.

## [Article]-Intro to Reverse Engineering - Part 2

Posts: 4270

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Fri Oct 26, 2007 4:49 pm

### [Article]-Intro to Reverse Engineering - Part 2

This one is intense, but I'm sure you won't mind.

Permanent Link: [Article]-Intro to Reverse Engineering - Part 2

In Part 1, Intro to Reverse Engineering - No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We're proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques - primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.

Let us know what you think,
Don
CISSP, MCSE, CSTA, Security+ SME

Newbie

Posts: 5

Joined: Tue Nov 06, 2007 9:52 pm

Tue Nov 06, 2007 10:10 pm

### Re: [Article]-Intro to Reverse Engineering - Part 2

Press F8 until you arrive at the instruction 'MOV EAX, DWORD PTR DS:[403000]'. This instruction is moving the contents located at the memory address of 00403000 into the EAX register. The very next instruction moves the contents of EAX into a local variable on the stack starting 28 bytes below EBP.

Why is it 28 bytes below the base pointer?  Is that the amount the string "\nThis is a test application!\n" adds up to being?

So if the EBP is 0022FF78h  you are subtracting 28 bytes for the string storage on the stack?

I get confused with the assembly memory address and register math.

Thanks

Newbie

Posts: 5

Joined: Tue Nov 06, 2007 9:52 pm

Tue Nov 06, 2007 10:14 pm

### Re: [Article]-Intro to Reverse Engineering - Part 2

I like your reverse engineering articles.

Intro to Reverse Engineering - Part 1 and 2

Please write more articles using ollydbg it is a nice program and I am trying to learn as much as I can with it..  I was having a hard time understanding assembly from the books I was reading, but your articles are clear.  Also here are some good reverse engineering videos I have been watching if you are interested..

They are Lena151's tutorials and are wonderful for learning.

Thanks, keep up the good work.

Newbie

Posts: 5

Joined: Tue Nov 06, 2007 9:52 pm

Thu Nov 08, 2007 7:55 pm

### Re: [Article]-Intro to Reverse Engineering - Part 2

Here is a great Reverse Engineering forum with great tutorials and video on Reverse Engineering.

http://community.reverse-engineering.net/

Newbie

Posts: 5

Joined: Thu Feb 21, 2008 6:06 am

Thu Feb 21, 2008 6:29 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

Intro to reverse engineering is an excellent article. But unfortunately for me,
Please send me a copy of the same.
Thank you.
jackf_all@yahoo.com

Posts: 4270

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Thu Feb 21, 2008 8:17 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

I just tried and was able to get them. Is it the 7-zip format that is causing issues? It is a free, open source compression program, so it would be a good addition to anyone's toolbox. Just in case: http://www.7-zip.org

Let us know,
Don
CISSP, MCSE, CSTA, Security+ SME

Newbie

Posts: 5

Joined: Thu Feb 21, 2008 6:06 am

Fri Feb 22, 2008 5:43 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

At the beginning of  “Intro to Reverse Engineering - Part 2” there is this paragraph:

“There are two directories inside the tutorial's zip  file : apps, and source. The apps folder contains the pre-compiled programs we will be working with, and the source folder contains the applicable source code for all programs which I have written for this tutorial. "

It is this tutorial zip  file i tried to unload but found it contains just one file instead of two directories as mentioned.

Thank you Don but i am not sure if your suggestion of  7-zip is related to my query. Anyway i installed  7-zip and tried to download and open tutorial zip file once again, still it yielded no result.

Where am i going wrong?
Thank you.
Last edited by jackall on Fri Feb 22, 2008 6:02 am, edited 1 time in total.

Posts: 4270

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Fri Feb 22, 2008 1:22 pm

### Re: [Article]-Intro to Reverse Engineering - Part 2

I hate to say it, but I just downloaded it again, opened it with the 7-zip app, and I see the folders. Is it possible that you extracted it without retaining the folder structure?

Just grasping at straws,
Don
CISSP, MCSE, CSTA, Security+ SME

Newbie

Posts: 5

Joined: Thu Feb 21, 2008 6:06 am

Sat Feb 23, 2008 2:08 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

dear Don !
Thanks for all those patient tips.
i made a mistake in opening the 7-zip; instead of 'extract here' i choose 'open' and i got a lot undecipherable garbage.
Well ! today i learned  how to un7-zip and i hope to learn more of ' reversing' from those files.
Regards.
Last edited by jackall on Sun Feb 24, 2008 11:07 pm, edited 1 time in total.

Newbie

Posts: 5

Joined: Thu Feb 21, 2008 6:06 am

Sun Feb 24, 2008 2:37 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

After loading ‘test.exe’, i stepped over the code and stepped in at the address where the program begins to run. Then scrolled down to ExitProcess ; set a break point above ‘msvcrt._cexit ‘; ran the program; Stepped in again; located the commented line by Olly; selected dump and entered the number in 'Expression to follow in dump’; and noted the string. Well the article ' Intro to Reverse Engineering ' described every move very clearly for newbie’s like me to follow easily.
It is great going for me so far and I intent to continue with it .Meanwhile can I ask for a little clarification or rather a few lines on  ‘ msvcrt._cexit  ‘ to facilitate better understanding of the process.
Thank you.
Last edited by jackall on Sun Feb 24, 2008 2:53 am, edited 1 time in total.

Newbie

Posts: 5

Joined: Thu Feb 21, 2008 6:06 am

Mon Mar 10, 2008 1:09 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

Undoubtedly the best tutorial ‘on reversing’ for a newbie available on net.  One needs to have at least the basics of Assembly to follow the tutorial meaningfully .More such tutorials are welcome.

Requesting…..

Newbie

Posts: 1

Joined: Thu Aug 25, 2011 12:22 pm

Thu Aug 25, 2011 1:05 pm

### Re: [Article]-Intro to Reverse Engineering - Part 2

This is an amazing tutorial! I took the liberty to further simplify the second function in the Keygen section. the pseudo-code simplifies to:

Code:
`//salt = 2YOPB3AQCVUXMNRS97WE0IZD4KLFGHJ8165T//key = user-entered key 5segment e.g. 12345x=0for (keyIndex=0 ; <5: ++){  for (saltIndex=0; <36 ; ++){    if (salt[saltIndex]== key[keyIndex]){      x = saltIndex+ 36*x    }  }}mod = x%divisor;  // if 0 then GOOD! else goto BadCode`

And if you do some math you'll see that You can reverse the algorithm for calculating x down to this mathematical expression:

// Let matches[] be an array containing the values of saltIndex where there is a match (in order). Then matches[0] is the first match and matches[n] is the nth (and last) match. Looking at the code, we see:

fn(1)=  Match1
fn(2) = 36*fn(1)+ Match2
fn(3) = 36*fn(2)+ Match3
fn(4) = 36*fn(3) + Match4

Simplifying we can get x:

x = matches[n]*360+matches[n-1]*361+ ... + matches[0]*36n

and then you just check the mod!

Newbie

Posts: 1

Joined: Fri Apr 12, 2013 3:27 pm

Fri Apr 12, 2013 3:49 pm

### Re: [Article]-Intro to Reverse Engineering - Part 2

/*this next instruction is just some math to make it easier to reference the unknown_string and the entered_serial...the unknown string is at the memory address stored in EAX, and the entered_serial is at EAX+ECX. Also, since EAX actually points to the second byte of unknown_string, EAC+ECX actually points to the second byte in entered_serial as well. */

Can someone explain me why EAX+ECX is the entered serial address.
Why it isn't only ECX ?
Thanks

Jr. Member

Posts: 89

Joined: Wed Feb 08, 2012 6:30 pm

Sun Apr 14, 2013 9:48 am

### Re: [Article]-Intro to Reverse Engineering - Part 2

reverse_eng00 wrote:Can someone explain me why EAX+ECX is the entered serial address.
Why it isn't only ECX ?

My Assembly isn't the best but I'll take a stab...ECX points to the serial address and it's a DWORD. The routine is comparing BYTE. So ECX is the base address of of the serial addy and adding EAX allows you to step through it byte by byte.

One thing that helped me in learning how to read assembly is stepping through it in a debugger. It makes loads more sense when you can see the registers being modified.

Now for some coffee...