# | Date | Topic | Slides | Supporting Materials |
---|---|---|---|---|
Class 1 | Aug 26, 2019 | Introduction | ch01.pptx | |
Class 2 | Aug 28, 2019 | IA-32 Register, Byte Ordering, x86 ASM | ch02.pptx | abexcm1-voiees.exe LittleEndian.exe LittleEndian.cpp HelloWorld.exe |
Class 3 | Sep 3, 2019 | x86 ASM, Stack | ch03.pptx | Stack.exe stack.py |
Lab 0 (6 points) | Sep 3, 2019 | Lab: Hello World. Due on: 09/10/2019 (CSC 497), 09/16/2019 (CSC 583) | Change the text in the pop-up window from "Hello World!" to "Hello Reversing", take a screenshot and upload the image to D2L. Lab0 Walkthrough is now available: [Link] | HelloWorld.exe Windows XP Environment Disclaimer |
Class 4 | Sep 5, 2019 | Stack Frame | ch04.pptx | StackFrame.exe StackFrame.cpp |
Class 5 | Sep 10, 2019 | Calling Convention, System Call, Introduction to PEDA and Pwntools | ch05.pptx | cdecl.c stdcall.c cdecl.exe stdcall.exe helloworld.asm shell.asm code.zip 1_sample.c 2_interactive.c 3_reversing.c |
Lab 1 (6 points) | Sep 10, 2019 | Lab: Stack and Stack Frame in Linux. Due on: 09/17/2019 23:59:59 (CSC 497), 09/25/2019 23:59:59 (CSC 583) | lab1.pdf | |
Class 6 | Sep 12, 2019 | Stack Overflow (1) | ch06.pptx | buffer.c buffer2.c overflow.c |
Class 7 | Sep 17, 2019 | Stack Overflow (2) | ch07.pptx | hello.asm test.c Shellcode overflow2.c |
Class 8 | Sep 23, 2019 | Stack Overflow Review: Classic Exploitation Technique (with PEDA, Pwntools) & Linux Binary Protections (ASLR, DEP, Stack Canaries) | ch08.pptx | overflow2.c overflow3.c template.py exploit.py exploit2.py exploit3.py |
Lab 2 (6 points) | Sep 23, 2019 | Lab: Stack Overflow. Due on: 10/01/2019 (CSC 497), 09/30/2019 (CSC 583) | lab2.pdf | |
Class 9 | Sep 25, 2019 | Return-oriented programming (ROP) | ch09.pptx | rop.c exploitROP.py exploitROP_template.py |
Class 10 | Sep 30, 2019 | Return-oriented programming (ROP) (2) | ch10.pptx | rop.c exploitROP.py rop2.c exploit_ROP2.py |
Class 11 | Oct 2, 2019 | Return-oriented programming (ROP) (3) & Dynamic Linking & Return-to-libc Attack & ASLR | ch11.pptx | reveal_address.c ret2lib.c ret2lib_Exploit.py niklasb/libc-database |
Class 12 | Oct 8, 2019 | Web Security (1) | ch12.pptx | |
Class 13 | Oct 10, 2019 | Web Security (2) | ch13.pptx | |
Lab 3 (6 points) | Oct 10, 2019 | Lab3: Return-oriented programming (ROP). Due on: 10/22/2019 (CSC 497), 10/23/2019 (CSC 583) | lab3.pdf [Hint] | Username: csc495 Password: csc495 |
Class 14 | Oct 15, 2019 | PLT, GOT & Return-to-plt Attack (Bypassing ASLR/NX) | ch14.pptx | ret2plt.c ret2plt_Exp.py |
Class 15 | Oct 17, 2019 | GOT Overwrite Attack (1) | ch15.pptx | bypassGOT.c exp_GOT.py |
Reading 1 (10 points) | Oct 17, 2019 | Reading Question 1: Hacking Blind. Due on: 10/29/2019 (CSC 497), 10/30/2019 (CSC 583) | ReadingQuestion.pdf | Hacking Blind paper Project Website |
Class 16 | Oct 22, 2019 | Multi-Stage Exploits | ch16.pptx | multi_stage.c exp_multi_stage.py |
Class 17 | Oct 24, 2019 | Stack Guard & Format String Bug | ch17.pptx | easy_canary_32.c easy_canary_exp_32.py easy_canary_64.c easy_canary_exp_64.py fmt_write.c fmt_wrong.c fmtstr.c fmtstr_exp.py |
Lab 4 (6 points) | Oct 28, 2019 | Lab: Multi-Stage Exploits. Due on: 11/14/2019. Your submission should include: a detailed project report in PDF format describing what you have done, including screenshots, code snippets and the content of flag.txt. | Target IP: 35.184.67.227; Target Port: 8888; Vulnerable program: lab4 (lab4.c); Target File (flag): flag.txt; ASLR/NX is on, StackGuard and PIE are off; Hint: Libc version: libc6-i386_2.27-3ubuntu1_amd64 [Link] | Username: csc495 Password: csc495 |
Class 18 | Oct 29, 2019 | Format String Bug (2) & Heap | ch18.pptx | fmt_write2.c fmt_test.c dump_bin.py fmt_test2.c fmt_test2_exp.py fmt_offset.py heap1.c |
Class 19 | Oct 31, 2019 | Heap Exploitation (1) | ch19.pptx | use_heap.c heap0.c exploit_heap0.py Pwndbg + GEF + Peda — One for all, and all for one |
Reading 2 (10 points) | Oct 31, 2019 | Reading Question 2: BlueBorne. Due on: 11/14/2019 | Reading Question2.pdf | blueborne technical paper Video (smartwatch takeover) |
Class 20 | Nov 6, 2019 | Heap Exploitation (2): Unlink Attack | ch20.pptx | babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c exp_babyfirst.py |
Class 21 | Nov 6, 2019 | Heap Exploitation (3): Unlink Attack, glibc | ch21.pptx | babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c exp_babyfirst.py |
Class 22 | Nov 13, 2019 | Heap Exploitation (4): glibc, House of force | ch22.pptx | hof.c bamboobox bamboobox_exp.py bamboobox.c |
Class 23 | Nov 18, 2019 | Heap Exploitation (5): Use After Free, Double Free & Kernel Exploitation | ch23.pptx | uaf.c doublefree.c babydriver.tar |
Final Project (30 points) | Nov 18, 2019 | Final: House of Force & ROP. Due on: 12/13/2019. Your submission should include: a detailed project report in PDF format describing what you have done, including screenshots, code snippets and the content of flag.txt. | Target IP: 35.223.19.224; Target Port: 8888; Vulnerable program: final (final.c); Target File (flag): flag.txt; 64-bit (not 32); ASLR/NX and StackGuard are on, PIE is off; Hint: Libc version: libc6_2.23-0ubuntu11_amd64 [Link]; Hint: ROP gadgets information [Link] [Hint] | Username: csc497 Password: csc497 |
Class 24 | Dec 2, 2019 | Kernel Exploitation | ch24.pptx | uaf.c babydriver.tar |
Reading 3 (10 points) | Dec 2, 2019 | Reading Question 3: Kernel Exploit and the future of Software Security. Due on: 12/13/2019 | ReadingQuestion3.pdf | OVER-THE-AIR: HOW WE REMOTELY COMPROMISED THE GATEWAY, BCM, AND AUTOPILOT ECUS OF TESLA CARS |