SlideShare a Scribd company logo

Revers engineering

Download as PPTX, PDF
AbdusSalam ALJBRI
AbdusSalam ALJBRI

Reverse engineering is the process of extracting the knowledge or design blueprints from anything man-made. and this is explanation of the Concept and Programming Understanding

EducationTechnology
1 of 51
Concept and Programing Understanding Dhamar University© 2012 Abdulsalam Aljbri
What’s Revers Engineering? Reverse engineering is the process of extracting the knowledge or design blueprints from anything manmade. [1]  Reverse engineering in the realm of software is the process of taking a functioning, fully-developed piece of software and, based on the functionality it demonstrates, re-discovering the original source code either through a manual but more often through an automated process. Decompression and disassembly are also synonyms for reverse engineering. [2] 
Reverse Engineering and Forward Engineering Chikofsky and Cross (1990) define reverse engineering and forward engineering:  Reverse engineering: “the process of analyzing a subject system to (i) identify the system’s components and their interrelationships and (ii) create representations of the system in another form or at a higher level of abstraction”  Forward engineering: “the traditional process of moving from high-level abstractions and logical, implementation-independent designs to the physical implementation of a system”
What are Disassembler and Decompilers ? In essence, a disassembler is the exact opposite of an assembler. Where an assembler converts code written in an assembly language into binary machine code, a disassembler reverses the process and attempts to recreate the assembly code from the binary machine code.  Since most assembly languages have a one-to-one correspondence with underlying machine instructions, the process of disassembly is relatively straight-forward, and a basic disassembler can often be implemented simply by reading in bytes, and performing a table lookup.  Akin to Disassembly, Decompilers take the process a step further and actually try to reproduce the code in a high level language. Frequently, this high level language is C, because C is simple and primitive enough to facilitate the decompilation process. 
Why Reverse Engineering? standard practice for replicate or repair a worn component when original data or specifications are unavailable.  The original product design documentation has been lost or never existed.  Creating data to refurbish or manufacture a part for which there are no CAD data, or for which the data have become obsolete or lost.  Analyzing the good and bad features of competitors’ products. 
Where Reverse Engineering? Medical.  Chemistry.  Industrial Development.  Military Applications.  Computer Science.  Many others fields. 
When Reverse Engineering?         Developing the old or legacy products. Remodeling the original structure of the Products. Tracking the errors especial the Runtime Errors. Analysis and Enhancing Network Protocols. Extracting or discovering an Algorithms which was written in the Close Program. Edit the original code for another purpose without having the source code. Cracking the Programs or reproduce the Key generator. Finding malicious code: using reverse engineering to understand how abhorrent code is structured and functions.
Files Format Most file formats begin with header, a few bytes that describe the file type and version. The bytes which describe the file type called “Magic Number” or “File Signature”. This signature always becomes on the beginning of the file. The size of those magic numbers depends on the file itself. Those magic numbers one of the most important thing in the recovering data from the hard disk when it deleted from the desk.
Example of the Formats PDF file format 25 50 44 46 %PDF PNG file format 89 50 4E 47 .PNG RAR file format 52 61 72 21 1A 07 00 Rar!...
Reverse engineering and related process Requirements Reverse engineering Design Recovery Design Reverse engineering Design Recovery Implementation Forward engineering Restructuring Forward engineering Redocumentation Restructuring
Execution Files MS-DOS COM Files  MS-DOS EXE Files  PE Files  * Relative Virtual Addressing (RVA) 
MS-DOS COM Files COM files are loaded into RAM exactly as they appear; no change is made at all from the hard disk image to RAM. This is possible due to the 20-bit memory model of the early x86 line. Two 16-bit registers would have to be set, one dividing the 1MB+64K memory space into 65536 'segments' and one specifying an offset from that. The segment register would be set by DOS and the COM file would be expected to respect this setting and not ever change the segment registers. The offset registers, however, were free game and served (for COM files) the same purpose as a modern 32-bit register. The downside was that the offset registers were only 16-bit and, therefore, since COM files could not change the segment registers, COM files were limited to using 64K of RAM.
MS-DOS COM Files The good thing about this approach, however, was that no extra work was needed by DOS to load and run a COM file: just load the file, set the segment register, and jmp to it. (The programs could perform 'near' jumps by just giving an offset to jump too.) COM files are loaded into RAM at offset $100. The space before that would be used for passing data to and from DOS (for example, the contents of the command line used to invoke the program). Note that COM files, by definition, cannot be 32-bit. Windows provides support for COM files via a special CPU mode.
MS-DOS EXE Files One way MS-DOS compilers got around the 64k memory limitation was with the introduction of memory models. The basic concept is to cleverly set different segment registers in the x86 CPU (CS, DS, ES, SS) to point to the same or different segments, thus allowing varying degrees of access to memory. Typical memory models were:  Tiny All memory access are 16-bit (never reload any segment register). Produces a .COM file instead of an .EXE file.  Small All memory access are 16-bit (never reload any segment register).  Compact accesses to the code segment reload the CS register, allowing 32-bit of code. Data accesses don't reload the DS, ES, SS registers, allowing 16-bit of data.
MS-DOS EXE Files  Medium accesses to the data segment reload the DS, ES, SS register, allowing 32-bit of data. Code accesses don't reload the CS register, allowing 16-bit of code.  Large both code and data accesses use the segment registers (CS for code, DS, ES, SS for data), allowing 32-bit of code and 32-bit of data.  Huge same as the large model, with additional arithmetic being generated by the compiler to allow access to arrays larger than 64k. When looking at a COM file, one has to decide which memory model was used to build that file.
PE Files A Portable Executable (PE) file is the standard binary file format for an Executable or DLL under Windows NT, Windows 95, and Win32. The Win32 SDK contains a file, winnt.h, which declares various structs and variables used in the PE files. Some functions for manipulating PE files are also included in imagehlp.dll. PE files are broken down into various sections which can be examined.
Relative Virtual Addressing (RVA) In a Windows environment, executable modules can be loaded at any point in memory, and are expected to run without problem. To allow multiple programs to be loaded at seemingly random locations in memory, PE files have adopted a tool called RVA: Relative Virtual Addresses. RVA's assume that the "base address" of where a module is loaded into memory is not known at compile time. So, PE files describe the location of data in memory as an offset from the base address, wherever that may be in memory. Some processor instructions require the code itself to directly identify where in memory some data is. This is not possible when the location of the module in memory is not known at compile time. The solution to this problem is described in the section on "Relocations". It is important to remember that the addresses obtained from a disassembly of a module will not always match up to the addresses seen in a debugger as the program is running.
File Format The PE portable executable file format includes a number of informational headers, and is arranged in the following format: DOS header PE Header COFF Header Optional Header Section Table Mappable Section
DOS header The first 2 letters are always the letters "MZ“ which call Magic Number, File ID, or File Signature. After the File ID, the hex editor will show several bytes of either random-looking symbols, or whitespace, before the human-readable string "This program cannot be run in DOS mode". What is this? Microsoft has engineered a series of DOS instructions into the head of each PE file. When a 32-bit Windows file is run in a 16-bit DOS environment, the program will terminate immediately with the error message: "This program cannot be run in DOS mode".
DOS header The DOS header is also known by some as the EXE header. Here is the DOS header presented as a C data structure -> Immediately following the DOS Header will be the classic error message "This program cannot be run in DOS mode". struct DOS_Header { char signature[2] = "MZ"; short lastsize; short nblocks; short nreloc; short hdrsize; short minalloc; short maxalloc; void *ss; void *sp; short checksum; void *ip; void *cs; short relocpos; short noverlay; short reserved1[4]; short oem_id; short oem_info; short reserved2[10]; long e_lfanew; }
PE Header At offset 60 from the beginning of the DOS header is a pointer to the Portable Executable (PE) File header. DOS will print the error message and terminate, but Windows will follow this pointer to the next batch of information. The PE header consists only of a File ID signature, with the value "PE00" where each '0' character is an ASCII NUL character. This signature shows that a) this file is a legitimate PE file, and b) the byte order of the file. Byte order will not be considered in this chapter, and all PE files are assumed to be in "little endian" format. The first big chunk of information lies in the COFF header, directly after the PE signature.
COFF Header The COFF header is present in both COFF object files (before they are linked) and in PE files where it is known as the "File header". The COFF header has some information that is useful to an executable, and some information that is more useful to an object file.      Machine Thisstruct COFFHeader { machine the file was compiled for. A field determines what hex value of 0x14Cshort Machine; is the code for an Intel 80386. (332 in decimal) NumberOfSections The number of sections that are described at the end short NumberOfSections; of the PE headers. long TimeDateStamp; long time at which this header TimeDateStamp 32 bit PointerToSymbolTable; was generated: is used in long NumberOfSymbols; the process of "Binding", see below. short this field shows how SizeOfOptionalHeader SizeOfOptionalHeader; long the "PE Optional short Characteristics; Header" is that follows the COFF header. } Characteristics This is a field of bit flags, that show some characteristics of the file.0x02 = Executable file, 0x200 = file is non-relocatable (addresses are absolute, not RVA), 0x2000 = File is a DLL Library, not an EXE.
Code Sections The PE Header defines the number of sections in the executable file. Each section definition is 40 bytes in length. The structure of the section descriptor is as follows: Offset Length Purpose 0x00 8 bytes Section Name (e.g .text .data .bss ) 0x08 4 bytes Size of the section once it is loaded to memory 0x0C 4 bytes RVA (location) of section once it is loaded to memory 0x10 4 bytes Physical size of section on disk 0x14 4 bytes Physical location of section on disk (from start of disk image) 0x18 12 bytes Reserved (usually zero) (used in object formats) 0x24 4 bytes Section flags
Windows DLL Files Windows DLL files are a brand of PE file with a few key differences:  A .DLL file extension  A DLLMain() entry point, instead of a WinMain() or main().  The DLL flag set in the PE header. DLLs may be loaded in one of two ways, a) at load-time, or b) by calling the LoadModule() Win32 API function.
Function Exports Functions are exported from a DLL file by using the following syntax: __declspec(dllexport) void MyFunction() ... The "__declspec" keyword here is not a C language standard, but is implemented by many compilers to set extendable, compiler-specific options for functions and variables. Microsoft C Compiler and GCC versions that run on windows allow for the __declspec keyword, and the dllexport property. Functions may also be exported from regular .exe files, and .exe files with exported functions may be called dynamically in a similar manner to .dll files. This is a rare occurrence, however.
Identifying DLL Exports There are several ways to determine which functions are exported by a DLL. The method that this book will use (often implicitly) is to use dumpbin in the following manner: dumpbin /EXPORTS <dll file> This will post a list of the function exports, along with their ordinal and RVA to the console.
Function Imports In a similar manner to function exports, a program may import a function from an external DLL file. The dll file will load into the process memory when the program is started, and the function will be used like a local function. DLL imports need to be prototyped in the following manner, for the compiler and linker to recognize that the function is coming from an external library: __declspec(dllimport) void MyFunction();
Identifying DLL Imports If is often useful to determine which functions are imported from external libraries when examining a program. To list import files to the console, use dumpbin in the following manner __declspec(dllimport) void MyFunction(); You can also use depends.exe to list imported and exported functions. Depends is a GUI tool and comes with Microsoft Platform SDK.
Analysis Tools Debuggers  Hex Editors  Resource Monitors  API Monitors  PE File Header dumpers 
Debuggers Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.  Advanced debuggers often contain at least a rudimentary disassembler, often times hex editing and reassembly features. Debuggers often allow the user to set breakpoints on instructions, function calls, and even memory locations.  A breakpoint is an instruction to the debugger that allows program execution to be halted when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution. 
Windows Debuggers SoftICE A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006. WinDbg WinDbg is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDbg is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. Available in 32 and 64-bit versions.
Windows Debuggers IDA Pro The multi-processor, multi-OS, interactive disassembler by DataRescue. OllyDbg OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging. Immunity Debugger Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.
Hex Editors Hex editors are able to directly view and edit the binary of a source file, and are very useful for investigating the structure of proprietary closed-format data files. There are many hex editors in existence. This section will attempt to list some of the best, some of the most popular, or some of the most powerful.
Windows Hex Editors wxHexEditor (Free & Open Source): A fast hex editor specially for HUGE files and disk devices, allows up to Exabyte, allow size changes (inject and deletes) without creating temp file, could view files with multiple panes, has built-in disassembler, supports tags for (reverse) engineering big binaries or file systems, could view files thru XOR encryption. http:/ / wxhexeditor. sourceforge. net/ HxD (Freeware) A fast and powerful free hex, disk and RAM editor http:/ / mh-nexus. de/ hxd/
Assemble There are three reasons for using assembly language: speed, speed, and more speed. As the middle language between the High-level and low-level (Machine Language) Programing Language which almost of the HLL most pass throw to be an execution file. Furthermore, it’s the bridge to get the original design of the binary files. Assembly language has several benefits:  Speed. Assembly language programs are generally the fastest programs around.  Space. Assembly language programs are often the smallest.  Capability. You can do things in assembly which are difficult or impossible in HLLs.  Knowledge. Your knowledge of assembly language will help you write better programs, even when using HLLs.
Registers The IA-32 platform processors have multiple groups of registers of different sizes. Different processors within the IA-32 platform include specialized registers. The core groups of registers available to all processors in the IA-32 family. General purpose: Eight 32-bit registers used for storing working data  Segment: Six 16-bit registers used for handling memory access  Instruction pointer: A single 32-bit register pointing to the next instruction code to execute 
General-purpose registers EAX Accumulator for operands and results data EBX Pointer to data in the data memory segment ECX Counter for string and loop operations EDX I/O pointer EDI Data pointer for destination of string operations ESI Data pointer for source of string operations ESP Stack pointer EBP Stack data pointer
Segment registers CS Code segment DS Data segment SS Stack segment ES Extra segment pointer FS Extra segment pointer GS Extra segment pointer
Flags CF 0 Code segment PF 2 Data segment AF 4 Stack segment ZF 6 Extra segment pointer SF 7 Extra segment pointer OF 11 Extra segment pointer
Logical Operators Operator Syntax Description SHR expr SHR expr Shift right SHL expr SHL expr Shift left NOT NOT expr Logical (bit by bit) NOT AND expr AND expr Logical AND OR expr OR expr Logical OR expr XOR expr Logical XOR Syntax Description expr SHR expr Shift right XOR Operator SHR
Relational Operators Operator Syntax Description EQ expr EQ expr True (0FFh) if equal, false (0) otherwise NE expr NE expr True (0FFh) if not equal, false (0) otherwise LT expr LT expr True (0FFh) if less, false (0) otherwise LE expr LE expr True (0FFh) if less or equal, false (0) otherwise GT expr GT expr True (0FFh) if greater, false (0) otherwise GE expr GE expr True (0FFh) if greater or equal, false (0) otherwise Operator Syntax EQ Description expr EQ expr True (0FFh) if equal, false (0) otherwise
Jump Instructions Jcc Instructions That Test Flags Instruction Condition Aliases Opposite Jump if carry Carry = 1 JB, JNAE JNC Jump if no carry Carry = 0 JNB, JAE JC Jump if zero Zero = 1 JE JNZ Jump if not zero Zero = 0 JNE JZ Jump if sign Sign = 1 - JNS JNS Jump if no sign Sign = 0 - JS JO Jump if overflow Ovrflw=1 - JNO JNO Jump if no Ovrflw Ovrflw=0 - JO Jump if parity Parity = 1 JPE JNP JPE Jump if parity even Parity = 1 JP JPO JNP Jump if no parity Parity = 0 JPO JP JPO Jump if parity odd Parity = 0 JNP JPE JC JNC JZ JNZ JS JP Description
Jump Instructions Jcc Instructions for Unsigned Comparisons Instruction JA JNBE Description Jump if above (>) Condition Carry=0, Zero=0 Jump if not below or equal (not <=) Carry=0, Zero=0 Aliases Opposite JNBE JNA JA JBE JAE Jump if above or equal (>=) Carry = 0 JNC, JNB JNAE JNB Jump if not below (not <) Carry = 0 JNC, JAE JB Jump if below (<) Carry = 1 JC, JNAE JNB JC, JB JAE JB JNAE Jump if not above or equal (not >=) Carry = 1 JBE Jump if below or equal (<=) Carry = 1 or Zero = 1 JNA JNBE JNA Jump if not above (not >) Carry = 1 or Zero = 1 JBE JA Jump if equal (=) Zero = 1 JZ JNE Jump if not equal () Zero = 0 JNZ JE Jump if above (>) Carry=0, Zero=0 JNBE JNA JA JBE JE JNE JA JNBE Jump if not below or equal (not <=) Carry=0, Zero=0
Jump Instructions Jcc Instructions for Signed Comparisons Instruction JG Description Condition Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE Jump if not less than or equal (not <=) JGE JNL Aliases Opposite JNLE JNG Sign = Ovrflw or Zero=0 JG JLE Jump if greater than or equal (>=) Sign = Ovrflw JNL JGE Jump if not less than (not <) Sign = Ovrflw JGE JL Jump if less than (<) Sign Ovrflw JNGE JNL Jump if not greater or equal (not >=) Sign Ovrflw JL JGE JLE Jump if less than or equal (<=) Sign Ovrflw or Zero = 1 JNG JNLE JNG Jump if not greater than (not >) Sign Ovrflw or Zero = 1 JLE JG Jump if equal (=) Zero = 1 JZ JNE JNE Jump if not equal () Zero = 0 JNZ JE JG Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE JNG Jump if not less than or equal (not <=) Sign = Ovrflw or Zero=0 JG JLE JL JNGE JE JNLE
OllyDbg Control Bar Registers Window Disassembler Window Dump Memory Window Stack Window
OllyDbg - Disassembler Window CommentsCommand Assemble Hex Dump Address section Information Section
OllyDbg - Stack Window registers Instruction Pointer Register Segment registers Flags Additional registers
Recourse for the RE tools http://www.openrce.org/  http://www.at4re.com/  http://www.ollydbg.de/  http://www.tuts4you.com/  http://www.peid.info/ 
Eilam, Eldad. "Reversing: Secrets of Reverse Engineering." 2005. Wiley Publishing Inc. ISBN 0764574817  Raja, Vinesh II. Fernandes, Kiran J. "Reverse Engineering An Industrial Perspective" 2008. Springer Series in Advanced Manufacturing .ISBN 978-1-84628-855-5  Hyde, Randall. "The Art of Assembly Language," No Starch, 2003 ISBN 1886411972  Blum, Richard. “Professional Assembly Language”, 2005. Wiley Publishing, Inc. ISBN: 0-7645-7901-0 
Revers engineering

Recommended

Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineeringKrishs Patil
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringSaswat Padhi
 
resume_v36
resume_v36resume_v36
resume_v36Zhiqiang Liu
 
Making reverse engineering fun
Making reverse engineering funMaking reverse engineering fun
Making reverse engineering funn|u - The Open Security Community
 
Fel Flyer F11
Fel Flyer F11Fel Flyer F11
Fel Flyer F11chitlesh
 
Embedded C - Lecture 1
Embedded C - Lecture 1Embedded C - Lecture 1
Embedded C - Lecture 1Mohamed Abdallah
 
Embedded _c_
Embedded _c_Embedded _c_
Embedded _c_Moorthy Peesapati
 
Embedded c c++ programming fundamentals master
Embedded c c++ programming fundamentals masterEmbedded c c++ programming fundamentals master
Embedded c c++ programming fundamentals masterHossam Hassan
 

Recommended

Reverse code engineering
Reverse code engineeringReverse code engineering
Reverse code engineeringKrishs Patil
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringSaswat Padhi
 
resume_v36
resume_v36resume_v36
resume_v36Zhiqiang Liu
 
Making reverse engineering fun
Making reverse engineering funMaking reverse engineering fun
Making reverse engineering funn|u - The Open Security Community
 
Fel Flyer F11
Fel Flyer F11Fel Flyer F11
Fel Flyer F11chitlesh
 
Embedded C - Lecture 1
Embedded C - Lecture 1Embedded C - Lecture 1
Embedded C - Lecture 1Mohamed Abdallah
 
Embedded _c_
Embedded _c_Embedded _c_
Embedded _c_Moorthy Peesapati
 
Embedded c c++ programming fundamentals master
Embedded c c++ programming fundamentals masterEmbedded c c++ programming fundamentals master
Embedded c c++ programming fundamentals masterHossam Hassan
 
FEL Flyer F12
FEL Flyer F12FEL Flyer F12
FEL Flyer F12chitlesh
 
C programming session 14
C programming session 14C programming session 14
C programming session 14AjayBahoriya
 
WhitePaperTemplate
WhitePaperTemplateWhitePaperTemplate
WhitePaperTemplateJo Marques
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
Interview Question of Aspdotnet
Interview Question of AspdotnetInterview Question of Aspdotnet
Interview Question of AspdotnetMohitKumar1985
 
Shravani_Nerella
Shravani_NerellaShravani_Nerella
Shravani_NerellaShravani Nerella
 
Reversing and Patching Machine Code
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine CodeTeodoro Cipresso
 
Denis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python PerformanceDenis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python PerformanceSergey Arkhipov
 
Advanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenchesAdvanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenchesVaclav Pech
 
Safe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereAdaCore
 
verification resume
verification resumeverification resume
verification resumevishwanath swamy
 
TULIKA KESHRI (1)
TULIKA KESHRI (1)TULIKA KESHRI (1)
TULIKA KESHRI (1)Tulika Keshri
 
Vasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python ProfilingVasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python ProfilingSergey Arkhipov
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resumeChing-Tsun Chou
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) ijceronline
 
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...Pradeep Singh
 
Build Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMNational Cheng Kung University
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
Reverse engineering power point!
Reverse engineering power point!Reverse engineering power point!
Reverse engineering power point!foy8447
 
Transistor2015
Transistor2015Transistor2015
Transistor2015KMohamed92
 

More Related Content

What's hot

FEL Flyer F12
FEL Flyer F12FEL Flyer F12
FEL Flyer F12chitlesh
 
C programming session 14
C programming session 14C programming session 14
C programming session 14AjayBahoriya
 
WhitePaperTemplate
WhitePaperTemplateWhitePaperTemplate
WhitePaperTemplateJo Marques
 
Interview Question of Aspdotnet
Interview Question of AspdotnetInterview Question of Aspdotnet
Interview Question of AspdotnetMohitKumar1985
 
Reversing and Patching Machine Code
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine CodeTeodoro Cipresso
 
Denis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python PerformanceDenis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python PerformanceSergey Arkhipov
 
Advanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenchesAdvanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenchesVaclav Pech
 
Safe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereAdaCore
 
Vasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python ProfilingVasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python ProfilingSergey Arkhipov
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) ijceronline
 
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...Pradeep Singh
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 

What's hot (20)

FEL Flyer F12
FEL Flyer F12FEL Flyer F12
FEL Flyer F12
 
C programming session 14
C programming session 14C programming session 14
C programming session 14
 
WhitePaperTemplate
WhitePaperTemplateWhitePaperTemplate
WhitePaperTemplate
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
Interview Question of Aspdotnet
Interview Question of AspdotnetInterview Question of Aspdotnet
Interview Question of Aspdotnet
 
Shravani_Nerella
Shravani_NerellaShravani_Nerella
Shravani_Nerella
 
Reversing and Patching Machine Code
Reversing and Patching Machine CodeReversing and Patching Machine Code
Reversing and Patching Machine Code
 
Denis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python PerformanceDenis Nagorny - Pumping Python Performance
Denis Nagorny - Pumping Python Performance
 
Advanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenchesAdvanced IDE functionality in modern language workbenches
Advanced IDE functionality in modern language workbenches
 
Safe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get ThereSafe and Reliable Embedded Linux Programming: How to Get There
Safe and Reliable Embedded Linux Programming: How to Get There
 
verification resume
verification resumeverification resume
verification resume
 
TULIKA KESHRI (1)
TULIKA KESHRI (1)TULIKA KESHRI (1)
TULIKA KESHRI (1)
 
Vasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python ProfilingVasiliy Litvinov - Python Profiling
Vasiliy Litvinov - Python Profiling
 
ctchou-resume
ctchou-resumectchou-resume
ctchou-resume
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
Development of Signal Processing Algorithms using OpenCL for FPGA based Archi...
 
Build Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVM
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 

Viewers also liked

Reverse engineering power point!
Reverse engineering power point!Reverse engineering power point!
Reverse engineering power point!foy8447
 
Transistor2015
Transistor2015Transistor2015
Transistor2015KMohamed92
 
Analyse technique du service par Guillaume BREVET
Analyse technique du service par Guillaume BREVETAnalyse technique du service par Guillaume BREVET
Analyse technique du service par Guillaume BREVETjc WECKERLE
 
Reengineering including reverse & forward Engineering
Reengineering including reverse & forward EngineeringReengineering including reverse & forward Engineering
Reengineering including reverse & forward EngineeringMuhammad Chaudhry
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse EngineeringDobromir Enchev
 
Software re engineering
Software re engineeringSoftware re engineering
Software re engineeringdeshpandeamrut
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringYuffie Valen
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringananya0122
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineeringdswanson
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its applicationmapqrs
 

Viewers also liked (13)

Reverse engineering power point!
Reverse engineering power point!Reverse engineering power point!
Reverse engineering power point!
 
Transistor2015
Transistor2015Transistor2015
Transistor2015
 
Page layout
Page layoutPage layout
Page layout
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Analyse technique du service par Guillaume BREVET
Analyse technique du service par Guillaume BREVETAnalyse technique du service par Guillaume BREVET
Analyse technique du service par Guillaume BREVET
 
Reengineering including reverse & forward Engineering
Reengineering including reverse & forward EngineeringReengineering including reverse & forward Engineering
Reengineering including reverse & forward Engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Software re engineering
Software re engineeringSoftware re engineering
Software re engineering
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineering
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
 

Similar to Revers engineering

Source vs object code
Source vs object codeSource vs object code
Source vs object codeSana Ullah
 
Arm based controller - basic bootcamp
Arm based controller - basic bootcampArm based controller - basic bootcamp
Arm based controller - basic bootcampRoy Messinger
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008guestd9065
 
What Have We Lost - A look at some historical techniques
What Have We Lost - A look at some historical techniquesWhat Have We Lost - A look at some historical techniques
What Have We Lost - A look at some historical techniquesLloydMoore
 
Itroduction about java
Itroduction about javaItroduction about java
Itroduction about javasrmohan06
 
Creating user-mode debuggers for Windows
Creating user-mode debuggers for WindowsCreating user-mode debuggers for Windows
Creating user-mode debuggers for WindowsMithun Shanbhag
 
Ms dos commands for Multimedia Students and Facultyes
Ms dos commands for Multimedia Students and FacultyesMs dos commands for Multimedia Students and Facultyes
Ms dos commands for Multimedia Students and FacultyesSEO SKills
 
Codescape Debugger 8
Codescape Debugger 8Codescape Debugger 8
Codescape Debugger 8Damien Ruscoe
 
Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)myanddy
 
Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)myanddy
 
Assignment#1 Mapacpac, F M P (Cs3112 Os)
Assignment#1 Mapacpac, F M P (Cs3112 Os)Assignment#1 Mapacpac, F M P (Cs3112 Os)
Assignment#1 Mapacpac, F M P (Cs3112 Os)dyandmy
 
Cartilla en ingles
Cartilla en inglesCartilla en ingles
Cartilla en inglesanderson
 

Similar to Revers engineering (20)

Source vs object code
Source vs object codeSource vs object code
Source vs object code
 
Arm based controller - basic bootcamp
Arm based controller - basic bootcampArm based controller - basic bootcamp
Arm based controller - basic bootcamp
 
Linking in MS-Dos System
Linking in MS-Dos SystemLinking in MS-Dos System
Linking in MS-Dos System
 
Ghel os
Ghel osGhel os
Ghel os
 
Ghel os
Ghel osGhel os
Ghel os
 
Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008Purdue CS354 Operating Systems 2008
Purdue CS354 Operating Systems 2008
 
What Have We Lost - A look at some historical techniques
What Have We Lost - A look at some historical techniquesWhat Have We Lost - A look at some historical techniques
What Have We Lost - A look at some historical techniques
 
Itroduction about java
Itroduction about javaItroduction about java
Itroduction about java
 
A
AA
A
 
Mp &mc programs
Mp &mc programsMp &mc programs
Mp &mc programs
 
Creating user-mode debuggers for Windows
Creating user-mode debuggers for WindowsCreating user-mode debuggers for Windows
Creating user-mode debuggers for Windows
 
Ms dos
Ms dosMs dos
Ms dos
 
Ms dos commands for Multimedia Students and Facultyes
Ms dos commands for Multimedia Students and FacultyesMs dos commands for Multimedia Students and Facultyes
Ms dos commands for Multimedia Students and Facultyes
 
Codescape Debugger 8
Codescape Debugger 8Codescape Debugger 8
Codescape Debugger 8
 
Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)
 
Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)Assignment#1 lograbo, s.f. (cs3112-os)
Assignment#1 lograbo, s.f. (cs3112-os)
 
IDAPRO
IDAPROIDAPRO
IDAPRO
 
Assignment#1 Mapacpac, F M P (Cs3112 Os)
Assignment#1 Mapacpac, F M P (Cs3112 Os)Assignment#1 Mapacpac, F M P (Cs3112 Os)
Assignment#1 Mapacpac, F M P (Cs3112 Os)
 
Cartilla en ingles
Cartilla en inglesCartilla en ingles
Cartilla en ingles
 
Cao 2012
Cao 2012Cao 2012
Cao 2012
 

Recently uploaded

Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 

Recently uploaded (20)

Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 

Revers engineering

  • 1. Concept and Programing Understanding Dhamar University© 2012 Abdulsalam Aljbri
  • 2. What’s Revers Engineering? Reverse engineering is the process of extracting the knowledge or design blueprints from anything manmade. [1]  Reverse engineering in the realm of software is the process of taking a functioning, fully-developed piece of software and, based on the functionality it demonstrates, re-discovering the original source code either through a manual but more often through an automated process. Decompression and disassembly are also synonyms for reverse engineering. [2] 
  • 3. Reverse Engineering and Forward Engineering Chikofsky and Cross (1990) define reverse engineering and forward engineering:  Reverse engineering: “the process of analyzing a subject system to (i) identify the system’s components and their interrelationships and (ii) create representations of the system in another form or at a higher level of abstraction”  Forward engineering: “the traditional process of moving from high-level abstractions and logical, implementation-independent designs to the physical implementation of a system”
  • 4. What are Disassembler and Decompilers ? In essence, a disassembler is the exact opposite of an assembler. Where an assembler converts code written in an assembly language into binary machine code, a disassembler reverses the process and attempts to recreate the assembly code from the binary machine code.  Since most assembly languages have a one-to-one correspondence with underlying machine instructions, the process of disassembly is relatively straight-forward, and a basic disassembler can often be implemented simply by reading in bytes, and performing a table lookup.  Akin to Disassembly, Decompilers take the process a step further and actually try to reproduce the code in a high level language. Frequently, this high level language is C, because C is simple and primitive enough to facilitate the decompilation process. 
  • 5. Why Reverse Engineering? standard practice for replicate or repair a worn component when original data or specifications are unavailable.  The original product design documentation has been lost or never existed.  Creating data to refurbish or manufacture a part for which there are no CAD data, or for which the data have become obsolete or lost.  Analyzing the good and bad features of competitors’ products. 
  • 6. Where Reverse Engineering? Medical.  Chemistry.  Industrial Development.  Military Applications.  Computer Science.  Many others fields. 
  • 7. When Reverse Engineering?         Developing the old or legacy products. Remodeling the original structure of the Products. Tracking the errors especial the Runtime Errors. Analysis and Enhancing Network Protocols. Extracting or discovering an Algorithms which was written in the Close Program. Edit the original code for another purpose without having the source code. Cracking the Programs or reproduce the Key generator. Finding malicious code: using reverse engineering to understand how abhorrent code is structured and functions.
  • 8. Files Format Most file formats begin with header, a few bytes that describe the file type and version. The bytes which describe the file type called “Magic Number” or “File Signature”. This signature always becomes on the beginning of the file. The size of those magic numbers depends on the file itself. Those magic numbers one of the most important thing in the recovering data from the hard disk when it deleted from the desk.
  • 9.
  • 10. Example of the Formats PDF file format 25 50 44 46 %PDF PNG file format 89 50 4E 47 .PNG RAR file format 52 61 72 21 1A 07 00 Rar!...
  • 11. Reverse engineering and related process Requirements Reverse engineering Design Recovery Design Reverse engineering Design Recovery Implementation Forward engineering Restructuring Forward engineering Redocumentation Restructuring
  • 12. Execution Files MS-DOS COM Files  MS-DOS EXE Files  PE Files  * Relative Virtual Addressing (RVA) 
  • 13. MS-DOS COM Files COM files are loaded into RAM exactly as they appear; no change is made at all from the hard disk image to RAM. This is possible due to the 20-bit memory model of the early x86 line. Two 16-bit registers would have to be set, one dividing the 1MB+64K memory space into 65536 'segments' and one specifying an offset from that. The segment register would be set by DOS and the COM file would be expected to respect this setting and not ever change the segment registers. The offset registers, however, were free game and served (for COM files) the same purpose as a modern 32-bit register. The downside was that the offset registers were only 16-bit and, therefore, since COM files could not change the segment registers, COM files were limited to using 64K of RAM.
  • 14. MS-DOS COM Files The good thing about this approach, however, was that no extra work was needed by DOS to load and run a COM file: just load the file, set the segment register, and jmp to it. (The programs could perform 'near' jumps by just giving an offset to jump too.) COM files are loaded into RAM at offset $100. The space before that would be used for passing data to and from DOS (for example, the contents of the command line used to invoke the program). Note that COM files, by definition, cannot be 32-bit. Windows provides support for COM files via a special CPU mode.
  • 15. MS-DOS EXE Files One way MS-DOS compilers got around the 64k memory limitation was with the introduction of memory models. The basic concept is to cleverly set different segment registers in the x86 CPU (CS, DS, ES, SS) to point to the same or different segments, thus allowing varying degrees of access to memory. Typical memory models were:  Tiny All memory access are 16-bit (never reload any segment register). Produces a .COM file instead of an .EXE file.  Small All memory access are 16-bit (never reload any segment register).  Compact accesses to the code segment reload the CS register, allowing 32-bit of code. Data accesses don't reload the DS, ES, SS registers, allowing 16-bit of data.
  • 16. MS-DOS EXE Files  Medium accesses to the data segment reload the DS, ES, SS register, allowing 32-bit of data. Code accesses don't reload the CS register, allowing 16-bit of code.  Large both code and data accesses use the segment registers (CS for code, DS, ES, SS for data), allowing 32-bit of code and 32-bit of data.  Huge same as the large model, with additional arithmetic being generated by the compiler to allow access to arrays larger than 64k. When looking at a COM file, one has to decide which memory model was used to build that file.
  • 17. PE Files A Portable Executable (PE) file is the standard binary file format for an Executable or DLL under Windows NT, Windows 95, and Win32. The Win32 SDK contains a file, winnt.h, which declares various structs and variables used in the PE files. Some functions for manipulating PE files are also included in imagehlp.dll. PE files are broken down into various sections which can be examined.
  • 18. Relative Virtual Addressing (RVA) In a Windows environment, executable modules can be loaded at any point in memory, and are expected to run without problem. To allow multiple programs to be loaded at seemingly random locations in memory, PE files have adopted a tool called RVA: Relative Virtual Addresses. RVA's assume that the "base address" of where a module is loaded into memory is not known at compile time. So, PE files describe the location of data in memory as an offset from the base address, wherever that may be in memory. Some processor instructions require the code itself to directly identify where in memory some data is. This is not possible when the location of the module in memory is not known at compile time. The solution to this problem is described in the section on "Relocations". It is important to remember that the addresses obtained from a disassembly of a module will not always match up to the addresses seen in a debugger as the program is running.
  • 19. File Format The PE portable executable file format includes a number of informational headers, and is arranged in the following format: DOS header PE Header COFF Header Optional Header Section Table Mappable Section
  • 20. DOS header The first 2 letters are always the letters "MZ“ which call Magic Number, File ID, or File Signature. After the File ID, the hex editor will show several bytes of either random-looking symbols, or whitespace, before the human-readable string "This program cannot be run in DOS mode". What is this? Microsoft has engineered a series of DOS instructions into the head of each PE file. When a 32-bit Windows file is run in a 16-bit DOS environment, the program will terminate immediately with the error message: "This program cannot be run in DOS mode".
  • 21. DOS header The DOS header is also known by some as the EXE header. Here is the DOS header presented as a C data structure -> Immediately following the DOS Header will be the classic error message "This program cannot be run in DOS mode". struct DOS_Header { char signature[2] = "MZ"; short lastsize; short nblocks; short nreloc; short hdrsize; short minalloc; short maxalloc; void *ss; void *sp; short checksum; void *ip; void *cs; short relocpos; short noverlay; short reserved1[4]; short oem_id; short oem_info; short reserved2[10]; long e_lfanew; }
  • 22. PE Header At offset 60 from the beginning of the DOS header is a pointer to the Portable Executable (PE) File header. DOS will print the error message and terminate, but Windows will follow this pointer to the next batch of information. The PE header consists only of a File ID signature, with the value "PE00" where each '0' character is an ASCII NUL character. This signature shows that a) this file is a legitimate PE file, and b) the byte order of the file. Byte order will not be considered in this chapter, and all PE files are assumed to be in "little endian" format. The first big chunk of information lies in the COFF header, directly after the PE signature.
  • 23. COFF Header The COFF header is present in both COFF object files (before they are linked) and in PE files where it is known as the "File header". The COFF header has some information that is useful to an executable, and some information that is more useful to an object file.      Machine Thisstruct COFFHeader { machine the file was compiled for. A field determines what hex value of 0x14Cshort Machine; is the code for an Intel 80386. (332 in decimal) NumberOfSections The number of sections that are described at the end short NumberOfSections; of the PE headers. long TimeDateStamp; long time at which this header TimeDateStamp 32 bit PointerToSymbolTable; was generated: is used in long NumberOfSymbols; the process of "Binding", see below. short this field shows how SizeOfOptionalHeader SizeOfOptionalHeader; long the "PE Optional short Characteristics; Header" is that follows the COFF header. } Characteristics This is a field of bit flags, that show some characteristics of the file.0x02 = Executable file, 0x200 = file is non-relocatable (addresses are absolute, not RVA), 0x2000 = File is a DLL Library, not an EXE.
  • 24. Code Sections The PE Header defines the number of sections in the executable file. Each section definition is 40 bytes in length. The structure of the section descriptor is as follows: Offset Length Purpose 0x00 8 bytes Section Name (e.g .text .data .bss ) 0x08 4 bytes Size of the section once it is loaded to memory 0x0C 4 bytes RVA (location) of section once it is loaded to memory 0x10 4 bytes Physical size of section on disk 0x14 4 bytes Physical location of section on disk (from start of disk image) 0x18 12 bytes Reserved (usually zero) (used in object formats) 0x24 4 bytes Section flags
  • 25. Windows DLL Files Windows DLL files are a brand of PE file with a few key differences:  A .DLL file extension  A DLLMain() entry point, instead of a WinMain() or main().  The DLL flag set in the PE header. DLLs may be loaded in one of two ways, a) at load-time, or b) by calling the LoadModule() Win32 API function.
  • 26. Function Exports Functions are exported from a DLL file by using the following syntax: __declspec(dllexport) void MyFunction() ... The "__declspec" keyword here is not a C language standard, but is implemented by many compilers to set extendable, compiler-specific options for functions and variables. Microsoft C Compiler and GCC versions that run on windows allow for the __declspec keyword, and the dllexport property. Functions may also be exported from regular .exe files, and .exe files with exported functions may be called dynamically in a similar manner to .dll files. This is a rare occurrence, however.
  • 27. Identifying DLL Exports There are several ways to determine which functions are exported by a DLL. The method that this book will use (often implicitly) is to use dumpbin in the following manner: dumpbin /EXPORTS <dll file> This will post a list of the function exports, along with their ordinal and RVA to the console.
  • 28. Function Imports In a similar manner to function exports, a program may import a function from an external DLL file. The dll file will load into the process memory when the program is started, and the function will be used like a local function. DLL imports need to be prototyped in the following manner, for the compiler and linker to recognize that the function is coming from an external library: __declspec(dllimport) void MyFunction();
  • 29. Identifying DLL Imports If is often useful to determine which functions are imported from external libraries when examining a program. To list import files to the console, use dumpbin in the following manner __declspec(dllimport) void MyFunction(); You can also use depends.exe to list imported and exported functions. Depends is a GUI tool and comes with Microsoft Platform SDK.
  • 30. Analysis Tools Debuggers  Hex Editors  Resource Monitors  API Monitors  PE File Header dumpers 
  • 31. Debuggers Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.  Advanced debuggers often contain at least a rudimentary disassembler, often times hex editing and reassembly features. Debuggers often allow the user to set breakpoints on instructions, function calls, and even memory locations.  A breakpoint is an instruction to the debugger that allows program execution to be halted when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution. 
  • 32. Windows Debuggers SoftICE A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006. WinDbg WinDbg is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDbg is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. Available in 32 and 64-bit versions.
  • 33. Windows Debuggers IDA Pro The multi-processor, multi-OS, interactive disassembler by DataRescue. OllyDbg OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging. Immunity Debugger Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.
  • 34. Hex Editors Hex editors are able to directly view and edit the binary of a source file, and are very useful for investigating the structure of proprietary closed-format data files. There are many hex editors in existence. This section will attempt to list some of the best, some of the most popular, or some of the most powerful.
  • 35. Windows Hex Editors wxHexEditor (Free & Open Source): A fast hex editor specially for HUGE files and disk devices, allows up to Exabyte, allow size changes (inject and deletes) without creating temp file, could view files with multiple panes, has built-in disassembler, supports tags for (reverse) engineering big binaries or file systems, could view files thru XOR encryption. http:/ / wxhexeditor. sourceforge. net/ HxD (Freeware) A fast and powerful free hex, disk and RAM editor http:/ / mh-nexus. de/ hxd/
  • 36. Assemble There are three reasons for using assembly language: speed, speed, and more speed. As the middle language between the High-level and low-level (Machine Language) Programing Language which almost of the HLL most pass throw to be an execution file. Furthermore, it’s the bridge to get the original design of the binary files. Assembly language has several benefits:  Speed. Assembly language programs are generally the fastest programs around.  Space. Assembly language programs are often the smallest.  Capability. You can do things in assembly which are difficult or impossible in HLLs.  Knowledge. Your knowledge of assembly language will help you write better programs, even when using HLLs.
  • 37. Registers The IA-32 platform processors have multiple groups of registers of different sizes. Different processors within the IA-32 platform include specialized registers. The core groups of registers available to all processors in the IA-32 family. General purpose: Eight 32-bit registers used for storing working data  Segment: Six 16-bit registers used for handling memory access  Instruction pointer: A single 32-bit register pointing to the next instruction code to execute 
  • 38. General-purpose registers EAX Accumulator for operands and results data EBX Pointer to data in the data memory segment ECX Counter for string and loop operations EDX I/O pointer EDI Data pointer for destination of string operations ESI Data pointer for source of string operations ESP Stack pointer EBP Stack data pointer
  • 39. Segment registers CS Code segment DS Data segment SS Stack segment ES Extra segment pointer FS Extra segment pointer GS Extra segment pointer
  • 40. Flags CF 0 Code segment PF 2 Data segment AF 4 Stack segment ZF 6 Extra segment pointer SF 7 Extra segment pointer OF 11 Extra segment pointer
  • 41. Logical Operators Operator Syntax Description SHR expr SHR expr Shift right SHL expr SHL expr Shift left NOT NOT expr Logical (bit by bit) NOT AND expr AND expr Logical AND OR expr OR expr Logical OR expr XOR expr Logical XOR Syntax Description expr SHR expr Shift right XOR Operator SHR
  • 42. Relational Operators Operator Syntax Description EQ expr EQ expr True (0FFh) if equal, false (0) otherwise NE expr NE expr True (0FFh) if not equal, false (0) otherwise LT expr LT expr True (0FFh) if less, false (0) otherwise LE expr LE expr True (0FFh) if less or equal, false (0) otherwise GT expr GT expr True (0FFh) if greater, false (0) otherwise GE expr GE expr True (0FFh) if greater or equal, false (0) otherwise Operator Syntax EQ Description expr EQ expr True (0FFh) if equal, false (0) otherwise
  • 43. Jump Instructions Jcc Instructions That Test Flags Instruction Condition Aliases Opposite Jump if carry Carry = 1 JB, JNAE JNC Jump if no carry Carry = 0 JNB, JAE JC Jump if zero Zero = 1 JE JNZ Jump if not zero Zero = 0 JNE JZ Jump if sign Sign = 1 - JNS JNS Jump if no sign Sign = 0 - JS JO Jump if overflow Ovrflw=1 - JNO JNO Jump if no Ovrflw Ovrflw=0 - JO Jump if parity Parity = 1 JPE JNP JPE Jump if parity even Parity = 1 JP JPO JNP Jump if no parity Parity = 0 JPO JP JPO Jump if parity odd Parity = 0 JNP JPE JC JNC JZ JNZ JS JP Description
  • 44. Jump Instructions Jcc Instructions for Unsigned Comparisons Instruction JA JNBE Description Jump if above (>) Condition Carry=0, Zero=0 Jump if not below or equal (not <=) Carry=0, Zero=0 Aliases Opposite JNBE JNA JA JBE JAE Jump if above or equal (>=) Carry = 0 JNC, JNB JNAE JNB Jump if not below (not <) Carry = 0 JNC, JAE JB Jump if below (<) Carry = 1 JC, JNAE JNB JC, JB JAE JB JNAE Jump if not above or equal (not >=) Carry = 1 JBE Jump if below or equal (<=) Carry = 1 or Zero = 1 JNA JNBE JNA Jump if not above (not >) Carry = 1 or Zero = 1 JBE JA Jump if equal (=) Zero = 1 JZ JNE Jump if not equal () Zero = 0 JNZ JE Jump if above (>) Carry=0, Zero=0 JNBE JNA JA JBE JE JNE JA JNBE Jump if not below or equal (not <=) Carry=0, Zero=0
  • 45. Jump Instructions Jcc Instructions for Signed Comparisons Instruction JG Description Condition Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE Jump if not less than or equal (not <=) JGE JNL Aliases Opposite JNLE JNG Sign = Ovrflw or Zero=0 JG JLE Jump if greater than or equal (>=) Sign = Ovrflw JNL JGE Jump if not less than (not <) Sign = Ovrflw JGE JL Jump if less than (<) Sign Ovrflw JNGE JNL Jump if not greater or equal (not >=) Sign Ovrflw JL JGE JLE Jump if less than or equal (<=) Sign Ovrflw or Zero = 1 JNG JNLE JNG Jump if not greater than (not >) Sign Ovrflw or Zero = 1 JLE JG Jump if equal (=) Zero = 1 JZ JNE JNE Jump if not equal () Zero = 0 JNZ JE JG Jump if greater (>) Sign = Ovrflw or Zero=0 JNLE JNG Jump if not less than or equal (not <=) Sign = Ovrflw or Zero=0 JG JLE JL JNGE JE JNLE
  • 46. OllyDbg Control Bar Registers Window Disassembler Window Dump Memory Window Stack Window
  • 47. OllyDbg - Disassembler Window CommentsCommand Assemble Hex Dump Address section Information Section
  • 48. OllyDbg - Stack Window registers Instruction Pointer Register Segment registers Flags Additional registers
  • 49. Recourse for the RE tools http://www.openrce.org/  http://www.at4re.com/  http://www.ollydbg.de/  http://www.tuts4you.com/  http://www.peid.info/ 
  • 50. Eilam, Eldad. "Reversing: Secrets of Reverse Engineering." 2005. Wiley Publishing Inc. ISBN 0764574817  Raja, Vinesh II. Fernandes, Kiran J. "Reverse Engineering An Industrial Perspective" 2008. Springer Series in Advanced Manufacturing .ISBN 978-1-84628-855-5  Hyde, Randall. "The Art of Assembly Language," No Starch, 2003 ISBN 1886411972  Blum, Richard. “Professional Assembly Language”, 2005. Wiley Publishing, Inc. ISBN: 0-7645-7901-0 