Revers engineering

AbdusSalam ALJBRI
AbdusSalam ALJBRITeacher Assistant at Dhamar University
Concept and Programing Understanding Dhamar University© 2012 Abdulsalam Aljbri
What’s Revers Engineering? Reverse engineering is the process of extracting the knowledge or design blueprints from anything manmade. [1]  Reverse engineering in the realm of software is the process of taking a functioning, fully-developed piece of software and, based on the functionality it demonstrates, re-discovering the original source code either through a manual but more often through an automated process. Decompression and disassembly are also synonyms for reverse engineering. [2] 
Reverse Engineering and Forward Engineering Chikofsky and Cross (1990) define reverse engineering and forward engineering:  Reverse engineering: “the process of analyzing a subject system to (i) identify the system’s components and their interrelationships and (ii) create representations of the system in another form or at a higher level of abstraction”  Forward engineering: “the traditional process of moving from high-level abstractions and logical, implementation-independent designs to the physical implementation of a system”
What are Disassembler and Decompilers ? In essence, a disassembler is the exact opposite of an assembler. Where an assembler converts code written in an assembly language into binary machine code, a disassembler reverses the process and attempts to recreate the assembly code from the binary machine code.  Since most assembly languages have a one-to-one correspondence with underlying machine instructions, the process of disassembly is relatively straight-forward, and a basic disassembler can often be implemented simply by reading in bytes, and performing a table lookup.  Akin to Disassembly, Decompilers take the process a step further and actually try to reproduce the code in a high level language. Frequently, this high level language is C, because C is simple and primitive enough to facilitate the decompilation process. 
Why Reverse Engineering? standard practice for replicate or repair a worn component when original data or specifications are unavailable.  The original product design documentation has been lost or never existed.  Creating data to refurbish or manufacture a part for which there are no CAD data, or for which the data have become obsolete or lost.  Analyzing the good and bad features of competitors’ products. 
Where Reverse Engineering? Medical.  Chemistry.  Industrial Development.  Military Applications.  Computer Science.  Many others fields. 
When Reverse Engineering?         Developing the old or legacy products. Remodeling the original structure of the Products. Tracking the errors especial the Runtime Errors. Analysis and Enhancing Network Protocols. Extracting or discovering an Algorithms which was written in the Close Program. Edit the original code for another purpose without having the source code. Cracking the Programs or reproduce the Key generator. Finding malicious code: using reverse engineering to understand how abhorrent code is structured and functions.
Files Format Most file formats begin with header, a few bytes that describe the file type and version. The bytes which describe the file type called “Magic Number” or “File Signature”. This signature always becomes on the beginning of the file. The size of those magic numbers depends on the file itself. Those magic numbers one of the most important thing in the recovering data from the hard disk when it deleted from the desk.
Revers engineering
Example of the Formats PDF file format 25 50 44 46 %PDF PNG file format 89 50 4E 47 .PNG RAR file format 52 61 72 21 1A 07 00 Rar!...
Reverse engineering and related process Requirements Reverse engineering Design Recovery Design Reverse engineering Design Recovery Implementation Forward engineering Restructuring Forward engineering Redocumentation Restructuring
Execution Files MS-DOS COM Files  MS-DOS EXE Files  PE Files  * Relative Virtual Addressing (RVA) 
MS-DOS COM Files COM files are loaded into RAM exactly as they appear; no change is made at all from the hard disk image to RAM. This is possible due to the 20-bit memory model of the early x86 line. Two 16-bit registers would have to be set, one dividing the 1MB+64K memory space into 65536 'segments' and one specifying an offset from that. The segment register would be set by DOS and the COM file would be expected to respect this setting and not ever change the segment registers. The offset registers, however, were free game and served (for COM files) the same purpose as a modern 32-bit register. The downside was that the offset registers were only 16-bit and, therefore, since COM files could not change the segment registers, COM files were limited to using 64K of RAM.
MS-DOS COM Files The good thing about this approach, however, was that no extra work was needed by DOS to load and run a COM file: just load the file, set the segment register, and jmp to it. (The programs could perform 'near' jumps by just giving an offset to jump too.) COM files are loaded into RAM at offset $100. The space before that would be used for passing data to and from DOS (for example, the contents of the command line used to invoke the program). Note that COM files, by definition, cannot be 32-bit. Windows provides support for COM files via a special CPU mode.
MS-DOS EXE Files One way MS-DOS compilers got around the 64k memory limitation was with the introduction of memory models. The basic concept is to cleverly set different segment registers in the x86 CPU (CS, DS, ES, SS) to point to the same or different segments, thus allowing varying degrees of access to memory. Typical memory models were:  Tiny All memory access are 16-bit (never reload any segment register). Produces a .COM file instead of an .EXE file.  Small All memory access are 16-bit (never reload any segment register).  Compact accesses to the code segment reload the CS register, allowing 32-bit of code. Data accesses don't reload the DS, ES, SS registers, allowing 16-bit of data.
MS-DOS EXE Files  Medium accesses to the data segment reload the DS, ES, SS register, allowing 32-bit of data. Code accesses don't reload the CS register, allowing 16-bit of code.  Large both code and data accesses use the segment registers (CS for code, DS, ES, SS for data), allowing 32-bit of code and 32-bit of data.  Huge same as the large model, with additional arithmetic being generated by the compiler to allow access to arrays larger than 64k. When looking at a COM file, one has to decide which memory model was used to build that file.
PE Files A Portable Executable (PE) file is the standard binary file format for an Executable or DLL under Windows NT, Windows 95, and Win32. The Win32 SDK contains a file, winnt.h, which declares various structs and variables used in the PE files. Some functions for manipulating PE files are also included in imagehlp.dll. PE files are broken down into various sections which can be examined.
Relative Virtual Addressing (RVA) In a Windows environment, executable modules can be loaded at any point in memory, and are expected to run without problem. To allow multiple programs to be loaded at seemingly random locations in memory, PE files have adopted a tool called RVA: Relative Virtual Addresses. RVA's assume that the "base address" of where a module is loaded into memory is not known at compile time. So, PE files describe the location of data in memory as an offset from the base address, wherever that may be in memory. Some processor instructions require the code itself to directly identify where in memory some data is. This is not possible when the location of the module in memory is not known at compile time. The solution to this problem is described in the section on "Relocations". It is important to remember that the addresses obtained from a disassembly of a module will not always match up to the addresses seen in a debugger as the program is running.
File Format The PE portable executable file format includes a number of informational headers, and is arranged in the following format: DOS header PE Header COFF Header Optional Header Section Table Mappable Section
DOS header The first 2 letters are always the letters "MZ“ which call Magic Number, File ID, or File Signature. After the File ID, the hex editor will show several bytes of either random-looking symbols, or whitespace, before the human-readable string "This program cannot be run in DOS mode". What is this? Microsoft has engineered a series of DOS instructions into the head of each PE file. When a 32-bit Windows file is run in a 16-bit DOS environment, the program will terminate immediately with the error message: "This program cannot be run in DOS mode".
DOS header The DOS header is also known by some as the EXE header. Here is the DOS header presented as a C data structure -> Immediately following the DOS Header will be the classic error message "This program cannot be run in DOS mode". struct DOS_Header { char signature[2] = "MZ"; short lastsize; short nblocks; short nreloc; short hdrsize; short minalloc; short maxalloc; void *ss; void *sp; short checksum; void *ip; void *cs; short relocpos; short noverlay; short reserved1[4]; short oem_id; short oem_info; short reserved2[10]; long e_lfanew; }
PE Header At offset 60 from the beginning of the DOS header is a pointer to the Portable Executable (PE) File header. DOS will print the error message and terminate, but Windows will follow this pointer to the next batch of information. The PE header consists only of a File ID signature, with the value "PE00" where each '0' character is an ASCII NUL character. This signature shows that a) this file is a legitimate PE file, and b) the byte order of the file. Byte order will not be considered in this chapter, and all PE files are assumed to be in "little endian" format. The first big chunk of information lies in the COFF header, directly after the PE signature.
COFF Header The COFF header is present in both COFF object files (before they are linked) and in PE files where it is known as the "File header". The COFF header has some information that is useful to an executable, and some information that is more useful to an object file.      Machine Thisstruct COFFHeader { machine the file was compiled for. A field determines what hex value of 0x14Cshort Machine; is the code for an Intel 80386. (332 in decimal) NumberOfSections The number of sections that are described at the end short NumberOfSections; of the PE headers. long TimeDateStamp; long time at which this header TimeDateStamp 32 bit PointerToSymbolTable; was generated: is used in long NumberOfSymbols; the process of "Binding", see below. short this field shows how SizeOfOptionalHeader SizeOfOptionalHeader; long the "PE Optional short Characteristics; Header" is that follows the COFF header. } Characteristics This is a field of bit flags, that show some characteristics of the file.0x02 = Executable file, 0x200 = file is non-relocatable (addresses are absolute, not RVA), 0x2000 = File is a DLL Library, not an EXE.
Code Sections The PE Header defines the number of sections in the executable file. Each section definition is 40 bytes in length. The structure of the section descriptor is as follows: Offset Length Purpose 0x00 8 bytes Section Name (e.g .text .data .bss ) 0x08 4 bytes Size of the section once it is loaded to memory 0x0C 4 bytes RVA (location) of section once it is loaded to memory 0x10 4 bytes Physical size of section on disk 0x14 4 bytes Physical location of section on disk (from start of disk image) 0x18 12 bytes Reserved (usually zero) (used in object formats) 0x24 4 bytes Section flags
Windows DLL Files Windows DLL files are a brand of PE file with a few key differences:  A .DLL file extension  A DLLMain() entry point, instead of a WinMain() or main().  The DLL flag set in the PE header. DLLs may be loaded in one of two ways, a) at load-time, or b) by calling the LoadModule() Win32 API function.
Function Exports Functions are exported from a DLL file by using the following syntax: __declspec(dllexport) void MyFunction() ... The "__declspec" keyword here is not a C language standard, but is implemented by many compilers to set extendable, compiler-specific options for functions and variables. Microsoft C Compiler and GCC versions that run on windows allow for the __declspec keyword, and the dllexport property. Functions may also be exported from regular .exe files, and .exe files with exported functions may be called dynamically in a similar manner to .dll files. This is a rare occurrence, however.
Identifying DLL Exports There are several ways to determine which functions are exported by a DLL. The method that this book will use (often implicitly) is to use dumpbin in the following manner: dumpbin /EXPORTS <dll file> This will post a list of the function exports, along with their ordinal and RVA to the console.
Function Imports In a similar manner to function exports, a program may import a function from an external DLL file. The dll file will load into the process memory when the program is started, and the function will be used like a local function. DLL imports need to be prototyped in the following manner, for the compiler and linker to recognize that the function is coming from an external library: __declspec(dllimport) void MyFunction();
Identifying DLL Imports If is often useful to determine which functions are imported from external libraries when examining a program. To list import files to the console, use dumpbin in the following manner __declspec(dllimport) void MyFunction(); You can also use depends.exe to list imported and exported functions. Depends is a GUI tool and comes with Microsoft Platform SDK.
Analysis Tools Debuggers  Hex Editors  Resource Monitors  API Monitors  PE File Header dumpers 
Debuggers Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.  Advanced debuggers often contain at least a rudimentary disassembler, often times hex editing and reassembly features. Debuggers often allow the user to set breakpoints on instructions, function calls, and even memory locations.  A breakpoint is an instruction to the debugger that allows program execution to be halted when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution. 
Windows Debuggers SoftICE A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006. WinDbg WinDbg is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDbg is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. Available in 32 and 64-bit versions.
Windows Debuggers IDA Pro The multi-processor, multi-OS, interactive disassembler by DataRescue. OllyDbg OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging. Immunity Debugger Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.
Hex Editors Hex editors are able to directly view and edit the binary of a source file, and are very useful for investigating the structure of proprietary closed-format data files. There are many hex editors in existence. This section will attempt to list some of the best, some of the most popular, or some of the most powerful.
Windows Hex Editors wxHexEditor (Free & Open Source): A fast hex editor specially for HUGE files and disk devices, allows up to Exabyte, allow size changes (inject and deletes) without creating temp file, could view files with multiple panes, has built-in disassembler, supports tags for (reverse) engineering big binaries or file systems, could view files thru XOR encryption. http:/ / wxhexeditor. sourceforge. net/ HxD (Freeware) A fast and powerful free hex, disk and RAM editor http:/ / mh-nexus. de/ hxd/
Assemble There are three reasons for using assembly language: speed, speed, and more speed. As the middle language between the High-level and low-level (Machine Language) Programing Language which almost of the HLL most pass throw to be an execution file. Furthermore, it’s the bridge to get the original design of the binary files. Assembly language has several benefits:  Speed. Assembly language programs are generally the fastest programs around.  Space. Assembly language programs are often the smallest.  Capability. You can do things in assembly which are difficult or impossible in HLLs.  Knowledge. Your knowledge of assembly language will help you write better programs, even when using HLLs.
Registers The IA-32 platform processors have multiple groups of registers of different sizes. Different processors within the IA-32 platform include specialized registers. The core groups of registers available to all processors in the IA-32 family. General purpose: Eight 32-bit registers used for storing working data  Segment: Six 16-bit registers used for handling memory access  Instruction pointer: A single 32-bit register pointing to the next instruction code to execute 
General-purpose registers EAX Accumulator for operands and results data EBX Pointer to data in the data memory segment ECX Counter for string and loop operations EDX I/O pointer EDI Data pointer for destination of string operations ESI Data pointer for source of string operations ESP Stack pointer EBP Stack data pointer
Segment registers CS Code segment DS Data segment SS Stack segment ES Extra segment pointer FS Extra segment pointer GS Extra segment pointer
Flags CF 0 Code segment PF 2 Data segment AF 4 Stack segment ZF 6 Extra segment pointer SF 7 Extra segment pointer OF 11 Extra segment pointer
Logical Operators Operator Syntax Description SHR expr SHR expr Shift right SHL expr SHL expr Shift left NOT NOT expr Logical (bit by bit) NOT AND expr AND expr Logical AND OR expr OR expr Logical OR expr XOR expr Logical XOR Syntax Description expr SHR expr Shift right XOR Operator SHR
Relational Operators Operator Syntax Description EQ expr EQ expr True (0FFh) if equal, false (0) otherwise NE expr NE expr True (0FFh) if not equal, false (0) otherwise LT expr LT expr True (0FFh) if less, false (0) otherwise LE expr LE expr True (0FFh) if less or equal, false (0) otherwise GT expr GT expr True (0FFh) if greater, false (0) otherwise GE expr GE expr True (0FFh) if greater or equal, false (0) otherwise Operator Syntax EQ Description expr EQ expr True (0FFh) if equal, false (0) otherwise
Jump Instructions Jcc Instructions That Test Flags Instruction Condition Aliases Opposite Jump if carry Carry = 1 JB, JNAE JNC Jump if no carry Carry = 0 JNB, JAE JC Jump if zero Zero = 1 JE JNZ Jump if not zero Zero = 0 JNE JZ Jump if sign Sign = 1 - JNS JNS Jump if no sign Sign = 0 - JS JO Jump if overflow Ovrflw=1 - JNO JNO Jump if no Ovrflw Ovrflw=0 - JO Jump if parity Parity = 1 JPE JNP JPE Jump if parity even Parity = 1 JP JPO JNP Jump if no parity Parity = 0 JPO JP JPO Jump if parity odd Parity = 0 JNP JPE JC JNC JZ JNZ JS JP Description
Jump Instructions Jcc Instructions for Unsigned Comparisons Instruction JA JNBE Description Jump if above (>) Condition Carry=0, Zero=0 Jump if not below or equal (not <=) Carry=0, Zero=0 Aliases Opposite JNBE JNA JA JBE JAE Jump if above or equal (>=) Carry = 0 JNC, JNB JNAE JNB Jump if not below (not <) Carry = 0 JNC, JAE JB Jump if below (<) Carry = 1 JC, JNAE JNB JC, JB JAE JB JNAE Jump if not above or equal (not >=) Carry = 1 JBE Jump if below or equal (<=) Carry = 1 or Zero = 1 JNA JNBE JNA Jump if not above (not >) Carry = 1 or Zero = 1 JBE JA Jump if equal (=) Zero = 1 JZ JNE Jump if not equal () Zero = 0 JNZ JE Jump if above (>) Carry=0, Zero=0 JNBE JNA JA JBE JE JNE JA JNBE Jump if not below or equal (not <=) Carry=0, Zero=0
Jump Instructions Jcc Instructions for Signed Comparisons Instruction JG Description Condition Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE Jump if not less than or equal (not <=) JGE JNL Aliases Opposite JNLE JNG Sign = Ovrflw or Zero=0 JG JLE Jump if greater than or equal (>=) Sign = Ovrflw JNL JGE Jump if not less than (not <) Sign = Ovrflw JGE JL Jump if less than (<) Sign Ovrflw JNGE JNL Jump if not greater or equal (not >=) Sign Ovrflw JL JGE JLE Jump if less than or equal (<=) Sign Ovrflw or Zero = 1 JNG JNLE JNG Jump if not greater than (not >) Sign Ovrflw or Zero = 1 JLE JG Jump if equal (=) Zero = 1 JZ JNE JNE Jump if not equal () Zero = 0 JNZ JE JG Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE JNG Jump if not less than or equal (not <=) Sign = Ovrflw or Zero=0 JG JLE JL JNGE JE JNLE
OllyDbg Control Bar Registers Window Disassembler Window Dump Memory Window Stack Window
OllyDbg - Disassembler Window CommentsCommand Assemble Hex Dump Address section Information Section
OllyDbg - Stack Window registers Instruction Pointer Register Segment registers Flags Additional registers
Recourse for the RE tools http://www.openrce.org/  http://www.at4re.com/  http://www.ollydbg.de/  http://www.tuts4you.com/  http://www.peid.info/ 
Eilam, Eldad. "Reversing: Secrets of Reverse Engineering." 2005. Wiley Publishing Inc. ISBN 0764574817  Raja, Vinesh II. Fernandes, Kiran J. "Reverse Engineering An Industrial Perspective" 2008. Springer Series in Advanced Manufacturing .ISBN 978-1-84628-855-5  Hyde, Randall. "The Art of Assembly Language," No Starch, 2003 ISBN 1886411972  Blum, Richard. “Professional Assembly Language”, 2005. Wiley Publishing, Inc. ISBN: 0-7645-7901-0 
Revers engineering
1 of 51

Revers engineering

Download to read offline
EducationTechnology

Reverse engineering is the process of extracting the knowledge or design blueprints from anything man-made. and this is explanation of the Concept and Programming Understanding

AbdusSalam ALJBRI
AbdusSalam ALJBRITeacher Assistant at Dhamar University

Recommended

Reverse code engineering by
Reverse code engineeringReverse code engineering
Reverse code engineeringKrishs Patil
464 views34 slides
Reverse engineering by
Reverse engineeringReverse engineering
Reverse engineeringSaswat Padhi
6.2K views20 slides
resume_v36 by
resume_v36resume_v36
resume_v36Zhiqiang Liu
132 views3 slides
Making reverse engineering fun by
Making reverse engineering funMaking reverse engineering fun
Making reverse engineering funn|u - The Open Security Community
75 views10 slides
Fel Flyer F11 by
Fel Flyer F11Fel Flyer F11
Fel Flyer F11chitlesh
502 views10 slides
Embedded C - Lecture 1 by
Embedded C - Lecture 1Embedded C - Lecture 1
Embedded C - Lecture 1Mohamed Abdallah
10.8K views44 slides

More Related Content

What's hot

FEL Flyer F12 by
FEL Flyer F12FEL Flyer F12
FEL Flyer F12chitlesh
604 views12 slides
C programming session 14 by
C programming session 14C programming session 14
C programming session 14AjayBahoriya
393 views22 slides
WhitePaperTemplate by
WhitePaperTemplateWhitePaperTemplate
WhitePaperTemplateJo Marques
167 views13 slides
ctchou-resume by
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
211 views3 slides
ctchou-resume by
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
282 views3 slides
ctchou-resume by
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
273 views3 slides

What's hot(20)

FEL Flyer F12 by chitlesh
FEL Flyer F12FEL Flyer F12
FEL Flyer F12
chitlesh604 views
C programming session 14 by AjayBahoriya
C programming session 14C programming session 14
C programming session 14
AjayBahoriya393 views
WhitePaperTemplate by Jo Marques
WhitePaperTemplateWhitePaperTemplate
WhitePaperTemplate
Jo Marques167 views
ctchou-resume by Ching-Tsun Chou
ctchou-resumectchou-resume
ctchou-resume
Ching-Tsun Chou211 views
ctchou-resume by Ching-Tsun Chou
ctchou-resumectchou-resume
ctchou-resume
Ching-Tsun Chou282 views
ctchou-resume by Ching-Tsun Chou
ctchou-resumectchou-resume
ctchou-resume
Ching-Tsun Chou273 views
Interview Question of Aspdotnet by MohitKumar1985
Interview Question of AspdotnetInterview Question of Aspdotnet
Interview Question of Aspdotnet
MohitKumar1985852 views
Shravani_Nerella by Shravani Nerella
Shravani_NerellaShravani_Nerella
Shravani_Nerella
Shravani Nerella426 views
Reversing and Patching Machine Code by Teodoro Cipresso
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine Code
Teodoro Cipresso670 views
Denis Nagorny - Pumping Python Performance by Sergey Arkhipov
Denis Nagorny - Pumping Python PerformanceDenis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python Performance
Sergey Arkhipov626 views
Advanced IDE functionality in modern language workbenches by Vaclav Pech
Advanced IDE functionality in modern language workbenchesAdvanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenches
Vaclav Pech795 views
Safe and Reliable Embedded Linux Programming: How to Get There by AdaCore
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get There
AdaCore4.7K views
verification resume by vishwanath swamy
verification resumeverification resume
verification resume
vishwanath swamy258 views
TULIKA KESHRI (1) by Tulika Keshri
TULIKA KESHRI (1)TULIKA KESHRI (1)
TULIKA KESHRI (1)
Tulika Keshri130 views
Vasiliy Litvinov - Python Profiling by Sergey Arkhipov
Vasiliy Litvinov - Python ProfilingVasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python Profiling
Sergey Arkhipov538 views
ctchou-resume by Ching-Tsun Chou
ctchou-resumectchou-resume
ctchou-resume
Ching-Tsun Chou129 views
International Journal of Computational Engineering Research(IJCER) by ijceronline
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
ijceronline248 views
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi... by Pradeep Singh
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Pradeep Singh1.2K views
Build Programming Language Runtime with LLVM by National Cheng Kung University
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVM
National Cheng Kung University4.4K views
Reverse Engineering 101 by ysurer
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
ysurer1.6K views

Viewers also liked

Reverse engineering power point! by
Reverse engineering power point!Reverse engineering power point!
Reverse engineering power point!foy8447
2.9K views10 slides
Transistor2015 by
Transistor2015Transistor2015
Transistor2015KMohamed92
484 views22 slides
Page layout by
Page layoutPage layout
Page layoutEllie Marsh
116 views5 slides
Reverse engineering by
Reverse engineeringReverse engineering
Reverse engineeringHicube Infosec
3.9K views30 slides
Analyse technique du service par Guillaume BREVET by
Analyse technique du service par Guillaume BREVETAnalyse technique du service par Guillaume BREVET
Analyse technique du service par Guillaume BREVETjc WECKERLE
5.3K views10 slides
Reengineering including reverse & forward Engineering by
Reengineering including reverse & forward EngineeringReengineering including reverse & forward Engineering
Reengineering including reverse & forward EngineeringMuhammad Chaudhry
15.5K views29 slides

Viewers also liked(13)

Reverse engineering power point! by foy8447
Reverse engineering power point!Reverse engineering power point!
Reverse engineering power point!
foy84472.9K views
Transistor2015 by KMohamed92
Transistor2015Transistor2015
Transistor2015
KMohamed92484 views
Page layout by Ellie Marsh
Page layoutPage layout
Page layout
Ellie Marsh116 views
Reverse engineering by Hicube Infosec
Reverse engineeringReverse engineering
Reverse engineering
Hicube Infosec3.9K views
Analyse technique du service par Guillaume BREVET by jc WECKERLE
Analyse technique du service par Guillaume BREVETAnalyse technique du service par Guillaume BREVET
Analyse technique du service par Guillaume BREVET
jc WECKERLE5.3K views
Reengineering including reverse & forward Engineering by Muhammad Chaudhry
Reengineering including reverse & forward EngineeringReengineering including reverse & forward Engineering
Reengineering including reverse & forward Engineering
Muhammad Chaudhry15.5K views
Introduction to Reverse Engineering by Dobromir Enchev
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
Dobromir Enchev4.6K views
Reverse engineering by Syed Zillay Ali
Reverse engineeringReverse engineering
Reverse engineering
Syed Zillay Ali6.1K views
Software re engineering by deshpandeamrut
Software re engineeringSoftware re engineering
Software re engineering
deshpandeamrut77.5K views
Reverse engineering by Yuffie Valen
Reverse engineeringReverse engineering
Reverse engineering
Yuffie Valen7.7K views
Reverse engineering by ananya0122
Reverse engineeringReverse engineering
Reverse engineering
ananya012236K views
Reverse Engineering by dswanson
Reverse EngineeringReverse Engineering
Reverse Engineering
dswanson13.2K views
Reverse engineering & its application by mapqrs
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
mapqrs37.1K views

Similar to Revers engineering

Source vs object code by
Source vs object codeSource vs object code
Source vs object codeSana Ullah
416 views7 slides
Arm based controller - basic bootcamp by
Arm based controller - basic bootcampArm based controller - basic bootcamp
Arm based controller - basic bootcampRoy Messinger
806 views57 slides
Linking in MS-Dos System by
Linking in MS-Dos SystemLinking in MS-Dos System
Linking in MS-Dos SystemSatyamevjayte Haxor
9K views16 slides
Ghel os by
Ghel osGhel os
Ghel osghel albanio
2 views8 slides
Ghel os by
Ghel osGhel os
Ghel osghel albanio
430 views8 slides
Purdue CS354 Operating Systems 2008 by
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008guestd9065
5K views585 slides

Similar to Revers engineering(20)

Source vs object code by Sana Ullah
Source vs object codeSource vs object code
Source vs object code
Sana Ullah416 views
Arm based controller - basic bootcamp by Roy Messinger
Arm based controller - basic bootcampArm based controller - basic bootcamp
Arm based controller - basic bootcamp
Roy Messinger806 views
Linking in MS-Dos System by Satyamevjayte Haxor
Linking in MS-Dos SystemLinking in MS-Dos System
Linking in MS-Dos System
Satyamevjayte Haxor9K views
Ghel os by ghel albanio
Ghel osGhel os
Ghel os
ghel albanio2 views
Ghel os by ghel albanio
Ghel osGhel os
Ghel os
ghel albanio430 views
Purdue CS354 Operating Systems 2008 by guestd9065
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008
guestd90655K views
Itroduction about java by srmohan06
Itroduction about javaItroduction about java
Itroduction about java
srmohan0686 views
A by theiluminados
AA
A
theiluminados317 views
Mp &mc programs by Haritha Hary
Mp &mc programsMp &mc programs
Mp &mc programs
Haritha Hary4.8K views
Creating user-mode debuggers for Windows by Mithun Shanbhag
Creating user-mode debuggers for WindowsCreating user-mode debuggers for Windows
Creating user-mode debuggers for Windows
Mithun Shanbhag417 views
Ms dos by Mercy Lou Yecla
Ms dosMs dos
Ms dos
Mercy Lou Yecla9.7K views
Ms dos commands for Multimedia Students and Facultyes by SEO SKills
Ms dos commands for Multimedia Students and FacultyesMs dos commands for Multimedia Students and Facultyes
Ms dos commands for Multimedia Students and Facultyes
SEO SKills184 views
Codescape Debugger 8 by Damien Ruscoe
Codescape Debugger 8Codescape Debugger 8
Codescape Debugger 8
Damien Ruscoe639 views
Assignment#1 lograbo, s.f. (cs3112-os) by myanddy
Assignment#1 lograbo, s.f. (cs3112-os)Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)
myanddy3 views
Assignment#1 lograbo, s.f. (cs3112-os) by myanddy
Assignment#1 lograbo, s.f. (cs3112-os)Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)
myanddy408 views
IDAPRO by Matt Vieyra
IDAPROIDAPRO
IDAPRO
Matt Vieyra272 views
Assignment#1 Mapacpac, F M P (Cs3112 Os) by dyandmy
Assignment#1 Mapacpac, F M P (Cs3112 Os)Assignment#1 Mapacpac, F M P (Cs3112 Os)
Assignment#1 Mapacpac, F M P (Cs3112 Os)
dyandmy273 views
Cartilla en ingles by anderson
Cartilla en inglesCartilla en ingles
Cartilla en ingles
anderson942 views
Cao 2012 by Raja Basharat
Cao 2012Cao 2012
Cao 2012
Raja Basharat498 views
CDI debugger for embedded C/C+ by Teodor Madan
CDI debugger for embedded C/C+CDI debugger for embedded C/C+
CDI debugger for embedded C/C+
Teodor Madan698 views

Recently uploaded

Drama KS5 Breakdown by
Drama KS5 BreakdownDrama KS5 Breakdown
Drama KS5 BreakdownWestHatch
79 views2 slides
When Sex Gets Complicated: Porn, Affairs, & Cybersex by
When Sex Gets Complicated: Porn, Affairs, & CybersexWhen Sex Gets Complicated: Porn, Affairs, & Cybersex
When Sex Gets Complicated: Porn, Affairs, & CybersexMarlene Maheu
67 views73 slides
11.30.23 Poverty and Inequality in America.pptx by
11.30.23 Poverty and Inequality in America.pptx11.30.23 Poverty and Inequality in America.pptx
11.30.23 Poverty and Inequality in America.pptxmary850239
160 views33 slides
The Accursed House by Émile Gaboriau by
The Accursed House by Émile GaboriauThe Accursed House by Émile Gaboriau
The Accursed House by Émile GaboriauDivyaSheta
201 views15 slides
Scope of Biochemistry.pptx by
Scope of Biochemistry.pptxScope of Biochemistry.pptx
Scope of Biochemistry.pptxshoba shoba
133 views55 slides
The Open Access Community Framework (OACF) 2023 (1).pptx by
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxJisc
110 views7 slides

Recently uploaded(20)

Drama KS5 Breakdown by WestHatch
Drama KS5 BreakdownDrama KS5 Breakdown
Drama KS5 Breakdown
WestHatch79 views
When Sex Gets Complicated: Porn, Affairs, & Cybersex by Marlene Maheu
When Sex Gets Complicated: Porn, Affairs, & CybersexWhen Sex Gets Complicated: Porn, Affairs, & Cybersex
When Sex Gets Complicated: Porn, Affairs, & Cybersex
Marlene Maheu67 views
11.30.23 Poverty and Inequality in America.pptx by mary850239
11.30.23 Poverty and Inequality in America.pptx11.30.23 Poverty and Inequality in America.pptx
11.30.23 Poverty and Inequality in America.pptx
mary850239160 views
The Accursed House by Émile Gaboriau by DivyaSheta
The Accursed House by Émile GaboriauThe Accursed House by Émile Gaboriau
The Accursed House by Émile Gaboriau
DivyaSheta201 views
Scope of Biochemistry.pptx by shoba shoba
Scope of Biochemistry.pptxScope of Biochemistry.pptx
Scope of Biochemistry.pptx
shoba shoba133 views
The Open Access Community Framework (OACF) 2023 (1).pptx by Jisc
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
Jisc110 views
Ch. 7 Political Participation and Elections.pptx by Rommel Regala
Ch. 7 Political Participation and Elections.pptxCh. 7 Political Participation and Elections.pptx
Ch. 7 Political Participation and Elections.pptx
Rommel Regala97 views
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptx by Center for Integrated Training & Education
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptxCollective Bargaining and Understanding a Teacher Contract(16793704.1).pptx
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptx
Center for Integrated Training & Education93 views
231112 (WR) v1 ChatGPT OEB 2023.pdf by WilfredRubens.com
231112 (WR) v1 ChatGPT OEB 2023.pdf231112 (WR) v1 ChatGPT OEB 2023.pdf
231112 (WR) v1 ChatGPT OEB 2023.pdf
WilfredRubens.com157 views
MercerJesse2.1Doc.pdf by jessemercerail
MercerJesse2.1Doc.pdfMercerJesse2.1Doc.pdf
MercerJesse2.1Doc.pdf
jessemercerail169 views
Google solution challenge..pptx by ChitreshGyanani1
Google solution challenge..pptxGoogle solution challenge..pptx
Google solution challenge..pptx
ChitreshGyanani1131 views
Use of Probiotics in Aquaculture.pptx by AKSHAY MANDAL
Use of Probiotics in Aquaculture.pptxUse of Probiotics in Aquaculture.pptx
Use of Probiotics in Aquaculture.pptx
AKSHAY MANDAL100 views
Narration lesson plan.docx by TARIQ KHAN
Narration lesson plan.docxNarration lesson plan.docx
Narration lesson plan.docx
TARIQ KHAN112 views
PLASMA PROTEIN (2).pptx by MEGHANA C
PLASMA PROTEIN (2).pptxPLASMA PROTEIN (2).pptx
PLASMA PROTEIN (2).pptx
MEGHANA C68 views
Dance KS5 Breakdown by WestHatch
Dance KS5 BreakdownDance KS5 Breakdown
Dance KS5 Breakdown
WestHatch79 views
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively by PECB
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
PECB 585 views
GSoC 2024 by DeveloperStudentClub10
GSoC 2024GSoC 2024
GSoC 2024
DeveloperStudentClub1079 views
Java Simplified: Understanding Programming Basics by Akshaj Vadakkath Joshy
Java Simplified: Understanding Programming BasicsJava Simplified: Understanding Programming Basics
Java Simplified: Understanding Programming Basics
Akshaj Vadakkath Joshy295 views
ANATOMY AND PHYSIOLOGY UNIT 1 { PART-1} by DR .PALLAVI PATHANIA
ANATOMY AND PHYSIOLOGY UNIT 1 { PART-1}ANATOMY AND PHYSIOLOGY UNIT 1 { PART-1}
ANATOMY AND PHYSIOLOGY UNIT 1 { PART-1}
DR .PALLAVI PATHANIA249 views
Solar System and Galaxies.pptx by DrHafizKosar
Solar System and Galaxies.pptxSolar System and Galaxies.pptx
Solar System and Galaxies.pptx
DrHafizKosar91 views

Revers engineering

  • 1. Concept and Programing Understanding Dhamar University© 2012 Abdulsalam Aljbri
  • 2. What’s Revers Engineering? Reverse engineering is the process of extracting the knowledge or design blueprints from anything manmade. [1]  Reverse engineering in the realm of software is the process of taking a functioning, fully-developed piece of software and, based on the functionality it demonstrates, re-discovering the original source code either through a manual but more often through an automated process. Decompression and disassembly are also synonyms for reverse engineering. [2] 
  • 3. Reverse Engineering and Forward Engineering Chikofsky and Cross (1990) define reverse engineering and forward engineering:  Reverse engineering: “the process of analyzing a subject system to (i) identify the system’s components and their interrelationships and (ii) create representations of the system in another form or at a higher level of abstraction”  Forward engineering: “the traditional process of moving from high-level abstractions and logical, implementation-independent designs to the physical implementation of a system”
  • 4. What are Disassembler and Decompilers ? In essence, a disassembler is the exact opposite of an assembler. Where an assembler converts code written in an assembly language into binary machine code, a disassembler reverses the process and attempts to recreate the assembly code from the binary machine code.  Since most assembly languages have a one-to-one correspondence with underlying machine instructions, the process of disassembly is relatively straight-forward, and a basic disassembler can often be implemented simply by reading in bytes, and performing a table lookup.  Akin to Disassembly, Decompilers take the process a step further and actually try to reproduce the code in a high level language. Frequently, this high level language is C, because C is simple and primitive enough to facilitate the decompilation process. 
  • 5. Why Reverse Engineering? standard practice for replicate or repair a worn component when original data or specifications are unavailable.  The original product design documentation has been lost or never existed.  Creating data to refurbish or manufacture a part for which there are no CAD data, or for which the data have become obsolete or lost.  Analyzing the good and bad features of competitors’ products. 
  • 6. Where Reverse Engineering? Medical.  Chemistry.  Industrial Development.  Military Applications.  Computer Science.  Many others fields. 
  • 7. When Reverse Engineering?         Developing the old or legacy products. Remodeling the original structure of the Products. Tracking the errors especial the Runtime Errors. Analysis and Enhancing Network Protocols. Extracting or discovering an Algorithms which was written in the Close Program. Edit the original code for another purpose without having the source code. Cracking the Programs or reproduce the Key generator. Finding malicious code: using reverse engineering to understand how abhorrent code is structured and functions.
  • 8. Files Format Most file formats begin with header, a few bytes that describe the file type and version. The bytes which describe the file type called “Magic Number” or “File Signature”. This signature always becomes on the beginning of the file. The size of those magic numbers depends on the file itself. Those magic numbers one of the most important thing in the recovering data from the hard disk when it deleted from the desk.
  • 10. Example of the Formats PDF file format 25 50 44 46 %PDF PNG file format 89 50 4E 47 .PNG RAR file format 52 61 72 21 1A 07 00 Rar!...
  • 11. Reverse engineering and related process Requirements Reverse engineering Design Recovery Design Reverse engineering Design Recovery Implementation Forward engineering Restructuring Forward engineering Redocumentation Restructuring
  • 12. Execution Files MS-DOS COM Files  MS-DOS EXE Files  PE Files  * Relative Virtual Addressing (RVA) 
  • 13. MS-DOS COM Files COM files are loaded into RAM exactly as they appear; no change is made at all from the hard disk image to RAM. This is possible due to the 20-bit memory model of the early x86 line. Two 16-bit registers would have to be set, one dividing the 1MB+64K memory space into 65536 'segments' and one specifying an offset from that. The segment register would be set by DOS and the COM file would be expected to respect this setting and not ever change the segment registers. The offset registers, however, were free game and served (for COM files) the same purpose as a modern 32-bit register. The downside was that the offset registers were only 16-bit and, therefore, since COM files could not change the segment registers, COM files were limited to using 64K of RAM.
  • 14. MS-DOS COM Files The good thing about this approach, however, was that no extra work was needed by DOS to load and run a COM file: just load the file, set the segment register, and jmp to it. (The programs could perform 'near' jumps by just giving an offset to jump too.) COM files are loaded into RAM at offset $100. The space before that would be used for passing data to and from DOS (for example, the contents of the command line used to invoke the program). Note that COM files, by definition, cannot be 32-bit. Windows provides support for COM files via a special CPU mode.
  • 15. MS-DOS EXE Files One way MS-DOS compilers got around the 64k memory limitation was with the introduction of memory models. The basic concept is to cleverly set different segment registers in the x86 CPU (CS, DS, ES, SS) to point to the same or different segments, thus allowing varying degrees of access to memory. Typical memory models were:  Tiny All memory access are 16-bit (never reload any segment register). Produces a .COM file instead of an .EXE file.  Small All memory access are 16-bit (never reload any segment register).  Compact accesses to the code segment reload the CS register, allowing 32-bit of code. Data accesses don't reload the DS, ES, SS registers, allowing 16-bit of data.
  • 16. MS-DOS EXE Files  Medium accesses to the data segment reload the DS, ES, SS register, allowing 32-bit of data. Code accesses don't reload the CS register, allowing 16-bit of code.  Large both code and data accesses use the segment registers (CS for code, DS, ES, SS for data), allowing 32-bit of code and 32-bit of data.  Huge same as the large model, with additional arithmetic being generated by the compiler to allow access to arrays larger than 64k. When looking at a COM file, one has to decide which memory model was used to build that file.
  • 17. PE Files A Portable Executable (PE) file is the standard binary file format for an Executable or DLL under Windows NT, Windows 95, and Win32. The Win32 SDK contains a file, winnt.h, which declares various structs and variables used in the PE files. Some functions for manipulating PE files are also included in imagehlp.dll. PE files are broken down into various sections which can be examined.
  • 18. Relative Virtual Addressing (RVA) In a Windows environment, executable modules can be loaded at any point in memory, and are expected to run without problem. To allow multiple programs to be loaded at seemingly random locations in memory, PE files have adopted a tool called RVA: Relative Virtual Addresses. RVA's assume that the "base address" of where a module is loaded into memory is not known at compile time. So, PE files describe the location of data in memory as an offset from the base address, wherever that may be in memory. Some processor instructions require the code itself to directly identify where in memory some data is. This is not possible when the location of the module in memory is not known at compile time. The solution to this problem is described in the section on "Relocations". It is important to remember that the addresses obtained from a disassembly of a module will not always match up to the addresses seen in a debugger as the program is running.
  • 19. File Format The PE portable executable file format includes a number of informational headers, and is arranged in the following format: DOS header PE Header COFF Header Optional Header Section Table Mappable Section
  • 20. DOS header The first 2 letters are always the letters "MZ“ which call Magic Number, File ID, or File Signature. After the File ID, the hex editor will show several bytes of either random-looking symbols, or whitespace, before the human-readable string "This program cannot be run in DOS mode". What is this? Microsoft has engineered a series of DOS instructions into the head of each PE file. When a 32-bit Windows file is run in a 16-bit DOS environment, the program will terminate immediately with the error message: "This program cannot be run in DOS mode".
  • 21. DOS header The DOS header is also known by some as the EXE header. Here is the DOS header presented as a C data structure -> Immediately following the DOS Header will be the classic error message "This program cannot be run in DOS mode". struct DOS_Header { char signature[2] = "MZ"; short lastsize; short nblocks; short nreloc; short hdrsize; short minalloc; short maxalloc; void *ss; void *sp; short checksum; void *ip; void *cs; short relocpos; short noverlay; short reserved1[4]; short oem_id; short oem_info; short reserved2[10]; long e_lfanew; }
  • 22. PE Header At offset 60 from the beginning of the DOS header is a pointer to the Portable Executable (PE) File header. DOS will print the error message and terminate, but Windows will follow this pointer to the next batch of information. The PE header consists only of a File ID signature, with the value "PE00" where each '0' character is an ASCII NUL character. This signature shows that a) this file is a legitimate PE file, and b) the byte order of the file. Byte order will not be considered in this chapter, and all PE files are assumed to be in "little endian" format. The first big chunk of information lies in the COFF header, directly after the PE signature.
  • 23. COFF Header The COFF header is present in both COFF object files (before they are linked) and in PE files where it is known as the "File header". The COFF header has some information that is useful to an executable, and some information that is more useful to an object file.      Machine Thisstruct COFFHeader { machine the file was compiled for. A field determines what hex value of 0x14Cshort Machine; is the code for an Intel 80386. (332 in decimal) NumberOfSections The number of sections that are described at the end short NumberOfSections; of the PE headers. long TimeDateStamp; long time at which this header TimeDateStamp 32 bit PointerToSymbolTable; was generated: is used in long NumberOfSymbols; the process of "Binding", see below. short this field shows how SizeOfOptionalHeader SizeOfOptionalHeader; long the "PE Optional short Characteristics; Header" is that follows the COFF header. } Characteristics This is a field of bit flags, that show some characteristics of the file.0x02 = Executable file, 0x200 = file is non-relocatable (addresses are absolute, not RVA), 0x2000 = File is a DLL Library, not an EXE.
  • 24. Code Sections The PE Header defines the number of sections in the executable file. Each section definition is 40 bytes in length. The structure of the section descriptor is as follows: Offset Length Purpose 0x00 8 bytes Section Name (e.g .text .data .bss ) 0x08 4 bytes Size of the section once it is loaded to memory 0x0C 4 bytes RVA (location) of section once it is loaded to memory 0x10 4 bytes Physical size of section on disk 0x14 4 bytes Physical location of section on disk (from start of disk image) 0x18 12 bytes Reserved (usually zero) (used in object formats) 0x24 4 bytes Section flags
  • 25. Windows DLL Files Windows DLL files are a brand of PE file with a few key differences:  A .DLL file extension  A DLLMain() entry point, instead of a WinMain() or main().  The DLL flag set in the PE header. DLLs may be loaded in one of two ways, a) at load-time, or b) by calling the LoadModule() Win32 API function.
  • 26. Function Exports Functions are exported from a DLL file by using the following syntax: __declspec(dllexport) void MyFunction() ... The "__declspec" keyword here is not a C language standard, but is implemented by many compilers to set extendable, compiler-specific options for functions and variables. Microsoft C Compiler and GCC versions that run on windows allow for the __declspec keyword, and the dllexport property. Functions may also be exported from regular .exe files, and .exe files with exported functions may be called dynamically in a similar manner to .dll files. This is a rare occurrence, however.
  • 27. Identifying DLL Exports There are several ways to determine which functions are exported by a DLL. The method that this book will use (often implicitly) is to use dumpbin in the following manner: dumpbin /EXPORTS <dll file> This will post a list of the function exports, along with their ordinal and RVA to the console.
  • 28. Function Imports In a similar manner to function exports, a program may import a function from an external DLL file. The dll file will load into the process memory when the program is started, and the function will be used like a local function. DLL imports need to be prototyped in the following manner, for the compiler and linker to recognize that the function is coming from an external library: __declspec(dllimport) void MyFunction();
  • 29. Identifying DLL Imports If is often useful to determine which functions are imported from external libraries when examining a program. To list import files to the console, use dumpbin in the following manner __declspec(dllimport) void MyFunction(); You can also use depends.exe to list imported and exported functions. Depends is a GUI tool and comes with Microsoft Platform SDK.
  • 30. Analysis Tools Debuggers  Hex Editors  Resource Monitors  API Monitors  PE File Header dumpers 
  • 31. Debuggers Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.  Advanced debuggers often contain at least a rudimentary disassembler, often times hex editing and reassembly features. Debuggers often allow the user to set breakpoints on instructions, function calls, and even memory locations.  A breakpoint is an instruction to the debugger that allows program execution to be halted when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution. 
  • 32. Windows Debuggers SoftICE A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006. WinDbg WinDbg is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDbg is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. Available in 32 and 64-bit versions.
  • 33. Windows Debuggers IDA Pro The multi-processor, multi-OS, interactive disassembler by DataRescue. OllyDbg OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging. Immunity Debugger Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.
  • 34. Hex Editors Hex editors are able to directly view and edit the binary of a source file, and are very useful for investigating the structure of proprietary closed-format data files. There are many hex editors in existence. This section will attempt to list some of the best, some of the most popular, or some of the most powerful.
  • 35. Windows Hex Editors wxHexEditor (Free & Open Source): A fast hex editor specially for HUGE files and disk devices, allows up to Exabyte, allow size changes (inject and deletes) without creating temp file, could view files with multiple panes, has built-in disassembler, supports tags for (reverse) engineering big binaries or file systems, could view files thru XOR encryption. http:/ / wxhexeditor. sourceforge. net/ HxD (Freeware) A fast and powerful free hex, disk and RAM editor http:/ / mh-nexus. de/ hxd/
  • 36. Assemble There are three reasons for using assembly language: speed, speed, and more speed. As the middle language between the High-level and low-level (Machine Language) Programing Language which almost of the HLL most pass throw to be an execution file. Furthermore, it’s the bridge to get the original design of the binary files. Assembly language has several benefits:  Speed. Assembly language programs are generally the fastest programs around.  Space. Assembly language programs are often the smallest.  Capability. You can do things in assembly which are difficult or impossible in HLLs.  Knowledge. Your knowledge of assembly language will help you write better programs, even when using HLLs.
  • 37. Registers The IA-32 platform processors have multiple groups of registers of different sizes. Different processors within the IA-32 platform include specialized registers. The core groups of registers available to all processors in the IA-32 family. General purpose: Eight 32-bit registers used for storing working data  Segment: Six 16-bit registers used for handling memory access  Instruction pointer: A single 32-bit register pointing to the next instruction code to execute 
  • 38. General-purpose registers EAX Accumulator for operands and results data EBX Pointer to data in the data memory segment ECX Counter for string and loop operations EDX I/O pointer EDI Data pointer for destination of string operations ESI Data pointer for source of string operations ESP Stack pointer EBP Stack data pointer
  • 39. Segment registers CS Code segment DS Data segment SS Stack segment ES Extra segment pointer FS Extra segment pointer GS Extra segment pointer
  • 40. Flags CF 0 Code segment PF 2 Data segment AF 4 Stack segment ZF 6 Extra segment pointer SF 7 Extra segment pointer OF 11 Extra segment pointer
  • 41. Logical Operators Operator Syntax Description SHR expr SHR expr Shift right SHL expr SHL expr Shift left NOT NOT expr Logical (bit by bit) NOT AND expr AND expr Logical AND OR expr OR expr Logical OR expr XOR expr Logical XOR Syntax Description expr SHR expr Shift right XOR Operator SHR
  • 42. Relational Operators Operator Syntax Description EQ expr EQ expr True (0FFh) if equal, false (0) otherwise NE expr NE expr True (0FFh) if not equal, false (0) otherwise LT expr LT expr True (0FFh) if less, false (0) otherwise LE expr LE expr True (0FFh) if less or equal, false (0) otherwise GT expr GT expr True (0FFh) if greater, false (0) otherwise GE expr GE expr True (0FFh) if greater or equal, false (0) otherwise Operator Syntax EQ Description expr EQ expr True (0FFh) if equal, false (0) otherwise
  • 43. Jump Instructions Jcc Instructions That Test Flags Instruction Condition Aliases Opposite Jump if carry Carry = 1 JB, JNAE JNC Jump if no carry Carry = 0 JNB, JAE JC Jump if zero Zero = 1 JE JNZ Jump if not zero Zero = 0 JNE JZ Jump if sign Sign = 1 - JNS JNS Jump if no sign Sign = 0 - JS JO Jump if overflow Ovrflw=1 - JNO JNO Jump if no Ovrflw Ovrflw=0 - JO Jump if parity Parity = 1 JPE JNP JPE Jump if parity even Parity = 1 JP JPO JNP Jump if no parity Parity = 0 JPO JP JPO Jump if parity odd Parity = 0 JNP JPE JC JNC JZ JNZ JS JP Description
  • 44. Jump Instructions Jcc Instructions for Unsigned Comparisons Instruction JA JNBE Description Jump if above (>) Condition Carry=0, Zero=0 Jump if not below or equal (not <=) Carry=0, Zero=0 Aliases Opposite JNBE JNA JA JBE JAE Jump if above or equal (>=) Carry = 0 JNC, JNB JNAE JNB Jump if not below (not <) Carry = 0 JNC, JAE JB Jump if below (<) Carry = 1 JC, JNAE JNB JC, JB JAE JB JNAE Jump if not above or equal (not >=) Carry = 1 JBE Jump if below or equal (<=) Carry = 1 or Zero = 1 JNA JNBE JNA Jump if not above (not >) Carry = 1 or Zero = 1 JBE JA Jump if equal (=) Zero = 1 JZ JNE Jump if not equal () Zero = 0 JNZ JE Jump if above (>) Carry=0, Zero=0 JNBE JNA JA JBE JE JNE JA JNBE Jump if not below or equal (not <=) Carry=0, Zero=0
  • 45. Jump Instructions Jcc Instructions for Signed Comparisons Instruction JG Description Condition Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE Jump if not less than or equal (not <=) JGE JNL Aliases Opposite JNLE JNG Sign = Ovrflw or Zero=0 JG JLE Jump if greater than or equal (>=) Sign = Ovrflw JNL JGE Jump if not less than (not <) Sign = Ovrflw JGE JL Jump if less than (<) Sign Ovrflw JNGE JNL Jump if not greater or equal (not >=) Sign Ovrflw JL JGE JLE Jump if less than or equal (<=) Sign Ovrflw or Zero = 1 JNG JNLE JNG Jump if not greater than (not >) Sign Ovrflw or Zero = 1 JLE JG Jump if equal (=) Zero = 1 JZ JNE JNE Jump if not equal () Zero = 0 JNZ JE JG Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE JNG Jump if not less than or equal (not <=) Sign = Ovrflw or Zero=0 JG JLE JL JNGE JE JNLE
  • 46. OllyDbg Control Bar Registers Window Disassembler Window Dump Memory Window Stack Window
  • 47. OllyDbg - Disassembler Window CommentsCommand Assemble Hex Dump Address section Information Section
  • 48. OllyDbg - Stack Window registers Instruction Pointer Register Segment registers Flags Additional registers
  • 49. Recourse for the RE tools http://www.openrce.org/  http://www.at4re.com/  http://www.ollydbg.de/  http://www.tuts4you.com/  http://www.peid.info/ 
  • 50. Eilam, Eldad. "Reversing: Secrets of Reverse Engineering." 2005. Wiley Publishing Inc. ISBN 0764574817  Raja, Vinesh II. Fernandes, Kiran J. "Reverse Engineering An Industrial Perspective" 2008. Springer Series in Advanced Manufacturing .ISBN 978-1-84628-855-5  Hyde, Randall. "The Art of Assembly Language," No Starch, 2003 ISBN 1886411972  Blum, Richard. “Professional Assembly Language”, 2005. Wiley Publishing, Inc. ISBN: 0-7645-7901-0 