
# Basic RE

## Reverse Engineer

### What is RE

* Reverse engineering means taking a product, program or any executable application and breaking it down in order to understand how it was produced.
* It is how you understand how an application or piece of software works without having its source code.
* It deconstructs a design back into information: to determine how the program works in part, to fix a certain thing in the code, or to look for exploitable behaviour in the program or software.

### Why RE

* Sometimes a program or piece of software has a problem or bug in it. That is why reverse engineering is needed: to analyze it **statically.**

RE is challenging

* We need to admit that reverse engineering is not easy. This is because the target:

1. might be obfuscated
2. might be packed
3. might be huge or messy

## X86 Overview

## Assembly Language

* Assembly language is a low-level language.
* Humans write in high-level languages (C, Java, etc.) and the machine needs that converted into a low-level language, since that is all it understands.

### Compilation & Disassembly

* The program is written in some high-level language (assume C).
* The code is then compiled into machine code: a series of bytes that the CPU understands.
* Since the researcher does not have the source code, only those bytes of machine code can be read.
* Therefore a disassembler is needed to translate those bytes into readable textual assembly.

![](/files/I45tagmGAnht2uKhCxSu)

### Architecture

While a program runs, the following loop is executed:

* A CPU instruction is read from main memory by the control unit (CU).
* The instruction is then processed and executed by the ALU, along with user input or register contents.
* The operation's output is stored in a CPU register or sent to an output device.

![](/files/WutP5qFomCvoq78oGDC1)

### Instruction

The instruction will look like:

Assembly instruction = mnemonic + **optional operand**.

`mov eax, 0xFF` ~ `B8 FF 00 00 00`

**Operand can be either**

1. Immediate value (example `0x4`)
2. Register (`eax`)
3. Memory address (`0x400101+4`)

{% hint style="info" %}
**Opcode:** the byte(s) encoding the instruction and its operands.
{% endhint %}

### Basic Popular Instructions.

|     | Data Storage                                                                     |                   |
| --- | -------------------------------------------------------------------------------- | ----------------- |
| mov | Move data from one operand into another                                          | mov eax, 0x8      |
| lea | Load the address computed from the second operand into the first (no memory read) | lea edx, \[eax-1] |
|     | Arithmetic                                                                       |                   |
| add | Add one operand to another and store the result in the destination               | add eax, 0x8      |
| sub | Subtract one operand from another and store the result in the destination        | sub eax, 0x8      |
| inc | Increase the operand by one                                                      | inc eax           |
| dec | Decrease the operand by one                                                      | dec eax           |
| mul | Multiply EAX by the operand (unsigned); the 64-bit product goes to EDX:EAX       | mul ecx           |
| div | Divide EDX:EAX by the operand (unsigned); quotient in EAX, remainder in EDX      | div ecx           |

|     | Logic                                                                                    |              |
| --- | ---------------------------------------------------------------------------------------- | ------------ |
| or  | Bitwise OR (bit set if either is set)                                                    | or eax, ebx  |
| and | Bitwise AND (bit set if both are set)                                                    | and eax, ebx |
| xor | Bitwise exclusive OR (bit set if exactly one is set; applying it twice restores the original) | xor eax, ebx |
| shr | Shift right                                                                              | shr eax, 2   |
| shl | Shift left                                                                               | shl eax, 2   |

![](/files/GodTaG6G4IISjzdIaO36)

### Register

* Registers are small storage locations inside the CPU; several of them hold pointers to locations in memory.
* The flags register contains a lot of information about the state of the CPU.
* The stack holds the data the running function is currently working with.

![](/files/LBLAkNevK1Ru680kqcEF)

{% hint style="success" %}

* X = register, P = pointer, I = index.
* EIP = instruction pointer. Points to the next instruction.
{% endhint %}

#### Register Breakdown

![](/files/Hn2FWbgACjMvb9LiYoBq)

```
EAX = A9DC81F5 = 32 bits
AX  = the 16 least significant bits of EAX (81F5)
AH & AL = the most (AH) and least (AL) significant 8 bits of AX (81 and F5)
The 16 most significant bits of EAX (A9DC) have no name of their own
** EAX – holds a function's return value
** ECX – (counter) loop variable
** EDX:EAX – holds the product of mul; after div, EAX holds the quotient and EDX the remainder
```
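As an added example (not from the original notes), the following Python decodes the notes' `B8 FF 00 00 00` encoding of `mov eax, 0xFF` (the `mov r32, imm32` family, opcodes B8..BF, with a little-endian immediate) and models how AX, AH and AL alias the low bits of the EAX value A9DC81F5 used above.

```python
import struct

# 32-bit general-purpose registers in x86 encoding order (opcode B8 + index)
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MASK32 = 0xFFFFFFFF


def decode_mov_r32_imm32(code):
    """Decode a 5-byte 'mov r32, imm32' and return (assembly text, length).

    The register index lives in the low 3 bits of the opcode byte and the
    immediate follows as 4 little-endian bytes, which is why 0xFF is the
    first byte after B8 in 'B8 FF 00 00 00'.
    """
    if len(code) < 5 or not 0xB8 <= code[0] <= 0xBF:
        raise ValueError("not a mov r32, imm32 encoding")
    reg = REG32[code[0] - 0xB8]
    imm = struct.unpack_from("<I", code, 1)[0]  # little-endian unsigned 32-bit
    return f"mov {reg}, {imm:#x}", 5


def split_eax(eax):
    """Return the named sub-registers of a 32-bit EAX value."""
    ax = eax & 0xFFFF  # low 16 bits of EAX
    return {
        "eax": eax & MASK32,
        "ax": ax,
        "ah": (ax >> 8) & 0xFF,           # high byte of AX
        "al": ax & 0xFF,                  # low byte of AX
        "upper16": (eax >> 16) & 0xFFFF,  # unnamed top half of EAX
    }


def write_al(eax, value):
    """Model 'mov al, imm8': only the low byte of EAX changes, the rest is kept."""
    return ((eax & ~0xFF) & MASK32) | (value & 0xFF)
```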

#### EFLAGS Register

It gives information on the result of the previous computation. It only holds status bits.

1. **Zero Flag** – set if the operation result is zero.
2. **Carry Flag** – set if the operation result is too large or too small for the destination operand (unsigned wrap).
3. **Sign Flag** – set if the MSB of the result is set (negative result).
4. **Overflow Flag** – set if the signed result is more than the destination can hold. Example: 0xFFFFFFFF + 1 (the result wraps to 0 and a flag is set).

### Branching (Control Flow)

Basically there are two (2) types of jump:

1. Unconditional
   * Jumps directly to the given address.
2. Conditional
   * First checks the result of a computation or input.
   * Then follows the condition (if/else) to decide the next address.

#### Jump

There are many kinds of conditional jump, often referred to as jcc (jump on condition). Each jump instruction tests different EFLAGS bits to determine whether the jump should be taken or not.

`nop` – null / no operation.

`push`/`pop` – move a word/dword/qword or a register (but not EIP) onto, or remove it from, the stack.

{% hint style="info" %}
Every "n" means not.
{% endhint %}

`jz`/`jnz` – jump if zero / not zero (tests ZF).

`je`/`jne` – commonly used after `cmp`. Jump to the destination when the condition is met (jump if equal / jump if not equal).

`jg`/`jge` – commonly used after `cmp`. Jump to the destination when the condition is met (jump if greater / greater or equal, signed comparison).

`ja`/`jae` – same as `jg`/`jge`, but for unsigned comparison.

`jl`/`jle` – same as `jg`/`jge`, but this time for less / less or equal.

`jb`/`jbe` – same as `jl`/`jle`, but for unsigned comparison.

`jo` – jump if the previous instruction set the overflow flag.

`js` – jump if the previous instruction set the sign flag.

`jecxz` – jump to the location if ECX = 0 (end of loop).
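Added example (not from the original notes) covering the EFLAGS list and the jcc list above: it computes ZF, CF, SF and OF for a 32-bit `add` or `cmp` and then evaluates the conditional jumps against those flags, which shows why the unsigned family (`ja`/`jb`) and the signed family (`jg`/`jl`) can disagree on the same operands and how the notes' 0xFFFFFFFF + 1 case comes out.

```python
MASK32, SIGN32 = 0xFFFFFFFF, 0x80000000


def to_signed(v):
    """Reinterpret a 32-bit value as a signed integer."""
    v &= MASK32
    return v - (1 << 32) if v & SIGN32 else v


def flags_after(op, a, b):
    """Flags ZF/CF/SF/OF after 32-bit 'add a, b' or 'cmp a, b' (cmp computes a - b)."""
    a &= MASK32
    b &= MASK32
    if op == "add":
        full = a + b
        signed = to_signed(a) + to_signed(b)
        carry = full > MASK32            # carry out of bit 31 (unsigned overflow)
    elif op == "cmp":
        full = a - b
        signed = to_signed(a) - to_signed(b)
        carry = a < b                    # borrow: a is below b as unsigned
    else:
        raise ValueError(op)
    res = full & MASK32                  # the CPU keeps only 32 bits of the result
    return {
        "ZF": res == 0,                  # result is zero
        "CF": carry,                     # unsigned wrap
        "SF": bool(res & SIGN32),        # MSB set: negative when read as signed
        "OF": signed != to_signed(res),  # signed result did not fit the destination
    }


# Conditional jumps from the notes, as predicates over the flags (as the CPU tests them).
JCC = {
    "jz": lambda f: f["ZF"], "jnz": lambda f: not f["ZF"],
    "je": lambda f: f["ZF"], "jne": lambda f: not f["ZF"],
    "jb": lambda f: f["CF"], "jae": lambda f: not f["CF"],                    # unsigned <, >=
    "jbe": lambda f: f["CF"] or f["ZF"], "ja": lambda f: not (f["CF"] or f["ZF"]),  # unsigned <=, >
    "jl": lambda f: f["SF"] != f["OF"], "jge": lambda f: f["SF"] == f["OF"],  # signed <, >=
    "jle": lambda f: f["ZF"] or f["SF"] != f["OF"],                           # signed <=
    "jg": lambda f: not f["ZF"] and f["SF"] == f["OF"],                       # signed >
    "js": lambda f: f["SF"], "jo": lambda f: f["OF"],
}


def taken(jcc, flags):
    """Would this conditional jump be taken given these flags?"""
    return JCC[jcc](flags)
```

Running `flags_after("cmp", 0xFFFFFFFF, 1)` shows the split: `ja` is taken (0xFFFFFFFF is above 1 unsigned) while `jg` is not (-1 is not greater than 1 signed).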

### Main Memory

![](/files/wLnMNaZC7KksBfSL7mF3)

* **Data** – static/global variables
* **Code** – instructions
* **Heap** – dynamic memory, allocated and freed during runtime
* **Stack** – variables and arguments local to a program function


