the CPU registers. If we take a look at the bottom section we’ll be able to see what kind of data is residing in the memory and in the lower right window we can see the stack calls. Don’t forget the lower right corner which displays the status.

Step 3: The different code views
We can view our Assembly code in different ways by clicking on the View button of the top menu. You’ll see that each list view option will have a key bind associated with it, with the exception of "patches" which uses the Ctrl key.

[Image: 262d0e43494d753d94adcc18a517cc01.png]

If we select the Executable modules from the list of options we’ll see a list of all the file executables associated below. The Executable Modules Window shows the base virtual address to the far left, the virtual size of the binary in memory in the second column, the Entry Point’s virtual address in the third column, the name of the module in the fourth column, file version, and file path for each module loaded in the process. If the text appears in Red, that means the module was loaded dynamically.

[Image: c2ce8d2a70991bf8108d038cb2e9ef92.png]

From there you can right click in order to open up the context menu and do many different things, click “View names”. You’ll be granted with a list of all the functions used and imported by the program. It’s a great option to use when you’re analysing malware because you’ll be able to decipher the functionality of themalware on a much deeper level. The MSDN API documentation outlines what the different functions do which is essential in order to understand how the malware operates.

[Image: 0c643dfbb4755036dfac405820ccd96a.png]

By right clicking on a function we can set a breakpoint (BP), alternatively pressing the shortcut key F2.

[Image: 8e1f68f0ae57631a7e07990439cd64b8.png]

If we head over to View > Memory we’ll be taken to OllyDbg’s Memory Map window which shows the different virtual address, the virtual size, the owner module, section names, memory allocation type and memory protection for each allocated region of memory in the process.

[Image: f900a986f1185f5f8298f9a0c0bd5a31.png]

OllyDbg’s Threads window can be found by going to View > Threads. You’ll see the thread ID, Entry Point virtual address, the Thread Environment Block (TEB) virtual address, the last-error value, status such as, active or suspended, the priority, and the timing information for each thread in the process.

[Image: 5a94d467c339c021b7e379cc899eb335.png]

The Windows window displays the Handle, Title, Parent Window, Window ID, Window Style, and Window Class Information for each window owned by the process.

[Image: 36d5d8e2358869f75bfb13cebcd969f1.png]

The Handles window shows the object type, reference count, access flags, and the object name for each handle owned by the process.

[Image: f940c2ee23e11ec4d41a81f62cf61f13.png]

The SEH (Structured Exception Handler) chain window shows the Structured Exception Handler functions for the current thread.  

[Image: e63ac37e5500f18a9542307b49f7886c.png]

OllyDbg Frequently Used Shortcuts
Spoiler:
UI

Open new program F3

Close program Alt+F2

Maximize/restore active windows F5

Make OllyDbg topmost window Alt+F5

Close OllyDbg Alt+X

Windows

Open breakpoints window Alt+B

Open CPU window Alt+C

Open modules window Alt+E

Open log window Alt+L

Open memory window Alt+M

Editing

Add label : (Colon)

Add comment ; (Semicolon)

Edit memory Ctrl+

Assemble Space

Undo changes Alt+BkSp


Execution

Step into F7

Animate into Ctrl+F7

Step over F8

Animate over Ctrl+F8

Run application F9

Pass exception handler and run Shift+F9

Execute till return Ctrl+F9

Execute till user code Alt+F9

Trace into Ctrl+F11

Trace over Ctrl+F12

Pause F12

Pause trace conditional Ctrl+T

Run to selection F4

Breakpoints

Set/Unset breakpoint F2

Set/Edit conditional breakpoint Shift+F2

Set/Edit conditional log breakpoint Shift+F4

Temporarily disable/restore BP Space

Data

Analyze executable code Ctrl+A

Scan object files Ctrl+O

Display symbolic names Ctrl+N

Searching

Find selected address xrefs Ctrl+R

Find jumps to line Ctrl+J

Search for sequence Ctrl+S

Search allocated memory Ctrl+L

Search binary Ctrl+B

Search for a command Ctrl+F

Repeat last search Ctrl+L

Navigation

Go to origin * (Asterisk)

Go to address of expression Ctrl+G

Go to previous address - (Minus)

Go to next address + (Plus)

Go to previous procedure Ctrl+-

Go to next procedure Ctrl++

Go to previous reference Alt+F7

Go to next reference Alt+F8

Follow expression Ctrl+G

Follow jump or call Enter

View call tree

Final Words

Please do note that it takes me a tremendous amount of time to write this and format it. Nonetheless, I hope you enjoyed reading my second part of the malware analysis series and I’m looking forward to hear what your take is on this, would you be interested in more?
Let me know!
(This post was last modified: 07-29-2019, 02:50 PM by Tracefl0w. Edit Reason: Typos. )


Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.

[+] 1 user Likes Tracefl0w's post
Reply

RE: [#2] Introduction To Reverse Engineering With OllyDBG #2
I remember using this tool a long time ago. Although I never actually figured it out. I just used my basic knowledge on other tools like it. For reverse engineering anything binary file now, I just use ILSpy.
[Image: tumblr_n4fsswcwZa1sbhzgao1_250.gif]

"Crack it open, throw it in a pan and let it cook." ~ Filthy Frank

Reply

RE: [#2] Introduction To Reverse Engineering With OllyDBG #3
(07-28-2019, 11:25 PM)Drako Wrote: I remember using this tool a long time ago. Although I never actually figured it out. I just used my basic knowledge on other tools like it. For reverse engineering anything binary file now, I just use ILSpy.
It's very rare that you have to use a native disassembler these days, but it's essential in the malware world. I used to be a very faithful user of ILSpy, but eventually switched to DnSpy. The switch was mainly that DnSpy had an integrated Debugger, basically being able to attach a running process and debug it without having the source code, even though it feels like it. Being able to edit the disassembled C# code directly and later on simply recompile it and save a new version of the software, was just marvelous.
(This post was last modified: 07-28-2019, 11:34 PM by Tracefl0w. Edit Reason: Typos. )


Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.

Reply

RE: [#2] Introduction To Reverse Engineering With OllyDBG #4
(07-28-2019, 11:34 PM)Tracefl0w Wrote:
(07-28-2019, 11:25 PM)Drako Wrote: I remember using this tool a long time ago. Although I never actually figured it out. I just used my basic knowledge on other tools like it. For reverse engineering anything binary file now, I just use ILSpy.
It's very rare that you have to use a native disassembler these days, but it's essential in the malware world. I used to be a very faithful user of  ILSpy, but eventually switched to DnSpy. The switch was mainly that DnSpy had an integrated Debugger, basically being able to attach a running process and debug it without having the source code, even though it feels like it. Being able to edit the disassembled C# code directly and later on simply recompile it and save a new version of the software, was just marvelous.

Oh I did mean DnSpy. I just remembered that ILSpy was close to DnSpy, and I didn't feel like digging for its name. I also thought that DnSpy was way better than the latter option, ILSpy.
[Image: tumblr_n4fsswcwZa1sbhzgao1_250.gif]

"Crack it open, throw it in a pan and let it cook." ~ Filthy Frank

[+] 1 user Likes Drako's post
Reply

RE: [#2] Introduction To Reverse Engineering With OllyDBG #5
Along with Import Rec, PEiD, W32DASM and a few others, I haven't used OllyDBG In years. I still have almost every plugin.

That aside, an excellent tutorial Indeed.
[Image: AD83g1A.png]

Reply

RE: [#2] Introduction To Reverse Engineering With OllyDBG #6
(07-29-2019, 04:15 AM)mothered Wrote: Along with Import Rec, PEiD, W32DASM and a few others, I haven't used OllyDBG In years. I still have almost every plugin.

That aside, an excellent tutorial Indeed.
Jesus, that's been a longtime ago. Certainly brings back many memories from 2002.


Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.

Reply

RE: [#2] Introduction To Reverse Engineering With OllyDBG #7
(07-29-2019, 09:06 AM)Tracefl0w Wrote:
(07-29-2019, 04:15 AM)mothered Wrote: Along with Import Rec, PEiD, W32DASM and a few others, I haven't used OllyDBG In years. I still have almost every plugin.

That aside, an excellent tutorial Indeed.
Jesus, that's been a longtime ago. Certainly brings back many memories from 2002.

It certainly dates back quite a while. In fact, probably around the same time you've mentioned.

Once my computing tasks are under control, I'm planning to get back Into the scene.
[Image: AD83g1A.png]

[+] 1 user Likes mothered's post
Reply






Users browsing this thread: 1 Guest(s)