Reverse Engineering at University


Kayaker
September 27th, 2007, 02:48
It's interesting how RE has moved into the mainstream in recent years, it's such a desired skill that it's finally being taught at the academic level. Most of us have had, and continue to, learn whatever we could pick up in the trenches, but it's good that the young'uns have an opportunity to get a structured introduction to it.

Here are a couple of current course outlines I happened upon that have some course material available that might be of some interest:


CS675 Software Reverse Engineering
http://www.cs.drexel.edu/~spiros/teaching/CS675/index.html

This particular paper stood out..

A Survey of Reverse Engineering Tools for the 32-bit Microsoft Windows Environment
http://www.cs.drexel.edu/~spiros/teaching/CS675/asmrceFINAL.pdf


CS 592: Security Practicum: Cheating in On-line Games
http://www.thefengs.com/wuchang/work/courses/cs592_spring2007/


Kayaker

LLXX
September 27th, 2007, 03:26
Quote:
This course is intended primarily for advanced graduate students with considerable programming experience.
It seems like this particular instructor set a rather high entrance bar...

I also teach some programming courses, mainly Asm and C, and there are a few assignments that could be considered reversing, but I haven't designed and applied for a full course in RE yet. (If/when I do, it'll probably be for 2nd or 3rd-year level.)

Definitely a positive thing, that particular article you linked is a good read; certainly many times better than the "cracking tutorials" we've seen.

blurcode
September 27th, 2007, 04:52
They describe OllyDbg as the Swiss Army Knife, and their PE information is less than basic.
I think these classes are a trend to get more ppl.

Cheating in On-line Games course looks good though

blabberer
September 27th, 2007, 09:07
Nice to know this discipline is being accepted and being taught at university levels.

The pdf should have a few more reviews and research.

Quote:

OllyDbg, however, has one major shortcoming: its inability to trace into SYSENTER calls. This command, introduced by the Intel Pentium II processor, was designed for making fast system calls. It is often invoked by Windows Structured Exception Handler, and thus employed by many advanced protection schemes. These protection schemes use the exception handler to execute necessary code, check if a program is being debugged, and clear the debug registers. When OllyDbg hits a SYSENTER command, however, it is unable to trace into it, and simply executes until the next exception. This is a major shortcoming of the debugger, and requires the user to break at SYSENTER commands, analyze the registers, and then determine where the target code of the SYSENTER command is, in order to trace into it.


Is SYSENTER the only culprit? Was it able to enter INT 2E and INT 2Bs on processors where SYSENTER didn't exist?


"Simply executes until the next exception"??? Which exception?? What's he talking about??

Code:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012FD2C 77F42DF7 Includes 7FFE0302 ntdll.ZwQueryInformationProc 0012FEE0
0012FD30 77E4A011 Maybe ntdll.ZwQueryInformationProcess kernel32.77E4A00F 0012FEE0
0012FD34 FFFFFFFF hProcess = FFFFFFFF
0012FD38 00000001 InfoClass = 1
0012FD3C 0012FEB8 Buffer = 0012FEB8
0012FD40 00000020 Bufsize = 20 (32.)
0012FD44 00000000 pReqsize = NULL
0012FEE4 004A320C ? <JMP.&KERNEL32.GlobalMemoryStatus> OLLYDBG.004A3207 0012FEE0
0012FEE8 0012FEEC pMemStat = 0012FEEC
0012FF0C 004A2AFF ? OLLYDBG.004A31FC OLLYDBG.004A2AFA
0012FF28 004A3059 OLLYDBG.004A2AD4 OLLYDBG.004A3054
0012FF2C 00000001 Arg1 = 00000001
0012FF3C 004A3020 OLLYDBG.004A3024 OLLYDBG.004A301B 0012FF38
0012FF48 004A2861 OLLYDBG.004A2FFC OLLYDBG.004A285B 0012FF44
0012FF54 004A27C1 OLLYDBG.004A2FFC OLLYDBG.004A27BB 0012FF50
0012FF60 004ACBDF OLLYDBG.004A27B4 OLLYDBG.004ACBDA 0012FF5C
0012FF64 00000100 Arg1 = 00000100
0012FF6C 004AD151 Includes OLLYDBG.004ACBDF OLLYDBG.004AD14E 0012FF90
0012FF94 004AD2F3 OLLYDBG.004AD0C8 OLLYDBG.004AD2EE 0012FF90
0012FF98 0050A658 Arg1 = 0050A658
0012FF9C 00000000 Arg2 = 00000000


Code:

0012FD2C 77F42DF7 RETURN to ntdll.ZwQueryInformationProcess+0C

Log data
Address Message
7FFE0302 Unable to set breakpoint
7FFE0302 Unable to set breakpoint
7FFE0302 Hardware breakpoint 1 at 7FFE0302
7FFE0302 Hardware breakpoint 1 at 7FFE0302
77F42DF7 Hardware breakpoint 2 at ntdll.77F42DF7

77F42DEB >/$ B8 A1000000 MOV EAX,0A1
77F42DF0 |. BA 0003FE7F MOV EDX,7FFE0300
77F42DF5 |. FFD2 CALL EDX
77F42DF7 \. C2 1400 RETN 14





"the user to break at SYSENTER commands, analyze the registers, and then determine where the target code of the SYSENTER command is, in order to trace into it."

If he knows the register, how come he could trace into it with OllyDbg? Does someone have any ideas (user mode only)?

Anyway, nice to see some momentum.
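An added example (my own Python, not code from the thread or from the paper) that decodes the ntdll stub bytes shown in the OllyDbg listing above: it recovers the service number from MOV EAX, the dispatcher address in SharedUserData from MOV EDX, and the stdcall argument count from RETN 14, which matches the five arguments of ZwQueryInformationProcess in the call stack. It also recognises the older "LEA EDX,[ESP+4]; INT 2E" stub shape, which goes beyond the listing; those bytes are constructed for illustration and reuse the 0xA1 number only as a sample.

```python
import struct

# Bytes constructed from the listing: MOV EAX,0A1 / MOV EDX,7FFE0300 / CALL EDX / RETN 14
ZW_QUERY_INFORMATION_PROCESS_STUB = bytes.fromhex("B8A1000000" "BA0003FE7F" "FFD2" "C21400")

# Constructed sample of the older stub shape: MOV EAX,0A1 / LEA EDX,[ESP+4] / INT 2E / RETN 14
INT2E_STUB_SAMPLE = bytes.fromhex("B8A1000000" "8D542404" "CD2E" "C21400")

KI_FAST_SYSTEM_CALL = 0x7FFE0300   # SharedUserData!SystemCallStub, as in the listing


def decode_syscall_stub(code: bytes) -> dict:
    """Parse an ntdll Nt*/Zw* entry stub and return the service number,
    the dispatcher it jumps through, and the stdcall argument count.
    Raises ValueError when the bytes are not one of the two stub shapes."""
    if (len(code) >= 15 and code[0] == 0xB8 and code[5] == 0xBA
            and code[10:12] == b"\xFF\xD2" and code[12] == 0xC2):
        # MOV EAX,imm32 ; MOV EDX,imm32 ; CALL EDX ; RETN imm16
        service = struct.unpack_from("<I", code, 1)[0]
        dispatcher = struct.unpack_from("<I", code, 6)[0]
        cleanup = struct.unpack_from("<H", code, 13)[0]
        entry = "CALL EDX"   # indirect call into SharedUserData (SYSENTER on P6+, INT 2E otherwise)
    elif (len(code) >= 14 and code[0] == 0xB8
            and code[5:11] == b"\x8D\x54\x24\x04\xCD\x2E" and code[11] == 0xC2):
        # MOV EAX,imm32 ; LEA EDX,[ESP+4] ; INT 2E ; RETN imm16
        service = struct.unpack_from("<I", code, 1)[0]
        dispatcher = None    # no shared-user-data trampoline; the trap instruction is inline
        cleanup = struct.unpack_from("<H", code, 12)[0]
        entry = "INT 2E"
    else:
        raise ValueError("not an ntdll system-call stub (MOV EAX/CALL EDX or MOV EAX/INT 2E)")
    if cleanup % 4:
        raise ValueError("RETN operand is not a multiple of 4")
    return {
        "service_number": service,
        "dispatcher": dispatcher,
        "via_shared_user_data": dispatcher == KI_FAST_SYSTEM_CALL,
        "arg_count": cleanup // 4,   # stdcall: each argument is one dword
        "entry": entry,
    }


if __name__ == "__main__":
    for name, stub in (("ZwQueryInformationProcess", ZW_QUERY_INFORMATION_PROCESS_STUB),
                       ("INT 2E sample", INT2E_STUB_SAMPLE)):
        print(name, decode_syscall_stub(stub))
```

Five arguments times four bytes gives the RETN 14 (0x14 = 20) seen at 77F42DF7, so the stub can be matched to its prototype without stepping through the dispatcher.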

Silver
September 27th, 2007, 13:07
Very interesting. So to open the discussion further, what do you guys think should be on a syllabus for an RE course. Eg:

Semester 1:
- Reversing on Windows
- win32api review
- .....?

_xhp_
September 27th, 2007, 19:15
Quote:
[Originally Posted by Kayaker;68864]
CS 592: Security Practicum: Cheating in On-line Games
http://www.thefengs.com/wuchang/work/courses/cs592_spring2007/


I saw this one a while ago and was quite surprised to see such a class - I wish my university had something like it... I think the professor was a bit of an overachiever - as far as I can see most students had only basic RE skills and most of them were faced with advanced packers, and it was no surprise they didn't get far.

naides
September 27th, 2007, 20:38
I could suggest one or two among this board's members to be invited faculty for this class!

LLXX
September 27th, 2007, 22:14
Quote:
[Originally Posted by Silver;68877]Very interesting. So to open the discussion further, what do you guys think should be on a syllabus for an RE course.

- Introduction and Principles of Reverse Engineering
- Review of x86 Architecture
- Models of Execution Flow
- Hex Editing
- Disassemble and Modify simple .COM and .EXE file
- Introduction to 32-bit PE
- Disassemble and Modify simple 32-bit PE

That should be enough for one term.