
Reverse Engineering and How It Applies to Cyber Security

Authors:
Sri Lanka Institute of Information Technology
Reverse Engineering in Cyber Security
Individual Assignment
IE2022 - Introduction to Cyber Security
Submitted by:
Student Registration Number: IT19300788
Student Name: C.V Wanigathunga
06/05/2020
Table of Contents
Abstract, page 3
1. Introduction, page 4
2. Evolution of the topic, page 6
3. Future developments in the area, page 13
4. Conclusion, page 15
Page 2 of 19
Abstract
In the field of cyber security, reverse engineering uses what is known about a security
vulnerability to determine how the attacker gained access to the network and which steps
were taken to access the system. The reverse engineering method was previously used for
hardware, but it now also applies to applications, database systems and so on. Reverse
engineering helps to accomplish tasks such as finding vulnerabilities, researching malware,
analysing the complexity of restoring core software algorithms, and many more. There are
many reverse engineering tools for these purposes, such as disassemblers, debuggers and hex
editors. These allow analysts to convert data into useful forms: disassemblers convert binary
code into assembly code, debuggers analyse binaries in a similar way to disassemblers, and
hex editors are used to edit the binary content of software. The Seltzer Security Corp says of
reverse engineering that its "repeatable forensics steps should assist members of the defense
community in developing a structured approach to understanding inner-workings of malicious
software." Reverse engineering is superior to other security approaches in that it not only
detects or eliminates malware; it is also a form of risk management, since malware that has
been reverse engineered can be studied to see how it operated. Today, however, reverse
engineering is under scrutiny because of copyright and patent laws, so there is a legal issue
when it comes to reverse engineering.
1. Introduction
Reverse engineering is the process of extracting information or design constructs from
anything man-made. The procedure was originally used for hardware only, but it is now
applied to software, database systems and human DNA as well. In the cyber security field,
reverse engineering is used to uncover the details of a security hole: how the attacker gained
entry to the system, and which measures were taken to enter it. Cyber criminals use a broad
range of computer manipulation methods to break into corporate networks.
Attackers share common targets and are experienced, motivated, coordinated and well funded.
Reverse engineering helps us recognise their strategies so that they can be avoided in
future. The common reasons for reverse engineering a piece of software are to replicate the
program, to construct something equivalent to it, to exploit its vulnerabilities or to enhance
its protections. Scientists and engineers have used reverse engineering to evaluate the
structure of a product in order to produce complementary or compatible products. Reverse
engineering is also an essential training tool for researchers and learners of many kinds,
who reverse engineer technology to explore its structure and learn from it.
Reverse engineering also applies to the replication of another manufacturer's product
following a thorough analysis of its design or structure. It involves taking the product apart
to understand how it works, in order to enhance or duplicate it. This makes it possible to
determine the basic operating principle and function of the structures under study. Through
reverse engineering, a student can collect the technical information required to document the
performance of a technology or a component of a system. When reverse engineering software,
researchers can analyse the internals of a system and detect its weaknesses in terms of
efficiency, protection and compatibility. Individual producers can compete in an environment
that rewards the evaluation of dominant products, and security audits enable software users
to protect their systems and networks well by exposing security flaws. The invention of better
products and the compatibility of current products often start with reverse engineering.
Security analysts can use reverse engineering to determine how difficult it is to attack a
given piece of software. Where that turns out to be possible, specialists can advise on the
directions from which a potential attacker might cause trouble. This strategy is particularly
helpful for designers of security software, who deal with a wide variety of data formats and
standards, perform a lot of research on user problems, and must guarantee that their code
works consistently with third-party applications.
Some malicious programmers use reverse engineering to identify software vulnerabilities
which they can then exploit, while many others in cyber security use reverse engineering to
find vulnerabilities with the purpose of improving the defences against them. In order to work
out when and how changes should be made to their own products, technology firms with
competing products reverse engineer their competitors' programs. Some businesses use
reverse engineering to build products of their own because they do not yet have comparable
products and want to create something unique. Many people who wish to build their own
product based on an existing one favour reverse engineering over inventing from scratch,
since once the parts and the specifications are understood, the process of reconstruction
becomes much easier.
2. Evolution of the topic
A great deal of work has been accomplished in the area of reverse engineering over the
last 20 years. The preliminary findings were published at venues such as the Working
Conference on Reverse Engineering (WCRE), the International Conference on Software
Maintenance (ICSM), the International Conference on Program Comprehension (ICPC),
the International Workshop on Source Code Analysis and Manipulation (SCAM), ICSM
and ICSE workshops, and other major conferences on software engineering.
In 1990, the IEEE identified reverse engineering as "the method of evaluating a subject
system to recognize elements of the system and related interactions, and to construct
system models in another type or at a high level of analysis," where the "subject system"
is the end result of software design. Reverse engineering is purely an inspection process:
the software being studied is not altered (altering it would be re-engineering or
restructuring). Reverse engineering can start from any product of the development process,
not necessarily from the final operational result. Reverse engineering has two aspects:
redocumentation and design recovery. Redocumentation produces a new representation of the
program code so that it is easier to understand, while design recovery uses deduction or
reasoning from general knowledge or personal observation of the system in order to fully
understand the product's features; it can be seen as "moving backwards through the
development process". In this method, the output of the development process (in the form of
source code) is reversed back to the analysis stage, an inversion of the conventional waterfall
structure. Another term for this strategy is program comprehension. The Working Conference
on Reverse Engineering (WCRE) was held annually to survey and extend reverse engineering
techniques. Computer-aided software engineering (CASE) and automatic code generation have
contributed greatly to the area of reverse engineering. To prevent both reverse engineering
and re-engineering of proprietary software and software-powered machines, software
anti-tamper mechanisms such as obfuscation are used. Two major forms of reverse engineering
are emerging in practice. In the first, source code for the software is already available, but
higher-level aspects of the program are lost, poorly documented, or documented but no longer
accurate. In the second, no source code is available for the program, so any attempt to find
one possible source code for the program is called reverse engineering. This second use of
the term is the one familiar to most people. Reverse engineering of technology can use the
clean-room design strategy to avoid copyright infringement.
Protocols in Reverse Engineering
Protocols are sets of rules that define the format of messages and how they are exchanged.
Accordingly, the problem of reverse engineering a protocol can be subdivided into two
sub-problems: reverse engineering the message format and reverse engineering the state
machine. Message formats have usually been reverse engineered through a tedious manual
process that involves studying how the protocol implementation handles messages, but recent
research has proposed a variety of automated solutions. Generally, these automated methods
either group observed messages into clusters using specific clustering techniques, or emulate
the protocol implementation while tracing how it processes the messages.
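The following script is an added example for the message-format sub-problem described above; it is not code from this paper. The protocol and its captures are constructed inside the script so it runs offline, and the heuristics it applies are the observations an analyst makes by hand on unknown traffic: bytes that never change (a magic value), bytes with few distinct values (a type field), one byte that predicts the total message length, and a trailer that matches a simple checksum of the payload.

```python
"""Infer a binary message layout from captured samples (added example)."""
from collections import defaultdict
from functools import reduce


def _make_sample(kind, payload):
    # Constructed "unknown" protocol: magic(2) | type(1) | length(1) | payload | sum8(1)
    return b"\xab\xcd" + bytes([kind, len(payload)]) + payload + bytes([sum(payload) & 0xFF])


# Constructed captures standing in for messages recorded off the wire.
CAPTURES = [_make_sample(1, b"ABC"), _make_sample(1, b"HELLO"), _make_sample(2, b"XY"),
            _make_sample(2, b"OK"), _make_sample(1, b"A"), _make_sample(3, b"BYE")]

CHECKSUMS = {"sum8": lambda p: sum(p) & 0xFF,
             "xor8": lambda p: reduce(lambda a, b: a ^ b, p, 0)}


def find_length_field(msgs, prefix_len):
    """Return (position, overhead) if one header byte predicts len(msg) for every capture."""
    for pos in range(prefix_len):
        overheads = {len(m) - m[pos] for m in msgs}
        if len(overheads) == 1:
            return pos, overheads.pop()
    return None


def classify_prefix(msgs, length_pos):
    """Label each byte of the common prefix: constant, enum, length or variable."""
    labels = []
    for pos in range(min(len(m) for m in msgs)):
        distinct = {m[pos] for m in msgs}
        if pos == length_pos:
            labels.append("length")
        elif len(distinct) == 1:
            labels.append("constant")
        elif len(distinct) <= len(msgs) // 2:      # few values across many captures: type/flags
            labels.append("enum")
        else:
            labels.append("variable")
    return labels


def detect_checksum(pairs):
    """Return the name of a checksum that every one-byte trailer matches, else None."""
    for name, fn in CHECKSUMS.items():
        if all(len(trailer) == 1 and trailer[0] == fn(payload) for payload, trailer in pairs):
            return name
    return None


def infer_layout(msgs):
    prefix_len = min(len(m) for m in msgs)
    length = find_length_field(msgs, prefix_len)
    labels = classify_prefix(msgs, length[0] if length else None)
    # The fixed header ends where bytes start to vary freely (the payload).
    header_len = labels.index("variable") if "variable" in labels else prefix_len
    layout = {
        "constant": {i: msgs[0][i] for i, lab in enumerate(labels) if lab == "constant"},
        "enum": {i: sorted({m[i] for m in msgs}) for i, lab in enumerate(labels) if lab == "enum"},
        "length": length,
        "header_len": header_len,
        "checksum": None,
        "groups": {},
    }
    if length:
        pos, _overhead = length
        pairs = [(m[header_len:header_len + m[pos]], m[header_len + m[pos]:]) for m in msgs]
        layout["checksum"] = detect_checksum(pairs)
    if layout["enum"]:
        type_pos = min(layout["enum"])            # first low-cardinality byte: the type field
        groups = defaultdict(list)
        for m in msgs:
            groups[m[type_pos]].append(m)
        layout["groups"] = dict(groups)
    return layout


if __name__ == "__main__":
    for key, value in infer_layout(CAPTURES).items():
        print(key, value)
```

On the constructed captures the script reports a two-byte constant at positions 0 and 1, a type field at position 2, a length byte at position 3 with a fixed overhead of 5, a four-byte header, and a one-byte trailer equal to the payload sum modulo 256; the state-machine sub-problem (which message types may follow which) would be the next step and is not covered here.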
Cyber Security
The relation between security and reversing may not be immediately obvious to some
people, but reversing is linked to various computer security implications. Reversing is
widely used at both ends of the spectrum in connection with malicious software: it is used
by malicious programmers and by the developers of countermeasures alike. Reversing is also
familiar to crackers, who use it to examine and subsequently eliminate various copy
protection systems.
Reverse engineering malware is standard practice among businesses that develop
protection software. By identifying and analysing a piece of malware, a cyber security
company can develop methods to mitigate the strategies used by attackers, instead of
reactively designing protections against specific malicious programs.
Reverse engineering is often used to detect security vulnerabilities in software. Although
some businesses use it to establish protections against these security bugs, people
developing malicious software may use the same method to identify security vulnerabilities
that they can exploit.
Reverse engineering is widely used at each end of the malicious software chain. Malware
authors frequently use reverse engineering to find bugs in operating systems and other
applications. These weaknesses can be used to penetrate the security structures of the
system and allow exploitation, typically via the web. Beyond the initial infection, offenders
also use reversing to find bugs in software that let a malware program access confidential
information, or even take control of the device.
At the other end of the chain, anti-malware developers inspect and analyse any malicious
code that falls into their hands. They use reverse engineering strategies to track every step
the software takes and determine the harm it could do, the estimated infection rate, how it
can be removed from damaged systems, and whether exposure can be avoided entirely.
Many companies and individuals are already moving information from internal storage to
cloud-based storage, which offers multiple protection and operational benefits but is not
invulnerable. Even the most secure cloud storage systems, such as iCloud, cannot totally
secure your data, and attackers who reverse engineer the mechanisms that guard cloud-based
services can exploit even the safest of them. This issue is intensified as users transfer more
content to cloud storage, which in turn leads to many more cloud interfaces intended to
enhance the consumer experience. Each of these improvements opens another possible
weakness, and the possibility of misuse of user information grows. These are major modern
problems of reverse engineering in cyber security.
Reversing Tools
System Monitoring Tools: System-level reversing involves a range of tools that inspect,
track, explore, and sometimes even reveal the code being reversed. Many of these tools
display information about the program and its environment obtained from the operating
system. Since almost all interactions between a program and the outside world go through
the operating system, the operating system can be used to obtain this data.
System-monitoring tools can track networking operations, file access, access to system
files, and the like. Some tools show a program's use of OS artifacts such as mutexes,
streams, events, etc.
Disassemblers: Disassemblers are programs that take a program's executable binary as
input and generate text files containing the assembly language program for the whole code
or part of it. This is a relatively simple process, since assembly code is essentially a
textual mapping of the machine code. Disassembly is a CPU-specific process, though many
disassemblers support several CPU architectures. A high-quality disassembler is a major part
of an RE toolkit, yet some reverse engineers prefer to use the well-developed disassemblers
embedded in their favourite debuggers.
Debug Tools: If you have ever tried even basic software development, you have probably
used a debugger. The core idea behind a debugger is that it is not really possible for
programmers to imagine everything their software can do; programs are typically too
complicated for a person to accurately predict every possible outcome. A debugger is a
program that allows software developers to monitor their code while it runs. A debugger's
two most basic features are the ability to set breakpoints and the ability to trace through
the code. There are plenty of debuggers on the market. The basic way to debug an application
is to place a breakpoint at the point of interest and then start the program; execution stops
when that instruction is about to run and the debugger shows the current values. This aspect
relates directly to cracking: developers usually use Windows API functions to read a serial
code or to build a nag screen or dialog box.
Decompilers: The next step up from disassemblers is the decompiler. A decompiler takes a
binary executable file and tries to generate high-level, readable source code from it. The
aim is to reverse the process of compilation, to get the original source file or something
close to it. Actual recovery of the source code is not feasible on most platforms: in certain
high-level languages there are major components that are always removed during compilation
and cannot be recovered. Even so, decompilers are powerful tools that can recreate highly
readable source code from a binary program under certain circumstances and conditions.
Hex editors: Hex editors can modify the value at a memory address while the program is
running. However, it is neither helpful nor a successful crack if we need to adjust the value
every time we run the program, so we use hex editors on the file itself. A hex editor lets us
edit any file that contains data in hex layout; the file contents are shown in hex format. We
first find the memory address whose value has to be adjusted using SoftICE, and then change
the same bytes in the file. HIEW is the most common among these editors; the name stands for
"Hacker's perspective." This small program provides many functions, such as editing in hex or
ASCII format and searching for any sequence in hex or ASCII. Another nice feature that sets it
apart is that you can rewrite the assembly code and it automatically converts it to the
equivalent hex bytes.
Unpackers: Programmers have often used file compression tools such as UPX and ASPack to
reduce program size. These are called file packers. A packer applies some algorithm that
shrinks the file and adds code to the executable; at runtime the unpacking stub is executed
first, and then the program is decompressed, or unpacked, into memory. Although the program
we need to examine is unpacked in memory, it can only be disassembled and patched there at
runtime. Hence we use an unpacker to recover the unpacked executable, which can then be
saved to disk. If a program uses a packer, the packer must adjust the executable's header.
File Analyzer Tools: Tools of this kind are used to recognise which packer was used to
pack a file. With them an analyst can learn which compiler or packer was used to protect
the shareware. The program works by simple byte-signature matching, so you can find out
which compiler or language the software was built with. There are other programs of this
kind available, including File Inspector.
'!"!!",
!!
)!!!!!
-"
28*"
8$8*"
28*"
*")!!"'$!"
$""
!!!!
!"!2*"
'""!+
!9$"
""%!"!
$2*,:""
$
8$8*"
Page 10 of 19
8$#*",(!)!
!$"$'$
)!!"
'!"!
"+#"%'
"!"
!!"!#!"!

!
IDA Pro: IDA Pro is a very useful tool for examining different malware samples from a
range of backgrounds. It also has a nice add-on called the Hex-Rays Decompiler, a tool that
turns assembly language into easier-to-read pseudocode; it can help you understand the code's
functionality more quickly than looking at assembly. When you open a sample in IDA Pro you
see the malware's entry point. It also has a graph view, and you can switch between the
graph view and the hex view. It will also give you a short overview of the execution flow.
If you want to build plug-ins to customise it and obtain some of the helpful details, it has
an SDK you can use, and IDA Pro also has a Python API if you prefer Python. The platform
has debugging capabilities as well, but IDA Pro is primarily used for structured, static
reverse engineering of malware.
PEiD: Other resources we use are file identification tools like this one. They help us
understand the sample's structure in the first place. When you look at screenshots of any of
these tools, they tell you where the sample's entry point is, which section it lies in, and
whether the sample is packed. They can also recognise more than a dozen packers, and even
recognise cryptors and programming languages.
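The script below is an added example for the unpacker, file-analyzer and PEiD passages above; it is not code from this paper, from PEiD or from any other product. It parses the PE headers directly, locates the section that holds the entry point, measures each section's Shannon entropy, and reports the usual packer hints: well-known packer section names, an entry point sitting in the last section, high entropy in the entry section, and a section with virtual size but no raw data (the target the unpacking stub writes into). Both PE images are constructed inside the script by build_pe(), and the 7.0 entropy threshold and the short name list are common analyst heuristics rather than a signature database.

```python
"""Entry-point section, entropy and packer hints for a PE file (added example)."""
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}
FILE_ALIGN = 0x200
OPT_HEADER_SIZE = 224          # PE32 optional header


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image from (name, virtual_address, raw_bytes) tuples (test input only)."""
    headers_len = 0x40 + 4 + 20 + OPT_HEADER_SIZE + 40 * len(sections)
    first_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN              # round up to alignment
    raw_ptr, sec_table, blobs = first_raw, b"", b""
    for name, vaddr, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        sec_table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 len(data) or 0x1000, vaddr, raw_size,
                                 raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(OPT_HEADER_SIZE, b"\0")
    return (dos + coff + opt + sec_table).ljust(first_raw, b"\0") + blobs


def shannon_entropy(data):
    """Bits per byte; near 8.0 means compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob):
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", blob, pe_off + 24 + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, pe_off + 24 + opt_size + 40 * i)
        data = blob[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(data), 2)})
    return {"entry_rva": entry_rva, "sections": sections}


def analyze(blob):
    info = parse_pe(blob)
    secs, ep = info["sections"], info["entry_rva"]
    ep_sec = next((s for s in secs if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    findings = []
    known = {s["name"] for s in secs} & PACKER_SECTION_NAMES
    if known:
        findings.append("packer section names: " + ", ".join(sorted(known)))
    for s in secs:
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']} has no raw data (unpack target)")
    if ep_sec is None:
        findings.append("entry point outside all sections")
    else:
        if ep_sec["entropy"] > 7.0:
            findings.append(f"entry section {ep_sec['name']} has high entropy ({ep_sec['entropy']})")
        if len(secs) > 1 and ep_sec is secs[-1]:
            findings.append("entry point in the last section (typical unpacking stub)")
    return {"entry_section": ep_sec["name"] if ep_sec else None,
            "sections": secs, "findings": findings, "likely_packed": bool(findings)}


# Constructed inputs: a plain layout and a UPX-style packed layout.
_rng = random.Random(7)
CLEAN_PE = build_pe([(".text", 0x1000, b"\x55\x89\xe5\x90" * 64),
                     (".data", 0x2000, b"constructed sample data\0")], entry_rva=0x1010)
PACKED_PE = build_pe([("UPX0", 0x1000, b""),
                      ("UPX1", 0x2000, bytes(_rng.getrandbits(8) for _ in range(2048)))], entry_rva=0x2100)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, analyze(image))
```

Running the script on a real file is a matter of passing open(path, "rb").read() to analyze(); the packed sample trips all four hints, the clean build none of them, which is the same signal a file analyzer gives before an unpacker or debugger is brought in.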
Immunity Debugger: If you open a sample in Immunity Debugger, you will be given a warning
that the sample is packed and asked whether you would like to continue with the analysis. If
you start the analysis, you can see the entry point, because that is where the registers are
pushed onto the stack. This debugger can be used to step through the unpacking routine to
see the unpacked sample in memory. You then continue to review the sample and use the
debugger's features to identify the actions of the malware and its impact on the device. We
use Wireshark or tcpdump to capture network traffic.
Sandboxes: Sandboxes are an essential phase in reverse engineering malware, as malware
frequently does not reveal its features unless it runs in a suitable environment. One
sandbox for malware comes from the people who created Cuckoo Sandbox. You submit a
sample of malware and run it inside a VM. Then you can run multiple static analysis tools
and dynamic analysis tools such as those mentioned above and turn the results into an
accessible report.
A further modern platform is Hybrid Analysis. It is made by Payload Protection, and it
works very similarly, but they operate some special sandboxes of their own that may or may
not be Cuckoo related.
3. Future developments in the area
3!!!!$
"7""
 '"!%
*!"!
!!
"!"$;
!"7
"<:
!!"&!$!

""!#!"

2!!"
!"#!!"
 !"!/
"!!!
*"
!"
:""!!$
$!"""
'7
-"
:!)!"##
'%!
Reverse engineer: The simplest approach is to reverse engineer a piece of malware fully.
Clearly this takes a lot of time, so other approaches are more realistic.
Methods of exploitation: Another approach you might take is to concentrate on the methods
a piece of malware uses to exploit its target. You will regularly see malware that uses a
different manipulation strategy or exploits a zero-day weakness. In this case you can limit
yourself to the basic technique of the attack, time-box your research, and then look at the
methods of exploitation.
Obfuscation: malware sometimes turns itself inside out and makes itself very hard to
examine. You may come across malware you have seen before, but which is now obfuscated.
In that case you might just want to concentrate on reverse engineering the new components.
Encryption methods: Ransomware is a growing kind of malware nowadays. Essentially,
ransomware encrypts the user's files and locks them so that they cannot be opened or read.
Ransomware writers sometimes err when implementing the encryption protocols, and if you
concentrate your work on the encryption methods, you might find flaws in their
implementation, hard-coded keys, or weak implementations.
Communication with C&C: This is something that is done very often when you look at
threats. Experts also try to find out what the communication framework is between the
malicious component on the user's side and the operational side of the server. The
communication protocol will give you a lot of clues about the strengths of the malware.
Attribution: This typically involves a great deal of conjecture, knowledge of hacking
groups, and more than one piece of malware being examined.
Categorisation and grouping: In a wider context, you can reverse engineer malware in
bulk. This involves looking at malware in volume and carrying out a wide-ranging review
across various threats, instead of deep research into one.
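The script below is an added example for the "Encryption methods" item above; it is not code from this paper and does not model any real ransomware family. The "locker" is a deliberately weak stand-in constructed for the demo (repeating-key XOR with a key hard-coded in the binary), and the locker binary, victim file and key are all constructed inside the script. The point it shows is the analyst's recovery workflow when an implementation is weak: strings extracted from the sample are tried as the key and validated against a known file header, and, independently, known header bytes are XORed against the ciphertext to expose key bytes directly.

```python
"""Recover files locked by a constructed toy locker with a weak scheme (added example)."""
import re

# Constructed stand-in for the locker binary: the strings an analyst would see in a
# strings dump, including the hard-coded key (a real sample would be far larger).
LOCKER_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00\x00\x00"
    + b".locked\x00"
    + b"s3cr3t-k3y!\x00"
    + b"\x7f\x03\x00\x00"
    + b"Your files are encrypted\x00"
)
HARDCODED_KEY = b"s3cr3t-k3y!"      # the value baked into LOCKER_BINARY above

# Constructed victim file: a PNG header followed by filler bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
VICTIM_FILE = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(64))
KNOWN_MAGICS = {"png": PNG_MAGIC, "pdf": b"%PDF-1.", "zip": b"PK\x03\x04"}


def toy_lock(data, key=HARDCODED_KEY):
    """The locker's 'encryption': XOR with a repeating key. XOR is its own inverse, so
    the same function decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED_FILE = toy_lock(VICTIM_FILE)


def extract_strings(blob, min_len=4):
    """Printable-ASCII runs: the static step a strings tool performs on the sample."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def file_type(data):
    """Name of a known format whose magic bytes open the data, else None."""
    for name, magic in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def recover_with_candidate_keys(ciphertext, candidates):
    """Try each string from the binary as the key; a recognised header validates the guess."""
    for cand in candidates:
        key = cand.encode()
        plain = toy_lock(ciphertext, key)
        if file_type(plain):
            return key, plain
    return None, None


def key_bytes_from_known_header(ciphertext, magic):
    """Known-plaintext weakness: header bytes XOR ciphertext bytes reveal the key bytes
    at those positions, without touching the binary at all."""
    return bytes(c ^ p for c, p in zip(ciphertext, magic))


if __name__ == "__main__":
    key, plain = recover_with_candidate_keys(ENCRYPTED_FILE, extract_strings(LOCKER_BINARY))
    print("key from strings:", key, "file type after decryption:", file_type(plain))
    print("key bytes from PNG header:", key_bytes_from_known_header(ENCRYPTED_FILE, PNG_MAGIC))
```

Both routes succeed only because the scheme is weak; against a correctly used modern cipher neither a strings dump nor a known header yields the key, which is exactly why the analysis concentrates on finding implementation flaws first.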
4. Conclusion
Reverse engineering is a profession that is very flexible and innovative. Using ingenuity
and imagination, engineers design innovations never seen before that support their
communities. They play a key role in extending the regional economy and fostering
interactions between businesses. Reverse engineering serves an enormous role in fostering
creative and successful minds that generate essentials in all industries. The process of
reverse engineering involves taking worn-down products apart to analyse how each component
works.
Exploring current prototypes and techniques: This is where we see what really happens in
reverse engineering. It involves any parts, systems, or processes that would otherwise
support communities. Investigating existing goods, thanks to reverse engineering, leads to
creativity and exploration.
Reconstruction of an old product: Understanding the product itself is a vital aspect of
redesigning an obsolete product. For an older system, reverse engineering offers the insight
needed to work out-of-date kinks. Efficiency is the process's most essential feature.
Exploring any product weaknesses: Like the previous stage, reverse engineering assists in
identifying product faults. This is to guarantee the health and security of consumers of the
product. It is safer for an issue to occur in the testing process than after delivery.
Getting less costly and more effective goods to market: The key objective of reverse
engineering is to lead engineers on a road to creativity and performance. Quality means
reducing the costs of production and increasing the performance of the product as much as
feasible.
Create a trustworthy CAD model for future reference: Many reverse engineering procedures
produce a fully working CAD file for future reference. A CAD file is generated which allows
the part to be automatically checked if future problems occur. This type of technology has
increased efficiency in engineering and in the communication of goods.
Encouraging new minds with outdated ideas: Reverse engineering eventually gives way to
revolutionary architecture. During the process, an engineer may discover a device that could
be valuable for a different project altogether. This illustrates how engineering ties programs
to prior knowledge.
Using static analysis: This is the method of examining malware or binaries without actually
running them. It can be as simple as viewing information from a file, and it can range from
disassembling or decompiling malware code to symbolic execution, which is something like
running a binary abstractly without really executing it in the real world.
Using dynamic analysis: The method of examining a malicious program by executing it in a
live environment is dynamic analysis. In this scenario you look at the malware's actions and
the symptoms of what it is doing. You run software such as Process Monitor to see what sorts
of objects a malicious program creates after loading. Automated analysis: many times, when
you are looking at malware, you just want to automate things to speed up the process. Take
care, however, because things are often overlooked by automated analysis when you are
trying to do something specific.
If a malicious program includes things like anti-debugging protocols or anti-analysis
structures, you might want to do a manual review. You must choose the right tools for the
job.
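The script below is an added example for the dynamic-analysis discussion above; it is not code from this paper or from Process Monitor, Cuckoo or any other sandbox. The event lines are constructed to look like a Process Monitor CSV export (time, process, PID, operation, path, result), the sandbox's own network is assumed to be 10.0.0.0/8, and the rules (Run-key persistence, executables dropped under Temp or AppData, connections leaving the sandbox, child processes) are ordinary triage heuristics. It also shows the caveat the paper raises: a malformed line is skipped rather than fatal, and a benign run with similar-looking file writes stays benign because no single rule decides the verdict.

```python
"""Triage constructed Process Monitor-style events from a sandbox run (added example)."""
import csv
import io

# Constructed event log, shaped like a Process Monitor CSV export.
SANDBOX_EVENTS = r"""10:01:02.101,sample.exe,1234,Process Create,C:\Users\victim\AppData\Local\Temp\svch0st.exe,SUCCESS
10:01:02.250,sample.exe,1234,WriteFile,C:\Users\victim\AppData\Local\Temp\svch0st.exe,SUCCESS
10:01:02.300,sample.exe,1234,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS
10:01:02.450,svch0st.exe,1300,TCP Connect,10.0.0.5:49152 -> 203.0.113.7:443,SUCCESS
10:01:02.500,sample.exe,1234,ReadFile,C:\Windows\System32\kernel32.dll,SUCCESS
10:01:03.000,svch0st.exe,1300,WriteFile,C:\Users\victim\Documents\report.docx.locked,SUCCESS
this line is malformed and must be skipped
"""

# Constructed control run: a text editor doing ordinary work inside the same sandbox.
BENIGN_EVENTS = r"""10:05:00.000,notepad.exe,2000,ReadFile,C:\Windows\System32\kernel32.dll,SUCCESS
10:05:00.100,notepad.exe,2000,WriteFile,C:\Users\victim\Documents\notes.txt,SUCCESS
10:05:00.200,notepad.exe,2000,TCP Connect,10.0.0.5:49200 -> 10.0.0.1:445,SUCCESS
"""

INTERNAL_PREFIXES = ("10.", "127.")                    # assumption: the sandbox LAN
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".ps1")
SCORED = ("persistence", "dropped_executables", "external_connections", "child_processes")


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue
        time, process, pid, op, path, result = row
        yield {"time": time, "process": process, "pid": int(pid),
               "op": op, "path": path, "result": result}


def remote_endpoint(path):
    """'10.0.0.5:49152 -> 203.0.113.7:443' -> '203.0.113.7:443'"""
    return path.split("->")[-1].strip()


def triage(text):
    report = {"persistence": [], "dropped_executables": [], "external_connections": [],
              "child_processes": [], "documents_written": []}
    for ev in parse_events(text):
        if ev["result"] != "SUCCESS":
            continue
        low = ev["path"].lower()
        if ev["op"] == "RegSetValue" and any(k in low for k in PERSISTENCE_KEYS):
            report["persistence"].append(ev["path"])
        elif ev["op"] == "WriteFile":
            if low.endswith(EXEC_EXTENSIONS) and any(d in low for d in DROP_DIRS):
                report["dropped_executables"].append(ev["path"])
            elif "\\documents\\" in low:
                report["documents_written"].append(ev["path"])   # recorded, not scored
        elif ev["op"] in ("TCP Connect", "UDP Send"):
            remote = remote_endpoint(ev["path"])
            if not remote.startswith(INTERNAL_PREFIXES):
                report["external_connections"].append(remote)
        elif ev["op"] == "Process Create":
            report["child_processes"].append(ev["path"])
    # Two independent behaviours are required before a run is called suspicious.
    hits = sum(1 for k in SCORED if report[k])
    report["verdict"] = "suspicious" if hits >= 2 else "benign"
    return report


if __name__ == "__main__":
    for label, events in (("sample", SANDBOX_EVENTS), ("control", BENIGN_EVENTS)):
        print(label, triage(events))
```

The same function can be pointed at a real export by reading the CSV into text first; the verdict threshold and the scored categories are the knobs an analyst tunes, and anything the rules do not cover (anti-debugging checks, for instance) is exactly what still needs a manual review.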