Reverse engineering is the process of extracting the knowledge or design blueprints from anything man-made. The concept has been around since long before computers or modern technology, and probably dates back to the days of the industrial revolution. It is very similar to scientific research, in which a researcher is attempting to work out the “blueprint” of the atom or the human mind.
The difference between reverse engineering and conventional scientific research is that with reverse engineering the artifact being investigated is manmade, unlike scientific research where it is a natural phenomenon.
Detail in content
Part I Reversing
Chapter 1 Foundations
What Is Reverse Engineering?
Software Reverse Engineering: Reversing
Reversing Applications
Security-Related Reversing
Malicious Software
Reversing Cryptographic Algorithms
Digital Rights Management
Auditing Program Binaries
Reversing in Software Development
Achieving Interoperability with Proprietary Software
Developing Competing Software
Evaluating Software Quality and Robustness
Low-Level Software
Assembly Language
Compilers
Virtual Machines and Bytecodes
Operating Systems
Contents
The Reversing Process
System-Level Reversing
Code-Level Reversing
The Tools
System-Monitoring Tools
Disassemblers
Debuggers
Decompilers
Is Reversing Legal?
Interoperability
Competition
Copyright Law
Trade Secrets and Patents
The Digital Millenium Copyright Act
DMCACases
License Agreement Considerations
Code Samples & Tools
Conclusion
Chapter 2 Low-Level Software
High-Level Perspectives
Program Structure
Modules
Common Code Constructs
Data Management
Variables
User-Defined Data Structures
Lists
Control Flow
High-Level Languages
C
C++
Java
C#
Low-Level Perspectives
Low-Level Data Management
Registers
The Stack
Heaps
Executable Data Sections
Control Flow
Assembly Language
Registers
Flags
Instruction Format
Basic Instructions
Moving Data
Arithmetic
Comparing Operands
Conditional Branches
Function Calls
Examples
A Primer on Compilers and Compilation
Defining a Compiler
Compiler Architecture
Front End
Intermediate Representations
Optimizer
Back End
Listing Files
Specific Compilers
Execution Environments
Software Execution Environments (Virtual Machines)
Bytecodes
Interpreters
Just-in-Time Compilers
Reversing Strategies
Hardware Execution Environments in Modern Processors 63
Intel NetBurst
ops (Micro-Ops)
Pipelines
Branch Prediction
Conclusion
Chapter 3 Windows Fundamentals
Components and Basic Architecture
Brief History
Features
Supported Hardware
Memory Management
Virtual Memory and Paging
Paging
Page Faults
Working Sets
Kernel Memory and User Memory
The Kernel Memory Space
Section Objects
VAD Trees
User-Mode Allocations
Memory Management APIs
Objects and Handles
Named objects
Processes and Threads
Processes
Threads
Context Switching
Synchronization Objects
Process Initialization Sequence
Application Programming Interfaces
The Win32 API
The Native API
System Calling Mechanism
Executable Formats
Basic Concepts
Image Sections
Section Alignment
Dynamically Linked Libraries
Headers
Imports and Exports
Directories
Input and Output
The I/O System
The Win32 Subsystem
Object Management
Structured Exception Handling
Conclusion
Chapter 4 Reversing Tools
Different Reversing Approaches
Offline Code Analysis (Dead-Listing)
Live Code Analysis
Disassemblers
IDA Pro
ILDasm
Debuggers
User-Mode Debuggers
OllyDbg
User Debugging in WinDbg
IDA Pro
PEBrowse Professional Interactive
Kernel-Mode Debuggers
Kernel Debugging in WinDbg
Numega SoftICE
Kernel Debugging on Virtual Machines
Decompilers
System-Monitoring Tools
Patching Tools
Hex Workshop
Miscellaneous Reversing Tools
Executable-Dumping Tools
DUMPBIN
PEView
PEBrowse Professional
Conclusion
Part II Applied Reversing
Chapter 5 Beyond the Documentation
Reversing and Interoperability
Laying the Ground Rules
Locating Undocumented APIs
What Are We Looking For?
Case Study: The Generic Table API in NTDLL.DLL
RtlInitializeGenericTable
RtlNumberGenericTableElements
RtlIsGenericTableEmpty
RtlGetElementGenericTable
Setup and Initialization
Logic and Structure
Search Loop 1
Search Loop 2
Search Loop 3
Search Loop 4
Reconstructing the Source Code
RtlInsertElementGenericTable
RtlLocateNodeGenericTable
RtlRealInsertElementWorker
Splay Trees
RtlLookupElementGenericTable
RtlDeleteElementGenericTable
Putting the Pieces Together
Conclusion
Chapter 6 Deciphering File Formats
Cryptex
Using Cryptex
Reversing Cryptex
The Password Verification Process
Catching the Bad Password Message
The Password Transformation Algorithm
Hashing the Password
The Directory Layout
Analyzing the Directory Processing Code
Analyzing a File Entry
Dumping the Directory Layout
The File Extraction Process
Scanning the File List
Decrypting the File
The Floating-Point Sequence
The Decryption Loop
Verifying the Hash Value
The Big Picture
Digging Deeper
Conclusion
Chapter 7 Auditing Program Binaries
Defining the Problem
Vulnerabilities
Stack Overflows
A Simple Stack Vulnerability
Intrinsic Implementations
Stack Checking
Nonexecutable Memory
Heap Overflows
String Filters
Integer Overflows
Arithmetic Operations on User-Supplied Integers
Type Conversion Errors
Case-Study: The IIS Indexing Service Vulnerability
CVariableSet::AddExtensionControlBlock
DecodeURLEscapes
Conclusion
Chapter 8 Reversing Malware
Types of Malware
Viruses
Worms
Trojan Horses
Backdoors
Mobile Code
Adware/Spyware
Sticky Software
Future Malware
Information-Stealing Worms
BIOS/Firmware Malware
Uses of Malware
Malware Vulnerability
Polymorphism
Metamorphism
Establishing a Secure Environment
The Backdoor.Hacarmy.D
Unpacking the Executable
Initial Impressions
The Initial Installation
Initializing Communications
Connecting to the Server
Joining the Channel
Communicating with the Backdoor
Running SOCKS4 Servers
Clearing the Crime Scene
The Backdoor.Hacarmy.D: A Command Reference
Conclusion 306
Part III Cracking
Chapter 9 Piracy and Copy Protection
Copyrights in the New World
The Social Aspect
Software Piracy
Defining the Problem
Class Breaks
Requirements
The Theoretically Uncrackable Model 314
Types of Protection
Media-Based Protections
Serial Numbers
Challenge Response and Online Activations
Hardware-Based Protections
Software as a Service
Advanced Protection Concepts
Crypto-Processors
Digital Rights Management
DRM Models
The Windows Media Rights Manager
Secure Audio Path
Watermarking
Trusted Computing
Attacking Copy Protection Technologies
Conclusion
Chapter 10 Antireversing Techniques
Why Antireversing?
Basic Approaches to Antireversing
Eliminating Symbolic Information
Code Encryption
Active Antidebugger Techniques
Debugger Basics
The IsDebuggerPresent API
SystemKernelDebuggerInformation
Detecting SoftICE Using the Single-Step Interrupt
The Trap Flag
Code Checksums
Confusing Disassemblers
Linear Sweep Disassemblers
Recursive Traversal Disassemblers
Applications
Code Obfuscation
Control Flow Transformations
Opaque Predicates
Confusing Decompilers
Table Interpretation
Inlining and Outlining
Interleaving Code
Ordering Transformations
Data Transformations
Modifying Variable Encoding
Restructuring Arrays
Conclusion
Chapter 11 Breaking Protections
Patching
Keygenning
Ripping Key-Generation Algorithms
Advanced Cracking: Defender
Reversing Defender’s Initialization Routine
Analyzing the Decrypted Code
SoftICE’s Disappearance
Reversing the Secondary Thread
Defeating the Killer Thread
Loading KERNEL32.DLL
Reencrypting the Function
Back at the Entry Point
Parsing the Program Parameters
Processing the Username
Validating User Information
Unlocking the Code
Brute-Forcing Your Way through Defender
Protection Technologies in Defender
Localized Function-Level Encryption
Relatively Strong Cipher Block Chaining
Reencrypting
Obfuscated Application/Operating System Interface
Processor Time-Stamp Verification Thread
Runtime Generation of Decryption Keys
Interdependent Keys
User-Input-Based Decryption Keys
Heavy Inlining
Conclusion
Part IV Beyond Disassembly
Chapter 12 Reversing .NET
Ground Rules
.NET Basics
Managed Code
.NET Programming Languages
Common Type System (CTS)
Intermediate Language (IL)
The Evaluation Stack
Activation Records
IL Instructions
IL Code Samples
Counting Items
A Linked List Sample
Decompilers
Obfuscators
Renaming Symbols
Control Flow Obfuscation
Breaking Decompilation and Disassembly
Reversing Obfuscated Code
XenoCode Obfuscator
DotFuscator by Preemptive Solutions
Remotesoft Obfuscator and Linker
Remotesoft Protector
Precompiled Assemblies
Encrypted Assemblies
Conclusion
Chapter 13 Decompilation
Native Code Decompilation: An Unsolvable Problem?
Typical Decompiler Architecture
Intermediate Representations
Expressions and Expression Trees
Control Flow Graphs
The Front End
Semantic Analysis
Generating Control Flow Graphs
Code Analysis
Data-Flow Analysis
Single Static Assignment (SSA)
Data Propagation
Register Variable Identification
Data Type Propagation
Type Analysis
Primitive Data Types
Complex Data Types
Control Flow Analysis
Finding Library Functions
The Back End
Real-World IA-32 Decompilation
Conclusion
Appendix A Deciphering Code Structures
Appendix B Understanding Compiled Arithmetic
Appendix C Deciphering Program Data
Index 5
Posts
