Jump to content
Tuts 4 You

Reverse Code Engineering

55 files

  1. Win32 Reverse Engineering Cheat-Sheet

    A x86/Win32 reverse engineering cheat-sheet.

    100 downloads

    0 comments

    Submitted

  2. Reversing Microsoft Visual C++

    Microsoft Visual C++ is the most widely used compiler for Win32 so it is important for the Win32 reverser to be familiar with its inner working. Being able to recognize the compiler-generated glue code helps to quickly concentrate on the actual code written by the programmer. It also helps in recovering the high-level structure of the program.

    In part I of this 2-part article (see also: Part II: Classes, Methods and RTTI), I will concentrate on the stack layout, exception handling and related structures in MSVC-compiled programs. Some familiarity with assembler, registers, calling conventions etc. is assumed.

    Terms:
    Stack frame: A fragment of the stack segment used by a function. Usually contains function arguments, return-to-caller address, saved registers, local variables and other data specific to this function. On x86 (and most other architectures) caller and callee stack frames are contiguous.
    Frame pointer: A register or other variable that points to a fixed location inside the stack frame. Usually all data inside the stack frame is addressed relative to the frame pointer. On x86 it's usually ebp and it usually points just below the return address.
    Object: An instance of a (C++) class.
    Unwindable Object: A local object with auto storage-class specifier that is allocated on the stack and needs to be destructed when it goes out of scope.
    Stack UInwinding: Automatic destruction of such objects that happens when the control leaves the scope due to an exception.
    There are two types of exceptions that can be used in a C or C++ program.
    SEH exceptions (from "Structured Exception Handling"). Also known as Win32 or system exceptions. These are exhaustively covered in the famous Matt Pietrek article[1]. They are the only exceptions available to C programs. The compiler-level support includes keywords __try, __except, __finally and a few others.
    C++ exceptions (sometimes referred to as "EH"). Implemented on top of SEH, C++ exceptions allow throwing and catching of arbitrary types. A very important feature of C++ is automatic stack unwinding during exception processing, and MSVC uses a pretty complex underlying framework to ensure that it works properly in all cases.
    In the following diagrams memory addresses increase from top to bottom, so the stack grows "up". It's the way the stack is represented in IDA and opposite to the most other publications.

    88 downloads

    0 comments

    Submitted

  3. Tracing Delphi MessageBox

    This tutorial will explain how to use the Execute Till User Code function to trace MessageBoxes in Delphi, which is a little different than other programming languages. I try to explain it in a way beginners can understand it!

    I hope you will enjoy this tutorial, and that will come in handy once!

    81 downloads

    0 comments

    Submitted

  4. Reversing C++

    As reverse engineers, it is important that we are able to understand C++ concepts as they are represented in disassemblies and of course, have a big picture idea on what are the major pieces (classes) of the C++ target and how these pieces relate together (class relationships). In order to achieve this understanding, the reverse engineer must able to (1) Identify the classes (2) Identify relationships between classes (3) Identify class members. This paper attempts to provide the reader information on how to achieve these three goals. First, this paper discusses the manual approach on analyzing C++ targets in order to retrieve class information. Next, it discusses ways on how to automate these manual approaches.

    77 downloads

    0 comments

    Submitted

  5. Reversing MFC Applications

    MFC Programs seems to be the mainstream of Win32 GUI programming these days, other than QT applications that are rapidly gaining popularity recently. A few days ago, I suddenly got interested in embedded system reversing but was confronted by the task to reverse an application that uploads the firmware image to the embedded system. As expected, the application was MFC, and I was a bit taken back. I wasn't that confident in MFC reversing.

    I've seen many people (including me) reverse MFC applications in the same way as reversing pure Win32 API applications. Put breakpoints on certain APIs, search for a target string, search for a certain constant, etc etc. There is no problem with that. The same principles used in non-MFC app reversing can also be applied to MFC apps except.

    Except you can't find the Window Procedure within the application. Window Procedures are like the root function of where all the messages are processed, and when you know where it's located, you can always track down your target in a root to descendant kind of approach. It may take more time than the start from a certain function, string etc. approach, but when the later approach may sometimes make you get lost in a labyrinth of code and functions, the formal usually never goes wrong.

    The problem is, all the WndProc code is managed by the MFC framework, and the framework gives a slight twist to it to make it work in a different process than what we already know about Window Procedures. The principles are the same, but the structure is a little bit different, and the Message dispatcher code is no longer handled by the programmer. The question is, where is that code and what does it look like? And how could we use it to our advantage?

    That will be the main focus of this tutorial, and I will start with showing the usual approach, and point out the problems that may occur in certain situations.

    71 downloads

    0 comments

    Submitted

  6. Reversers Guide to Python

    Python has to be one of the more interesting languages I've seen. Its syntax is clear and easy to pick up. It is multi-platform. It is optimized per platform so it is very fast. In fact, in many ways it is a better choice than Java. Developers seem to be afraid to make commercial applications in python, and go with Oracle instead. They assume that since it is OSS, it will be easier to crack. Don't get me wrong, every python app I have ever cracked was a one byte fix, but that cannot be blamed on the language. Note that obfuscation is available, but I have yet to see in it use. This language has been around for 20 years, and its usage is bound to continue to increase.

    Those familiar with reversing Java, .Net, or VB P-code apps will feel right at home with Python. One thing to note is that Python has no decompiler yet. Luckily, Python byte-code is very readable. We will get to that in a bit.

    70 downloads

    0 comments

    Submitted

  7. Visual Basic Tricks

    Some people thinking crack the visual basic programs it difficult but in truth not difficult and through cracking many of visual basic programs accumulation for me some experience in cracking this quality of programs and let's start with the first example...

    64 downloads

    0 comments

    Submitted

  8. General Reversing Tutorial

    A movie tutorial for newbies explaining the process of bypassing the trial period of an application (this is very easy tut.. not too interesting).

    57 downloads

    0 comments

    Submitted

  9. Reverse Engineering Techniques - Part 1

    The whole tutorial is about playing with a target and implementing new things into it. The tutorial is not for newbies, you must know how the tools given in this tutorial works. The entire article is based on exploring the calibre of a reverse engineer. Reverse engineering is an art; how to analyse and play with the target and find out other possibilities which you can implement. Sometimes targets are so challenging you can't even imagine. The target I am going to use in this tutorial is a simple crackme by Nemo.

    48 downloads

    0 comments

    Submitted

  10. Java Bytecode Reversing

    I decided to make a Java bytecode reversing / jar patching tutorial I learned a lot from and wanted to share. A tutorial for complete beginners.

    44 downloads

    0 comments

    Submitted

  11. Inject Your Code to a Portable Executable File

    This article demonstrates five steps to inject your code in a portable executable (EXE, DLL, OCX,...) file without recompiling source code.

    43 downloads

    0 comments

    Submitted

  12. Notes on Reversing Java Applications

    This tutorial aim is show some simple techniques that can be used to reverse and patching Java target, a first classical approach will be about the class decompilation with JAD and JODE decompiler, then we can move into the JVM (Java virtual machine) analysis and deeper into the bytecode analysis and patching.

    In order to fix some concepts a simple Java CrackMe will be explored trough decompilation with the presented tool and bytecode patching by using IDA and Hex Editor. Of course this topic isn't new and was also covered into the past by other, but this essay will just point some well know concept and show some more hint about the Java patching, a minimum skill on the Java programming is needed to make code change and understand the program execution flow at the decompiled stage. Finally some consideration around how to better protect Java coded application was covered.

    43 downloads

    0 comments

    Submitted

  13. Reverse Engineering of Data and Binary Files

    The analysis of computer files poses a difficult problem for security researchers seeking to detect and analyze malicious content, software developers stress testing file formats for their products, and for other researchers seeking to understand the behavior and structure of undocumented file formats. Traditional tools, including hex editors, disassemblers and debuggers, while powerful, constrain analysis to primarily text based approaches. In this paper, we present design principles for file analysis which support meaningful investigation when there is little or no knowledge of the underlying file format, but are flexible enough to allow integration of additional semantic information, when available. We also present results from the implementation of a visual reverse engineering system based on our analysis. We validate the efficacy of both our analysis and our system with case studies depicting analysis use cases where a hex editor would be of limited value. Our results indicate that visual approaches help analysts rapidly identify files, analyze unfamiliar file structures, and gain insights that inform and complement the current suite of tools currently in use.

    42 downloads

    0 comments

    Submitted

  14. Reversed Compilation Techniques

    Techniques for writing reverse compilers or decompilers are presented in this thesis. These techniques are based on compiler and optimization theory, and are applied to decompilation in a unique way; these techniques have never before been published.

    A decompiler is composed of several phases which are grouped into modules dependent on language or machine features. The front-end is a machine dependent module that parses the binary program, analyzes the semantics of the instructions in the program, and generates an intermediate low-level representation of the program, as well as a control flow graph of each subroutine. The universal decompiling machine is a language and machine independent module that analyzes the low-level intermediate code and transforms it into a high-level representation available in any high-level language, and analyzes the structure of the control ow graph(s) and transform them into graphs that make use of high-level control structures. Finally, the back-end is a target language dependent module that generates code for the target language.

    Decompilation is a process that involves the use of tools to load the binary program into memory, parse or disassemble such a program, and decompile or analyze the program to generate a high-level language program. This process bene ts from compiler and library signatures to recognize particular compilers and library subroutines. Whenever a compiler signature is recognized in the binary program, all compiler start-up and library subroutines are not decompiled; in the former case, the routines are eliminated from the nal target program and the entry point to the main program is used for the decompiler analysis, in the latter case the subroutines are replaced by their library name.

    The presented techniques were implemented in a prototype decompiler for the Intel i80286 architecture running under the DOS operating system, dcc, which produces target C programs for source .exeor .com les. Sample decompiled programs, comparisons against the initial high-level language program, and an analysis of results is presented in Chapter 9. Chapter 1 gives an introduction to decompilation from a compiler point of view, Chapter 2 gives an overview of the history of decompilation since its appearance in the early 1960s, Chapter 3 presents the relations between the static binary code of the source binary program and the actions performed at run-time to implement the program, Chapter 4 describes the phases of the front-end module, Chapter 5 describes data optimization techniques to analyze the intermediate code and transform it into a higher-representation, Chapter 6 de nes control structure transformation techniques to analyze the structure of the control ow graph and transform it into a graph of high-level control structures, Chapter 7 describes the back-end module, Chapter 8 presents the decompilation tool programs, Chapter 9 gives an overview of the implementation of dcc and the results obtained, and Chapter 10 gives the conclusions and future work of this research.

    42 downloads

    0 comments

    Submitted

  15. Definitive Guide To Exploring File Formats

    Computer games are vast and many, however most computer games have something in common - they need a place to store all their important files like images, movies, and sounds. To do this, computer game developers typically store their data into a big archive file.

    There are many reasons for storing all your data files in one big archive, some reasons include reducing the number of files on a CD, hiding the data files to stop people hacking the game, and so that all data files can be accessed using a single data stream.

    However, the bad news for gamers is that there are almost as many different archives as there are different computer games - every game developer creates their own archive formats, and they even change their formats between games or departments in the company.

    This brings us to the focus of the tutorial - how to explore the archives and grab the files from within them. This tutorial will attempt to make it easy for anyone to explore a new format, with the aim of promoting game modifications and enhancements by the community.

    In the following pages, we will discuss the terms Game Resource Archives (GRAs) and Game Resource Archive Formats (GRAFs), common data types, and other definitions. From there, we will explain the fundamentals of cracking a file format, including the tools you use, and the patterns to look out for.

    Thanks for reading our guide; we wish you the best of luck in your exploration.

    42 downloads

    0 comments

    Submitted

  16. Writing a WinRAR Key Logger

    In this tutorial I will show how to write a WinRAR key logger. This key logger is different from other key loggers that are available on the net in the sense that it does not require any installation or starting any background hidden process/services that hijacks the keyboard and listens for key presses. This key logger is also not truly a key logger. It only logs password typed on the "Enter password" dialog box as shown below.

    41 downloads

    0 comments

    Submitted

  17. Cracking the MSI Files

    Today, we are discussing how to bypass serial number protections built in to windows binary installer files (.msi). Commonly, registration number protections are embedded within an InstallShield script, so we are going to make sure this is not the case before we delve into the .msi file.

    41 downloads

    0 comments

    Submitted

  18. How to Inject Code into an Executable File

    Our goal is to inject some code into the Notepad.exe.

    39 downloads

    0 comments

    Submitted

  19. Introduction to Reverse Engineering

    Reversing often implies converting low-level asm into some higher-level language or pseudo-code for digestion by humans...(and then using such specifications to understand, emulate, improve or copy the original).

    For us to do this we first investigate how some high-level constructs (in our case C) are represented in ASM. We then use this knowledge to infer high-level-constructs from the asm if we are attempting to discover what a segment of code does, or otherwise look for coding anomalies which may lead to discovering what compiler was used and possibly even fingerprint a style of coding.

    39 downloads

    0 comments

    Submitted

  20. Theories and Methods of Code-Caves

    Since many have read my tutorial on basic memory hacking and got stuck on the creation of code-caves, I've decided to make a short follow-up on some code-cave techniques where I'll explain the WHYs and the HOWs.

    Archive also contains "Theories and methods of memory hacking".

    39 downloads

    0 comments

    Submitted

  21. Point Events in Delphi Executables

    In the last weeks our companions Lisa Alquimista (Arapumk) they delighted us with MiniDE, a decompiler for Delphi executables that is able to obtain addresses of all the events of a program. MiniDE allows us to generate .MAP files that we will be able to import into OllyDbg with plugins like MapConv or GODUP, in order to add comments and/or labels with the names of the events.

    If we add the events information in the form of comments and/or labels we will see that it is much more simple to understand the operation of the program, and what matters more is, cracking it is much more comfortable.

    38 downloads

    0 comments

    Submitted

  22. In Memory Reverse Engineering for Obfuscated Python Bytecode

    Growing numbers of commercial and closed source applications are being developed using the Python programming language. The trend with developers of such applications appears to be that there is an increasing amount of effort being invested in order to stop the sourcecode of their application being easily obtainable by the end user. This is being achieved through the use of a variety of obfuscation techniques designed to impede the common methods of Python decompilation. Another trend occurring in parallel is the use of Python as an increasingly present component of 'Cloud' technologies where traditional bytecode decompilation techniques fall down not through obfuscation, but through lack of access to the bytecode files on disk.

    The techniques discussed in this paper extend existing Python decompilation technologies through taking an approach that does not require access to standard Python bytecode files (.pyc/.pyo), but rather focuses on gaining access to the bytecode through instantiated Python objects in memory and using these to reconstruct a sourcecode listing equivalent to that composed by the applications author. Approaches will also be discussed of how to defeat the common obfuscation techniques that have been observed in use in order to be able to use the in memory decompilation techniques.

    Finally a proof of concept embodiment of the techniques developed will be discussed which will allow people to quickly leverage them to evaluate code for bugs that was previously opaque to them.

    37 downloads

    0 comments

    Submitted

  23. Hump-and-Dump Efficient Generic Unpacking

    We present a new and efficient generic unpacking algorithm which effectively locates the original entry point (OEP) area of a packed program. The algorithm is based upon the dual observation that (a) even in a packed program, the OEP bytes are almost always only executed once, and (b) most packers unpack the original program to an area of memory which has not been previously executed. Given this, the technique relies upon creating a histogram of the addresses of executed instructions (EIP on x86). Whilst others have done this, the trick is to order the histogram by the last time an address is executed. Decryption, decompression and copying appear as large spikes at the start of the histogram, followed by a flat section, of height one, which is usually the OEP. We attach figures showing histograms for some popular packers, on both linear and log scales, which clearly illustrate the OEP after the massive unpacking "hump".

    This technique is extremely efficient to implement, and can compute the OEP "on-the-fly" in an emulator, or off-line from a trace of EIP. For instance, for UPX 2.03w, we need less than 1K of memory to hold the necessary data structures, and computation is similarly cheap (and compatible with dynamic-translation emulators). Given the shape of the chart, and the fact that after the "hump" represents a good opportunity to dump the memory, we have given this technique the somewhat sordid name of hump-and-dump.

    36 downloads

    0 comments

    Submitted

  24. Dealing With Funny Checksum

    After a while, I've decided to write about something interesting which I've found while unpacking one protection, and it will be also nice introduction to one of my tools which I have wrote for fun of it.

    However, I won't mention application name here, but to demonstrate checksum check which I have found I will be using one test application, thus you will get idea what happened, and how checksum is defeated. I will also introduce one tool I wrote, which served me well in this particular case. Tool should come with this document, thus I won't describe tool, and it's internals as source code should be well commented.

    36 downloads

    0 comments

    Submitted

  25. Reversing a Frozen Python Executable

    This document presents a way to reverse engineer frozen python executables.

    We all at some point of time have reversed native compiled application like the ones generated from Visual C++, Delphi etc, but reversing frozen python executable presents a new challenge and the area in this field is not yet fully explored.

    So this document is going to explore some of those and the way we can proceed in such a situation.

    [This whole tutorial is for learning purposes only and any other unethical use is strongly discouraged]

    35 downloads

    0 comments

    Submitted


×
×
  • Create New...