The Ethical Hacker Network - [Article]-Intro to Reverse Engineering

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4169

Editor-In-Chief

[Article]-Intro to Reverse Engineering - Part 2

« on: October 26, 2007, 04:49:48 PM »

This one is intense, but I'm sure you won't mind. Cool

Permanent Link: [Article]-Intro to Reverse Engineering - Part 2

Quote

In Part 1, Intro to Reverse Engineering - No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We're proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques - primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.

Let us know what you think,
Don


	Logged

CISSP, MCSE, CSTA, Security+ SME

yohan900

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #1 on: November 06, 2007, 09:10:28 PM »

Great articles. I am kind of confused about this part in your tutorial.

Press F8 until you arrive at the instruction 'MOV EAX, DWORD PTR DS:[403000]'. This instruction is moving the contents located at the memory address of 00403000 into the EAX register. The very next instruction moves the contents of EAX into a local variable on the stack starting 28 bytes below EBP.

Why is it 28 bytes below the base pointer? Is that the amount the string "\nThis is a test application!\n" adds up to being?

So if the EBP is 0022FF78h you are subtracting 28 bytes for the string storage on the stack?

I get confused with the assembly memory address and register math.

Thanks Tongue


	Logged

yohan900

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #2 on: November 06, 2007, 09:14:55 PM »

I like your reverse engineering articles.

Intro to Reverse Engineering - Part 1 and 2

Please write more articles using ollydbg it is a nice program and I am trying to learn as much as I can with it.. I was having a hard time understanding assembly from the books I was reading, but your articles are clear. Also here are some good reverse engineering videos I have been watching if you are interested..

http://www.tuts4you.com/download.php?list.17
They are Lena151's tutorials and are wonderful for learning.

Thanks, keep up the good work.


	Logged

yohan900

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #3 on: November 08, 2007, 06:55:08 PM »

Here is a great Reverse Engineering forum with great tutorials and video on Reverse Engineering.

http://community.reverse-engineering.net/


	Logged

jackall

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #4 on: February 21, 2008, 05:29:54 AM »

Intro to reverse engineering is an excellent article. But unfortunately for me,
I was not able to download the files needed to follow the tutorial.
Please send me a copy of the same.
Thank you.
jackf_all@yahoo.com


	Logged

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4169

Editor-In-Chief

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #5 on: February 21, 2008, 07:17:10 AM »

I just tried and was able to get them. Is it the 7-zip format that is causing issues? It is a free, open source compression program, so it would be a good addition to anyone's toolbox. Just in case: http://www.7-zip.org

Let us know,
Don


	Logged

CISSP, MCSE, CSTA, Security+ SME

jackall

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #6 on: February 22, 2008, 04:43:10 AM »

At the beginning of “Intro to Reverse Engineering - Part 2” there is this paragraph:

“There are two directories inside the tutorial's zip file : apps, and source. The apps folder contains the pre-compiled programs we will be working with, and the source folder contains the applicable source code for all programs which I have written for this tutorial. "

It is this tutorial zip file i tried to unload but found it contains just one file instead of two directories as mentioned.

Thank you Don but i am not sure if your suggestion of 7-zip is related to my query. Anyway i installed 7-zip and tried to download and open tutorial zip file once again, still it yielded no result.

Where am i going wrong?
Am i trying to download the correct file?
Please let me know.
Thank you.


« Last Edit: February 22, 2008, 05:02:35 AM by jackall »	Logged

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4169

Editor-In-Chief

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #7 on: February 22, 2008, 12:22:41 PM »

I hate to say it, but I just downloaded it again, opened it with the 7-zip app, and I see the folders. Is it possible that you extracted it without retaining the folder structure?

Just grasping at straws,
Don


	Logged

CISSP, MCSE, CSTA, Security+ SME

jackall

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #8 on: February 23, 2008, 01:08:45 AM »

dear Don !
Thanks for all those patient tips.
i made a mistake in opening the 7-zip; instead of 'extract here' i choose 'open' and i got a lot undecipherable garbage.
Well ! today i learned how to un7-zip and i hope to learn more of ' reversing' from those files.
Regards.


« Last Edit: February 24, 2008, 10:07:55 PM by jackall »	Logged

jackall

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #9 on: February 24, 2008, 01:37:34 AM »

After loading ‘test.exe’, i stepped over the code and stepped in at the address where the program begins to run. Then scrolled down to ExitProcess ; set a break point above ‘msvcrt._cexit ‘; ran the program; Stepped in again; located the commented line by Olly; selected dump and entered the number in 'Expression to follow in dump’; and noted the string. Well the article ' Intro to Reverse Engineering ' described every move very clearly for newbie’s like me to follow easily.
It is great going for me so far and I intent to continue with it .Meanwhile can I ask for a little clarification or rather a few lines on ‘ msvcrt._cexit ‘ to facilitate better understanding of the process.
Thank you.


« Last Edit: February 24, 2008, 01:53:19 AM by jackall »	Logged

jackall

Newbie

Offline

Posts: 5

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #10 on: March 10, 2008, 01:09:13 AM »

Undoubtedly the best tutorial ‘on reversing’ for a newbie available on net. One needs to have at least the basics of Assembly to follow the tutorial meaningfully .More such tutorials are welcome.

Requesting…..


	Logged

eatchocolate

Newbie

Offline

Posts: 1

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #11 on: August 25, 2011, 01:05:49 PM »

;DThis is an amazing tutorial! I took the liberty to further simplify the second function in the Keygen section. the pseudo-code simplifies to:

Code:

//salt = 2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
//key = user-entered key 5segment e.g. 12345
x=0
for (keyIndex=0 ; <5: ++){
for (saltIndex=0; <36 ; ++){
if (salt[saltIndex]== key[keyIndex]){
x = saltIndex+ 36*x
}
}
}
mod = x%divisor; // if 0 then GOOD! else goto BadCode

And if you do some math you'll see that You can reverse the algorithm for calculating x down to this mathematical expression:

// Let matches[] be an array containing the values of saltIndex where there is a match (in order). Then matches[0] is the first match and matches[n] is the nth (and last) match. Looking at the code, we see:

fn(1)= Match1
fn(2) = 36*fn(1)+ Match2
fn(3) = 36*fn(2)+ Match3
fn(4) = 36*fn(3) + Match4

Simplifying we can get x:

x = matches[n]*36⁰+matches[n-1]*36¹+ ... + matches[0]*36ⁿ

Cheesy

and then you just check the mod!


	Logged

reverse_eng00

Newbie

Offline

Posts: 1

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #12 on: April 12, 2013, 03:49:36 PM »

Quote

/*this next instruction is just some math to make it easier to reference the unknown_string and the entered_serial...the unknown string is at the memory address stored in EAX, and the entered_serial is at EAX+ECX. Also, since EAX actually points to the second byte of unknown_string, EAC+ECX actually points to the second byte in entered_serial as well. */

Can someone explain me why EAX+ECX is the entered serial address.
Why it isn't only ECX ?
Thanks


	Logged

DragonGorge

Jr. Member

Offline

Posts: 83

Re: [Article]-Intro to Reverse Engineering - Part 2

« Reply #13 on: April 14, 2013, 09:48:33 AM »

Quote from: reverse_eng00 on April 12, 2013, 03:49:36 PM

Can someone explain me why EAX+ECX is the entered serial address.
Why it isn't only ECX ?

My Assembly isn't the best but I'll take a stab...ECX points to the serial address and it's a DWORD. The routine is comparing BYTE. So ECX is the base address of of the serial addy and adding EAX allows you to step through it byte by byte.

One thing that helped me in learning how to read assembly is stepping through it in a debugger. It makes loads more sense when you can see the registers being modified.

Now for some coffee...


	Logged

Pages: [1] Go Up

« previous next »