Reversing C++

JadenNorton,United States,Researcher
Published Date:14-07-2017
Reversing C++
Paul Vincent Sabanal, X-Force R&D
Mark Vincent Yason, X-Force R&D
IBM Internet Security Systems, "Ahead of the threat."
© Copyright IBM Corporation 2007

Part I. Introduction

Introduction: Purpose
 * Understand C++ concepts as they are represented in disassemblies
 * Get a big-picture idea of what the major pieces (classes) of the C++ target are and how these pieces relate to each other (class relationships)

Introduction: Focus On…
 (1) Identifying Classes
 (2) Identifying Class Relationships
 (3) Identifying Class Members

Introduction: Motivation
 * Increasing use of C++ code in malware
   - Difficult to follow virtual function calls in static analysis
   - Examples: Agobot, Mytob, new malcodes from our honeypot
 * Most modern applications use C++
   - For binary auditing, reversers can expect that the target may be a C++-compiled binary
 * General lack of publicly available information regarding the subject of C++ reversing
   - The only good information is from Igor Skochinsky: https://www.openrce.org/articles/full_view/23

Part II. Manual Approach

Part II. Manual Approach: Identifying C++ Binaries & Constructs
Manual Approach: Identifying C++ Binaries & Constructs

 * Heavy use of ecx (this ptr)

   .text:004019E4 mov     ecx, esi
   .text:004019E6 push    0BBh
   .text:004019EB call    sub_401120

 * ecx used without being initialized

   .text:004010D0 sub_4010D0 proc near
   .text:004010D0 push    esi
   .text:004010D1 mov     esi, ecx                          ; esi = this (never set in this function)
   .text:004010DD mov     dword ptr [esi], offset off_40C0D0 ; this->vfptr = vftable
   .text:00401101 mov     dword ptr [esi+4], 0BBh            ; member at +4
   .text:00401108 call    sub_401EB0
   .text:0040110D add     esp, 18h
   .text:00401110 pop     esi
   .text:00401111 retn
   .text:00401111 sub_4010D0 endp

 * Parameters on the stack, ecx = this ptr

   .text:00401994 push    0Ch
   .text:00401996 call    ??2@YAPAXI@Z    ; operator new(uint)
   .text:004019AB mov     ecx, eax
   :::
   .text:004019AD call    ClassA_ctor

 * Virtual function calls (indirect calls)

   .text:00401996 call    ??2@YAPAXI@Z    ; operator new(uint)
   :::
   .text:004019B2 mov     esi, eax
   :::
   .text:004019FF mov     eax, [esi]      ; EAX = vftable
   .text:00401A01 add     esp, 8
   .text:00401A04 mov     ecx, esi
   .text:00401A06 push    0CCh
   .text:00401A0B call    dword ptr [eax] ; first slot of the vftable

 * STL Code and Imported DLLs

   .text:00401201 mov     ecx, eax
   .text:00401203 call    ds:?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z ; std::basic_streambuf<char,std::char_traits<char>>::sputc(char)

 * Caveat: the ecx heuristic is specific to MSVC's x86 thiscall convention. GCC/MinGW x86 code passes this on the stack as the first argument, and 64-bit code passes it in rcx (Windows) or rdi (System V). The portable signal is a register or argument that is used as a pointer at function entry without being initialized; which register holds it depends on the compiler and ABI.

Manual Approach: Class Instance Layout

   class Ex1 {
       int var1;
       int var2;
       char var3;
   public:
       int get_var1();
   };

   class Ex1 size(12):
       +---
    0 | var1
    4 | var2
    8 | var3
      | <alignment member> (size=3)
       +---
Manual Approach: Class Instance Layout

   class Ex2 {
       int var1;
   public:
       virtual int get_sum(int x, int y);
       virtual void reset_values();
   };

   class Ex2 size(8):
       +---
    0 | {vfptr}
    4 | var1
       +---

   Ex2::$vftable@:
    0 | &Ex2::get_sum
    4 | &Ex2::reset_values

Manual Approach: Class Instance Layout

   class Ex3 : public Ex2 {
       int var1;
   public:
       void get_values();
   };

   class Ex3 size(12):
       +---
      | +--- (base class Ex2)
    0 | | {vfptr}
    4 | | var1
      | +---
    8 | var1
       +---

Manual Approach: Class Instance Layout

   class Ex4 {
       int var1;
       int var2;
   public:
       virtual void func1();
       virtual void func2();
   };

   class Ex5 : public Ex2, Ex4 {
       int var1;
   public:
       void func1();
       virtual void v_ex5();
   };

   class Ex5 size(24):
       +---
      | +--- (base class Ex2)
    0 | | {vfptr}
    4 | | var1
      | +---
      | +--- (base class Ex4)
    8 | | {vfptr}
   12 | | var1
   16 | | var2
      | +---
   20 | var1
       +---
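The layouts above can be checked at runtime. What follows is an added example written for this page, not code from the slides or from IBM X-Force: it reproduces Ex1 through Ex5 as declared on the slides, measures member and sub-object offsets by pointer subtraction, and performs the `mov eax, [esi]` / `call dword ptr [eax]` dispatch by hand, reading the vfptr out of the first word of the object and calling a slot directly. It assumes a GCC/Clang build (Itanium C++ ABI, where `this` is passed as the first ordinary argument and vtable slots follow declaration order); the helper names, constructor bodies and initial values are this example's own.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// The five classes from the layout slides (constructor bodies added so the objects can be built).
class Ex1 {
    int var1;
    int var2;
    char var3;
public:
    Ex1() : var1(1), var2(2), var3('c') {}
    int get_var1() { return var1; }
    // Byte offset of var3 from the start of the instance (pointer subtraction, no offsetof).
    static std::size_t offset_var3() {
        Ex1 e;
        return static_cast<std::size_t>(reinterpret_cast<const char*>(&e.var3) -
                                        reinterpret_cast<const char*>(&e));
    }
};

class Ex2 {
    int var1;
public:
    Ex2() : var1(7) {}
    virtual int get_sum(int x, int y) { return x + y; }
    virtual void reset_values() { var1 = 0; }
    int value() const { return var1; }
    // var1 sits right after the vfptr, so this is sizeof(void*) on every ABI.
    static std::size_t offset_var1() {
        Ex2 e;
        return static_cast<std::size_t>(reinterpret_cast<const char*>(&e.var1) -
                                        reinterpret_cast<const char*>(&e));
    }
};

class Ex3 : public Ex2 {
    int var1;
public:
    Ex3() : var1(3) {}
    void get_values() {}
};

class Ex4 {
    int var1;
    int var2;
public:
    Ex4() : var1(0), var2(0) {}
    virtual void func1() {}
    virtual void func2() {}
};

class Ex5 : public Ex2, Ex4 {   // Ex4 is a private base, exactly as written on the slide
    int var1;
public:
    Ex5() : var1(5) {}
    void func1() override {}
    virtual void v_ex5() {}
    // Distance from the Ex5 object to its embedded Ex4 sub-object: the constant the compiler
    // adds to `this` when converting Ex5* to Ex4* before calling into Ex4's methods.
    static std::size_t ex4_subobject_offset() {
        Ex5 e;
        return static_cast<std::size_t>(reinterpret_cast<char*>(static_cast<Ex4*>(&e)) -
                                        reinterpret_cast<char*>(&e));
    }
};

// Read the vfptr stored in the first pointer-sized word of the object (mov eax, [esi]).
static void** vtable_of(const void* obj) {
    void** vtable;
    std::memcpy(&vtable, obj, sizeof(vtable));
    return vtable;
}

// Dispatch through slot 0 by hand (call dword ptr [eax]); assumes the Itanium ABI calling
// convention, where `this` is the first argument. Slot 0 is get_sum, the first virtual declared.
int call_get_sum_via_slot0(Ex2* obj, int x, int y) {
    using GetSumFn = int (*)(Ex2*, int, int);
    GetSumFn fn = reinterpret_cast<GetSumFn>(vtable_of(obj)[0]);
    return fn(obj, x, y);
}

// Slot 1 is reset_values; returns var1 afterwards so the effect is observable.
int call_reset_via_slot1(Ex2* obj) {
    using ResetFn = void (*)(Ex2*);
    reinterpret_cast<ResetFn>(vtable_of(obj)[1])(obj);
    return obj->value();
}

// Wrappers that build a fresh object, so each check is a single call.
int slot0_on_ex2(int x, int y) { Ex2 e; return call_get_sum_via_slot0(&e, x, y); }
int slot0_on_ex5(int x, int y) { Ex5 e; return call_get_sum_via_slot0(&e, x, y); }  // Ex2 is Ex5's primary base, offset 0
int slot1_on_ex2() { Ex2 e; return call_reset_via_slot1(&e); }

int main() {
    std::printf("sizeof(Ex1)=%zu, Ex1::var3 at +%zu\n", sizeof(Ex1), Ex1::offset_var3());
    std::printf("sizeof(Ex2)=%zu, Ex2::var1 at +%zu (after the vfptr)\n", sizeof(Ex2), Ex2::offset_var1());
    std::printf("Ex5: Ex4 sub-object (second vfptr) at +%zu\n", Ex5::ex4_subobject_offset());
    std::printf("slot0(Ex2,2,3)=%d slot0(Ex5,2,3)=%d slot1(Ex2) leaves var1=%d\n",
                slot0_on_ex2(2, 3), slot0_on_ex5(2, 3), slot1_on_ex2());
    return 0;
}
```

On a 64-bit build the absolute numbers differ from the 32-bit slide output (Ex2 is 16 bytes, the Ex4 sub-object of Ex5 sits at +16), but the structure is what the slides show: the vfptr is the first word, Ex2's var1 follows it, and Ex5 carries two vfptrs because each base with virtual functions keeps its own table. Raw slot calls like these are an analysis tool only: the cast from a vtable entry to a function pointer is compiler-specific and the slot order is an ABI detail, which is exactly why a reverser recovers it from the binary rather than from headers.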
Part II. Manual Approach: Identifying Classes

Manual Approach: Identifying Classes – Constructor/Destructor Identification

 * Global Objects
   - Allocated in the data segment
   - Constructor is called at program startup (from the CRT's static initializer table, before main)
   - Destructor is called at program exit
   - this pointer points to a global variable, so it is loaded as a constant address (mov ecx, offset ...)
   - To locate the constructor/destructor, examine the cross-references to that address

 * Local Objects
   - Allocated on the stack
   - Constructor is called at declaration
   - this pointer points to an uninitialized local variable (lea ecx, [ebp+var_X] with no prior store to var_X)
   - Destructor is called at block exit

 * Local Objects

   .text:00401060 sub_401060 proc near
   .text:00401060
   .text:00401060 var_C = dword ptr -0Ch
   .text:00401060 var_8 = dword ptr -8
   .text:00401060 var_4 = dword ptr -4
   .text:00401060 …(some code)…
   .text:004010A4 add     esp, 8
   .text:004010A7 cmp     [ebp+var_4], 5
   .text:004010AB jle     short loc_4010CE
   .text:004010AB
   .text:004010AB ; <block begin>
   .text:004010AD lea     ecx, [ebp+var_8]   ; var_8 is uninitialized
   .text:004010B0 call    sub_401000         ; constructor
   .text:004010B5 mov     edx, [ebp+var_8]
   .text:004010B8 push    edx
   .text:004010B9 push    offset str-WithinIfX
   .text:004010BE call    sub_4010E4
   .text:004010C3 add     esp, 8
   .text:004010C6 lea     ecx, [ebp+var_8]
   .text:004010C9 call    sub_401020         ; destructor
   .text:004010CE ; <block end>
   .text:004010CE
   .text:004010CE loc_4010CE:                ; CODE XREF: sub_401060+4Bj
   .text:004010CE mov     [ebp+var_C], 0
   .text:004010D5 lea     ecx, [ebp+var_4]
   .text:004010D8 call    sub_401020

Manual Approach: Identifying Classes – Constructor/Destructor Identification
 * Dynamically Allocated Objects
   - Allocated on the heap
   - Created via a new expression
     . operator new allocates memory on the heap
     . the constructor is then called on the returned pointer (ecx = eax)
   - Destroyed via a delete expression
     . the destructor is called
     . operator delete (often a thunk to free) de-allocates the object instance
   - Caveat: the test eax, eax / jz after operator new below is the compiler's null check for an allocator that may return NULL (pre-conforming MSVC runtimes, or new (std::nothrow)); a throwing operator new produces no such branch and the constructor call follows immediately. The test esi, esi before the destructor is the null check a delete expression performs, since delete on a null pointer is a no-op.

 * Dynamically Allocated Objects

   .text:0040103D _main proc near
   .text:0040103D argc = dword ptr 8
   .text:0040103D argv = dword ptr 0Ch
   .text:0040103D envp = dword ptr 10h
   .text:0040103D
   .text:0040103D push    esi
   .text:0040103E push    4                  ; size_t
   .text:00401040 call    ??2@YAPAXI@Z       ; operator new(uint)
   .text:00401045 test    eax, eax           ; eax = address of allocated memory
   .text:00401047 pop     ecx
   .text:00401048 jz      short loc_401055   ; allocation failed: skip the constructor
   .text:0040104A mov     ecx, eax
   .text:0040104C call    sub_401000         ; call to constructor
   .text:00401051 mov     esi, eax
   .text:00401053 jmp     short loc_401057
   .text:00401055 loc_401055:                ; CODE XREF: _main+Bj
   .text:00401055 xor     esi, esi
   .text:00401057 loc_401057:                ; CODE XREF: _main+16j
   .text:00401057 push    45h
   .text:00401059 mov     ecx, esi
   .text:0040105B call    sub_401027
   .text:00401060 test    esi, esi           ; delete NULL is a no-op
   .text:00401062 jz      short loc_401072
   .text:00401064 mov     ecx, esi
   .text:00401066 call    sub_40101B         ; call to destructor
   .text:0040106B push    esi                ; void *
   .text:0040106C call    j__free            ; call to free thunk function
   .text:00401071 pop     ecx
   .text:00401072 loc_401072:                ; CODE XREF: _main+25j
   .text:00401072 xor     eax, eax
   .text:00401074 pop     esi
   .text:00401075 retn
   .text:00401075 _main endp
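To see the three object lifetimes from these slides side by side, here is an added example (not the slides' or IBM X-Force's code) that logs every constructor and destructor call for a global, a stack-local and a heap object. It assumes a standard C++ toolchain; `Tracked`, `events()` and the logged strings are constructed for the example. The heap case uses `new (std::nothrow)` so the allocation may legitimately return NULL, the situation the slide's `test eax, eax` guards against.

```cpp
#include <cstddef>
#include <cstdio>
#include <new>
#include <string>
#include <vector>

// Event log shared by all Tracked objects (constructed for this example).
static std::vector<std::string>& events() {
    static std::vector<std::string> log;
    return log;
}

class Tracked {
    int value;
public:
    explicit Tracked(int v) : value(v) { events().push_back("ctor " + std::to_string(v)); }
    ~Tracked() { events().push_back("dtor " + std::to_string(value)); }
    int get() const { return value; }
};

// Global object: lives in the data segment; its constructor runs from the CRT's static
// initializer table before main(), its destructor at exit. In a disassembly `this` is a
// constant address (mov ecx, offset g_global), so cross-references to that address lead
// to the constructor and destructor.
static Tracked g_global(1);

// First logged event; "ctor 1" shows the global was built before any function below ran.
std::string first_event() {
    return events().empty() ? std::string() : events().front();
}

static std::vector<std::string> events_since(std::size_t start) {
    return std::vector<std::string>(events().begin() + static_cast<std::ptrdiff_t>(start),
                                    events().end());
}

// Local object: lives on the stack; constructed where it is declared and destroyed when the
// enclosing block ends. This is the shape of sub_401060 on the slide: the destructor call
// sits at the end of the `if` body, just before the block's exit label.
std::vector<std::string> run_local(int n) {
    std::size_t start = events().size();
    if (n > 5) {
        Tracked within_if(2);                              // lea ecx, [ebp+var_8]; call ctor
        events().push_back("use " + std::to_string(within_if.get()));
    }                                                      // lea ecx, [ebp+var_8]; call dtor
    return events_since(start);
}

// Heap object: new allocates and then constructs; delete destroys and then frees.
// new (std::nothrow) may return NULL, which is why the compiler emits the test eax, eax / jz
// guard before the constructor call (old MSVC runtimes returned NULL from plain operator new
// as well). delete on a null pointer is a no-op: the test esi, esi / jz before the destructor.
std::vector<std::string> run_heap(bool allocate) {
    std::size_t start = events().size();
    Tracked* p = allocate ? new (std::nothrow) Tracked(3) : nullptr;
    if (p) {
        events().push_back("use " + std::to_string(p->get()));
    }
    delete p;                                              // dtor, then operator delete / free
    return events_since(start);
}

int main() {
    std::printf("first event: %s\n", first_event().c_str());
    for (const std::string& e : run_local(7)) std::printf("local: %s\n", e.c_str());
    for (const std::string& e : run_heap(true)) std::printf("heap: %s\n", e.c_str());
    std::printf("run_local(1) logged %zu events, run_heap(false) logged %zu events\n",
                run_local(1).size(), run_heap(false).size());
    return 0;
}
```

When reversing, the pairing matters more than the storage class: every constructor found this way has a destructor on the same `this` at block exit, at program exit, or just before the call to free, and following those pairs is the quickest way to map which stack slots, globals and heap allocations are instances of the same class.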