# [Article]-Intro to Reverse Engineering – Part 2

• Author
Posts
• #1757
Don Donzal
Keymaster

This one is intense, but I’m sure you won’t mind.  8)

Permanent Link: [Article]-Intro to Reverse Engineering – Part 2

[align=center:jhospm09][/align:jhospm09]

In Part 1, Intro to Reverse Engineering – No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We’re proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques – primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.

Let us know what you think,
Don

• #14446
yohan900
Participant

Press F8 until you arrive at the instruction ‘MOV EAX, DWORD PTR DS:[403000]’. This instruction is moving the contents located at the memory address of 00403000 into the EAX register. The very next instruction moves the contents of EAX into a local variable on the stack starting 28 bytes below EBP.

Why is it 28 bytes below the base pointer?  Is that the amount the string “nThis is a test application!n” adds up to being?

So if the EBP is 0022FF78h  you are subtracting 28 bytes for the string storage on the stack?

I get confused with the assembly memory address and register math.

Thanks 😛

• #14447
yohan900
Participant

I like your reverse engineering articles.

Intro to Reverse Engineering – Part 1 and 2

Please write more articles using ollydbg it is a nice program and I am trying to learn as much as I can with it..  I was having a hard time understanding assembly from the books I was reading, but your articles are clear.  Also here are some good reverse engineering videos I have been watching if you are interested..

They are Lena151’s tutorials and are wonderful for learning.

Thanks, keep up the good work.

• #14448
yohan900
Participant

Here is a great Reverse Engineering forum with great tutorials and video on Reverse Engineering.

http://community.reverse-engineering.net/

• #14449
jackall
Participant

Intro to reverse engineering is an excellent article. But unfortunately for me,
Please send me a copy of the same.
Thank you.
jackf_all@yahoo.com

• #14450
Don Donzal
Keymaster

I just tried and was able to get them. Is it the 7-zip format that is causing issues? It is a free, open source compression program, so it would be a good addition to anyone’s toolbox. Just in case: http://www.7-zip.org

Let us know,
Don

• #14451
jackall
Participant

At the beginning of  “Intro to Reverse Engineering – Part 2” there is this paragraph:

“There are two directories inside the tutorial‘s zip  file : apps, and source. The apps folder contains the pre-compiled programs we will be working with, and the source folder contains the applicable source code for all programs which I have written for this tutorial. “

It is this tutorial zip  file i tried to unload but found it contains just one file instead of two directories as mentioned.

Thank you Don but i am not sure if your suggestion of  7-zip is related to my query. Anyway i installed  7-zip and tried to download and open tutorial zip file once again, still it yielded no result.

Where am i going wrong?
Thank you.

• #14452
Don Donzal
Keymaster

I hate to say it, but I just downloaded it again, opened it with the 7-zip app, and I see the folders. Is it possible that you extracted it without retaining the folder structure?

Just grasping at straws,
Don

• #14453
jackall
Participant

[font=Verdana:1puir10w]dear Don !
Thanks for all those patient tips.
i made a mistake in opening the 7-zip; instead of 'extract here' i choose 'open' and i got a lot undecipherable garbage.
Well ! today i learned  how to un7-zip and i hope to learn more of ' reversing' from those files.
Regards.[/font:1puir10w]

• #14454
jackall
Participant

After loading ‘test.exe’, i stepped over the code and stepped in at the address where the program begins to run. Then scrolled down to ExitProcess ; set a break point above ‘msvcrt._cexit ‘; ran the program; Stepped in again; located the commented line by Olly; selected dump and entered the number in ‘Expression to follow in dump’; and noted the string. Well the article ‘ Intro to Reverse Engineering ‘ described every move very clearly for newbie’s like me to follow easily.
It is great going for me so far and I intent to continue with it .Meanwhile can I ask for a little clarification or rather a few lines on  ‘ msvcrt._cexit  ‘ to facilitate better understanding of the process.
Thank you.
[align=center:3cszhrbh][/align:3cszhrbh][font=Verdana:3cszhrbh][/font:3cszhrbh]

• #14455
jackall
Participant

Undoubtedly the best tutorial ‘on reversing’ for a newbie available on net.  One needs to have at least the basics of Assembly to follow the tutorial meaningfully .More such tutorials are welcome.

Requesting…..

• #14456
eatchocolate
Participant

;DThis is an amazing tutorial! I took the liberty to further simplify the second function in the Keygen section. the pseudo-code simplifies to:

``````
//salt = 2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T
//key = user-entered key 5segment e.g. 12345
x=0
for (keyIndex=0 ; <5: ++){
for (saltIndex=0; <36 ; ++){
if (salt[saltIndex]== key[keyIndex]){
x = saltIndex+ 36*x
}
}
}
mod = x%divisor;  // if 0 then GOOD! else goto BadCode
``````

And if you do some math you’ll see that You can reverse the algorithm for calculating x down to this mathematical expression:

// Let matches[] be an array containing the values of saltIndex where there is a match (in order). Then matches[0] is the first match and matches[n] is the nth (and last) match. Looking at the code, we see:

fn(1)=  Match1
fn(2) = 36*fn(1)+ Match2
fn(3) = 36*fn(2)+ Match3
fn(4) = 36*fn(3) + Match4

Simplifying we can get x:

x = matches[n]*36[sup:3w1znneg]0[/sup:3w1znneg]+matches[n-1]*36[sup:3w1znneg]1[/sup:3w1znneg]+ + matches[0]*36[sup:3w1znneg]n[/sup:3w1znneg]

😀
and then you just check the mod!

• #14457
reverse_eng00
Participant

/*this next instruction is just some math to make it easier to reference the unknown_string and the entered_serial…the unknown string is at the memory address stored in EAX, and the entered_serial is at EAX+ECX. Also, since EAX actually points to the second byte of unknown_string, EAC+ECX actually points to the second byte in entered_serial as well. */

Can someone explain me why EAX+ECX is the entered serial address.
Why it isn’t only ECX ?
Thanks

• #14458
DragonGorge
Participant

@reverse_eng00 wrote:

Can someone explain me why EAX+ECX is the entered serial address.
Why it isn’t only ECX ?

My Assembly isn’t the best but I’ll take a stab…ECX points to the serial address and it’s a DWORD. The routine is comparing BYTE. So ECX is the base address of of the serial addy and adding EAX allows you to step through it byte by byte.

One thing that helped me in learning how to read assembly is stepping through it in a debugger. It makes loads more sense when you can see the registers being modified.

Now for some coffee…