[Article]-Intro to Reverse Engineering – No Assembly Required

Viewing 13 reply threads
  • Author
    Posts
    • #1562
      Don Donzal
      Keymaster

      My apologies to Craig for the delay in publishing this paper as I was a little busy attending BH/DefCon and the neverending work on ChicagoCon. But this one is definitely worth the wait as many of you expressed interest in the topic of this article.  Well done, Mr. Heffner.

      Permanent Link: [Article]-Intro to Assembly and Reverse Engineering

      Last time we went over the C programming language in an introductory article specifically focusing on getting the security professional on the road to coding (or at least the road to understanding). This time around we extend the series of coding articles for non-programmers with an area of high interest in the infosec community, reverse engineering.

      This paper is intended as an introduction to reverse engineering for someone who has no experience whatsoever on the subject. You should have some basic knowledge of C programming, and access to a Windows or Linux box (preferably both) using the x86 architecture (i.e., your average computer). No knowledge of assembly code, registers, or the like is assumed, although it helps. This introduction section of the paper is intended for the newcomer who has little or no understanding of what reverse engineering is, and may be skipped by those looking for more technical details.

      As always, feedback is encouraged as well as future topic ideas for Craig.

      Don

    • #13661
      crapbot
      Participant

      Great article. Are there any books that you would recommend ? Books targeted at people that know C/ASM and are looking to learn about reverse engineering, specifically, malware reverse engineering.

      Cheers

    • #13662
      blackazarro
      Participant

      Excellent! I really enjoyed this paper.

      Thanks Craig for explaining this topic in a simple and clear visual manner. I think this is the first time I really understood the basic of Assembly and RCE. I know that this is just an introduction but it really helps to grasp the fundamentals for other advance related topics. Looking forward the second part of this article.

      Keep up the good work!!

    • #13663
      Don Donzal
      Keymaster

      Help get Craig the deserved attention on this awesome paper:

      Digg It!!

      http://digg.com/programming/Intro_to_Reverse_Engineering_No_Assembly_Required

      Don

    • #13664
      tarterp
      Participant

      Thanks for your awesome paper. I have been interested in learning more on RCE and have been held up by the fact that no one writes to the true entry level person. Your overview of registers was very well wrote.

      I ran through the Hello World examples and had slight differences. I understand each disassembler will spit something different, I am wondering if you can tell me what is going on though. I m using gdb 6.6-debian.

      Dump of assembler code for function main:
      0x080483a0 :    lea    0x4(%esp),%ecx
      0x080483a4 :    and    $0xfffffff0,%esp
      0x080483a7 :    pushl  0xfffffffc(%ecx)

      0x080483aa :  push  %ebp
      0x080483ab :  mov    %esp,%ebp
      0x080483ad :  push  %ecx
      0x080483ae :  sub    $0x4,%esp
      0x080483b1 :  movl  $0x1,0x80495cc
      0x080483bb :  call  0x8048374
      0x080483c0 :  mov    $0x0,%eax
      0x080483c5 :  add    $0x4,%esp
      0x080483c8 :  pop    %ecx
      0x080483c9 :  pop    %ebp
      0x080483ca :  lea    0xfffffffc(%ecx),%esp
      0x080483cd :  ret   
      End of assembler dump.

      The first three lines are where I am confused. I read about load effective address, but I don’t know what it is loading.

      Also in myprint(), I am using:

      0x0804838b :        call  0x80482bc

      I understand this is the print statement although do you have any input on puts vs print?

      Thanks for the awesome paper, when is part two coming out?

    • #13665
      ddnc
      Participant

      Hey Paul,

      lea 0x4(%esp),%ecx
      pushl 0xfffffffc(%ecx)

      These instructions serve to save the stack pointer on the stack. Notice that at main+42, this value is loaded back into ESP in order to restore the stack pointer before returning.

      and $0xfffffff0,%esp

      This instruction zeros out the last byte in the ESP register. This is done to ensure that the stack pointer is aligned on a 16-byte boundary (the default stack boundary is 16) in order to increase CPU execution time. There’s a short semi-discussion on it at the Kernel Trap forums: http://kerneltrap.org/node/8236 .

      As far as puts() goes, it’s not much different from printf() when just printing out a string. You should see the memory address where the string is located pushed onto the stack just before the call to puts(). It will place a positive number in the EAX register if successful (probably 1), and a -1 in EAX if it fails.

    • #13666
      blackazarro
      Participant

      I found a mistake in this article:

      jnz  jnz 0x08ffff01  Jump if the zero flag is set to 1

      The jnz (jump if not zero) instruction jumps if the zero flag is clear.

      jnz   Jump if the zero flag is set to 0

      For example, if an operation such as CMP turns out to be true, the result will be zero which means that the zero flag will be set to 1. If the next instruction is a jnz, the jump will not be taken. However, if the CMP operation is not true, the result will be a non-zero value meaning that the zero flag is clear or 0. Since the zero flag is clear the next jump (jnz) will be taken.

      I’ve been doing some research on reversing and assembly lately for a crack me challenge and spotted this error when I went back on reading this article.

    • #13667
      shawal
      Participant

      crapbot ,

      try “The Art of Assembly Programming” by Randall Hyde

      blackazarro,

      could you please post the URL for the challange you are trying to crack?

    • #13668
      blackazarro
      Participant

      try “The Art of Assembly Programming” by Randall Hyde

      Thanks for the reference, I’ll check it out.

      could you please post the URL for the challange you are trying to crack?

      I was talking about the crackme02 posted by Don last week:

      http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2277.0/

      I already solved it. I guess you just of to find the password in the right place.

    • #13669
      shawal
      Participant

      blackazarro,

      oh! that i did solve it too, however i did not require the assembly skills for that  😀

    • #13670
      blackazarro
      Participant

      Me either. I went on studying assembly before I attempted the challenge.

    • #13671
      Marshel007
      Participant

      speaking of reverse engineering, what is the best book/tutorial/way to learn assembly ?

    • #13672
      shawal
      Participant

      _Marshel_
      check the following URL:
      http://webster.cs.ucr.edu/AoA
      http://webster.cs.ucr.edu/AoA/Linux/HTML/AoATOC.html
      the site is not very user friendly, however if you manage to navigate you will be able to collect the rewards

      You seem to be hunting for books these days, good luck ;D

    • #13673
      Marshel007
      Participant

      I’m a worm that feeds on reading 🙂

      I’m always hunting for books. 😉

Viewing 13 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?