# Basic RE

## Reverse Engineer

### What is RE

* Reverse engineering mean to take some product, program or any executable application and break it down in order to understand how it was produced.
* To understand how application or software work without having it code.
* Deconstruct design into information. To determine how it work in part or to fix certain thing in code or to exploit any possibility of program or software.

### Why RE

* Sometime program or software might have problem /bug on it. There is why reverse engineering is needed to analyze it **statically.**

RE is challenging

* We need to admit that reverse engineering not easy. This is because,

1. It might be obfuscated
2. It might be packed
3. It might be huge/messy
4. X86 Overview

## Assembly Languange

* Assembly language is low level language.
* Human writing in high level language (C,Java,etc) and the machine need to convert it into low level language since it only understand that.

### Compilation & Disassembly

* The program written in any high-level language (assume C)
* The code then compiled into machine code. A series of bytes that CPU understand
* Since researcher didn’t have source code, it only can read bytes of machine code.
* Therefore, disassembler needed to translate those bytes into easier readable textual

![](https://3121131891-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQeFYsVgq7Gj5gy3amsLE%2Fuploads%2FQTegPaG6RtXJixPpSQ5I%2F0?alt=media)

### Architecture

As a program running, the loop is executed

* CPU instruction is read from the main memory by CU
* The instruction then processes and execute by ALU along with user input or registers.
* Operation output is stored in CPU register or sent to an output device.

![](https://3121131891-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQeFYsVgq7Gj5gy3amsLE%2Fuploads%2FblqzwWzb4SLRq3WW9CAV%2F1?alt=media)

### Instruction

The instruction will look like

`Assembly instruction = mnemonic +`` `**`optional operand`**`.`

`Mov eax,`` `**`0xFF`**` ``~ B8 FF 00 00 00`

**Operand can be either**

1. Immediate value (example `0x4`)
2. Register (`eax`)
3. Memory address (`0x400101+4`)

{% hint style="info" %}
**Opcode:** The byte corresponding to the instruction and it operands.
{% endhint %}

### Basic Popular Instructions.

|     | Data Storage                                                       |                   |
| --- | ------------------------------------------------------------------ | ----------------- |
| mov | Move data from one operand into another                            | Mov eax, 0x8      |
| lea | Loads the address of operands into another                         | Lea edx, \[eax-1] |
|     | Arithmetic                                                         |                   |
| add | Add one operand with another and store the result in register      | Add eax, 0x8      |
| Sub | subtract one operand with another and store the result in register | sub eax, 0x8      |
| Inc | increase one operand with another and store the result in register |                   |
| dec | decrease one operand with another and store the result in register |                   |
| Mul | multiply one operand with another and store the result in register | mul eax, 0x8      |
| div | Divide one operand with another and store the result in register   | div eax, 0x8      |

|     | Logic                                                                        |             |
| --- | ---------------------------------------------------------------------------- | ----------- |
| Or  | Logical (either one true)                                                    | Or eax,ebx  |
| And | Logical (both true)                                                          | And eax,ebx |
| Xor | Logical (either one true return false) (applying twice will return original) | Xor eax,ebx |
| Shr | Logical (Shift right)                                                        |             |
| shl | Logical (shift left)                                                         |             |

![](https://3121131891-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQeFYsVgq7Gj5gy3amsLE%2Fuploads%2Fza92e2UB7tzmmYh1XLeW%2F2?alt=media)

### Register

* Part of memory access in CPU where it pointing location in memory.
* Flag register contain lots of information of CPU.
* Stack refers to current user data.

![](https://3121131891-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQeFYsVgq7Gj5gy3amsLE%2Fuploads%2FvqvLMlqDU8ucqlxDvaK3%2F3?alt=media)

{% hint style="success" %}

* X = register, P = pointer, I = index.
* EIP =Join pointer. Point to next instruction.
  {% endhint %}

#### Register Breakdown

![](https://3121131891-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQeFYsVgq7Gj5gy3amsLE%2Fuploads%2FJmkjBA5NYQttw301tfNG%2F4?alt=media)

```
EAX = A9DC81F5 = 32 bits
AX- 16 least (last bit) of EAX (81F5)
AH & AL = 8 bit most(AH) or least (AL) of AX
If 16 most of EAX = AX the most (A9DC)
** EAX – function that return value
** ECX – (counter) loop variable
** EAX:EDX – remainder in mul or div
```

#### EFLAGS Register

Give information on the result of previous computation. It only contain status of register

1. **Zero Flag** – set if operation result is result (null)
2. **Carry Flag** – set if operation result to large/small for destination operand
3. **Sign Flag** – set if MSB is set(negative result)
4. O**verflow Flag** – set if value more than it can hold. (0xFFFFFFFF + 1) (result will 0 but the overflow flag will be sent)

### Branching (Control Flow)

Basically there have two (2) type of jump

1. Unconditional
   * It will jump directly to any address.
2. Conditional
   * First, it will check result of computation/input
   * It will follow the condition (if else) to jump for next address.

#### Jump

Lot of type for conditional jump. It often referred to jcc (jump condition). Each jump instruction performs different EFLAG register to determine the jump should be performing or not.

`NOP – null/no operation`

`PUSH/POP – move/remove either word/dword/qword or register (!EIP) onto stack`

{% hint style="info" %}
`Every “n” mean not`
{% endhint %}

`Jz/jnz – jump to location`

`Je/jne – common use after instruction (cmp). Jump to destination when condition meets. (Jump equal / jump not equal)`

`Jg/jge - common use after instruction (cmp). Jump to destination when condition meets. (Jump greater / jump greater or equal)`

`Ja/jae – same as jg/jge. But if perform without unassigned comparison.`

`Jl/jle – same as jg/jge. But this time for less.`

`Jb/jbe – same as jl/jle. But it perform without unassigned comparison.`

`Jo – jump if previous instruction are overflow flag.`

`Js - jump if previous instruction are sign flag.`

`Jecxz – jump to location if ECX = 0. (end of loop)`

### Main Memory

![](https://3121131891-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQeFYsVgq7Gj5gy3amsLE%2Fuploads%2FdXCbEiwNHRRbOjcwmbAA%2F5?alt=media)

`Data- static/global variable`

`Code – instruction`

`Heap – dynamic memory, allocated and freed during runtime`

`Stack – variable and argument local to program function.`