Software Reverse Engineering Project

Reverse Engineering Project Requirements

You are required to reverse engineer a piece of real-world software.
Your reverse engineering work must not violate the End User License Agreement (EULA) for your selected program, or, if your work would violate the EULA, you must obtain permission from the developer in advance.
Your objective is to:
1. Fully understand the security aspects of your selected program.
2. Bypass some aspect of the security by "patching" the code.
3. Describe in detail how the software could be made more resistant to a reverse-engineering attack.
It is your responsibility to find a suitable program for this project---I will not provide a list of potential project topics.
At a minimum, you will need a disassembler, a debugger, and a hex editor. Additional tools may be needed, depending on the topic you select. The following specific tools could prove useful for your work:
- OllyDbg --- disassembler and debugger. According to the OllyDbg website, "OllyDbg is a shareware, but you can download and use it for free".
- IDAPro --- disassembler and debugger. There is a free evaluation version.
- PEBrowse --- free debugger (and disassembler).
- Process Monitor. Free.
- VMware --- "desktop virtualization software". Free version is (or was at one time) available.
- Virtual PC --- "powerful software virtualization solution". There is a 45-day free trial edition.
- If you want more info on the Windows Portable Executable (PE) file format file, see this article.
- Good resources on reverse engineering include is this website and the book Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software, by M. Sikorski and A. Honig.
- To see examples of some types of security techniques you are likely to encounter in software, see the book Crackproof Your Software, by P. Cerven.
- You will probably need a source of information on assembly code. Many good resources are available online.
- See this website for additional information on tools, many useful SRE-related links, etc.
All projects will be graded on the same basis, and all projects will be ranked against all other projects. Outstanding projects may get a 10 point bonus.
Instructor approval of your selected topic, via email, is required. The topics are first come, first served. For your email, use subject line "CS265-01 SRE Topic" or "CS265-02 SRE Topic", as appropriate. You must email your project topic to me at stamp@cs.sjsu.edu by the date given on the greensheet. If I have any issues or concerns regarding your selected topic, I will inform you promptly. If you select a topic and find that it is too difficult, it is possible to change to a different project. However, this will cost you a significant amount of time, so it is to your advantage to spend some effort to initially select a feasible topic.
No written report is required, but you must be prepared to give an oral presentation at any time on or after the due date. During the oral presentation you must demonstrate at least one of your attacks, by reverse engineering the executable in real time.
The due date for the project is given on the greensheet.
It is essential that you start on this project as soon as possible after completing project 1.