Transcription of Lecture 1: Introduction to Reverse Engineering
Fotis Fotopoulos, Boston, 2001

Table of Contents

1. Introduction .. 5
  About the Course and Notes .. 5
  Definitions .. 5
  Typical Examples .. 6
  Hacking .. 7
  Hiding Information from Public .. 7
  Cell Phones .. 10
  Computer Applications .. 10
  Requirements .. 12
  Scope .. 13
  Ethics .. 13
  Miscellaneous Information .. 14
2. Programming Processors .. 16
  Programming Languages .. 16
  Processor Arithmetic .. 18
  Memory Structure .. 22
  Unicode Strings .. 24
  Pointers .. 24
3. Windows Anatomy .. 26
  Windows .. 26
  File System .. 27
  File Anatomy .. 28
  File .. 29
  Into PE Format .. 31
  The PE Header .. 34
  Section Table .. 43
  Commonly Encountered Sections .. 51
  PE File Imports .. 59
  PE File Exports .. 62
4. Basic Concepts of .. 67
  Flag .. 70
  Memory .. 71
  Interrupts .. 74
5. Assembly Commands .. 76
  CMP: Compare Two Operands .. 76
    Opcode Instruction Description .. 77
  Jcc: Jump if Condition Is Met .. 77
    Opcode Instruction Description .. 79
  PUSH: Push Word or Doubleword Onto the Stack .. 81
    Opcode Instruction Description .. 83
  POP: Pop a Value from the Stack .. 84
    Opcode Instruction Description .. 88
  AND: Logical AND .. 88
    Operation and Example .. 88
    Opcode Instruction Description .. 89
  NOT: One's Complement Negation .. 90
    Operation and Example .. 90
    Opcode Instruction Description .. 90
  OR: Logical Inclusive OR .. 91
    Operation and Example .. 91
    Opcode Instruction Description .. 92
  XOR: Logical Exclusive OR .. 92
    Operation and Example .. 92
    Opcode Instruction Description .. 93
  Other instructions .. 94
  CALL: Call .. 94
  ADD .. 99
  SUB .. 99
  MUL: Unsigned .. 99
  DIV: Unsigned Divide .. 100
  MOV: Move .. 100
6. SoftIce for Windows .. 103
  Installing SoftIce .. 103
  Configuring SoftIce .. 105
  Resizing .. 105
  Other Useful Settings .. 107
  SoftIce Window .. 107
  Breakpoints .. 109
  Useful Functions .. 112
  Navigation in .. 112
7. Hackman Editor .. 114
  String Manipulation .. 114
  Version Stamp .. 116
  Date Stamp .. 117
  Icon .. 118
  Other Tools .. 119
Chapter 1: Introduction to Reverse Engineering

1. Introduction

About the Course and Notes

The sole purpose of these lecture notes is to provide an aid to the high school students attending the HSSP course C-01B, Reverse Engineering in Computer Applications, taught during Spring 2001 at the Massachusetts Institute of Technology. The information presented here is on an as-is basis, and the author cannot possibly be held liable for damages caused or initiated using methods or techniques described (or mentioned) in these notes.
The reader should make sure to obey copyright laws and international treaties. No responsibility is claimed regarding the reliability and accuracy of the material discussed throughout the lectures.

Definitions

A programming language is a notation in which we write programs so that, through a compiler or interpreter, they can be understood and executed by a computer. An application is any compiled program that has been composed with the aid of a programming language. Reverse Engineering (RE) is the decompilation of an application, regardless of the programming language that was used to create it, so that one can recover its source code or any part of it. In practice what one recovers is usually the program's logic at the level of machine instructions (a disassembly) rather than the original source text, since decompilation rarely reproduces the latter exactly.
The reverse engineer can re-use this code in his own programs or modify an existing (already compiled) program to perform in other ways. He can use the knowledge gained from RE to correct defects in application programs, also known as bugs. But most important is that one can get extremely useful ideas by observing how other programmers work and think, and thus improve one's own skills and knowledge!

Here are just a few reasons that RE exists nowadays and why its usage is increasing each year:

- Personal education
- Understand and work around (or fix) limitations and defects in tools
- Understand and work around (or fix) defects in third-party products
- Make a product compatible with (able to work with) another product
- Make a product compatible with (able to share data with) another product
- Learn the principles that guided a competitor's design
- Determine whether another company stole and reused some of your source code
- Determine whether a product is capable of living up to its advertised claims

Not all of these actions can be considered legal. Hence, extreme caution must be taken not to violate any copyright laws or other treaties. Usually each product comes with a copyright notice or license agreement that states what the user is permitted to do with it.
Typical Examples

What comes to mind when we hear RE is cracking. Cracking is as old as programs themselves. To crack a program means to trace the serial number, or any other sort of registration information, required for the proper operation of the program, and either to supply a valid value or to bypass the check that demands it. Therefore, if a shareware program (freely distributed, but with some inconveniences, like crippled functions, nag screens or limited capabilities) requires valid registration information, a reverse engineer can provide that information by decompiling only the particular part of the program that verifies it.
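The registration check described above, as an added example that is not part of the original lecture notes: a constructed, hypothetical shareware-style check written in C, in which the serial must equal a short hash of the user name. Nothing here is taken from a real product; the hash, its seed and the sample names are assumptions made for illustration. check_serial is the routine the vendor compiles into the program (in a disassembly it appears as a loop over the name followed by a compare and a conditional jump), and keygen shows what the reverse engineer obtains once that single routine is understood: because the serial is a pure function of the name, the check can simply be run forward to produce a valid serial, without modifying the program at all.

```c
/* Added example, not from the original lecture notes: a constructed
 * shareware-style registration check. The hash, its seed and the sample
 * names are hypothetical. Build: cc -std=c99 -Wall serial.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The vendor's (hypothetical) serial scheme: a 32-bit hash of the user name.
 * In a disassembly this is the loop a reverse engineer would trace. */
static uint32_t name_hash(const char *name)
{
    uint32_t h = 0x1234u;                                   /* constructed seed */
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++)
        h = (h * 31u) ^ (uint32_t)*p;
    return h;
}

/* The check compiled into the program: returns 1 if the serial is the
 * decimal form of the name's hash (the compare the program branches on),
 * and 0 otherwise. */
int check_serial(const char *name, const char *serial)
{
    char expected[16];                                      /* 10 digits + NUL */
    if (name == NULL || serial == NULL || name[0] == '\0')
        return 0;                                           /* empty name never registers */
    snprintf(expected, sizeof expected, "%010u", (unsigned)name_hash(name));
    return strcmp(expected, serial) == 0;
}

/* What decompiling only check_serial gives the reverse engineer: the serial
 * is a pure function of the name, so it can be generated rather than guessed. */
void keygen(const char *name, char *out, size_t outlen)
{
    snprintf(out, outlen, "%010u", (unsigned)name_hash(name));
}

/* Round trip: generate a serial for a name and run it through the check. */
int keygen_passes_check(const char *name)
{
    char serial[16];
    keygen(name, serial, sizeof serial);
    return check_serial(name, serial);
}

int main(void)
{
    char serial[16];
    keygen("student", serial, sizeof serial);
    printf("name=student serial=%s -> %s\n", serial,
           check_serial("student", serial) ? "registered" : "rejected");
    printf("name=student serial=123 -> %s\n",
           check_serial("student", "123") ? "registered" : "rejected");
    return 0;
}
```

Many real products use checks that cannot be inverted this way (for example a signature over the name that the program verifies with an embedded public key); there the only route left is the other one mentioned above, modifying the compiled program so that the comparison always succeeds, which is why the later chapters spend time on the CMP and Jcc instructions.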
Many times in the past, software corporations have accused others of performing RE on their products and stealing technology and knowledge. RE is not limited to computer applications; the same happens with cars, weapons, hi-fi components, etc. All major software developers have knowledge of RE, and they try to find programmers who are familiar with the concepts that will be taught during this class. Reverse engineers are well paid; sometimes their salaries are double or even more, depending on the skills they have.