HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 45 guests and 2 members online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Columnsarrow Heffnerarrow [Article]-Intro to Reverse Engineering - Part 2
EH-Net
May 23, 2013, 04:18:34 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: [Article]-Intro to Reverse Engineering - Part 2  (Read 161704 times)
0 Members and 1 Guest are viewing this topic.
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 4167


Editor-In-Chief


View Profile WWW
« on: October 26, 2007, 04:49:48 PM »
This one is intense, but I'm sure you won't mind.  Cool

Permanent Link: [Article]-Intro to Reverse Engineering - Part 2

Quote

In Part 1, Intro to Reverse Engineering - No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We're proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques - primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.

Let us know what you think,
Don
Logged
CISSP, MCSE, CSTA, Security+ SME
yohan900
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #1 on: November 06, 2007, 09:10:28 PM »
Great articles.  I am kind of confused about this part in your tutorial.

Press F8 until you arrive at the instruction 'MOV EAX, DWORD PTR DS:[403000]'. This instruction is moving the contents located at the memory address of 00403000 into the EAX register. The very next instruction moves the contents of EAX into a local variable on the stack starting 28 bytes below EBP.

Why is it 28 bytes below the base pointer?  Is that the amount the string "\nThis is a test application!\n" adds up to being?

So if the EBP is 0022FF78h  you are subtracting 28 bytes for the string storage on the stack?

I get confused with the assembly memory address and register math.

Thanks Tongue
Logged
yohan900
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #2 on: November 06, 2007, 09:14:55 PM »
I like your reverse engineering articles.

 Intro to Reverse Engineering - Part 1 and 2

Please write more articles using ollydbg it is a nice program and I am trying to learn as much as I can with it..  I was having a hard time understanding assembly from the books I was reading, but your articles are clear.  Also here are some good reverse engineering videos I have been watching if you are interested..

http://www.tuts4you.com/download.php?list.17
They are Lena151's tutorials and are wonderful for learning.


Thanks, keep up the good work.
Logged
yohan900
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #3 on: November 08, 2007, 06:55:08 PM »
Here is a great Reverse Engineering forum with great tutorials and video on Reverse Engineering.



http://community.reverse-engineering.net/
Logged
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #4 on: February 21, 2008, 05:29:54 AM »
Intro to reverse engineering is an excellent article. But unfortunately for me,
I was not able to download the files needed to follow the tutorial.
Please send me a copy of the same.
Thank you.
jackf_all@yahoo.com
Logged
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 4167


Editor-In-Chief


View Profile WWW
« Reply #5 on: February 21, 2008, 07:17:10 AM »
I just tried and was able to get them. Is it the 7-zip format that is causing issues? It is a free, open source compression program, so it would be a good addition to anyone's toolbox. Just in case: http://www.7-zip.org

Let us know,
Don
Logged
CISSP, MCSE, CSTA, Security+ SME
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #6 on: February 22, 2008, 04:43:10 AM »
At the beginning of  “Intro to Reverse Engineering - Part 2” there is this paragraph:

“There are two directories inside the tutorial's zip  file : apps, and source. The apps folder contains the pre-compiled programs we will be working with, and the source folder contains the applicable source code for all programs which I have written for this tutorial. "

It is this tutorial zip  file i tried to unload but found it contains just one file instead of two directories as mentioned.

Thank you Don but i am not sure if your suggestion of  7-zip is related to my query. Anyway i installed  7-zip and tried to download and open tutorial zip file once again, still it yielded no result.

Where am i going wrong?
Am i trying to download the correct file?
Please let me know.
Thank you.
« Last Edit: February 22, 2008, 05:02:35 AM by jackall » Logged
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 4167


Editor-In-Chief


View Profile WWW
« Reply #7 on: February 22, 2008, 12:22:41 PM »
I hate to say it, but I just downloaded it again, opened it with the 7-zip app, and I see the folders. Is it possible that you extracted it without retaining the folder structure?

Just grasping at straws,
Don
Logged
CISSP, MCSE, CSTA, Security+ SME
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #8 on: February 23, 2008, 01:08:45 AM »
dear Don !
Thanks for all those patient tips.
i made a mistake in opening the 7-zip; instead of 'extract here' i choose 'open' and i got a lot undecipherable garbage. 
Well ! today i learned  how to un7-zip and i hope to learn more of ' reversing' from those files.
Regards.
« Last Edit: February 24, 2008, 10:07:55 PM by jackall » Logged
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #9 on: February 24, 2008, 01:37:34 AM »
After loading ‘test.exe’, i stepped over the code and stepped in at the address where the program begins to run. Then scrolled down to ExitProcess ; set a break point above ‘msvcrt._cexit ‘; ran the program; Stepped in again; located the commented line by Olly; selected dump and entered the number in 'Expression to follow in dump’; and noted the string. Well the article ' Intro to Reverse Engineering ' described every move very clearly for newbie’s like me to follow easily.
It is great going for me so far and I intent to continue with it .Meanwhile can I ask for a little clarification or rather a few lines on  ‘ msvcrt._cexit  ‘ to facilitate better understanding of the process.
Thank you.
« Last Edit: February 24, 2008, 01:53:19 AM by jackall » Logged
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #10 on: March 10, 2008, 01:09:13 AM »
Undoubtedly the best tutorial ‘on reversing’ for a newbie available on net.  One needs to have at least the basics of Assembly to follow the tutorial meaningfully .More such tutorials are welcome.

Requesting…..
Logged
eatchocolate
Newbie
*
Offline Offline

Posts: 1


View Profile
« Reply #11 on: August 25, 2011, 01:05:49 PM »
 ;DThis is an amazing tutorial! I took the liberty to further simplify the second function in the Keygen section. the pseudo-code simplifies to:

Code:
//salt = 2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
//key = user-entered key 5segment e.g. 12345
x=0
for (keyIndex=0 ; <5: ++){
  for (saltIndex=0; <36 ; ++){
    if (salt[saltIndex]== key[keyIndex]){
      x = saltIndex+ 36*x
    }
  }
}
mod = x%divisor;  // if 0 then GOOD! else goto BadCode
And if you do some math you'll see that You can reverse the algorithm for calculating x down to this mathematical expression:

// Let matches[] be an array containing the values of saltIndex where there is a match (in order). Then matches[0] is the first match and matches[n] is the nth (and last) match. Looking at the code, we see:

fn(1)=  Match1
fn(2) = 36*fn(1)+ Match2
fn(3) = 36*fn(2)+ Match3
fn(4) = 36*fn(3) + Match4

Simplifying we can get x:

x = matches[n]*360+matches[n-1]*361+ ... + matches[0]*36n

 Cheesy
and then you just check the mod!
Logged
reverse_eng00
Newbie
*
Offline Offline

Posts: 1


View Profile
« Reply #12 on: April 12, 2013, 03:49:36 PM »
Quote
/*this next instruction is just some math to make it easier to reference the unknown_string and the entered_serial...the unknown string is at the memory address stored in EAX, and the entered_serial is at EAX+ECX. Also, since EAX actually points to the second byte of unknown_string, EAC+ECX actually points to the second byte in entered_serial as well. */

Can someone explain me why EAX+ECX is the entered serial address.
Why it isn't only ECX ?
Thanks
Logged
DragonGorge
Jr. Member
**
Offline Offline

Posts: 83



View Profile
« Reply #13 on: April 14, 2013, 09:48:33 AM »
Quote from: reverse_eng00 on April 12, 2013, 03:49:36 PM
Can someone explain me why EAX+ECX is the entered serial address.
Why it isn't only ECX ?
My Assembly isn't the best but I'll take a stab...ECX points to the serial address and it's a DWORD. The routine is comparing BYTE. So ECX is the base address of of the serial addy and adding EAX allows you to step through it byte by byte.

One thing that helped me in learning how to read assembly is stepping through it in a debugger. It makes loads more sense when you can see the registers being modified.

Now for some coffee...
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.073 seconds with 24 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.