Basic RE

Reverse Engineer

What is RE

Reverse engineering mean to take some product, program or any executable application and break it down in order to understand how it was produced.
To understand how application or software work without having it code.
Deconstruct design into information. To determine how it work in part or to fix certain thing in code or to exploit any possibility of program or software.

Why RE

Sometime program or software might have problem /bug on it. There is why reverse engineering is needed to analyze it statically.

RE is challenging

We need to admit that reverse engineering not easy. This is because,

It might be obfuscated
It might be packed
It might be huge/messy
X86 Overview

Assembly Languange

Assembly language is low level language.
Human writing in high level language (C,Java,etc) and the machine need to convert it into low level language since it only understand that.

Compilation & Disassembly

The program written in any high-level language (assume C)
The code then compiled into machine code. A series of bytes that CPU understand
Since researcher didn’t have source code, it only can read bytes of machine code.
Therefore, disassembler needed to translate those bytes into easier readable textual

Architecture

As a program running, the loop is executed

CPU instruction is read from the main memory by CU
The instruction then processes and execute by ALU along with user input or registers.
Operation output is stored in CPU register or sent to an output device.

Instruction

The instruction will look like

Assembly instruction = mnemonic + optional operand.

Mov eax, 0xFF ~ B8 FF 00 00 00

Operand can be either

Immediate value (example 0x4)
Register (eax)
Memory address (0x400101+4)

Opcode: The byte corresponding to the instruction and it operands.

Basic Popular Instructions.

Data Storage

mov

Move data from one operand into another

Mov eax, 0x8

lea

Loads the address of operands into another

Lea edx, [eax-1]

Arithmetic

add

Add one operand with another and store the result in register

Add eax, 0x8

Sub

subtract one operand with another and store the result in register

sub eax, 0x8

Inc

increase one operand with another and store the result in register

dec

decrease one operand with another and store the result in register

Mul

multiply one operand with another and store the result in register

mul eax, 0x8

div

Divide one operand with another and store the result in register

div eax, 0x8

Logic

Logical (either one true)

Or eax,ebx

And

Logical (both true)

And eax,ebx

Xor

Logical (either one true return false) (applying twice will return original)

Xor eax,ebx

Shr

Logical (Shift right)

shl

Logical (shift left)

Register

Part of memory access in CPU where it pointing location in memory.
Flag register contain lots of information of CPU.
Stack refers to current user data.

X = register, P = pointer, I = index.
EIP =Join pointer. Point to next instruction.

Register Breakdown

EAX = A9DC81F5 = 32 bits
AX- 16 least (last bit) of EAX (81F5)
AH & AL = 8 bit most(AH) or least (AL) of AX
If 16 most of EAX = AX the most (A9DC)
** EAX – function that return value
** ECX – (counter) loop variable
** EAX:EDX – remainder in mul or div

EFLAGS Register

Give information on the result of previous computation. It only contain status of register

Zero Flag – set if operation result is result (null)
Carry Flag – set if operation result to large/small for destination operand
Sign Flag – set if MSB is set(negative result)
Overflow Flag – set if value more than it can hold. (0xFFFFFFFF + 1) (result will 0 but the overflow flag will be sent)

Branching (Control Flow)

Basically there have two (2) type of jump

Unconditional
- It will jump directly to any address.
Conditional
- First, it will check result of computation/input
- It will follow the condition (if else) to jump for next address.

Jump

Lot of type for conditional jump. It often referred to jcc (jump condition). Each jump instruction performs different EFLAG register to determine the jump should be performing or not.

NOP – null/no operation

PUSH/POP – move/remove either word/dword/qword or register (!EIP) onto stack

Every “n” mean not

Jz/jnz – jump to location

Je/jne – common use after instruction (cmp). Jump to destination when condition meets. (Jump equal / jump not equal)

Jg/jge - common use after instruction (cmp). Jump to destination when condition meets. (Jump greater / jump greater or equal)

Ja/jae – same as jg/jge. But if perform without unassigned comparison.

Jl/jle – same as jg/jge. But this time for less.

Jb/jbe – same as jl/jle. But it perform without unassigned comparison.

Jo – jump if previous instruction are overflow flag.

Js - jump if previous instruction are sign flag.

Jecxz – jump to location if ECX = 0. (end of loop)

Main Memory

Data- static/global variable

Code – instruction

Heap – dynamic memory, allocated and freed during runtime

Stack – variable and argument local to program function.

PreviousNmap CheatSheat NextMalware Things

Last updated 2 years ago

Basic RE

Reverse Engineer

What is RE

Reverse engineering mean to take some product, program or any executable application and break it down in order to understand how it was produced.
To understand how application or software work without having it code.
Deconstruct design into information. To determine how it work in part or to fix certain thing in code or to exploit any possibility of program or software.

Why RE

Sometime program or software might have problem /bug on it. There is why reverse engineering is needed to analyze it statically.

RE is challenging

We need to admit that reverse engineering not easy. This is because,

It might be obfuscated
It might be packed
It might be huge/messy
X86 Overview

Assembly Languange

Assembly language is low level language.
Human writing in high level language (C,Java,etc) and the machine need to convert it into low level language since it only understand that.

Compilation & Disassembly

The program written in any high-level language (assume C)
The code then compiled into machine code. A series of bytes that CPU understand
Since researcher didn’t have source code, it only can read bytes of machine code.
Therefore, disassembler needed to translate those bytes into easier readable textual

Architecture

As a program running, the loop is executed

CPU instruction is read from the main memory by CU
The instruction then processes and execute by ALU along with user input or registers.
Operation output is stored in CPU register or sent to an output device.

Instruction

The instruction will look like

Assembly instruction = mnemonic + optional operand.

Mov eax, 0xFF ~ B8 FF 00 00 00

Operand can be either

Immediate value (example 0x4)
Register (eax)
Memory address (0x400101+4)

Opcode: The byte corresponding to the instruction and it operands.

Basic Popular Instructions.

Data Storage

mov

Move data from one operand into another

Mov eax, 0x8

lea

Loads the address of operands into another

Lea edx, [eax-1]

Arithmetic

add

Add one operand with another and store the result in register

Add eax, 0x8

Sub

subtract one operand with another and store the result in register

sub eax, 0x8

Inc

increase one operand with another and store the result in register

dec

decrease one operand with another and store the result in register

Mul

multiply one operand with another and store the result in register

mul eax, 0x8

div

Divide one operand with another and store the result in register

div eax, 0x8

Logic

Logical (either one true)

Or eax,ebx

And

Logical (both true)

And eax,ebx

Xor

Logical (either one true return false) (applying twice will return original)

Xor eax,ebx

Shr

Logical (Shift right)

shl

Logical (shift left)

Register

Part of memory access in CPU where it pointing location in memory.
Flag register contain lots of information of CPU.
Stack refers to current user data.

X = register, P = pointer, I = index.
EIP =Join pointer. Point to next instruction.

Register Breakdown

EAX = A9DC81F5 = 32 bits
AX- 16 least (last bit) of EAX (81F5)
AH & AL = 8 bit most(AH) or least (AL) of AX
If 16 most of EAX = AX the most (A9DC)
** EAX – function that return value
** ECX – (counter) loop variable
** EAX:EDX – remainder in mul or div

EFLAGS Register

Give information on the result of previous computation. It only contain status of register

Zero Flag – set if operation result is result (null)
Carry Flag – set if operation result to large/small for destination operand
Sign Flag – set if MSB is set(negative result)
Overflow Flag – set if value more than it can hold. (0xFFFFFFFF + 1) (result will 0 but the overflow flag will be sent)

Branching (Control Flow)

Basically there have two (2) type of jump

Unconditional
- It will jump directly to any address.
Conditional
- First, it will check result of computation/input
- It will follow the condition (if else) to jump for next address.

Jump

Lot of type for conditional jump. It often referred to jcc (jump condition). Each jump instruction performs different EFLAG register to determine the jump should be performing or not.

NOP – null/no operation

PUSH/POP – move/remove either word/dword/qword or register (!EIP) onto stack

Every “n” mean not

Jz/jnz – jump to location

Je/jne – common use after instruction (cmp). Jump to destination when condition meets. (Jump equal / jump not equal)

Jg/jge - common use after instruction (cmp). Jump to destination when condition meets. (Jump greater / jump greater or equal)

Ja/jae – same as jg/jge. But if perform without unassigned comparison.

Jl/jle – same as jg/jge. But this time for less.

Jb/jbe – same as jl/jle. But it perform without unassigned comparison.

Jo – jump if previous instruction are overflow flag.

Js - jump if previous instruction are sign flag.

Jecxz – jump to location if ECX = 0. (end of loop)