Reverse Engineering | Chapter 1
Posted 02-16-2018 - 02:36 PM by IcyJake
#1
What Reverse Engineering is:


Reverse Engineering is theoretically the practice of analyzing a program, either in whole or in part, to extract design and/or implementation information. Let me provide a quick scenario for you guys to help you understand in other terms. Let's say that you had some kind of software module that has worked for a long time and it contained important stuff inside of the program's code itself that you really needed, but you lost the source code that contained the important stuff that you needed. Well, if you had the program itself, you could just Reverse Engineer the program and it would help to retrieve that important stuff that you needed. I hope that you guys understood that because I am horrible at explaining stuff like that, lol.

My goal with this thread is to assist you guys with performing some basic Reverse Engineering. I also want to evaluate different methods/tools for Reverse Engineering and see what you guys can do with the knowledge of a reversed program. Also, I'm going to be focusing this on the BASICS of Reverse Engineering, but you guys will still get the general gist of it. In a nutshell, Reverse Engineers work on complex problems like integrating software with proprietary protocols and code. They also are often tasked with looking through the unknown of new products released by competitors.



Tools:


Debugger - A debugger is a program that connects to and controls other programs. A debugger allows single stepping of code, debug tracing, setting breakpoints, and viewing variables and memory state in the target program as it executes in a way that is easy to understand because it goes through different stages instead of being continuous and sloppy.

Fault injection tools - One class of fault injection tools are tools that can supply malformed or clumsily formatted input to a target software process to cause failures. Program failures can be analyzed to determine whether errors are present in the target software. Some failures have security connotations, such as failures that allow an attacker to be granted access to the host computer or network.

Disassembler - A disassembler is a tool that converts code that machines can read into assembly language. Assembly language is machine code that humans can read. (Well, more human readable than a string of bits anyway).

Decompiler - A decompiler is a tool that converts assembly (or the code that I said is more 'human-readable') or machine code into source code in a higher level language such as C. Decompilers also can be used to transform intermediate languages such as Java byte code and Microsoft Common Runtime Language (otherwise known as 'CLR') into source code such as Java.



Problems you might run into:


Obfuscated or encrypted code - Something that a developer might do to protect his/her code is obfuscating it. Code obfuscation is something that a developer might do, which is coming up with a number of techniques for making their code harder to reverse. These include changing the structure of the program, its logic, data, and layout without changing its functionality or how the program works. This can be done either manually, by renaming functions and variables or making disconcerting function calls (which is not very secure and can easily be reversed), or automatically, by using an obfuscation/encryption tool or program.

Optimized code - When a program is written in a high-level or professional language, like C++, the programmer/developer a large majority of the time goes through a lot of effort to structure and organize the program source code. They might have their code put into classes and structs, with very well thought-out variable names and extensive documentation. Function names are selected with great care, so that way, you will know what the different functions really do, even if you did not write them yourself or know how they were written.



Pointers:


Pointers are practically variables, but the difference is that pointers don't explicitly store a value, but instead an address in the memory. They can become a problem for reversers when they are used extensively and in chains (pointer pointing to a pointer, pointing to a pointer, etc.). The reason is that a value can reside at a location in memory, but when the value is edited or changed, it is pretty much instantly overwritten (or even ignored) because the real information was stored at a pointer at a completely different place. It also brings a problem for when you want to use the memory addresses within a trainer software, since the base pointer has the possibility of changing its address, which results in the data being stored at different places in the memory at different launches, even related to the base address of the program.



Solution approaches:


Most of these approaches aren't found in our literature, hence no sources are provided. Instead, we had to find these solutions by experimenting and trial and error, in many cases with guidance from our literature, others just by using the functions provided by the tool, and in all by using our knowledge about software engineering and problem solving; and our common sense.



Already known data:


When you want to reverse a popular or well-known software or a program which is built upon a well-known company or platform, you don't have to do all the work alone most of the time. Even if the structure of programs like, for example, popular games and/or OSes can be very complex, most of the time there are sources available from people who have found bits and pieces of the code and made them available publicly. This can include the structure of object management, key memory locations in the program, or little bits of the engine that can be used and/or modified.
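The pointer-chain problem described in the "Pointers" section above, as an added C example that is not from the post and not taken from any real game or trainer: the object graph (`Game`, `Player`, `Stats`), the `resolve_chain` helper and the `setup_game`/`read_health` functions are all constructed here to show why a chain expressed as offsets from a static base keeps working while the absolute heap and module addresses change from launch to launch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed object graph: global table -> heap Player -> heap Stats. */
typedef struct { int32_t health; int32_t ammo; } Stats;
typedef struct { char name[16]; Stats *stats; } Player;
typedef struct { uint32_t version; Player *player; } Game;
/* "Static base": its absolute address moves with the module under ASLR,
 * but its offset from the module's load address stays fixed. */
static Game g_game;

/* Hypothetical helper: follows [[base+off0]+off1]+off2 and returns the
 * value's address. Every hop but the last is dereferenced; a NULL link
 * anywhere in the chain makes the whole lookup fail. */
static void *resolve_chain(uintptr_t base, const size_t *offs, size_t n) {
    uintptr_t addr = base;
    for (size_t i = 0; i < n; i++) {
        addr += offs[i];
        if (i + 1 == n) break;                    /* value lives at addr */
        uintptr_t next;
        memcpy(&next, (void *)addr, sizeof next); /* read the pointer link */
        if (next == 0) return NULL;
        addr = next;
    }
    return (void *)addr;
}
/* The chain is expressed as struct offsets only, never absolute addresses. */
static const size_t HEALTH_CHAIN[] = {
    offsetof(Game, player), offsetof(Player, stats), offsetof(Stats, health)
};
/* Allocate the heap objects; their addresses differ on every launch. */
void setup_game(int32_t health) {
    Player *p = calloc(1, sizeof *p);
    Stats *s = calloc(1, sizeof *s);
    s->health = health;
    p->stats = s;
    g_game.player = p;
}
/* Health read through the chain, or -1 if some link is NULL. */
int32_t read_health(void) {
    int32_t *hp = resolve_chain((uintptr_t)&g_game, HEALTH_CHAIN, 3);
    return hp ? *hp : -1;
}
int main(void) {   /* run it twice: the %p values change, the offsets do not */
    setup_game(100);
    printf("base %p player %p health %d\n", (void *)&g_game, (void *)g_game.player, read_health());
    return 0;
}
```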
#2
Thanks, this really is quite helpful. I've heard of programs like OllyDbg and de4dot, but I never really understood them until I read this.
Do you have any suggestions on software that can be used to reverse engineer? I have no idea where to start with learning to read disassembled code.
#3
(04-05-2019 - 07:55 AM)Simkoo Wrote: Thanks, this really is quite helpful. I've heard of programs like OllyDbg and de4dot, but I never really understood them until I read this.
Do you have any suggestions on software that can be used to reverse engineer? I have no idea where to start with learning to read disassembled code.
https://github.com/wtsxDev/reverse-engineering#books
#4
(04-10-2019 - 04:10 AM)IcyJake Wrote:
(04-05-2019 - 07:55 AM)Simkoo Wrote: Thanks, this really is quite helpful. I've heard of programs like OllyDbg and de4dot, but I never really understood them until I read this.
Do you have any suggestions on software that can be used to reverse engineer? I have no idea where to start with learning to read disassembled code.
https://github.com/wtsxDev/reverse-engineering#books

Thanks! One of the most useful links I've seen in a while
#5
(04-17-2019 - 04:38 AM)Simkoo Wrote:
(04-10-2019 - 04:10 AM)IcyJake Wrote:
(04-05-2019 - 07:55 AM)Simkoo Wrote: Thanks, this really is quite helpful. I've heard of programs like OllyDbg and de4dot, but I never really understood them until I read this.
Do you have any suggestions on software that can be used to reverse engineer? I have no idea where to start with learning to read disassembled code.
https://github.com/wtsxDev/reverse-engineering#books

Thanks! One of the most useful links I've seen in a while

No problem, homie.