Reverse Engineering - Lecture 2 , By Ahmed Sherif
Slide 1: Reverse Engineering Course
IS | Reverse Engineering
Lec 2
Slide 2: Stack Memory
Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out manner.
Every process has at least one thread, and every thread has its own stack.
Slide 3: Stack Memory
Slide 4: Heap Memory
The heap is memory space that can be allocated by a process when it needs more memory.
Each process has one heap and it is shared among the different threads: all the threads share the same heap.
Slide 5: Pointer Registers
EBP - base pointer. The base is the beginning of a stack frame: EBP points to the beginning of the function's stack frame.
ESP - stack pointer. ESP always points to the top of the stack.
EIP - instruction pointer. EIP holds the address of the next instruction to be executed.
Slide 6: Segment Registers
Segmentation involves composing a memory address from two parts, a segment and an offset. The segment points to the beginning of a 64 KB group of addresses, and the offset determines how far from this beginning address the desired address is.
Slide 7: Segment Registers
CS → Code segment
DS → Data segment
SS → Stack segment
ES → Extra segment
FS → Extra segment
Example (segment:offset form):
    mov eax, DS:offset mystring
Slide 8: Flags
OF: Overflow Flag: indicates an overflow when set.
DF: Direction Flag: used by string operations to determine the direction they move in.
SF: Sign Flag: if set, the result of the calculation is negative.
ZF: Zero Flag: if set, the result of the calculation is zero.
CF: Carry Flag: indicates that an arithmetic carry or borrow has been generated out of the most significant ALU bit position.
Slide 9: Instructions - Arithmetic operations
ADD:
    add dest, src
Examples:
    add eax, ebx     ; both dest and src are registers
    add [esp], eax   ; dest is a memory reference to the top of the stack
    add eax, 4       ; src is an immediate value
Slide 10: Instructions - Arithmetic operations
SUB:
    sub dest, src
DIV:
    mov eax, 65      ; move the dividend into eax
    xor edx, edx     ; div divides the 64-bit value edx:eax, so edx must be cleared first
    mov ecx, 4       ; move the divisor into ecx
    div ecx
Result:
    eax : 16 (quotient)
    edx : 1 (remainder)
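Added example, not from the lecture: a small model of `div r/m32` showing that the dividend is the 64-bit pair EDX:EAX, which is why the slide's result depends on EDX being zero, and which register states raise the #DE fault.

```python
# Added example, not from the lecture: DIV r/m32 divides the 64-bit value held in
# EDX:EAX, not just EAX, and raises the #DE fault for a zero divisor or a quotient
# that does not fit in EAX. The slide's mov eax,65 / mov ecx,4 / div ecx therefore
# gives EAX=16, EDX=1 only when EDX is already zero.

MASK32 = 0xFFFFFFFF

class DivideError(Exception):
    """Models the #DE fault the CPU raises on a bad DIV."""

def div32(eax, edx, divisor):
    """Return (eax, edx) after `div r/m32` for the given register state."""
    divisor &= MASK32
    if divisor == 0:
        raise DivideError("divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    quotient, remainder = divmod(dividend, divisor)
    if quotient > MASK32:
        raise DivideError("quotient does not fit in EAX")
    return quotient, remainder              # eax = quotient, edx = remainder

def div_example(edx_before=0):
    """mov eax, 65 ; mov ecx, 4 ; div ecx -- with whatever EDX held before."""
    return div32(65, edx_before, 4)

def faults(eax, edx, divisor):
    """True if `div` with this register state would raise #DE."""
    try:
        div32(eax, edx, divisor)
    except DivideError:
        return True
    return False
```

A stale value of 1 in EDX turns the slide's 65 / 4 into (2^32 + 65) / 4, which is why compilers emit `xor edx, edx` (or `cdq` for signed `idiv`) right before the divide.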
Slide 11: Instructions - Arithmetic operations
MUL:
    mul src          ; single-operand form: edx:eax = eax * src (the two-operand form belongs to imul)
Slide 12: Instructions - Bitwise operations
AND, syntax: and dest, src
OR, syntax: or dest, src
XOR, syntax: xor dest, src
NOT, syntax: not eax
Example:
    Value1 = 10011011
    Value2 = 11001001
Output:
    AND -> 10001001
    OR  -> 11011011
    XOR -> 01010010
Slide 13: Instructions - Branching
JZ : jump if result = 0
JNZ : jump if result doesn't equal 0
JE : jump if equal (the result of the compare is zero)
JNE : jump if not equal (the result of the compare is not zero)
Example:
    cmp bl, 3
    je label2
    mov dx, 4
    jmp label3
label2:
    mov bl, 7
label3:
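Added example, not from the lecture: a model of how ADD and SUB/CMP set the OF, SF, ZF and CF flags described on the Flags slide, and how JZ/JE and JNZ/JNE read ZF; `slide_example` traces the `cmp bl, 3` snippet above for a given BL.

```python
# Added example, not from the lecture: a model of how ADD and SUB/CMP set the
# OF, SF, ZF and CF flags, and how JZ/JE and JNZ/JNE read ZF.
# `width` selects the operand size, so CMP BL,3 is modelled with width=8.

def alu(op, a, b, width=32):
    """Run ADD, SUB or CMP on unsigned `width`-bit operands.

    Returns (result, flags). CMP computes SUB but leaves dest unchanged.
    """
    mask = (1 << width) - 1
    sign = 1 << (width - 1)
    a &= mask
    b &= mask
    if op == "add":
        full = a + b
        cf = full > mask                            # carry out of the top bit
        res = full & mask
        of = ((a ^ res) & (b ^ res) & sign) != 0    # same-sign inputs, other-sign result
    elif op in ("sub", "cmp"):
        cf = a < b                                  # a borrow was needed
        res = (a - b) & mask
        of = ((a ^ b) & (a ^ res) & sign) != 0      # inputs differ, result sign flipped
    else:
        raise ValueError("unsupported op: " + op)
    flags = {"OF": of, "SF": bool(res & sign), "ZF": res == 0, "CF": cf}
    return (a if op == "cmp" else res), flags

# Condition each conditional jump tests; JE/JNE are aliases of JZ/JNZ.
JUMP_TAKEN = {
    "jz": lambda f: f["ZF"], "je": lambda f: f["ZF"],
    "jnz": lambda f: not f["ZF"], "jne": lambda f: not f["ZF"],
}

def slide_example(bl):
    """Trace the slide's snippet for a given BL and return (bl, dx) afterwards."""
    dx = None
    _, f = alu("cmp", bl, 3, width=8)      # cmp bl, 3
    if JUMP_TAKEN["je"](f):                # je label2
        bl = 7                             # label2: mov bl, 7
    else:
        dx = 4                             # mov dx, 4 ; jmp label3
    return bl, dx                          # label3:
```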
Slide 14: Instructions - Data moving
MOV syntax:   mov dest, src
MOVZX syntax: movzx dest, src
Both source and destination can be a register or a memory reference.
Warning: both can't be memory references at the same time.
    lea eax, dword ptr [eax+ecx]   ; loads the address eax+ecx into eax without reading memory
Slide 15: Instructions - Loops
    mov ecx, 5       ; remember ecx stands for extended counter register
_proc:
    ; body of the loop goes here; no explicit dec ecx is needed,
    ; because loop decrements ecx itself
    loop _proc       ; ecx = ecx - 1, then jump back to _proc if ecx != 0
Slide 16: Instructions - Stack management
POP:  pop dest
PUSH: push value/reg
Slide 17: Hands-on - From C to Assembly
    if (var == 0)
    {
        anyFunction();
    }
    // AfterCondition
becomes:
    mov eax, [var]
    test eax, eax          ; sets ZF when var == 0
    jnz AfterCondition
    call anyFunction
AfterCondition:
Slide 18: Hands-on - From C to Assembly
    if (var == 7)
        function();
    else
        anotherFunction();
becomes:
    cmp dword ptr [var], 7
    jnz ElseBlock          ; var != 7: take the else branch
    call function
    jmp AfterConditionalBlock
ElseBlock:
    call anotherFunction
AfterConditionalBlock:
Slide 19: Hands-on - From C to Assembly
    if (var1 == 100 && var2 == 50)
        yes;
becomes:
    cmp dword ptr [var1], 100
    jne AfterCondition     ; first test fails: skip the rest (short-circuit)
    cmp dword ptr [var2], 50
    jne AfterCondition
    yes                    ; code for the "yes" branch
AfterCondition:
Slide 20: Hands-on - From C to Assembly
    function(int x, char y);
becomes:
    mov eax, y
    push eax               ; arguments are pushed right to left: y first
    mov eax, x
    push eax               ; then x, so x ends up nearest the top of the stack
    call function
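Added example, not from the lecture: a byte-addressed model of the 32-bit stack that runs the push/call sequence above followed by the usual `push ebp; mov ebp, esp` prologue, and reports where the callee then finds the return address, x and y. The initial ESP and the return address are constructed values.

```python
# Added example, not from the lecture: a model of the 32-bit stack showing what
# the PUSH/CALL sequence and a standard prologue do to ESP and EBP, and where the
# callee then finds x and y. Assumes the stack grows toward lower addresses,
# 4-byte slots, and constructed values for the initial ESP and return address.

STACK_TOP = 0x7FFF0000       # constructed initial ESP
RETURN_ADDRESS = 0x00401234  # constructed address of the instruction after `call`

class Stack32:
    def __init__(self):
        self.mem = {}        # address -> dword
        self.esp = STACK_TOP
        self.ebp = 0

    def push(self, value):
        self.esp -= 4                      # push: esp = esp - 4, then store
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem.pop(self.esp)     # pop: load, then esp = esp + 4
        self.esp += 4
        return value

    def call(self, return_address):
        self.push(return_address)          # call pushes the return EIP

    def prologue(self):
        self.push(self.ebp)                # push ebp
        self.ebp = self.esp                # mov ebp, esp

    def leave_and_ret(self):
        self.esp = self.ebp                # mov esp, ebp
        self.ebp = self.pop()              # pop ebp
        return self.pop()                  # ret pops the return address into EIP

def call_function(x, y):
    """Model `function(int x, char y)` being called; return the callee's view."""
    st = Stack32()
    st.push(y)                             # mov eax, y / push eax  (rightmost first)
    st.push(x)                             # mov eax, x / push eax
    st.call(RETURN_ADDRESS)                # call function
    st.prologue()
    view = {                               # what the callee sees after the prologue
        "[ebp+4]": st.mem[st.ebp + 4],     # return address
        "[ebp+8]": st.mem[st.ebp + 8],     # x, the first argument
        "[ebp+12]": st.mem[st.ebp + 12],   # y, the second argument
    }
    eip = st.leave_and_ret()
    return view, eip, st.esp               # esp still holds the 8 bytes of arguments
```

After `ret` the two argument slots are still on the stack; with cdecl the caller removes them (`add esp, 8`), with stdcall the callee does it via `ret 8`.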
Slide 21: MS-DOS Assembly - Hello World Example
    jmp 010E               ; skip over the 12 string bytes at 0102-010D (offsets assume a .COM program loaded at 0100)
    db "Hello world$"      ; DOS print-string data ends with '$'
    mov dx, 0102           ; ds:dx -> the string
    mov ah, 9              ; int 21h function 09h: print string
    int 21
    int 20                 ; terminate the program
Slide 22: MS-DOS Assembly - Current System Time
    mov ah, 2C             ; int 21h function 2Ch: get system time (CH:CL = hours:minutes, DH:DL = seconds:hundredths)
    int 21
    int 20
Slide 23: MS-DOS Assembly - Current DOS Version
    mov ah, 30             ; int 21h function 30h: get DOS version (AL = major, AH = minor)
    int 21
    int 20
Slide 24: Assignments
Try some interrupts with the site below:
http://spike.scu.edu.au/~barry/interrupts.html