HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 67 guests online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Columnsarrow Heffnerarrow [Article]-Intro to Reverse Engineering - Part 2
EH-Net
February 09, 2012, 06:38:40 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: [Article]-Intro to Reverse Engineering - Part 2  (Read 39223 times)
0 Members and 1 Guest are viewing this topic.
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 3845


Editor-In-Chief


View Profile WWW
« on: October 26, 2007, 04:49:48 PM »
This one is intense, but I'm sure you won't mind.  Cool

Permanent Link: [Article]-Intro to Reverse Engineering - Part 2

Quote

In Part 1, Intro to Reverse Engineering - No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We're proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques - primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.

Let us know what you think,
Don
Logged
CISSP, MCSE, CSTA, Security+ SME
yohan900
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #1 on: November 06, 2007, 09:10:28 PM »
Great articles.  I am kind of confused about this part in your tutorial.

Press F8 until you arrive at the instruction 'MOV EAX, DWORD PTR DS:[403000]'. This instruction is moving the contents located at the memory address of 00403000 into the EAX register. The very next instruction moves the contents of EAX into a local variable on the stack starting 28 bytes below EBP.

Why is it 28 bytes below the base pointer?  Is that the amount the string "\nThis is a test application!\n" adds up to being?

So if the EBP is 0022FF78h  you are subtracting 28 bytes for the string storage on the stack?

I get confused with the assembly memory address and register math.

Thanks Tongue
Logged
yohan900
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #2 on: November 06, 2007, 09:14:55 PM »
I like your reverse engineering articles.

 Intro to Reverse Engineering - Part 1 and 2

Please write more articles using ollydbg it is a nice program and I am trying to learn as much as I can with it..  I was having a hard time understanding assembly from the books I was reading, but your articles are clear.  Also here are some good reverse engineering videos I have been watching if you are interested..

http://www.tuts4you.com/download.php?list.17
They are Lena151's tutorials and are wonderful for learning.


Thanks, keep up the good work.
Logged
yohan900
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #3 on: November 08, 2007, 06:55:08 PM »
Here is a great Reverse Engineering forum with great tutorials and video on Reverse Engineering.



http://community.reverse-engineering.net/
Logged
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #4 on: February 21, 2008, 05:29:54 AM »
Intro to reverse engineering is an excellent article. But unfortunately for me,
I was not able to download the files needed to follow the tutorial.
Please send me a copy of the same.
Thank you.
jackf_all@yahoo.com
Logged
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 3845


Editor-In-Chief


View Profile WWW
« Reply #5 on: February 21, 2008, 07:17:10 AM »
I just tried and was able to get them. Is it the 7-zip format that is causing issues? It is a free, open source compression program, so it would be a good addition to anyone's toolbox. Just in case: http://www.7-zip.org

Let us know,
Don
Logged
CISSP, MCSE, CSTA, Security+ SME
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #6 on: February 22, 2008, 04:43:10 AM »
At the beginning of  “Intro to Reverse Engineering - Part 2” there is this paragraph:

“There are two directories inside the tutorial's zip  file : apps, and source. The apps folder contains the pre-compiled programs we will be working with, and the source folder contains the applicable source code for all programs which I have written for this tutorial. "

It is this tutorial zip  file i tried to unload but found it contains just one file instead of two directories as mentioned.

Thank you Don but i am not sure if your suggestion of  7-zip is related to my query. Anyway i installed  7-zip and tried to download and open tutorial zip file once again, still it yielded no result.

Where am i going wrong?
Am i trying to download the correct file?
Please let me know.
Thank you.
« Last Edit: February 22, 2008, 05:02:35 AM by jackall » Logged
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 3845


Editor-In-Chief


View Profile WWW
« Reply #7 on: February 22, 2008, 12:22:41 PM »
I hate to say it, but I just downloaded it again, opened it with the 7-zip app, and I see the folders. Is it possible that you extracted it without retaining the folder structure?

Just grasping at straws,
Don
Logged
CISSP, MCSE, CSTA, Security+ SME
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #8 on: February 23, 2008, 01:08:45 AM »
dear Don !
Thanks for all those patient tips.
i made a mistake in opening the 7-zip; instead of 'extract here' i choose 'open' and i got a lot undecipherable garbage. 
Well ! today i learned  how to un7-zip and i hope to learn more of ' reversing' from those files.
Regards.
« Last Edit: February 24, 2008, 10:07:55 PM by jackall » Logged
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #9 on: February 24, 2008, 01:37:34 AM »
After loading ‘test.exe’, i stepped over the code and stepped in at the address where the program begins to run. Then scrolled down to ExitProcess ; set a break point above ‘msvcrt._cexit ‘; ran the program; Stepped in again; located the commented line by Olly; selected dump and entered the number in 'Expression to follow in dump’; and noted the string. Well the article ' Intro to Reverse Engineering ' described every move very clearly for newbie’s like me to follow easily.
It is great going for me so far and I intent to continue with it .Meanwhile can I ask for a little clarification or rather a few lines on  ‘ msvcrt._cexit  ‘ to facilitate better understanding of the process.
Thank you.
« Last Edit: February 24, 2008, 01:53:19 AM by jackall » Logged
jackall
Newbie
*
Offline Offline

Posts: 5


View Profile
« Reply #10 on: March 10, 2008, 01:09:13 AM »
Undoubtedly the best tutorial ‘on reversing’ for a newbie available on net.  One needs to have at least the basics of Assembly to follow the tutorial meaningfully .More such tutorials are welcome.

Requesting…..
Logged
eatchocolate
Newbie
*
Offline Offline

Posts: 1


View Profile
« Reply #11 on: August 25, 2011, 01:05:49 PM »
 ;DThis is an amazing tutorial! I took the liberty to further simplify the second function in the Keygen section. the pseudo-code simplifies to:

Code:
//salt = 2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
//key = user-entered key 5segment e.g. 12345
x=0
for (keyIndex=0 ; <5: ++){
  for (saltIndex=0; <36 ; ++){
    if (salt[saltIndex]== key[keyIndex]){
      x = saltIndex+ 36*x
    }
  }
}
mod = x%divisor;  // if 0 then GOOD! else goto BadCode
And if you do some math you'll see that You can reverse the algorithm for calculating x down to this mathematical expression:

// Let matches[] be an array containing the values of saltIndex where there is a match (in order). Then matches[0] is the first match and matches[n] is the nth (and last) match. Looking at the code, we see:

fn(1)=  Match1
fn(2) = 36*fn(1)+ Match2
fn(3) = 36*fn(2)+ Match3
fn(4) = 36*fn(3) + Match4

Simplifying we can get x:

x = matches[n]*360+matches[n-1]*361+ ... + matches[0]*36n

 Cheesy
and then you just check the mod!
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.111 seconds with 24 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge Training: Build Security Skills to Protect and Defend

offsec_130x200-2_jan-feb2012.png
Offensive Security
AWE Live in the Caribbean!
March 5 - 9, 2012

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: Refer_EHN
Including SANS Phoenix 2012, SANS 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.