Reverse Engineering Coursework: manual static analysis

Posted 2020-10-02 17:40 (Friday) | Category: assignment writing | Views: 5


IY3840 (2018-2019) – Coursework #1


Reverse Engineering Botnet Domain Generation Algorithms

Daniele Sgandurra

This assignment is due on Tuesday, March 19th, 2019, 11:59pm (UK Time)

Overview

In this assignment, you will practice reverse engineering as a form of manual static analysis. This assignment will count 20% towards your final course mark.

Coursework description

Some families of botnets contact their C&C servers with domain names generated using domain generation algorithms (DGAs). Sometimes, every new version of a bot binary is embedded with a different set of DGA input parameters (e.g., a seed, known to the cyber attackers only, and the date of the generation – usually, the current date) so as to generate several, different domain names of C&C servers in an attempt to make it hard for law enforcement agencies and cyber-security researchers to shut down botnet operations.

For this coursework, you will be provided with a binary implementing a DGA, which you have to reverse engineer (using IDA[1], on any supported platform) and run (on a Linux system) to understand its inner working. In particular, you are interested in discovering the way future domains are generated. The ELF-64 binary file to be analyzed is available on Moodle, and is called dga[2].


Questions

NOTE:

Please note that for each answer to each question you need to report the requested values (if any) and justify the answer (e.g., how/why/what) in the submitted answers document. Furthermore, for some questions, some additional files have to be included in the submission (these files do not have to be included in the document as well, e.g. screenshots) – see the “Submission” Section below for the submission specification. Full marks will be given for an answer/solution that is complete and does not have inconsistencies. You should try all questions and submit what you have done, even if you are unable to complete some of the questions. Some marks are given for a correct approach even when the overall solution is incomplete or incorrect.

If you have trouble understanding something, please ask a question on the Moodle discussion forum. However, if the question gives away solution details, write a private e-mail instead of a public question. Similarly, if answering questions of others (on Moodle or in person), do not give any form of help that you would not expect the course lecturer to give. In the following, studentSeed has to be computed using the SHA256 of your candidate ID, taking the first four characters of the resulting hash and converting them to ASCII codes – see the provided example below.

[1] A free version of IDA can be obtained here: https://www.hex-rays.com/products/ida/support/download_freeware.shtml.

[2] Please note that the provided binary is benign.
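The coursework description above treats the DGA as a deterministic function of a seed and a date, and the studentSeed rule needs a small hash-and-convert step. The Python below is an added example written for this page; it is not the coursework's dga binary, whose actual algorithm is what the student has to recover, and not Hex-Rays or Moodle material. `toy_dga` is a constructed stand-in (SHA256 over seed and date, mapped to letters), `student_seed` follows the SHA256/ASCII rule stated in the text, and `future_domains` shows the defender's use of recovered parameters: enumerating the names the bot will try on upcoming dates so they can be registered or sinkholed first.

```python
import hashlib
from datetime import date, timedelta

# Toy generator constructed for this illustration. It is NOT the algorithm inside the
# coursework's dga binary; only the seed + date -> domain shape is shared.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")


def toy_dga(seed: int, day_iso: str, length: int = 12) -> str:
    """Derive one C&C domain from (seed, date); same inputs always yield the same name."""
    day = date.fromisoformat(day_iso)
    digest = hashlib.sha256(f"{seed}:{day.isoformat()}".encode()).digest()
    label = "".join(ALPHABET[b % 26] for b in digest[:length])
    return f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def future_domains(seed: int, start_iso: str, days: int) -> list:
    """With seed and algorithm recovered, list the names the bot will try on each of the
    next `days` days, so a defender can sinkhole them before the operators use them."""
    start = date.fromisoformat(start_iso)
    return [toy_dga(seed, (start + timedelta(days=i)).isoformat()) for i in range(days)]


def seed_series(base_seed: int, count: int, day_iso: str) -> list:
    """Domains for seeds base_seed+1 .. base_seed+count on one date (the shape of question 5)."""
    return [toy_dga(base_seed + i, day_iso) for i in range(1, count + 1)]


def ascii_codes(text: str) -> str:
    """Concatenate the decimal ASCII code of each character: '3147' -> '51495255'."""
    return "".join(str(ord(c)) for c in text)


def student_seed(candidate_id: str) -> int:
    """studentSeed as defined in the coursework: SHA256 of the candidate ID (as text),
    first four hex characters, each replaced by its ASCII code."""
    prefix = hashlib.sha256(candidate_id.encode()).hexdigest()[:4]
    return int(ascii_codes(prefix))


if __name__ == "__main__":
    seed = student_seed("18001234")  # candidate ID from the submission example below
    print("studentSeed:", seed)
    for name in future_domains(seed, "2019-03-19", 5):
        print(name)
```

Because the hex prefix consists of digits and the letters a to f, every ASCII code is two digits and the resulting studentSeed is always eight digits long; the page's example value 51495255 comes from the prefix 3147.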

1. Using IDA, find the values in dga of (i) the seed and (ii) the attack date (day, month, year) passed to the DGA function. Then, rename these variables in the dga binary with meaningful names using IDA.

Answers document: provide these values and briefly justify how you have found them. Additional files: provide a screenshot of the IDA assembly snippet showing these variables (renamed). The file with the screenshot should be named studentSeed-IY3840-Coursework1-IDA1.png. (10 marks)

2. Using IDA, try to understand how to get the domain name generated by the DGA by running dga without modifications, and then run it. Hint: understanding the edi and rsi registers[3] might help.

Answers document: provide the name of the generated domain and briefly justify how you were able to retrieve it. Additional files: provide a screenshot of the relevant IDA assembly snippet and a screenshot of the generated domain. These files should be named, respectively, studentSeed-IY3840-Coursework1-IDA2.png and studentSeed-IY3840-Coursework1-domain1.png. (20 marks)

3. Using IDA, patch dga[4] to replace the embedded seed and attack date with, respectively, your studentSeed and the date of the submission (19 March 2019). Then, run the patched dga (on a Linux system) to retrieve the new domain as in the previous step.

Answers document: provide the name of the new generated domain. Additional files: provide the patched dga, which should be named studentSeed-IY3840-Coursework1-dga-patched1, and a screenshot of IDA showing the assembly snippet with the patched variables (with their replaced value), which should be named studentSeed-IY3840-Coursework1-IDA3.png, as well as the screenshot of the new generated domain, which should be named studentSeed-IY3840-Coursework1-domain2.png. (10 marks)

4. Using IDA, find a way to patch dga (in two points) so that the seed can be read from the command line and passed to the DGA function. Hint: find an existing variable that can be user-controlled.

Answers document: briefly describe your approach. Additional files: provide the patched dga, which should be named studentSeed-IY3840-Coursework1-dga-patched2. (30 marks)

5. Generate 10 domains by running the patched dga with 10 seeds (as in the previous step), from (your studentSeed + 1) to (your studentSeed + 10). For each domain, compute its “frequency value”[5] using the Freq tool[6], and similarly compute the “frequency value” of the top 10 sites[7]. Create a chart with these values composed of two lines with different colours (one for the 10 DGA domains, one for the top 10 Alexa sites).

Answers document: briefly explain the results. Additional files: provide the screenshot of the generated domains, which should be named studentSeed-IY3840-Coursework1-domain3.png, as well as the graph of the frequency values, which should be named studentSeed-IY3840-Coursework1-frequency.png. (20 marks)

6. Answers document: briefly explain the flow/logic of the main function in the dga binary (you don’t need to describe the inner working of the DGA function). (5 marks)

7. Answers document: briefly explain a possible way to disarm the botnet operations once you have retrieved the domain name of a future C&C server from the dga binary. (5 marks)

[3] See x86 calling conventions on Linux: https://en.wikipedia.org/wiki/X86_calling_conventions#System_V_AMD64_ABI.

[4] See here: https://www.hex-rays.com/products/ida/support/idadoc/526.shtml.

[5] See https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/.

[6] Available at: https://github.com/markbaggett/freq

[7] According to Alexa: https://www.alexa.com/topsites
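Question 5 compares the “frequency value” of DGA names with that of popular sites. The Python below is an added example for this page, not the Freq tool's own code (https://github.com/markbaggett/freq) and not part of the coursework: it builds a letter-bigram table from a small constructed English sample, scores the second-level label of a domain by the geometric mean of the conditional bigram probabilities P(next | previous), and flags labels that fall below an assumed threshold. The sample text, the Laplace smoothing, the 0..100 scaling and the threshold of 5 are all choices made for this illustration; a real deployment would train on a large English corpus.

```python
import math
import re

# Constructed sample text: a few English sentences plus well-known site names.
CORPUS = """
the quick brown fox jumps over the lazy dog while the other animals watch from the
network of paths that leads through the forest and over the hill to the old town where
people work in the morning and then rest in the evening with their families at home
there are many things that they would like to do with the time that they have and
the internet and the web let them search for news and shop at online stores
google youtube facebook amazon wikipedia yahoo twitter instagram reddit netflix
"""


def train_bigrams(text):
    """Count letter pairs inside words; returns (pair_counts, first_letter_totals)."""
    pairs, totals = {}, {}
    for word in re.findall(r"[a-z]+", text.lower()):
        for a, b in zip(word, word[1:]):
            pairs[(a, b)] = pairs.get((a, b), 0) + 1
            totals[a] = totals.get(a, 0) + 1
    return pairs, totals


PAIRS, TOTALS = train_bigrams(CORPUS)


def bigram_prob(a, b):
    """P(b | a) with add-one smoothing, so unseen pairs get a small non-zero value."""
    return (PAIRS.get((a, b), 0) + 1) / (TOTALS.get(a, 0) + 26)


def second_level_label(domain):
    """Letters of the label left of the TLD ('www.example.com' -> 'example').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z]", "", label)


def freq_score(domain):
    """Geometric mean of P(next | prev) over the label, scaled to 0..100.
    Readable names score high; random-looking DGA labels score low."""
    label = second_level_label(domain)
    if len(label) < 2:
        return 0.0
    logs = [math.log(bigram_prob(a, b)) for a, b in zip(label, label[1:])]
    return 100 * math.exp(sum(logs) / len(logs))


def is_suspicious(domain, threshold=5.0):
    """Assumed cut-off: unseen bigrams can never score above 100/26 (about 3.8)."""
    return freq_score(domain) < threshold


def score_table(domains):
    """(domain, score) pairs sorted from most to least readable, as for the question 5 chart."""
    return sorted(((d, round(freq_score(d), 2)) for d in domains), key=lambda p: -p[1])


if __name__ == "__main__":
    sample = ["thenetwork.com", "www.google.com", "xqzjkvwq.net"]  # constructed input
    for name, score in score_table(sample):
        print(f"{name:20s} {score:6.2f} {'SUSPICIOUS' if is_suspicious(name) else 'ok'}")
```

Plotting the two series side by side, as the question asks, makes the gap visible: names built from English-like letter pairs cluster well above the floor, while DGA output sits close to the smoothing floor regardless of the seed.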

Submission

You have to submit your work electronically via the Moodle submission link at the course page. You must submit a single zip file named studentSeed-IY3840-Coursework1.zip containing a folder called studentSeed-IY3840-Coursework1 including the following files (and nothing else):

  • Answers document: a 1-page PDF document including the answers using an 11pt font and 0.5in margins (both like this document’s formatting). The PDF should report at the top IY3840, Coursework#1, and your studentSeed. The PDF should be named studentSeed-IY3840-Coursework1-answers.pdf.
  • Additional files: screenshots and patched binaries as specified in the questions above.

The files you submit cannot be uploaded/updated/read by anyone else. You can, however, update your submission as often as you like by resubmitting, though only the last version submitted will be kept. Please note that all your submissions will be graded anonymously. Hence, do not include any form of identification in the submission (e.g., student ID, candidate ID, name, surname, etc.). Regardless of anything else, a submission might be given 0 marks in the following cases:

  • Nothing is submitted or the submission cannot be opened/read
  • Submitted after the deadline
  • A submission that does not follow the given specifications (e.g., providing a PDF longer than 1 page, not submitting a zip file, etc.)
  • Plagiarism or similar behaviours

NOTE: All the work you submit should be solely your own work. Coursework submissions are routinely

An example of a submission is shown in the following.

Submission example

Student with candidate ID 18001234 wants to submit their coursework. To get the studentSeed, the student computes the SHA256[8] of 18001234: in this example, the first four characters of the computed SHA256 string are 3147. When encoding 3147 in ASCII[9], the student gets 51495255, which is their studentSeed. This student submits a single zip file, called 51495255-IY3840-Coursework1.zip. This zip file contains a folder, called 51495255-IY3840-Coursework1, which includes the following files:

51495255-IY3840-Coursework1-answers.pdf
51495255-IY3840-Coursework1-dga-patched1
51495255-IY3840-Coursework1-dga-patched2
51495255-IY3840-Coursework1-domain1.png
51495255-IY3840-Coursework1-domain2.png
51495255-IY3840-Coursework1-domain3.png
51495255-IY3840-Coursework1-frequency.png
51495255-IY3840-Coursework1-IDA1.png
51495255-IY3840-Coursework1-IDA2.png
51495255-IY3840-Coursework1-IDA3.png

An example of the answers document submitted by this student (file named 51495255-IY3840-Coursework1-answers.pdf) is shown in the next page.

[8] You can use this online tool: https://passwordsgenerator.net/sha256-hash-generator/

[9] You can use this online tool: https://onlinestringtools.com/convert-string-to-ascii

IY3840, Coursework#1, 51495255

1. Lorem ipsum dolor sit amet, consectetur adipiscing Quisque in volutpat mauris. Pellentesque pulvinar dapibus feugiat. Morbi vitae auctor nulla. In hac habitasse platea dictumst. Sed nec diam in purus condimentum consectetur. Praesent rhoncus, nisl non congue placerat, justo libero tincidunt diam, vel laoreet enim lectus sit amet justo. Aenean porttitor nec diam sit amet vestibulum. Vestibulum ac tempus mi, vitae pulvinar metus. Nunc scelerisque magna nec tellus auctor finibus. Praesent semper nisi a gravida mollis. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Mauris convallis porttitor elit, at scelerisque ligula condimentum vitae. Sed vehicula, augue sit amet ornare varius, nulla quam pulvinar nibh, quis faucibus felis odio id odio. Phasellus congue vestibulum auctor.

2. Donec gravida elementum arcu, vitae bibendum mi tempus eu. Etiam scelerisque mi lacus, sit amet tincidunt neque venenatis sit amet. Aliquam facilisis quam a justo condimentum laoreet. Maecenas eleifend scelerisque magna et consequat. Aliquam venenatis venenatis justo, in consectetur mi dictum et. Aliquam ex lacus, auctor quis dignissim id, faucibus sit amet Phasellus id ante nec felis luctus porta. Donec laoreet purus velit, sit amet ultricies eros rutrum et. Quisque accumsan ipsum non aliquam volutpat. Aenean eu urna maximus diam iaculis rhoncus id ac turpis. Nullam placerat, lacus consectetur fringilla vulputate, metus sapien faucibus mi, eu blandit lacus felis pellentesque neque.

3. Duis dapibus bibendum libero. Etiam ullamcorper finibus metus. Aliquam dignissim diam massa, id congue nisi gravida eget. Cras feugiat ornare feugiat. Morbi tincidunt risus id ex interdum, ut bibendum mi porttitor. Aliquam erat volutpat. Nullam quis nulla imperdiet, congue risus in, fermentum mauris. Suspendisse potenti. Fusce maximus tristique varius. Donec tincidunt est in vulputate ornare. Integer eget vulputate erat, sed ullamcorper Nam eleifend lorem in mi vehicula, id consectetur tortor lacinia. Duis fringilla commodo vulputate. Proin imperdiet a nisi sit amet molestie. Sed tortor eros, tincidunt sed lorem ac, aliquam vestibulum magna.

4. Donec posuere eget augue nec Maecenas ac venenatis ante. Nulla placerat quam sed ante malesuada imperdiet. Phasellus euismod tortor ut urna finibus maximus. Nam fermentum iaculis interdum. Donec non sollicitudin lorem. Donec aliquam mollis cursus. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Quisque euismod mattis augue, ac sodales augue vulputate sit amet. Morbi scelerisque placerat neque sit amet iaculis. Donec non ornare magna, a posuere neque. Morbi dictum vulputate diam id vehicula. In iaculis nisl euismod augue finibus tempus. Sed porta ornare scelerisque.

5. Mauris ac diam Donec commodo hendrerit justo sed condimentum. Aliquam malesuada viverra ipsum et volutpat. Nam ut ullamcorper mauris. In vitae nulla et neque egestas iaculis. Etiam quis enim congue, dictum metus a, posuere mauris. Suspendisse ac vulputate odio, a gravida enim. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Suspendisse potenti. Cras nec urna non risus commodo ullamcorper in mollis magna. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Lorem ipsum dolor sit amet, consectetur adipiscing elit.

6. Quisque malesuada libero libero, et egestas neque cursus a. Cras blandit nec magna id Maecenas quis est nec diam sollicitudin ullamcorper quis nec enim. Integer sed luctus risus, nec vestibulum quam. Vestibulum in volutpat leo. Nullam pulvinar eu leo eget tristique. Duis dignissim nunc nisl, sit amet aliquet orci pulvinar in. Quisque enim nibh, lobortis eu diam vitae, hendrerit convallis dolor. Integer nisl metus, vestibulum in mauris vel, malesuada dapibus odio. Morbi rutrum tincidunt erat eu laoreet. Donec purus dui, aliquet sit amet purus in, lacinia tempor tellus.

7. Nam eget libero commodo, semper justo congue, faucibus dui. Curabitur tempor felis ornare, porttitor eros non, auctor mauris. Nulla in augue in nibh ultrices lobortis hendrerit nec orci. Etiam posuere, justo ac varius tempus, ipsum odio volutpat libero, sed finibus dui nunc a Phasellus vitae convallis purus, quis condimentum arcu. Quisque accumsan turpis ex, suscipit rhoncus libero ultricies eget. Curabitur semper, nisi ac consequat tempor, tortor nisl ultricies lectus, eget convallis neque ipsum tincidunt nisi. Suspendisse eu lacus quis odio consectetur cursus. Praesent tristique justo arcu, non tempor elit vulputate non. Sed vulputate risus eu odio cursus scelerisque.
