Reverse Engineering on M$ windoze - PowerPoint PPT Presentation

Provided by: darelg
Slides: 10

Transcript and Presenter's Notes
1
Reverse Engineering on M$ windoze
  • An intro to x86 win32 assembly with a lil hands-on.

2
Topics
  • Registers
    – General Purpose
    – Special
  • Instructions & intel opcodes
  • The stack
  • Windows API
  • Tools of the trade

3
Registers
  • General purpose registers
    – EAX, ECX, EDX, EBX
    – 32 bits, accessible by their 8 & 16 bit counterparts
    – EAX = AL (8 bit) & AH (8 bit) make up AX (16 bit), etc.
    – 8 bits = 1 byte; 2 bytes = 1 word; 4 bytes = 1 dword, which is one whole register
  • Special registers
    – ESP, EIP, a few others
    – EIP = instruction pointer, the next line of code to execute
    – ESP = stack pointer, you'll really care about this later

4
Instructions & opcodes
  • Intel opcodes are the hardcoded instructions executed by the CPU.
  • Convention used on windows x86 is
    – Instruction dest, src
    – ADD eax, 64
  • Touching a few interesting ones
    – CALL, J* (jumps), XOR, AND, PUSH, POP, ADD, MUL/IMUL, DIV/IDIV, LEA, MOV, MOVSX, etc.

5
Logical Bit Manipulation
  • The exclusive OR, XOR
      Source  Dest  Result
        0      0      0
        1      1      0
        0      1      1
        1      0      1
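To put slides 3 and 5 together in working code, here is an added example (not part of the deck): a C model of how AL, AH, AX and EAX overlay the same four bytes, and of XOR applied to one bit or to a whole register. The union layout assumes a little-endian host, as x86 is.

```c
#include <stdint.h>
#include <stdio.h>

/* One x86 general purpose register (take EAX) modelled as the slides
 * describe it: a 32-bit dword whose low word AX is itself the bytes
 * AL (low) and AH (high). The union overlays the three views on the
 * same 4 bytes; the struct's byte order assumes a little-endian host. */
typedef union {
    uint32_t e;                    /* EAX: the full 32-bit dword   */
    uint16_t x;                    /* AX : low 16-bit word         */
    struct { uint8_t l, h; } b;    /* AL, AH: bytes 0 and 1 of AX  */
} reg32;

/* mov al, imm8 : only byte 0 changes, the other three bytes survive */
uint32_t mov_al(reg32 *r, uint8_t v) { r->b.l = v; return r->e; }
/* mov ah, imm8 : only byte 1 changes */
uint32_t mov_ah(reg32 *r, uint8_t v) { r->b.h = v; return r->e; }
/* xor eax, src : the truth table applied to all 32 bits at once;
 * "xor eax, eax" is what a disassembly shows for eax = 0 */
uint32_t xor_e(reg32 *r, uint32_t src) { r->e ^= src; return r->e; }

/* One row of the XOR truth table for a single bit. */
int xor_bit(int src, int dst) { return (src ^ dst) & 1; }

/* Run the sequence  mov eax, start ; mov al, al_v ; mov ah, ah_v
 * and return EAX afterwards: the high word is untouched. */
uint32_t eax_after_byte_writes(uint32_t start, uint8_t al_v, uint8_t ah_v) {
    reg32 r; r.e = start; mov_al(&r, al_v); mov_ah(&r, ah_v); return r.e;
}
/* Same sequence, but return AX to show that AH:AL make up the word. */
uint16_t ax_after_byte_writes(uint32_t start, uint8_t al_v, uint8_t ah_v) {
    reg32 r; r.e = start; mov_al(&r, al_v); mov_ah(&r, ah_v); return r.x;
}
/* mov eax, start ; xor eax, eax  -> always 0, whatever start was */
uint32_t eax_after_xor_self(uint32_t start) {
    reg32 r; r.e = start; return xor_e(&r, r.e);
}

int main(void) {
    reg32 r;
    r.e = 0x11223344u;                       /* mov eax, 11223344h */
    mov_al(&r, 0xAA);                        /* -> eax = 112233AA  */
    mov_ah(&r, 0xBB);                        /* -> eax = 1122BBAA  */
    printf("eax=%08X ax=%04X ah=%02X al=%02X\n",
           (unsigned)r.e, r.x, r.b.h, r.b.l);
    printf("xor eax,eax -> %08X\n", (unsigned)xor_e(&r, r.e));
    return 0;
}
```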

6
Dah Stack
  • You've heard about it since CS104
  • LIFO, like a stack of plates.. just like you always heard.
  • Every app has its own.
  • Like plates, they're breakable

7
Windows API
  • Get Win32.hlp
  • Useful in debugging/disassembly: these are the calls we break on where we need to
  • MessageBox, GetDlgItemText, GetWindowText, ReadFile, CreateFile, WriteFile, RegOpenKey, RegQueryValue, etc etc
  • Check what the EXE uses with OllyDbg, or Imports/Exports in IDA.

8
Tools
  • Disassemblers
    – IDA (Chris Eagle's book)
  • Debuggers
    – OllyDbg, SoftICE, IDA has one
  • Books
    – Intel manuals (free), Chris Eagle's IDA book, Windows Internals, Linkers and Loaders, Secrets of Reversing (good intro stuff)
  • Sysinternals
    – Filemon, Regmon, Procmon etc
  • PE Editors
    – ImpREC, LordPE, PEiD (identifier), ProcDump
  • Decompilers
    – DeDe (Delphi)
  • .Net Tools
    – Reflector, MSIL Disassembler, de-obfuscation tools
  • Custom Tools
    – Write your own?

9
Hands on