TDOH Southern Workshop 2016: Reversing on Windows

Reversing about PE (portable-executable) and cracking on Windows for education.

Published in: Education

  1. Reversing On Windows
     aaaddress1 at The Declaration of Hacker (TDOH)
  2. Who Am I
  3. 馬聖豪 (aaaddress1, aka adr)
     Third-year student, Information Engineering, I-Shou University
     Reverse Engineering, Pwn
     C/C++, C#, x86, Node.js
     Blog: Adr.Horse, 30cm.tw
     Speaker:
     ✓ HITCON 2015
     ✓ SITCON 2016
     ✓ BSides Las Vegas 2016
     ✓ TDOHxNTSTU Security Lecture: Reversing, Windows Pwn
  4. Projects: MapleHack, CrackShield, Tower Of Savior Hack, Adr’s FB, Isu.30cm.tw, AIDS, PykemonGo, MadPocket, My Little Ransomware
  5. Introduction
  6. This session is about the self-cultivation of a C/C++ "tool guy" developer.
  7. Stay awake today, whatever it takes!
  8. This session needs a lot of deep C/C++ development background. If you have any question, raise your hand right away and break; me!
  9. Trial: https://goo.gl/ky7SsW
     Slides: https://goo.gl/HBLtkm
 10. Outline
 11. Requirement
     ✓ IDA (Pro)
     ✓ OllyDbg
     ✓ Cheat Engine
     ✓ Windows 7 x86
     ✓ Dev C++
 12. Windows PE & Process
     ✓ Have fun in the PE structure
     ✓ Import Address Table (IAT)
     ✓ ImageBase & finding the entry
 13. Assembly
     ✓ sizeof( variable )
     ✓ eax, ebx, ecx, edx, etc.
     ✓ add, sub, inc, dec
     ✓ xor
     ✓ Flags & branches
     ✓ Loops
     ✓ x86 calling convention: function calls, esp & ebp
 14. Analyzer
     ✓ IDA (Pro): PE, IAT, EAT; strings list; flow chart; functions & variables; anti-trace
     ✓ OllyDbg: create process & attach; hook & trace
     ✓ Cheat Engine: create process & attach; memory scan for data; hook & trace
 15. Bonus
     ✓ IDA dynamic analysis
     ✓ Patch: executable file patch, dynamic patch
     ✓ Cheat Engine PE view
     ✓ Assembly & special
 16. Portable Executable
 18. Return 0 for what?
 19. IDA: View → Open subviews → Proximity browser
 22. IDA: The return value of the main function is the ‘Exit Status’.
 23. IDA: The PE loader will find the ‘_start’ function from the Exports Address Table (EAT). View → Open subviews → Exports
 24. Is it true? Nope, not at all. It would take too much time to search.
 27. Wiki: The head of a PE file is the DOS header, which starts with the signature 0x5A4D.
 28. Wiki: That’s why it’s also called DOS-MZ.
 29. Wiki: (DOS Header + 0x3C) stores the offset of the NT Header.
 30. Wiki: This is the real header of the PE.
 31. Wiki: (NT Header + 0x028) stores the offset of the first entry function, also known as the ‘start’ function.
 32. Wiki: (NT Header + 0x034) stores the address at which the PE file is loaded in memory (ImageBase), e.g. 0x400000.
 33. CE: Right click → ‘Go to address’ → input ‘main.exe’. You will find main.exe loaded at 0x400000 (MZ).
 34. CE: 0x0000110b + 0x400000 = 0x40110b. That’s the same as the address in IDA.
 35. If you understand the whole PE structure, you can make a great PE packer :P
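Added example (not from the slides): a C header walker that follows exactly the offsets above (0x5A4D at 0, e_lfanew at +0x3C, AddressOfEntryPoint at NT+0x28, ImageBase at NT+0x34) and reproduces the 0x110b + 0x400000 = 0x40110b computation. It goes one step further than the slides by also handling PE32+ (Magic 0x20B), where ImageBase is a 64-bit field at NT+0x30, and every read is bounds-checked so a truncated or malformed header is rejected instead of read past the buffer. The sample header bytes are constructed inline and are not a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little-endian reads: header fields from an untrusted file must
   never be allowed to index outside the buffer. Return 1 on success, 0 on overrun. */
static int rd16(const uint8_t *b, size_t n, size_t off, uint16_t *v) {
    if (off > n || n - off < 2) return 0;
    *v = (uint16_t)(b[off] | ((uint16_t)b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    if (off > n || n - off < 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
         ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}
static int rd64(const uint8_t *b, size_t n, size_t off, uint64_t *v) {
    uint32_t lo, hi;
    if (!rd32(b, n, off, &lo) || !rd32(b, n, off + 4, &hi)) return 0;
    *v = ((uint64_t)hi << 32) | lo;
    return 1;
}

/* DOS header -> e_lfanew -> NT header -> ImageBase + AddressOfEntryPoint,
   i.e. the virtual address IDA shows for 'start'. Returns 0 on any malformed header. */
uint64_t pe_entry_va(const uint8_t *buf, size_t len) {
    uint16_t e_magic, opt_magic;
    uint32_t e_lfanew, nt_sig, entry_rva, base32;
    uint64_t base;
    size_t nt;

    if (!rd16(buf, len, 0x00, &e_magic) || e_magic != 0x5A4D) return 0;  /* "MZ" */
    if (!rd32(buf, len, 0x3C, &e_lfanew)) return 0;                     /* e_lfanew */
    nt = e_lfanew;
    if (nt > len) return 0;
    if (!rd32(buf, len, nt, &nt_sig) || nt_sig != 0x00004550) return 0; /* "PE\0\0" */
    /* Optional header begins after Signature(4) + FileHeader(20) = NT + 0x18. */
    if (!rd16(buf, len, nt + 0x18, &opt_magic)) return 0;
    if (!rd32(buf, len, nt + 0x28, &entry_rva)) return 0;               /* AddressOfEntryPoint */
    if (opt_magic == 0x10B) {                 /* PE32: 32-bit ImageBase at NT + 0x34 */
        if (!rd32(buf, len, nt + 0x34, &base32)) return 0;
        base = base32;
    } else if (opt_magic == 0x20B) {          /* PE32+: 64-bit ImageBase at NT + 0x30 */
        if (!rd64(buf, len, nt + 0x30, &base)) return 0;
    } else {
        return 0;
    }
    return base + entry_rva;
}

/* Constructed sample headers (not a real binary): only the fields walked above are filled. */
static void wr16(uint8_t *b, size_t off, uint16_t v) { b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, size_t off, uint32_t v) { wr16(b, off, (uint16_t)v); wr16(b, off + 2, (uint16_t)(v >> 16)); }

#define SAMPLE_LEN 0x100
#define SAMPLE_NT  0x80

/* PE32 sample matching the slides: ImageBase 0x400000, AddressOfEntryPoint 0x110b. */
void build_sample_pe32(uint8_t *b) {
    memset(b, 0, SAMPLE_LEN);
    wr16(b, 0x00, 0x5A4D);
    wr32(b, 0x3C, SAMPLE_NT);
    wr32(b, SAMPLE_NT, 0x00004550);
    wr16(b, SAMPLE_NT + 0x18, 0x10B);
    wr32(b, SAMPLE_NT + 0x28, 0x110B);
    wr32(b, SAMPLE_NT + 0x34, 0x400000);
}

/* PE32+ sample: 64-bit ImageBase 0x140000000, AddressOfEntryPoint 0x1000. */
void build_sample_pe64(uint8_t *b) {
    memset(b, 0, SAMPLE_LEN);
    wr16(b, 0x00, 0x5A4D);
    wr32(b, 0x3C, SAMPLE_NT);
    wr32(b, SAMPLE_NT, 0x00004550);
    wr16(b, SAMPLE_NT + 0x18, 0x20B);
    wr32(b, SAMPLE_NT + 0x28, 0x1000);
    wr32(b, SAMPLE_NT + 0x30, 0x40000000u);   /* low dword of 0x140000000  */
    wr32(b, SAMPLE_NT + 0x34, 0x00000001u);   /* high dword of 0x140000000 */
}

uint64_t sample_pe32_entry(void) { uint8_t b[SAMPLE_LEN]; build_sample_pe32(b); return pe_entry_va(b, SAMPLE_LEN); }
uint64_t sample_pe64_entry(void) { uint8_t b[SAMPLE_LEN]; build_sample_pe64(b); return pe_entry_va(b, SAMPLE_LEN); }
/* The PE32 header cut off inside the optional header: must be rejected, never read out of bounds. */
uint64_t sample_truncated_entry(void) { uint8_t b[SAMPLE_LEN]; build_sample_pe32(b); return pe_entry_va(b, SAMPLE_NT + 0x20); }

int main(void) {
    printf("PE32  entry VA: 0x%llx\n", (unsigned long long)sample_pe32_entry());
    printf("PE32+ entry VA: 0x%llx\n", (unsigned long long)sample_pe64_entry());
    printf("truncated:      0x%llx\n", (unsigned long long)sample_truncated_entry());
    return 0;
}
```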
 36. Import Address Table
 37. IDA: View → Open subviews → Imports. The IAT stores all the API calls the program makes.
 38. IDA: Double-click to show the API detail in the IAT.
 39. Strings List
 40. IDA: View → Open subviews → Strings
 42. Assembly: Data
 43. C Data Type
 44. Program counter
 45. Stack Pointer
 46. Base Pointer
 47. Register Type: [Byte][Byte][Byte][Byte]  EAX = 4 Byte = int = long
 48. Register Type: [Byte][Byte][Byte][Byte]  AX = 2 Byte = short
 49. Register Type: [Byte][Byte][Byte][Byte]  AH = 1 Byte = char
 50. Register Type: [Byte][Byte][Byte][Byte]  AL = 1 Byte = char
 51. Assembly: Opcode
 52. Nop (0x90) → nothing to do.
 53. Mov dest, source → dest = source
     Mov dest, [source] → dest = value at address source
 56. Add dest, source → dest += source
     Add dest, [source] → dest += value at address source
 57. Sub dest, source → dest -= source
     Sub dest, [source] → dest -= value at address source
 58. Inc dest → dest++
     Inc [dest] → (value at address dest)++
 59. Dec dest → dest--
     Dec [dest] → (value at address dest)--
 60.   Cmp [source], value   // Compare *(long*)source with value
       Je  blockOne          // Jump to blockOne if they’re equal
       Jl  blockTwo          // Jump to blockTwo if [source] is less than value
       Jg  blockThree        // Jump to blockThree if [source] is greater than value
 61.   Cmp [source], value   // Compare *(long*)source with value
       Jne blockOne          // Jump to blockOne if they’re not equal
       Jnl blockTwo          // Jump to blockTwo if [source] is not less than value
       Jng blockThree        // Jump to blockThree if [source] is not greater than value
 62.   Test [source], value  // Bitwise-AND *(long*)source with value; only the flags change, and CF/OF are cleared
       Jz blockOne           // Jump to blockOne if ([source] & value) is zero
       Ja blockTwo           // Jump to blockTwo if ([source] & value) is non-zero (CF is always clear after Test, so Ja acts like Jnz)
       Jb blockThree         // Never taken after Test, because Test clears CF
 63. Test vs. Cmp: use Cmp & Jl/Je/Jg if source & dest are signed numbers; use Test & Jb/Jz/Ja if source & dest are unsigned. (Caveat: Test computes an AND and always clears CF, so Jb/Ja after Test do not perform an unsigned comparison; for an unsigned compare use Cmp with Jb/Je/Ja.)
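Added example (not from the slides): a small C emulation of the flags that CMP and TEST produce and of how Je/Jl/Jg/Jb/Ja read them. It makes the signed-versus-unsigned point above concrete (the same CMP satisfies Jl and Ja at once for 0xFFFFFFFF vs 1) and shows why Ja/Jb after Test are not an unsigned compare.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The flag subset that the conditional jumps on the slides read. */
typedef struct {
    bool zf;  /* zero flag:     result == 0                                 */
    bool cf;  /* carry flag:    unsigned borrow for CMP; always 0 for TEST   */
    bool sf;  /* sign flag:     bit 31 of the result                         */
    bool of;  /* overflow flag: signed overflow for CMP; always 0 for TEST   */
} x86_flags;

/* CMP dest, src  ==  dest - src, keeping only the flags. */
x86_flags x86_cmp(uint32_t dest, uint32_t src) {
    uint32_t r = dest - src;
    x86_flags f;
    f.zf = (r == 0);
    f.cf = (dest < src);                               /* borrow out of bit 31 */
    f.sf = (r >> 31) & 1;
    f.of = (((dest ^ src) & (dest ^ r)) >> 31) & 1;    /* operand signs differ and result sign flipped */
    return f;
}

/* TEST dest, src  ==  dest & src, keeping only the flags; CF and OF are cleared. */
x86_flags x86_test(uint32_t dest, uint32_t src) {
    uint32_t r = dest & src;
    x86_flags f;
    f.zf = (r == 0);
    f.cf = false;
    f.sf = (r >> 31) & 1;
    f.of = false;
    return f;
}

/* Jump conditions exactly as the CPU evaluates them. */
bool je (x86_flags f) { return f.zf; }                   /* same encoding as jz  */
bool jne(x86_flags f) { return !f.zf; }                  /* same encoding as jnz */
bool jb (x86_flags f) { return f.cf; }                   /* unsigned <           */
bool ja (x86_flags f) { return !f.cf && !f.zf; }         /* unsigned >           */
bool jl (x86_flags f) { return f.sf != f.of; }           /* signed <             */
bool jg (x86_flags f) { return !f.zf && f.sf == f.of; }  /* signed >             */

int main(void) {
    /* 0xFFFFFFFF is -1 as a signed int but 4294967295 unsigned, so the two
       families of jumps disagree after one and the same CMP. */
    x86_flags c = x86_cmp(0xFFFFFFFFu, 1u);
    printf("cmp 0xFFFFFFFF,1: jl=%d (signed -1 < 1)  ja=%d (unsigned 4294967295 > 1)\n",
           (int)jl(c), (int)ja(c));
    /* After TEST, CF is always clear: ja degenerates to jnz and jb is never taken. */
    x86_flags t = x86_test(0x80u, 0x80u);
    printf("test 0x80,0x80:   jz=%d ja=%d jnz=%d jb=%d\n",
           (int)je(t), (int)ja(t), (int)jne(t), (int)jb(t));
    return 0;
}
```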
 64. Jmp near +0x200 → EIP = EIP + 0x200
 65. Jmp long 0x400000 → EIP = 0x400000
 66. Ret → EIP = [ESP+0] & pop [ESP+0]
 67. Ret 0x0C → EIP = [ESP+0] & pop [ESP+0], then pop 0x0C more bytes from the stack, i.e. ESP += 0x0C
 68. Xor dest, source
       mov dest, ‘A’    // 0x41
       xor dest, 0x20   // dest is ‘a’ (0x61) now
 69. Xor dest, source
       mov dest, ‘a’    // 0x61
       xor dest, 0x20   // dest is ‘A’ (0x41) now
 70.       0100 0001   ‘A’ (0x41)
     Xor   0010 0000   0x20
           ---------
           0110 0001   ‘a’ (0x61)
 71. Assembly: Function Call
 77.   void Func()
       {
           int A = 0;
           int B = 1;
           int C = 2;
       }
       [EBP - 4] = 0
       [EBP - 8] = 1
       [EBP - C] = 2
         push EBP
         mov  EBP, ESP
         sub  ESP, LEN
 78.   void Func() {
           nFunc(ARG1, ARG2, ARG3…);
       }
         push ebp
         mov  ebp, esp
         .
         .
         push arg3
         push arg2
         push arg1
         call nFunc
 83. [EBP+0]  = pointer to old EBP
     [EBP+4]  = return address
     [EBP+8]  = parameter 1
     [EBP+C]  = parameter 2
     [EBP+10] = parameter 3
     …etc
 84. Assembly: Calling Convention
 85–98. Stack (one frame per slide; identical consecutive frames merged; the top cell is where ESP points):
     85: ESP+0, ESP+4, ESP+8, ESP+C, ESP+10, ESP+14 all empty
     86: ESP+0 = Old EBP; the rest empty
     87: EBP+0 (=ESP) = Old EBP; EBP+4 .. EBP+14 empty
     88: EBP-8 (=ESP) = Buffer; EBP-4 = Buffer; EBP+0 = Old EBP; EBP+4 .. EBP+C empty
     89, 97: EBP-8 (=ESP) = 1; EBP-4 = Buffer; EBP+0 = Buffer; EBP+4 = Old EBP; EBP+8 .. EBP+C empty
     90, 91, 95, 96: EBP-8 (=ESP) = return address; EBP-4 = 1; EBP+0 = Buffer; EBP+4 = Buffer; EBP+8 = Old EBP; EBP+C empty
     92: EBP-8 (=ESP) = Old EBP; EBP-4 = return address; EBP+0 = 1; EBP+4 = Buffer; EBP+8 = Buffer; EBP+C = Old EBP
     93, 94: EBP+0 (=ESP) = Old EBP; EBP+4 = return address; EBP+8 = 1; EBP+C = Buffer; EBP+10 = Buffer; EBP+14 = Old EBP
     98: EBP-4 (=ESP) = Buffer; EBP+0 = Buffer; EBP+4 = Old EBP; EBP+8 .. EBP+10 empty
 99. x86 Disassembly & Calling Conventions
100. It’s time to talk about what each register means and what it is used for.
101. I collected the simple parts from the wiki, and they’re really useful for reversing. Read more: x86 Disassembly/Calling Conventions
103. CDECL
105. STDCALL
107. FASTCALL
109. C++ THISCALL
110. Debugging
111. Debug: OllyDbg
112. Debug: Cheat Engine
113. Debug: IDA Pro
114. Trial: TDOH Hello World
115. Play the game & find the flag :P
116. Game Time
120. Live Demo: IDA, CE, Olly
121. IDA: ‘Generate Pseudocode (F5)’ in IDA Pro may drop something important from the assembly for the sake of readability. It’s important to use a debugger and trace the opcodes at every step.
122. Trial: Lucky Day
123. Game Time
128. TDOH{Debug_is_Fun!}
130. Live Demo: IDA, CE, Olly
131. Game Time: Tsinghua Network Security Technology Association
133. Game Time
142. Live Demo: IDA, CE, Olly
143. Game Time: AIS3 2016 Final Binary 1
144. Game Time
145. Use the ‘Strings window’ to find the format string of printf, and double-click it for details.
146. Click the xref and follow it.
148. It just checks that every character of the input is lower case.
150. RC4, but a little different. I will split this function into three parts so you can understand it well.
154. If the result after the RC4 cipher is the same as the input, that is the real key.
156. Live Demo: IDA, CE, Olly
157. Game Time: 特訓99
159. I prepared the same one, but patched. If you can set the bullet count to zero, the game will give you the flag.
160. Game Time
164. Live Demo: IDA, CE, Olly
165. Game Time: CrackMe#1 [UBC] by bRaINbuSY
166. Game Time
168. We don’t care about the parts that have no effect on the check. This part is used for the SEH ExceptionList, but it’s not the point.
169. We can make it simple like this.
170. We should figure out how to get this value (you can certainly obtain it with a debugger, but it’s important to know how it works in order to create a keygen).
175. Live Demo: IDA, CE, Olly
176. Q&A: aaaddress1@gmail.com