.

[Article]-Intro to Reverse Engineering - No Assembly Required

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 07, 2007 3:16 am

[Article]-Intro to Reverse Engineering - No Assembly Required

My apologies to Craig for the delay in publishing this paper as I was a little busy attending BH/DefCon and the neverending work on ChicagoCon. But this one is definitely worth the wait as many of you expressed interest in the topic of this article.  Well done, Mr. Heffner.

Permanent Link: [Article]-Intro to Assembly and Reverse Engineering

Last time we went over the C programming language in an introductory article specifically focusing on getting the security professional on the road to coding (or at least the road to understanding). This time around we extend the series of coding articles for non-programmers with an area of high interest in the infosec community, reverse engineering.

This paper is intended as an introduction to reverse engineering for someone who has no experience whatsoever on the subject. You should have some basic knowledge of C programming, and access to a Windows or Linux box (preferably both) using the x86 architecture (i.e., your average computer). No knowledge of assembly code, registers, or the like is assumed, although it helps. This introduction section of the paper is intended for the newcomer who has little or no understanding of what reverse engineering is, and may be skipped by those looking for more technical details.


As always, feedback is encouraged as well as future topic ideas for Craig.

Don
Last edited by don on Thu Aug 09, 2007 11:58 am, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME
<<

crapbot

Newbie
Newbie

Posts: 1

Joined: Tue Aug 07, 2007 7:41 am

Post Tue Aug 07, 2007 7:52 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

Great article. Are there any books that you would recommend ? Books targeted at people that know C/ASM and are looking to learn about reverse engineering, specifically, malware reverse engineering.

Cheers
Last edited by crapbot on Thu Aug 09, 2007 11:58 am, edited 1 time in total.
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 08, 2007 5:01 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

Excellent! I really enjoyed this paper.

Thanks Craig for explaining this topic in a simple and clear visual manner. I think this is the first time I really understood the basic of Assembly and RCE. I know that this is just an introduction but it really helps to grasp the fundamentals for other advance related topics. Looking forward the second part of this article.

Keep up the good work!!
Last edited by blackazarro on Thu Aug 09, 2007 11:58 am, edited 1 time in total.
Security+, OSCP, CEH
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Aug 09, 2007 12:20 pm

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

Help get Craig the deserved attention on this awesome paper:

Digg It!!

http://digg.com/programming/Intro_to_Re ... y_Required

Don
CISSP, MCSE, CSTA, Security+ SME
<<

tarterp

Newbie
Newbie

Posts: 7

Joined: Sat Aug 11, 2007 1:58 am

Post Sun Aug 12, 2007 5:15 pm

Great Paper!!

Thanks for your awesome paper. I have been interested in learning more on RCE and have been held up by the fact that no one writes to the true entry level person. Your overview of registers was very well wrote.

I ran through the Hello World examples and had slight differences. I understand each disassembler will spit something different, I am wondering if you can tell me what is going on though. I m using gdb 6.6-debian.

Dump of assembler code for function main:
0x080483a0 <main+0>:    lea    0x4(%esp),%ecx
0x080483a4 <main+4>:    and    $0xfffffff0,%esp
0x080483a7 <main+7>:    pushl  0xfffffffc(%ecx)

0x080483aa <main+10>:  push  %ebp
0x080483ab <main+11>:  mov    %esp,%ebp
0x080483ad <main+13>:  push  %ecx
0x080483ae <main+14>:  sub    $0x4,%esp
0x080483b1 <main+17>:  movl  $0x1,0x80495cc
0x080483bb <main+27>:  call  0x8048374 <myprint>
0x080483c0 <main+32>:  mov    $0x0,%eax
0x080483c5 <main+37>:  add    $0x4,%esp
0x080483c8 <main+40>:  pop    %ecx
0x080483c9 <main+41>:  pop    %ebp
0x080483ca <main+42>:  lea    0xfffffffc(%ecx),%esp
0x080483cd <main+45>:  ret   
End of assembler dump.

The first three lines are where I am confused. I read about load effective address, but I don't know what it is loading.

Also in myprint(), I am using:

0x0804838b <myprint+23>:        call  0x80482bc <puts@plt>

I understand this is the print statement although do you have any input on puts vs print?

Thanks for the awesome paper, when is part two coming out?
<<

ddnc

Newbie
Newbie

Posts: 1

Joined: Mon Aug 13, 2007 8:02 am

Post Mon Aug 13, 2007 8:12 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

Hey Paul,

  Code:
lea 0x4(%esp),%ecx
pushl 0xfffffffc(%ecx)


These instructions serve to save the stack pointer on the stack. Notice that at main+42, this value is loaded back into ESP in order to restore the stack pointer before returning.

  Code:
and $0xfffffff0,%esp


This instruction zeros out the last byte in the ESP register. This is done to ensure that the stack pointer is aligned on a 16-byte boundary (the default stack boundary is 16) in order to increase CPU execution time. There's a short semi-discussion on it at the Kernel Trap forums: http://kerneltrap.org/node/8236 .

As far as puts() goes, it's not much different from printf() when just printing out a string. You should see the memory address where the string is located pushed onto the stack just before the call to puts(). It will place a positive number in the EAX register if successful (probably 1), and a -1 in EAX if it fails.
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Sun Mar 30, 2008 6:30 pm

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

I found a mistake in this article:

jnz  jnz 0x08ffff01  Jump if the zero flag is set to 1


The jnz (jump if not zero) instruction jumps if the zero flag is clear.

  Code:
jnz   Jump if the zero flag is set to 0


For example, if an operation such as CMP turns out to be true, the result will be zero which means that the zero flag will be set to 1. If the next instruction is a jnz, the jump will not be taken. However, if the CMP operation is not true, the result will be a non-zero value meaning that the zero flag is clear or 0. Since the zero flag is clear the next jump (jnz) will be taken.

I've been doing some research on reversing and assembly lately for a crack me challenge and spotted this error when I went back on reading this article.
Security+, OSCP, CEH
<<

shawal

Jr. Member
Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Sun Mar 30, 2008 10:46 pm

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

crapbot ,

try "The Art of Assembly Programming" by Randall Hyde

blackazarro,

could you please post the URL for the challange you are trying to crack?
RHCE, GIAC GCIH.
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Sun Mar 30, 2008 11:33 pm

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

try "The Art of Assembly Programming" by Randall Hyde


Thanks for the reference, I'll check it out.

could you please post the URL for the challange you are trying to crack?


I was talking about the crackme02 posted by Don last week:

http://www.ethicalhacker.net/component/ ... ic,2277.0/

I already solved it. I guess you just of to find the password in the right place.
Security+, OSCP, CEH
<<

shawal

Jr. Member
Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Mon Mar 31, 2008 12:36 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

blackazarro,

oh! that i did solve it too, however i did not require the assembly skills for that  :D
RHCE, GIAC GCIH.
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Mon Mar 31, 2008 12:46 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

Me either. I went on studying assembly before I attempted the challenge.
Security+, OSCP, CEH
<<

Marshel007

Jr. Member
Jr. Member

Posts: 61

Joined: Mon Oct 15, 2007 9:20 pm

Location: Kingdom of Saudi Arabia

Post Mon Mar 31, 2008 4:16 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

speaking of reverse engineering, what is the best book/tutorial/way to learn assembly ?
<<

shawal

Jr. Member
Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Mon Mar 31, 2008 8:33 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

_Marshel_
check the following URL:
http://webster.cs.ucr.edu/AoA
http://webster.cs.ucr.edu/AoA/Linux/HTML/AoATOC.html
the site is not very user friendly, however if you manage to navigate you will be able to collect the rewards

You seem to be hunting for books these days, good luck ;D
RHCE, GIAC GCIH.
<<

Marshel007

Jr. Member
Jr. Member

Posts: 61

Joined: Mon Oct 15, 2007 9:20 pm

Location: Kingdom of Saudi Arabia

Post Mon Mar 31, 2008 8:58 am

Re: [Article]-Intro to Reverse Engineering - No Assembly Required

I'm a worm that feeds on reading :)

I'm always hunting for books. ;)

Return to Heffner

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software