Reverse Engineering Tutorial

Reverse Engineering
====================

Engineering: to manufacture a product. It has two directions:
- Forward Engineering
- Reverse Engineering

Forward Engineering
====================
To take raw material and make a fully working product.
Engineer a car:
- Tyre
- Engine
- Seats

Reverse Engineering
=====================
We get the car, dismantle it, and take the juicy stuff out of it.
Applied to software and products:
- CD keys
- Registration IDs
- Converting demo software into fully working software

Eg.

Install the game on the computer -> copy the crack/patch and paste it where the game is installed -> Patching

Conditional Branching
=====================
1. CMP -> Compare two operands (sets the flags, result is discarded)
2. JMP -> Jump unconditionally to a certain memory address
3. JZ  -> Jump if the result is zero (ZF set) to a certain memory location
4. JNZ -> Jump if the result is non-zero (ZF clear)
5. JE  -> Jump if the compared operands are equal (same condition as JZ)
6. JNE -> Jump if the compared operands are not equal (same condition as JNZ)

Assembly Language Basics
=========================
1. ADD
   add eax, ebx    ; eax = eax + ebx
   add eax, 45     ; eax = eax + 45
2. MUL
3. SUB
4. DIV
5. PUSH -> Places data on top of the stack
6. POP  -> Removes the topmost item from the stack

Reverse Engineering via Algorithm Reversing
===========================================
We are going to make some changes to the application's algorithm and make it work the way we want it to.
The application shows: "Please enter the serial key to make it a full version."

OllyDbg: http://www.ollydbg.de/download.htm

Walkthrough:
- We enter something
- The error message comes up
- We search for it in the algorithm
- We make the algorithm jump

1. Custom Based Application : Small application in C programming Language
2. BPK Keylogger Detector
3. POWER ISO

Requirements
============
1. Debugger – OllyDBG, Immunity Debugger
http://www.immunityinc.com/products/debugger/
Linux – GDB
2. OS : Windows 7 ultimate, XP(any service pack)
3. Vulnerable applications

1. Custom Based Application Cracking
====================================

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>   /* getch() is Windows-only; use getchar() on other systems */

int main()
{
    int key, inp;
    key = 112233;                       /* the hard-coded "correct" CD key */
    printf("Please Enter the CD-KEY for continue\n");
    if (scanf("%d", &inp) != 1)         /* non-numeric input would leave inp uninitialised */
        inp = 0;
    if (key == inp)                     /* compiles to CMP followed by a conditional jump */
    {
        printf("Successfully Registered....\nYou can continue with the full version\n");
    }
    else
    {
        printf("Invalid Key\n");
    }
    getch();                            /* keep the console window open */
    return 0;
}

C to exe converter: http://www.onlinecompiler.net/

Convert this into an .exe via an online converter.
—————————————————————————–

Steps to Reverse Engineer :

004012E8 |. C70424 2C30400>MOV DWORD PTR SS:[ESP],reee.0040302C ; |ASCII “Successfully Registered….
You can continue with the full version

JMP 004012E8

2. BPK Keylogger Detector
=========================

Download Link : https://ufile.io/q9xgl

—————————
Registration error
—————————
Registration code or user name is invalid. Please check all fields and try again!
—————————
OK
—————————

Success message:
004049A5 |. 68 504B4900 PUSH antispy.00494B50 ; |Text = “Registration succeeded. Thank you for choosing Keylogger Detector!”

Copy the address

JMP 004049A5

————————————————————————————

3. Power ISO
============
Download Link : https://www.filehorse.com/download-poweriso-32/

—————————
PowerISO
—————————
The username or serial number is invalid.
—————————
OK
—————————

1. Memory Address Register (MAR):
This register holds the address of the memory location the CPU wants to read from or write to. When the CPU wants to store data in memory or read data from memory, it places the address of the required memory location in the MAR.
2. Memory Buffer Register (MBR):
This register holds the data or instruction that was read from, or is to be written to, memory. An instruction placed in this register is transferred to the Instruction Register, while data is transferred to the accumulator or an I/O register. In other words, this register buffers data/instructions coming from memory or going to memory.
3. Flag Register:
The flag register indicates that a certain condition occurred during an operation of the CPU. It is a special-purpose register of one or two bytes. Each bit of the flag register is a flag (or alarm), and the bit's value records whether the corresponding condition (zero result, carry, sign, overflow, ...) was encountered while executing an instruction. The conditional jumps listed earlier decide on these bits.

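The toy CPU below is an added example, not code from the tutorial, that ties the Conditional Branching and Assembly Language Basics sections to the flag register just described. It models EAX, the C/Z/S/O bits at their real EFLAGS positions, a bounded stack for PUSH/POP, CMP as a SUB whose result is thrown away, and JZ/JE and JNZ/JNZ reading only ZF while JMP ignores the flags. key_check lowers the tutorial's if (key == inp) into CMP + JNE, which is exactly the one-bit gate the later walkthroughs patch. The function names, the 16-slot stack and the fact that only four flags are modelled are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy 32-bit CPU: accumulator, flag register, small stack. Only the C, Z,
 * S and O flags are modelled; bit positions match the real x86 EFLAGS. */
#define FLAG_C (1u << 0)   /* carry (ADD) or borrow (SUB/CMP) */
#define FLAG_Z (1u << 6)   /* result was zero */
#define FLAG_S (1u << 7)   /* result has the top bit set (negative) */
#define FLAG_O (1u << 11)  /* signed overflow */
#define STACK_SLOTS 16     /* assumed size for this example */

typedef struct {
    uint32_t eax;
    uint32_t eflags;
    uint32_t stack[STACK_SLOTS];
    int sp;                /* number of values currently on the stack */
} cpu_t;

/* Flags left behind by ADD (is_sub == false) or SUB/CMP (is_sub == true). */
static uint32_t flags_for(uint32_t dst, uint32_t src, uint32_t result, bool is_sub)
{
    uint32_t f = 0;
    if (result == 0)          f |= FLAG_Z;
    if (result & 0x80000000u) f |= FLAG_S;
    if (is_sub) {
        if (dst < src)        f |= FLAG_C;                          /* borrow needed */
        if ((dst ^ src) & (dst ^ result) & 0x80000000u)  f |= FLAG_O;
    } else {
        if (result < dst)     f |= FLAG_C;                          /* carry out of bit 31 */
        if (~(dst ^ src) & (dst ^ result) & 0x80000000u) f |= FLAG_O;
    }
    return f;
}

/* ADD EAX, src */
static void op_add(cpu_t *c, uint32_t src)
{
    uint32_t r = c->eax + src;
    c->eflags = flags_for(c->eax, src, r, false);
    c->eax = r;
}

/* SUB EAX, src */
static void op_sub(cpu_t *c, uint32_t src)
{
    uint32_t r = c->eax - src;
    c->eflags = flags_for(c->eax, src, r, true);
    c->eax = r;
}

/* CMP EAX, src: a SUB whose result is discarded; only the flags change. */
static void op_cmp(cpu_t *c, uint32_t src)
{
    c->eflags = flags_for(c->eax, src, c->eax - src, true);
}

/* PUSH value / POP into *out; both refuse instead of running off the array. */
static bool op_push(cpu_t *c, uint32_t value)
{
    if (c->sp >= STACK_SLOTS) return false;   /* stack full */
    c->stack[c->sp++] = value;
    return true;
}

static bool op_pop(cpu_t *c, uint32_t *out)
{
    if (c->sp == 0) return false;             /* stack empty */
    *out = c->stack[--c->sp];
    return true;
}

typedef enum { JMP, JZ, JNZ, JE, JNE } jcc_t;

/* Is the jump taken under the current flags? JE/JZ and JNE/JNZ are the
 * same opcodes and look only at ZF; JMP never consults the flags. */
static bool jump_taken(const cpu_t *c, jcc_t j)
{
    bool zf = (c->eflags & FLAG_Z) != 0;
    switch (j) {
    case JMP:           return true;
    case JZ:  case JE:  return zf;
    case JNZ: case JNE: return !zf;
    }
    return false;
}

/* The tutorial's if (key == inp) the way a compiler lowers it: CMP, then
 * JNE to the "Invalid Key" path. Returns 1 when the key is accepted. */
static int key_check(uint32_t key, uint32_t inp)
{
    cpu_t c = {0};
    c.eax = inp;
    op_cmp(&c, key);
    return jump_taken(&c, JNE) ? 0 : 1;
}

int main(void)
{
    cpu_t c = {0};
    c.eax = 0xFFFFFFFFu;
    op_add(&c, 1);
    printf("add: eax=%08X Z=%d C=%d\n", c.eax,
           !!(c.eflags & FLAG_Z), !!(c.eflags & FLAG_C));
    printf("key_check(112233, 112233)=%d key_check(112233, 1)=%d\n",
           key_check(112233, 112233), key_check(112233, 1));
    return 0;
}
```

Note how little separates the two outcomes of key_check: after CMP the whole decision is one bit (ZF) consumed by one conditional jump. That is why a licence check built from a single compare-and-branch is fragile, and why the defensive counterpart (below, under the SMAC example) has to verify that the code bytes themselves are unchanged.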

Session 5
=========
Reverse Engineering via File Manipulation
—————————————–
1. BPK Key Logger Detector
————————–
Registration error
—————————
Registration code or user name is invalid. Please check all fields and try again!
—————————
OK
—————————

EAX 0018EB1C ASCII “QEDSGMLEFPFDGTPM”
ECX 0018EB2B
EDX 0000004D
EBX 00000001
ESP 0018EB0C
EBP 0018EB78
ESI 763B2B7A kernel32.lstrcatA
EDI 0017016A
EIP 00404994 antispy.00404994
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty -??? FFFF 00000066 00660066
ST1 empty -??? FFFF 00000000 00083600
ST2 empty -??? FFFF 00000000 00010000
ST3 empty 555.99998757243156440
ST4 empty 27.999993383884429930
ST5 empty 0.0
ST6 empty 16.000000000000000000
ST7 empty 16.000000000000000000
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

EAX 0018EB1C ASCII ”

ECX 0018EB2B
EDX 00000041
EBX 00000001
ESP 0018EB0C
EBP 0018EB78
ESI 763B2B7A kernel32.lstrcatA
EDI 00180144
EIP 00404994 antispy.00404994
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty -??? FFFF 00000066 00660066
ST1 empty -??? FFFF 00000000 00083600
ST2 empty -??? FFFF 00000000 00010000
ST3 empty 1266.9999716803431510
ST4 empty 1.0000000000000000000
ST5 empty 1.0000000000000000000
ST6 empty 16.000000000000000000
ST7 empty 16.000000000000000000
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

Username –> Vinayak
Key –> QEDSGMLEFPFDGTPM

username –> lucifer
key –> BBRKDIEHABNGCKOA

2. SMAC 2.0
———————

—————————
SMAC 2.0
—————————
Invalid Registration ID.
—————————
OK
—————————
Invalid Registration ID entered.

Text strings referenced in SMAC:.text, item 5105
Address=0048BCF6
Disassembly=PUSH SMAC.00438AB8
Text string=UNICODE “-375M-3932-563F-4967”

SMC2U-375M-3932-563F-4967

—————————
SMAC 2.0
—————————
Invalid Registration ID entered.
—————————
OK
—————————

004874EF . C785 58FFFFFF >MOV DWORD PTR SS:[EBP-A8],SMAC.00438A48 ; UNICODE “This product has been successfully registered.”

JMP 004874EF

—————————
SMAC 2.0
—————————
This product has been modified and will shutdown.
—————————
OK
—————————
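The "modified and will shutdown" dialog above is what a self-integrity check looks like from the outside. The following is an added illustration of that mechanism, not code from SMAC, the tutorial or any other product: a reference hash of the code bytes is recorded at build time, the live bytes are re-hashed at start-up, and a mismatch refuses to run. The five code bytes are constructed for the example (what a compiler could emit for the tutorial's if (key == inp), not copied from any real binary), and FNV-1a, the function names and the exit codes are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* 32-bit FNV-1a. Small and fast, good enough to catch a byte-level edit,
 * but NOT collision-resistant: a shipping product would use a cryptographic
 * hash or, better, a signature checked outside the patched image. */
static uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Constructed sample of machine code for the tutorial's if (key == inp):
 *   3B 45 F8   CMP EAX, DWORD PTR [EBP-8]
 *   75 0C      JNE +0x0C            ; to the "Invalid Key" path
 * Hypothetical bytes for this example only. */
static const uint8_t PRISTINE_CHECK[] = { 0x3B, 0x45, 0xF8, 0x75, 0x0C };
#define CHECK_LEN (sizeof PRISTINE_CHECK)

/* Build-time reference. In a real product this is computed from the release
 * image and stored where the start-up code can read it. */
static uint32_t reference_hash(void)
{
    return fnv1a32(PRISTINE_CHECK, CHECK_LEN);
}

/* Run-time check: re-hash the live code region and compare. */
static bool code_intact(const uint8_t *code, size_t len, uint32_t expected)
{
    return fnv1a32(code, len) == expected;
}

/* The decision behind the dialog box: 0 = run normally, 1 = refuse to run. */
static int startup_gate(const uint8_t *code, size_t len)
{
    if (!code_intact(code, len, reference_hash())) {
        puts("This product has been modified and will shutdown.");
        return 1;
    }
    return 0;
}

/* A tampered copy in which the conditional jump became an unconditional one
 * (JNE 0x75 -> JMP 0xEB), the single-byte change the tutorial's JMP patches
 * amount to. Built only to exercise the detector. */
static void tampered_copy(uint8_t out[CHECK_LEN])
{
    memcpy(out, PRISTINE_CHECK, CHECK_LEN);
    out[3] = 0xEB;
}

int main(void)
{
    uint8_t patched[CHECK_LEN];
    tampered_copy(patched);
    printf("pristine image -> %d\n", startup_gate(PRISTINE_CHECK, CHECK_LEN));
    printf("patched image  -> %d\n", startup_gate(patched, CHECK_LEN));
    return 0;
}
```

The caveat for anyone designing such a check: a reference hash stored inside the same binary, compared by code inside the same binary, can be updated or skipped together with the code it protects, which is why the dialog's existence does not stop the tutorial's method. Stronger designs keep the verifier out of reach of the thing it verifies (OS-level code signing at load time, a server-side check of the image hash, or hardware-backed attestation of what was actually loaded).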

https://challenges.re/