The Art of Reversing
by Ap0x
Preface to the second edition
We live our daily lives unaware of the little things that happen before our eyes. We pass by obvious things because we make them simple and logical. Do we not feel the need to peek beneath the simple, uniform exterior of things, or do we simply not want to? Ask yourself: when did we last look at an object and wonder how it works? What processes lie behind its visible face? Why does something happen exactly the way it happens? When did we last take an object apart into its components using only the power of our minds? When did we last look beyond the obvious and the readily accessible? The answers to these questions lie within ourselves, and they say a great deal about reverse engineering. The very urge to get to the beginnings and causes, to arrive at the initial conditions from the results, opens amazing opportunities, but only if we change our point of view, only if we move from the position of the passive observer into the place of the reverser. That is the only way to get to the core of reverse engineering. Note that reverse engineering does not apply only to computers: reverse engineering is all around us, but you have to look for it.
This is the second edition of The Art Of Cracking, which received the new name The Art Of Reversing now that my second book, PE and ASM for Crackers, has been woven into it. In this second edition some chapters have been added and some extended, but most of the corrections concern the grammatical and semantic errors noted in the first book; for these the author owes special thanks to MDHamel, who reviewed the book and its language. On this occasion I also want to thank everyone who has supported me and who keeps supporting me to continue work on this project.
This book is dedicated to all the people who have left an indelible impression on my life: family, best friends, first love, mentors, other friends, enemies, and others not listed here who are a more or less important part of my life.
"The more I learn, the more I realize how much I don't know!"
Ap0x
The Art Of Reversing by Ap0x
Page 2 of 293
The Book
01.00 Intro to cracking 6
01.01 What is RCE? 7
01.02 Beginners Guide to Reversing 8
01.03 Becoming a Reverser 9
01.04 ASM Basics 10
01.05 ASM for Crackers - Part I 10
01.06 ASM for Crackers - Part II 18
01.07 ASM for Crackers - Part III 21
01.08 ASM for Crackers - Part IV 24
01.09 ASM for Crackers - Part V 26
01.10 Reading Time 30
01.11 Tools of Trade 31
01.12 Configuring Tools of Trade 32
01.13 OllyDbg 32
01.14 W32Dism++ / W32Dasm 8.93 32
01.15 NuMega SmartCheck v6.03 33
01.16 PEiD v0.93 33
01.17 My first crack 34
01.18 My second crack 39
01.19 OllyDbg from the beginning 43
01.20 Debugging Basics - Breakpoints 43
01.21 Debugging Basics - User vs kernel mode 44
01.22 Introduction to OllyDbg 44
02.00 NAG 48
02.01 Killing NAGS - 49
02.02 Killing NAGS - 51
02.03 Killing NAGS - MsgBoxes & Olly 53
02.04 Killing NAGS - Dialogs & Olly 56
03.00 Cracking 57
03.01 The Serials - Jumps 58
03.02 The Serials - Fishing #1 60
03.03 The Serials - Fishing #2 63
03.04 The Serials - Fishing #3 66
03.05 The Serials - Fishing #4 67
03.06 The Serials - Fishing #5 69
03.07 The Serials - Fishing #6 70
03.08 The Serials - Fishing #7 71
03.09 The Serials - Smart Check #1 73
03.10 The Serials - Smart Check #2 75
03.11 The Serials - Computer ID 76
03.12 The Serials - VB & Olly 78
03.13 The Serials - 79
03.14 The Serials - 81
03.15 The Serials - Keyfile and Registry 84
04.00 Making 92
04.01 KeyGen - Ripping 93
04.01 KeyGen - Ripping 94
04.02 KeyGen - Beginning #1 95
04.03 KeyGen - Beginning #2 97
04.04 KeyGen - Beginning #3 99
04.05 KeyGen - Beginning #4 102
04.06 Keygens & Smart Check #1 104
04.07 Keygens & Smart Check #2 106
05.00 CD 108
05.01 CD Checking - 109
05.02 CD Checking - CrackMe 111
06.00 Code 114
06.01 Delphi ASM 115
06.02 VC++ and ASM 117
06.03 Adding functions 118
06.04 Adding functions 121
06.05 Adding functions 125
07.00 "Getting 126
07.01 SoftICE detection 127
07.02 Windows API debugger check 129
07.03 Memory modification check 130
07.04 Reversing CRC32 checks 132
07.05 Not Getting Caught - Exercise 136
08.00 Cracking 138
08.01 ReEnable buttons - ASM 139
08.02 ReEnable buttons - API 140
08.03 ReEnable buttons - ResHacker 143
08.04 ReEnable buttons - ResHacker & Delphi 144
08.05 ReEnable buttons - Olly & Delphi 145
08.06 ReEnable buttons - Olly & VB 147
08.07 ReEnable buttons - DeDe & Delphi 148
08.08 Passwords - Olly & Delphi 149
08.09 Passwords - Olly & VB 150
08.10 Passwords - Olly & ASM 151
08.11 Time-Trial 152
08.12 Patching a 155
09.00 Decrypt 157
09.01 Cryptography basics 158
09.02 Simple Encryption 163
09.03 Reversing MD5 165
09.04 RSA Basics 167
09.05 bruteforce 169
09.06 bruteforce 172
09.07 bruteforce the 174
09.08 bruteforce with 179
09.09 Advanced bruteforcing 180
10.00 182
10.01 Unpacking 183
10.02 PE Basics 184
10.03 PE EXE Files - 184
10.04 PE EXE Files - Basics 186
10.05 PE EXE Files - Tables 191
10.06 PE DLL Files - 194
10.07 UPX 0.89.6 - 1.02 / 1.05 - 1.24 195
10.08 UPX-Scrambler RC1.x 199
10.09 UPX Protector 1.0x - 200
10.10 UPXShit 201
10.11 FSG 1.30 - 205
10.12 FSG 2.0 206
10.13 ASPack 1.x - 207
10.14 Petite 2.2 209
10.15 tElock 0.80 210
10.16 tElock 0.96 213
10.17 tElock 214
10.18 PeCompact 2.22 217
10.19 PeCompact 1.40 218
10.20 PePack 220
10.21 ASProtect 1.22 / 1.2c 223
10.22 ASProtect 2.0x 226
10.23 ReCrypt 12:15 228
10.24 ReCrypt 0.74 229
10.25 ReCrypt 0.80 230
10.26 ACProtect 1.4x 231
10.27 WinUPack 233
10.28 Neola 2.0 234
10.29 PELock NT 2.04 235
10.30 Virogena Crypt 0.75 236
10.31 eZip 1.0 237
10.32 SPEC b3 237
10.33 CExe 1.0a - 1.0b 237
10.34 MEW 238
10.35 PEBundle 2.0x - 2.4x 239
10.36 PkLite32 1.1 240
10.37 PEX 0.99 241
10.38 ExEStealth 2.72 - 2.73 242
10.39 Arm Protector 243
10.40 EXE32Pack 1.3x 244
10.41 PC Guard 5.0 245
10.42 yC 1.3 246
10.43 SVKP 1.3x 247
10.44 xPressor 1.2.0 249
10.45 JDPack 1.x / JDProtect 0.9 250
10.46 ap0x Crypt 251
11.00 Patching 254
11.01 'Hard patchers' 255
11.02 Registry patchers 255
11.03 Memory patchers 255
11.04 Inline patching - UPX 0.8x - 1.9x 256
11.05 Inline patching - nSPack 2.x 257
11.06 Inline patching - ASPack 1.x-2.x 259
11.07 Inline patching - EZip 1.0 260
11.08 Inline patching - FSG 1.33 261
11.09 Inline patching - PEX 0.99 262
11.10 Making a 265
12.00 266
12.01 BruteForcing the Secret 267
12.02 Keygening Scarabee #4 269
12.03 Patching aC 272
12.04 Obsidium 1.2 Unpacking 274
12.05 & Cracking 275
13.00 Tricks of 287
13.01 Coding 288
13.02 Cracking 289
13.03 Only Fools and 290
13.04 Crackers Guide 290
13.05 FAQ 291
13.06 Epilogue 293
01 Intro to cracking
The first chapter of this section aims to introduce you to reverse engineering and to show you a good deal about cracking: the way of thinking and some basic tricks with cracking tools. First you will adopt some primary terms related to cracking, then you will learn how to configure the tools we use, and finally we will make our first crack.
What is RCE?
Reverse Code Engineering is a technique for recovering the initial values of some feature from its results. You will notice that I used a general definition of RCE, not one tied to RCE as applied to computer applications. I defined RCE this way because, regardless of the area it is applied to, it is a way of thinking, a set of techniques and procedures for approaching a problem from another angle. If we confine ourselves to computers, then we define RCE as a mechanism for analysing and modifying an unknown program when its source code is not available. The primary problems you will solve with the techniques described in this book are the analysis or modification of an unknown program whose original source is not known. We approach such a problem in reverse: we find the causes of the program's behaviour by starting from the result itself and working back to the initial causes. Of course, like any other area of human endeavour, RCE has problems that in most cases have no unique solution. This means that most problems can be solved in a great number of ways, and that in most cases there are only the simplest and quickest solutions and those that are not. Since in most cases we are not interested in the time needed to solve a problem, the major factor in solving an RCE problem will be the accuracy of the result. This accuracy is unforgiving when it comes to RCE problems, because there are only two outcomes: problems that are solved correctly and those that are not. RCE problems that are solved incorrectly can lead to instability of the target, or even of the operating system used for RCE. Note also that RCE is not tied to one platform: it can be, and is, applied on all computer platforms.
Although the book is "pompously" called The Art Of Cracking, it does not address the full meaning of reverse engineering, nor would such a thing be possible at all. No, this book has set itself the goal of staying within only one narrowly defined area, commonly called cracking, and of describing as much as possible of what is related to cracking. Even this is hard to achieve, but I will try to guide you through this book and convince you that there is no such thing as a "trusted application". From now on, delete that term from your vocabulary. The term you will adopt instead is "application that is hard to reverse", which means that any application that can be run can be "broken", and that you should not trust so-called commercial protections to protect your own or other people's programs. This book will destroy the delusions of those who believe that their passwords are safe in a database, or that their passwords are safe behind asterisks. These misconceptions will fall apart after reading this book. Developers, beware, because your applications will be put to a comprehensive test...
Beginners Guide to Reversing
Before you start dealing with reverse engineering you need to know some basics of how a computer is organised and how data is written and read. The operating system on which we have chosen to learn the basics of reverse engineering is Windows; whatever the version, it gives insight into the architecture and into the way of thinking applied when reversing. You probably already know that the Windows operating system is basically a collection of executable (.exe) and dynamic-link library (.dll) files that make up the core of the system. What most of you probably do not know is that the contents of these .exe and .dll files can be changed so that these programs execute the instructions we want. The technique of modifying other people's executables and other files that contain executable code is called cracking. Note that reversing an application without the approval of its author may be illegal, so be careful when choosing the target you are going to reverse.
Now you are certainly wondering how the knowledge that the operating system consists of a large number of .exe and .dll files can help us in reversing. We know that their content must be written in some defined way, and here we are on the right track, because all .exe and .dll files are written in one unique layout. That layout is standardised on 32-bit Windows systems (every 32-bit Windows version) and is called the PE (Portable Executable) format. This standard closely defines the position and meaning of the bytes in a standard .exe file. We will get to this standard later; for now it is important to know that one part of a PE file is responsible for execution, for the functions the .exe file itself performs. These functions are also written in a standardised, machine-readable way. That is, the sequences of bytes carry a precise meaning: the processor in your computer interprets those byte sequences, and the standard instructions they encode are called ASM (assembler) instructions. You will get acquainted with ASM at the beginning of this book. Understanding this part of the book is a prerequisite for understanding all other chapters, and it is therefore the framework for understanding the whole book.
These are just the basic ways of thinking that every beginner has to keep in mind before starting to deal with reversing. Other very important things will be introduced along the way, together with the problems you will meet while reading this book.
Becoming a Reverser
This is a very common question that everyone who wants to get involved in reversing asks themselves. How do you become a reverser? What does that really mean? What do I have to know?
The answers to these questions are individual and differ from person to person, but what I have learned during these years of programming and reversing is that everything is possible, that everything can be done. The only two things needed to solve every problem are time and patience. If you wish to become what you want to become, you will need to learn much more. Most of what you learn will be related to the structure of computers, the way programs execute, the structure of files and the structure of Windows, but on top of all this you will need to learn the basics of cryptography and mathematics. Believe it or not, the best reversing problems in the world are mathematical. So no matter how much you hate math, take my word for it, you will surely come to love it...
As I already said, there is no exact "recipe" for becoming a reverser, but there is a basic guide to the order in which you have to learn things in order to become one. That sequence should look like this:
- Basics of the Windows operating system
- Basics of hexadecimal and decimal numbers
- The basic set of ASM instructions
- Basic cracker's tools: W32Dasm and Hiew
- Basic cracker's tools: SoftICE, Olly, SmartCheck, DeDe
- Basics of the PE structure
- Basic cracker's tools: PEiD, ResHacker, LordPE, ImpREC
- Programming languages: Visual Basic, Delphi, C++, MASM
- Basics of cryptography: SHA1, MD5, RSA, RC4, RC5, Skipjack
Of course, this order reflects a logical order of thinking and learning that should be followed to gain insight into the final reversing problems. Analogous to this, there is also a list of the kinds of targets that should be "broken", in this order:
- Removing the NAG screen
- Changing jumps to reach the message about correct registration
- Advanced patching, killing dialogs, CD protections...
- Fishing serial numbers with the help of a debugger
- Simple unpacking of easy targets: ASPack, UPX
- Turning the target itself into its own keygenerator
- Creating a keygenerator in a programming language
- ASM ripping of keygenerators
- Creating bruteforcers
- Unpacking advanced protections: ASProtect, ACProtect, SCMM, Armadillo
- Advanced reversing of a target in order to understand someone else's algorithm
Will you become a reverser after reading this book?
No, but you will be well on your way to becoming one...
ASM Basics
ASM is the basis of every reversing problem, so you need to know at least the basic ASM instructions well in order to understand what is in front of you. The basic and only tool we will need further on in this chapter is OllyDbg, but we begin with theory.
ASM for Crackers - Part I
The ASM I explain here is not the ASM that programmers use to write programs. Although most instructions are the same, here I will only cover the essentials of each ASM instruction you will meet while reversing targets. Let's start with a little math...
Since every program is basically a series of simple mathematical operations, the primary ASM instructions are intended for exactly these operations.
Assigning a value - the basic ASM instruction, used to assign a constant arithmetic value to one of the variables (EAX, EBX, ECX, EDX, ...) whose names are predefined. In assembly it looks like this:
MOV EAX, 1
and its mathematical meaning is: EAX = 1
Addition - the basic mathematical operation, and a very well known one. I am sure you know how to add, but you probably do not know how the addition of numbers is performed in assembly. An example is the addition of two variables:
ADD EAX, EBX
This simple ASM instruction is equivalent to the mathematical addition of two numbers: EAX = EAX + EBX.
Subtraction - also a basic mathematical operation, which in assembler looks like this:
SUB EAX, EBX
This simple ASM instruction is equivalent to the mathematical subtraction of two numbers: EAX = EAX - EBX.
Multiplication - a frequently used instruction (IMUL is the signed multiply), which looks like this:
IMUL EAX, EBX
This simple ASM instruction is equivalent to the mathematical multiplication of two numbers: EAX = EAX * EBX.
These are only some of the basic ASM instructions that will be used to solve simple mathematical problems. For now there is no need to worry about which variables we use; I will explain them later, because for now it is only important to understand how ASM instructions execute.
First we write a program that multiplies two numbers and adds 4 to their product.
Solution:
MOV EAX, 3
MOV ECX, 4
IMUL EAX, ECX
ADD EAX, 4
I think this simple program is clear, but just in case I will explain why the program is written like this. First we assign to EAX and ECX the values we want to multiply; that is the first two rows. Then a standard multiplication of the two numbers follows, after which, in the last row, we add 4 to the product. Of course, the result of executing this program will be: 3 * 4 + 4 = 16.
Let's modify this example so that the program, after adding 4, subtracts 8 from the result and multiplies what is left by 4.
Solution:
MOV EAX, 3
MOV ECX, 4
IMUL EAX, ECX
ADD EAX, 4
SUB EAX, 8
IMUL EAX, 4
As we can see, the result will be: (((3 * 4) + 4) - 8) * 4 = 32. Of course, note that when we write ASM programs all numbers are written in hexadecimal, so a debugger will show the result of this last task as 20h, not 32.
Since we have successfully mastered the basic mathematical operations, it is time to explain why and how variables are used.
As in mathematics, in assembler we have variables to which we can assign any arithmetic value. The only restriction in assembler is that there is a fixed, predefined set of variables we can use. These variables are called registers and are used for all assembler operations. Some of these register names have already been mentioned, but the whole list looks like this: EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI, EIP. These
registers can be used for almost any operation, but each is conventionally assigned a specific kind of use:

EAX - used for basic mathematical operations (and holds the return value of a function call),
EBX - used for basic mathematical operations,
ECX - serves as the counter in loops,
EDX - receives the remainder of a division and is otherwise used for other things,
ESP - points to the top of the stack (stack pointer),
EBP - points to the base of the current stack frame (base pointer),
ESI - a free register (source index in string operations),
EDI - a free register (destination index in string operations),
EIP - holds the address of the next instruction to be executed.

But this does not mean that this list of register uses is set in stone; these are only the usual uses, and they can change from situation to situation. We see that, like variables in mathematics, registers can take any numeric value and be used for mathematical operations. Before I continue explaining the other ASM instructions, you need to understand the difference between 32-bit, 16-bit and 8-bit registers and the connection between them.
The registers we have met so far (EAX to EIP) are 32-bit registers. This means that the numbers a register can hold range from 00000000 to FFFFFFFF, which is what makes them 32-bit. For backward compatibility, the standard 32-bit registers contain 16-bit and 8-bit registers. If, for example, EAX contains the hexadecimal number FF443322, that is its 32-bit value, but there are other registers closely tied to the EAX register itself: AX (16-bit), AH (8-bit) and AL (8-bit). The connection between these registers is given in the following table:

Register   First byte   Second byte   Third byte   Fourth byte
EAX        FF           44            33           22
AX         -            -             33           22
AL         -            -             -            22
AH         -            -             33           -
As can be seen from the table, there are registers through which only parts of a 32-bit register can be accessed or modified. Although the example is given for EAX, the same goes for EBX, ECX and EDX (BX/BH/BL, CX/CH/CL, DX/DH/DL); ESI, EDI, ESP and EBP have only the 16-bit halves SI, DI, SP and BP. This is important because you need to understand why a 32-bit register changes in a program when some 16-bit or 8-bit register is changed. For example, I will explain partial access to the EAX register:
MOV EAX, FF443322
MOV AX, 1111
MOV AH, 22
MOV AL, 66
After each of these ASM instructions in turn, EAX would hold:
EAX = FF443322, EAX = FF441111, EAX = FF442211, EAX = FF442266. As you can see from the table, it is impossible to reach the first and second byte of the 32-bit
EAX register through the 16-bit or 8-bit registers. This matters a great deal when writing keygenerators, because you have to know how a change to a 16-bit or 8-bit register changes the final value of the full register. Now it is surely clear what we were doing when we wrote the simple ASM program above. Since so far we know only four ASM instructions, it is time to extend this list with additional mathematical ASM instructions.
Adding 1 - a mathematical operation that adds 1 to the value of any register. In ASM it looks like this:
INC EAX
This simple ASM instruction is equivalent to the mathematical EAX = EAX + 1.
Now you are surely wondering why we do not simply do this with the ADD instruction. The answer is that ADD EAX, 1 takes 3 bytes in the file (5 bytes with a 32-bit immediate), while INC EAX takes only one. It is not a great saving, but that is how compilers build .exe files.
Subtracting 1 - the opposite mathematical operation, which subtracts 1 from any register. In ASM it looks like this:
DEC EAX
This simple ASM instruction is equivalent to the mathematical EAX = EAX - 1, and it also takes only one byte in the file.
Division - a mathematical operation that I left for last, because knowledge of the registers is needed to understand how numbers are divided in ASM. An example of dividing two numbers:
MOV EAX, 10
MOV ECX, 4
MOV EDX, 0
DIV ECX
Although this seems a little complicated, it is not. The following happens: first EAX and ECX are assigned values, then EDX is assigned 0, because EDX will receive the remainder of the division, and finally EAX is divided by ECX. Mathematically this looks like this:
EAX = 10h (16 in decimal)
ECX = 4
EDX = 0
EAX = EAX / ECX (the quotient, 4), EDX = the remainder (0)
Why do we need to set EDX to zero? Because DIV does not divide EAX alone: it divides the 64-bit number formed by EDX:EAX (EDX is the high half) by the operand. If EDX still holds a leftover value the dividend is not the one we intended, and if the resulting quotient does not fit into 32 bits the processor raises a divide error and the program crashes. Division may seem a little complicated, but it is not once you learn that EAX is always divided by some other register of your choice, in this case ECX.
Now that we have learned all the basic mathematical instructions, let's practise them on one example. We are going to write an ASM program that adds two numbers, multiplies the sum by 4, adds 1 to the product, subtracts 6 from that, divides the value by 3 and finally subtracts one from the result.
Solution:
MOV EAX, 4
MOV ECX, 3
ADD EAX, ECX
IMUL EAX, 4
INC EAX
SUB EAX, 6
MOV EDX, 0
MOV ECX, 3
DIV ECX
DEC EAX
I think everyone understands what is going on, but if not, here is the mathematical solution of the problem:
EAX = 4
ECX = 3
EAX = EAX + ECX
EAX = EAX * 4
EAX = EAX + 1
EAX = EAX - 6
EDX = 0
ECX = 3
EAX = EAX / ECX (EDX receives the remainder)
EAX = EAX - 1
The final result is EAX = 6, with the remainder 2 left in EDX.
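For the division rule given above and for the exercise just solved, here is an added C model of what DIV actually does (not code from the book): it divides the 64-bit EDX:EAX by the operand, and a stale EDX either faults or, worse, silently yields a wrong quotient. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from the book: the actual semantics of the 32-bit
 * DIV instruction. DIV r32 divides the 64-bit value EDX:EAX (EDX is the high
 * half) by the operand, stores the quotient in EAX and the remainder in EDX,
 * and raises #DE (divide error, seen by the user as a crash) when the divisor
 * is 0 or the quotient does not fit in 32 bits. Names are hypothetical. */

typedef struct { uint32_t eax, edx; bool divide_error; } div_result_t;

div_result_t x86_div(uint32_t edx, uint32_t eax, uint32_t divisor) {
    div_result_t r = { eax, edx, false };
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    if (divisor == 0) { r.divide_error = true; return r; }
    uint64_t q = dividend / divisor;
    if (q > 0xFFFFFFFFull) { r.divide_error = true; return r; }  /* quotient overflow */
    r.eax = (uint32_t)q;
    r.edx = (uint32_t)(dividend % divisor);
    return r;
}

/* The chapter's exercise: (4 + 3) * 4 + 1 - 6, divided by 3, minus 1.
 * Returns the final EAX; if remainder is non-NULL it receives DIV's EDX. */
uint32_t chapter_exercise(uint32_t *remainder) {
    uint32_t eax = 4, ecx = 3, edx;
    eax += ecx;                                /* ADD EAX, ECX -> 7  */
    eax *= 4;                                  /* IMUL EAX, 4  -> 28 */
    eax += 1;                                  /* INC EAX      -> 29 */
    eax -= 6;                                  /* SUB EAX, 6   -> 23 */
    edx = 0;                                   /* MOV EDX, 0   clear the high half */
    ecx = 3;                                   /* MOV ECX, 3 */
    div_result_t d = x86_div(edx, eax, ecx);   /* DIV ECX      -> 7 rem 2 */
    eax = d.eax; edx = d.edx;
    eax -= 1;                                  /* DEC EAX      -> 6 */
    if (remainder) *remainder = edx;
    return eax;
}

uint32_t chapter_exercise_remainder(void) {
    uint32_t rem = 0;
    chapter_exercise(&rem);
    return rem;
}

int main(void) {
    printf("exercise: EAX = %u, EDX = %u\n", chapter_exercise(NULL), chapter_exercise_remainder());
    div_result_t ok = x86_div(0, 0x10, 4);           /* the book's 10h / 4 with EDX cleared */
    printf("EDX=0:   10h / 4 -> EAX=%X EDX=%X\n", ok.eax, ok.edx);
    div_result_t wrong = x86_div(1, 0x10, 4);        /* stale EDX=1: dividend 1_00000010h */
    printf("EDX=1:   -> EAX=%X, no fault but the wrong answer\n", wrong.eax);
    printf("EDX=10h: divide_error=%d (quotient would be 4_00000004h)\n",
           x86_div(0x10, 0x10, 4).divide_error);
    return 0;
}
```

The middle case is the one to remember when reversing: a forgotten EDX does not always crash the target, it can just as well produce a serial check that silently computes garbage.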
Understanding the basic mathematical operations is key to solving basic reversing problems. Since we have covered all the basic mathematical instructions, it is time for the logical ASM instructions. Do not be afraid of the name: these are simply mathematical operations with logical operators such as NOT, AND, OR and the like, the same as conjunction, disjunction and similar operators in mathematics. In ASM they are applied bit by bit, so each bit of the result is either 1 (TRUE) or 0 (FALSE).
AND - the basic logical instruction in ASM, used as a logical operator between two registers. In ASM it looks like this:
AND EAX, ECX
After this instruction EAX gets the value of the logical AND of the two registers. To understand thoroughly what this logical instruction does, we will make a small table with two binary numbers and show how the result of AND is obtained. Say we want to AND 3 and 5:
AND operation:
                EAX     ECX     Result (EAX)
Decimal         3       5       1
Binary          0011    0101    0001

As can be seen from the table, 3 AND 5 = 1. Why just 1? The AND instruction compares the two binary numbers bit by bit and forms the result from each pair: if the bits are 0 and 0, 0 and 1, or 1 and 0 the result bit is 0; only if both compared bits are 1 is the result bit 1. That is why 0011 AND 0101 = 0001.
OR - a logical instruction in ASM, used as a logical operator between two registers. In ASM it looks like this:
OR EAX, ECX
After this ASM instruction the result is placed in EAX, and the value EAX receives is shown in the following table:

OR operation:
                EAX     ECX     Result (EAX)
Decimal         3       5       7
Binary          0011    0101    0111

As can be seen from the table, 3 OR 5 = 7. But why 7? The OR instruction compares the binary numbers bit by bit and forms the result from each pair: a result bit is 0 only if both bits are 0; if the first or the second bit is 1, the result bit is 1. That is why 0011 OR 0101 = 0111.
NOT - a logical command in ASM. It is used as a logical operator applied to a
single register. Example:
NOT EAX
After this command executes, EAX holds the value that can be read from the
following table:
NOT operation    EAX     Result (EAX)
Decimal          3       12
Binary           0011    1100
As the table shows, NOT simply inverts the bits: where a bit was 0 it becomes
1 in the result, and vice versa. This is an extremely simple ASM command. Note
that the table shows only four bits; NOT EAX inverts all 32 bits of the
register, so NOT 3 in EAX is actually FFFFFFFC, not 12.
XOR - a very important ASM command which, because of its reversibility, is
used for encryption and decryption. It is applied to two registers as follows:
XOR EAX, ECX
After this command executes, EAX holds the value obtained by XORing EAX with
ECX. The principle of XOR can be seen in the following table:
XOR operation    EAX     ECX     Result (EAX)
Decimal          3       5       6
Binary           0011    0101    0110
The result is 6, but why? XOR compares the bits of EAX and ECX pair by pair:
if the source bit (ECX) differs from the destination bit (EAX) the result bit
is 1, and if the two bits are the same the result bit is 0. That is why
0011 XOR 0101 = 0110, i.e. 3 XOR 5 = 6. XOR is the most important of these
functions because it is reversible: 3 XOR 5 = 6, 6 XOR 5 = 3 and 6 XOR 3 = 5,
so XORing with the same value twice restores the original. Another important
property of XOR is that XORing a number with itself always gives zero, i.e.
3 XOR 3 = 0 (which is why XOR EAX, EAX is the usual way of setting a register
to zero).
These were the most important logical functions of ASM. To check what we
have learned so far, we will do one task. We are going to write ASM code that
adds two numbers, XORs the result with 7, ANDs that with 4, negates it, ORs the
obtained value with 5 and finally negates the result once more.
Solution:
MOV EAX, 2
MOV ECX, 3
ADD EAX, ECX   ; EAX = 2 + 3 = 5
XOR EAX, 7     ; EAX = 5 XOR 7 = 2
AND EAX, 4     ; EAX = 2 AND 4 = 0
NOT EAX        ; EAX = FFFFFFFF
OR EAX, 5      ; EAX = FFFFFFFF
NOT EAX        ; EAX = 0
The result of this computation is NOT((NOT(((2 + 3) XOR 7) AND 4)) OR 5) = 0.
You may have noticed that the two NOT commands are not really needed: by De
Morgan's law NOT((NOT x) OR 5) equals x AND (NOT 5), so the last three commands
could be replaced by a single AND EAX, 0FFFFFFFAh with the same result.
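To see the logical commands acting on a full 32-bit register rather than on the four-bit pictures above, here is an added C example (not from the book). It carries out the exercise chain on uint32_t values, shows the De Morgan shortcut giving the same result, makes the 32-bit width of NOT visible, and uses the reversibility of XOR for a toy encrypt/decrypt round trip. The message and key in it are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The exercise chain on a 32-bit register:
   ADD, XOR 7, AND 4, NOT, OR 5, NOT. */
uint32_t logic_chain(uint32_t a, uint32_t b)
{
    uint32_t eax = a + b;   /* ADD EAX, ECX */
    eax ^= 7;               /* XOR EAX, 7   */
    eax &= 4;               /* AND EAX, 4   */
    eax = ~eax;             /* NOT EAX      */
    eax |= 5;               /* OR  EAX, 5   */
    eax = ~eax;             /* NOT EAX      */
    return eax;
}

/* Same result with the two NOTs folded away:
   NOT((NOT x) OR 5) == x AND (NOT 5) by De Morgan's law. */
uint32_t logic_chain_short(uint32_t a, uint32_t b)
{
    return (((a + b) ^ 7) & 4) & ~5u;
}

/* NOT on a 32-bit register flips all 32 bits: NOT 3 is FFFFFFFC, not 1100. */
uint32_t not32(uint32_t x)
{
    return ~x;
}

/* XOR every byte with a repeating key. Running it twice restores the data,
   because (x XOR k) XOR k == x. */
void xor_buffer(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Encrypt then decrypt a constructed message; 1 if the round trip works. */
int xor_roundtrip_ok(void)
{
    uint8_t msg[] = "Ap0x says hello";          /* constructed sample */
    const uint8_t key[] = { 0x5B, 0xA7, 0x13 };  /* constructed key    */
    uint8_t orig[sizeof msg];
    memcpy(orig, msg, sizeof msg);

    xor_buffer(msg, sizeof msg - 1, key, sizeof key);
    if (memcmp(msg, orig, sizeof msg) == 0)
        return 0;                                /* nothing changed: bad */
    xor_buffer(msg, sizeof msg - 1, key, sizeof key);
    return memcmp(msg, orig, sizeof msg) == 0;
}

int main(void)
{
    printf("chain      = %08X\n", logic_chain(2, 3));
    printf("NOT 3      = %08X\n", not32(3));
    printf("XOR round trip: %s\n", xor_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The same `xor_buffer` call is used for both directions, which is exactly why XOR shows up so often in the simple "encryption" routines met in crackmes: whoever knows the key decrypts by repeating the encryption.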
LEA - a mathematical command in ASM. It is used to execute several
mathematical operations at once. In ASM it looks like this:
LEA EAX, DWORD PTR DS:[ECX*4+6]
After this command executes, EAX holds the result of ECX * 4 + 6. Of course
the usual mathematical precedence applies, so the multiplication is executed
first and then the addition. Although it is written with the brackets of a
memory operand, LEA only computes the address: it does not read memory at all,
which is why compilers use it for ordinary arithmetic (for example
LEA EAX, [EAX+EAX*2] to compute EAX * 3).
SHL / SHR - binary commands used to shift the bits of a register to the left
or to the right. In ASM the command looks like this:
SHR AL, 3
So SHR / SHL have two parameters: the destination register on which the
operation is applied, and a count that tells by how many positions the binary
value of the register is shifted. In practice, if AL contained the binary
value 01011011, execution of the above command goes as follows:
01011011 - original content of AL
00101101 - AL shifted one position to the right
00010110 - AL shifted one more position to the right
00001011 - AL shifted one more position to the right
Bits shifted past the edge of the register are lost; the last bit shifted out
is kept in the carry flag (CF), and the positions vacated at the other end are
filled with zeros. Of course the operation can be applied to 8-bit, 16-bit and
32-bit registers. A shift left by n positions multiplies the value by 2^n and a
shift right by n positions divides it (as an unsigned number) by 2^n, which is
how you will most often see these commands used by compiled code.
ROL / ROR - binary commands used to rotate the bits of a register to the left
or to the right. In ASM the command looks like this:
ROL AL, 3
So ROL / ROR also have two parameters: the destination register on which the
operation is applied, and a count that tells by how many positions the binary
value of the register is rotated. In practice, if AL contained the binary value
01011011, execution of the above command goes as follows:
01011011 - original content of AL
10110110 - AL rotated one position to the left (the 0 that left the left edge
           re-enters on the right)
01101101 - AL rotated one more position to the left
11011010 - AL rotated one more position to the left, final appearance
As you can see, rotation is similar to shifting, with the difference that the
bits pushed out of the register come back in at the opposite end, rotating to
the left (ROL) or to the right (ROR). Nothing is lost, so ROL by n is undone by
ROR by n; the last bit rotated out is also copied into the carry flag.
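The following C block is an added example, not code from the book, that models the 8-bit SHR, SHL, ROL and ROR commands including what happens to the carry flag, and reproduces the two diagrams above for AL = 01011011. The function names and the flag variable are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Models of the 8-bit SHR/SHL and ROL/ROR from the text, tracking the carry
   flag the way the CPU does: CF receives the last bit shifted or rotated out.
   The count is masked to 5 bits as on a real x86; a count of 0 leaves CF alone. */

uint8_t shr8(uint8_t al, unsigned count, int *cf)
{
    for (count &= 0x1F; count > 0; count--) {
        *cf = al & 1;                   /* bit leaving the right edge */
        al >>= 1;                       /* a zero enters on the left  */
    }
    return al;
}

uint8_t shl8(uint8_t al, unsigned count, int *cf)
{
    for (count &= 0x1F; count > 0; count--) {
        *cf = (al >> 7) & 1;            /* bit leaving the left edge  */
        al = (uint8_t)(al << 1);        /* a zero enters on the right */
    }
    return al;
}

uint8_t rol8(uint8_t al, unsigned count, int *cf)
{
    for (count &= 0x1F; count > 0; count--) {
        int top = (al >> 7) & 1;
        al = (uint8_t)((al << 1) | top); /* the bit comes back in on the right */
        *cf = top;
    }
    return al;
}

uint8_t ror8(uint8_t al, unsigned count, int *cf)
{
    for (count &= 0x1F; count > 0; count--) {
        int low = al & 1;
        al = (uint8_t)((al >> 1) | (low << 7)); /* comes back in on the left */
        *cf = low;
    }
    return al;
}

/* Render a byte as 8 binary digits, the way the text draws AL. */
void to_bin8(uint8_t v, char out[9])
{
    for (int i = 0; i < 8; i++)
        out[i] = (v & (0x80 >> i)) ? '1' : '0';
    out[8] = '\0';
}

int main(void)
{
    char b[9];
    int cf = 0;
    uint8_t al = 0x5B;                          /* 01011011 from the text */

    to_bin8(shr8(al, 3, &cf), b);
    printf("SHR AL,3 -> %s  CF=%d  (%u / 8 = %u)\n", b, cf, al, al >> 3);
    to_bin8(shl8(al, 1, &cf), b);
    printf("SHL AL,1 -> %s  CF=%d  (%u * 2 = %u)\n", b, cf, al, (al << 1) & 0xFF);
    to_bin8(rol8(al, 3, &cf), b);
    printf("ROL AL,3 -> %s  CF=%d\n", b, cf);
    to_bin8(ror8(rol8(al, 3, &cf), 3, &cf), b);
    printf("ROR after ROL restores %s\n", b);
    return 0;
}
```

Rotations are reversible and shifts are not, which is why packers and simple serial schemes tend to use ROL/ROR where they need an operation they can undo, and SHR where they want information thrown away.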
We have now learned most of the standard ASM commands you will meet when
reversing applications, but this does not mean we are finished with ASM; on the
contrary, we are only beginning with the interesting things about ASM programs.
ASM for Crackers - Part II
So far you have learned how to use the basic mathematical ASM commands; now it
is time to learn how jumps, comparisons and similar programming constructs are
used in ASM.
Zero Flag - a single bit (in the processor's EFLAGS register) which can hold
only two values, 0 or 1. Why is the zero flag used? There are ASM commands
that compare two values; the result of the comparison is recorded in the zero
flag, and on it depends whether a certain command is executed or not. This
will certainly become clearer when you reach the part that explains
conditional jumps.
CMP - the basic command used to compare two numeric values. The comparison can
be made between two registers or between a register and a number. Both cases
look like this in ASM:
CMP EAX, EBX
CMP EAX, 1
The first case compares the contents of EAX and EBX. CMP subtracts the second
operand from the first, throws the result away and keeps only the flags: if
EAX and EBX are equal the zero flag is set to 1, otherwise it is set to 0 (the
carry, sign and overflow flags are set as well, which the other conditional
jumps use). CMP is the closest ASM equivalent of the IF command of various
high-level languages; the conditional jump that usually follows it is the
branch.
TEST - an advanced command used to compare two numeric values. The comparison
is done by logically ANDing the two operands; the result is not stored in
either register, only the zero flag (and the other flags) are set from it. The
ASM command has the form:
TEST EAX, EAX
As with CMP, two registers or a register and a number can be compared. In the
example given, if EAX is 0 the zero flag will be 1, and if EAX is anything
other than 0 (not only 1) the zero flag will be 0. This is important because
most serial-number checks end with a function returning zero or non-zero in
EAX, followed by exactly this comparison of EAX with itself and a conditional
jump.
JMP - one of many variants of the same command for conditional / unconditional
jumps. These jumps move execution through the code from one virtual address to
another, and they mostly follow the comparison commands above. An example of
an unconditional jump, which is always executed, is:
JMP 00401000
After this command executes, the program continues execution from the address
00401000. This jump is called unconditional because the value of the zero
flag does not matter: the jump is performed regardless of any parameter or
register. There are many variants of jumps that depend on the flags. Jump
commands whose execution depends on the flags (i.e. whether the jump is taken
or not) are called conditional jumps. Examples are JE (jump if the zero flag
equals 1) and JNE (jump if the zero flag equals 0). The "above / below" forms
compare as unsigned numbers (they read the carry and zero flags), while the
"greater / less" forms compare as signed numbers (they read the sign, overflow
and zero flags). Every conditional jump exists in a short form (one opcode
byte plus a one-byte displacement, reaching -128..+127 bytes) and a near form
(0F xx plus a four-byte displacement). A list of all the ASM jump variants:
Short   Near     Asm          Meaning
EB      E9       JMP          unconditional jump
74      0F 84    JE / JZ      jump if equal (ZF = 1)
75      0F 85    JNE / JNZ    jump if not equal (ZF = 0)
77      0F 87    JA / JNBE    jump if above (unsigned: CF = 0 and ZF = 0)
76      0F 86    JNA / JBE    jump if not above, i.e. below or equal (CF = 1 or ZF = 1)
73      0F 83    JAE / JNB    jump if above or equal, i.e. not below (CF = 0)
72      0F 82    JNAE / JB    jump if not above or equal, i.e. below (CF = 1)
7F      0F 8F    JG / JNLE    jump if greater (signed: ZF = 0 and SF = OF)
7E      0F 8E    JNG / JLE    jump if not greater, i.e. less or equal (ZF = 1 or SF <> OF)
7D      0F 8D    JGE / JNL    jump if greater or equal, i.e. not less (SF = OF)
7C      0F 8C    JNGE / JL    jump if not greater or equal, i.e. less (SF <> OF)
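Added C example (not from the book): a model of how CMP and TEST set the flags and how each conditional jump in the table reads them. The point it makes that the table alone cannot is that one and the same CMP is read differently by an unsigned jump (JA) and a signed jump (JG): FFFFFFFF is above 1 but, as a signed number, it is -1 and not greater than 1. The struct and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bits that CMP/TEST set and the conditional jumps read. */
typedef struct { int zf, cf, sf, of; } flags_t;

/* CMP dst, src: compute dst - src, throw the result away, keep the flags. */
flags_t cmp32(uint32_t dst, uint32_t src)
{
    flags_t f;
    uint32_t res = dst - src;
    f.zf = (res == 0);                       /* equal                          */
    f.cf = (dst < src);                      /* unsigned borrow: dst below src */
    f.sf = (res >> 31) & 1;                  /* result negative as signed      */
    /* signed overflow: dst and src differ in sign, and the result's sign
       differs from dst's */
    f.of = (((dst ^ src) & (dst ^ res)) >> 31) & 1;
    return f;
}

/* TEST dst, src: AND the operands, throw the result away, keep the flags.
   CF and OF are always cleared. */
flags_t test32(uint32_t dst, uint32_t src)
{
    flags_t f = { 0, 0, 0, 0 };
    uint32_t res = dst & src;
    f.zf = (res == 0);
    f.sf = (res >> 31) & 1;
    return f;
}

enum jcc { JE, JNE, JA, JAE, JB, JBE, JG, JGE, JL, JLE };

/* Would this conditional jump be taken with these flags? (JZ/JNZ, JNBE, JNB,
   JNAE, JNA, JNLE, JNL, JNGE, JNG are the same tests under other names.) */
int jump_taken(enum jcc j, flags_t f)
{
    switch (j) {
    case JE:  return f.zf;
    case JNE: return !f.zf;
    case JA:  return !f.cf && !f.zf;            /* unsigned >  */
    case JAE: return !f.cf;                     /* unsigned >= */
    case JB:  return f.cf;                      /* unsigned <  */
    case JBE: return f.cf || f.zf;              /* unsigned <= */
    case JG:  return !f.zf && (f.sf == f.of);   /* signed >    */
    case JGE: return f.sf == f.of;              /* signed >=   */
    case JL:  return f.sf != f.of;              /* signed <    */
    case JLE: return f.zf || (f.sf != f.of);    /* signed <=   */
    }
    return 0;
}

int main(void)
{
    /* The same CMP, read by an unsigned and by a signed jump. */
    flags_t f = cmp32(0xFFFFFFFF, 1);
    printf("CMP FFFFFFFF,1 : JA taken=%d  JG taken=%d\n",
           jump_taken(JA, f), jump_taken(JG, f));

    /* The serial-check idiom: TEST EAX,EAX ; JE bad. */
    printf("TEST 0,0 -> JE taken=%d ; TEST 7,7 -> JE taken=%d\n",
           jump_taken(JE, test32(0, 0)), jump_taken(JE, test32(7, 7)));
    return 0;
}
```

When you patch a jump in a target, keep this in mind: swapping a JB for a JL changes the comparison from unsigned to signed, so values with the top bit set will take the other path even though the opcode change looks harmless.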
Now that we have learned how program branching is done in ASM, we will use the
knowledge acquired so far to solve a couple of simple mathematical tasks. We
are going to write a program that calculates the area of a triangle from two
entered parameters, a base and a height. If the area of the triangle is less
than or equal to 6, we add 3 to the calculated area; after that, whatever the
area, we subtract 1 from the result. The area of a triangle is calculated by
the formula P = (a * h) / 2.
Solution:
MOV EAX, 3       ; a = 3
MOV ECX, 4       ; h = 4
XOR EDX, EDX     ; DIV divides the 64-bit pair EDX:EAX, so EDX must be zeroed
IMUL EAX, ECX    ; EAX = a * h = 12
MOV ECX, 2
DIV ECX          ; EAX = 12 / 2 = 6 (the remainder goes to EDX)
CMP EAX, 6
JLE three        ; area <= 6 -> add 3
JMP end
three:
ADD EAX, 3
end:
DEC EAX          ; EAX = 8
In case you do not understand what is going on in the program, I will explain
it in C and mathematically. In C++ it would look like this:
#include <iostream>
#include <cstdio>
using namespace std;
int main(int argc, char *argv[])
{
    int eax;                                  // integer variable definition
    int ecx;                                  // integer variable definition
    int edx;                                  // integer variable definition
    printf("Enter the base of the triangle: ");
    cin >> eax;                               // read EAX from the console
    printf("Enter the height: ");
    cin >> ecx;                               // read ECX from the console
    edx = 0;                                  // EDX = 0
    eax = eax * ecx;                          // EAX = EAX * ECX
    ecx = 2;                                  // ECX = 2
    eax = eax / ecx;                          // EAX = EAX / ECX
    if (eax <= 6) {                           // if EAX <= 6
        eax = eax + 3;                        //   then EAX = EAX + 3
    }                                         // end of the condition
    eax = eax - 1;                            // EAX = EAX - 1
    printf("result ");                        // print the result on screen
    printf("%i", eax);
    return 0;
}
The mathematical solution of this task would be:
EAX = 3
ECX = 4
EDX = 0
EAX = EAX * ECX
ECX = 2
EAX = EAX / ECX
If EAX <= 6 then EAX = EAX + 3
EAX = EAX - 1
As can be seen from the C++ source, the ASM jump commands appear in the places
where C++, and other programming languages, have the conditional IF clause.
Programs without comparisons, and programs without conditional jumps, are
unimaginable; you will not find such targets in reversing practice, so it is
extremely important to know how jumps are executed...
ASM for Crackers - Part III
By now you have learned how to use the basic mathematical operations in ASM,
how to do program branching, ... Now we will learn how the stack is used.
STACK - a part of memory used for the temporary storage of data. This data is
usually needed by the various functions contained in the PE file. Think of the
stack as a pile of plates stacked one on top of another, where the plate
numbered 1 is on top and the last plate is at the bottom. This means that data
is sent to the stack in reverse order: the last parameter is sent first, and
the first parameter last. It is the same as stacking plates: putting one plate
on another, we first put down the last plate and slowly add plates one on top
of another until we reach the first plate. (In memory the stack grows
downwards: each PUSH decreases ESP by 4 and stores the value at the new
[ESP], so the most recently pushed value is always at the lowest address.) The
ASM command used to send data to the stack is PUSH. In case this is not clear,
here is a brief example:
The Windows API function GetDlgItemText requires the following parameters:
(1) Handle of the dialog box
(2) Identifier of the control from which the text is read
(3) Address where the text will be stored
(4) Maximum length of the text
So reading the text looks like this in ASM:
MOV EDI, ESP           ; the handle of the dialog box is placed in EDI
PUSH 00000100          ; PUSH (4) maximum length of the text
PUSH 00406130          ; PUSH (3) address where the text will be stored
PUSH 00000405          ; PUSH (2) identifier of the control
PUSH EDI               ; PUSH (1) handle of the dialog box
CALL GetDlgItemText    ; call the function that returns the text
I think the example is clear. If the part about the handle bothers you, simply
ignore it; what matters is to understand that every function with input
parameters is preceded by PUSH commands and that the parameters are passed in
reverse order (the last parameter of the function's declaration is pushed
first). Windows API functions use the stdcall convention, in which the called
function removes its own parameters from the stack (here with RET 10h, four
parameters of four bytes each), so you will see no stack cleanup after the
CALL. As the example shows, PUSH has only one parameter, which can be a
number, a register or a memory location.
CALL - you have surely wondered about the ASM function I mentioned at the end
of the description of the stack. A CALL is a sub-function: a separate piece of
code responsible for executing some operation. Such functions may, but need
not, have input parameters on which the computation inside them is based. If
the function has input parameters, the CALL is preceded by PUSH commands; if
it has no input parameters, no PUSH commands precede the CALL. To understand
the difference between a CALL with and without input parameters, we will write
two general CALL functions:
The case - without input parameters:
...
00403200:  CALL 00401001
00403209:  DEC EAX
...
00401001:  INC EAX
00401002:  ... other ASM operations
00401100:  RET
As the example shows, no PUSH commands precede the CALL, from which we
conclude that the call at 00403200 has no input parameters. You will have
noticed that the first command inside the CALL, at 00401001, is INC EAX. This
command, and all the other commands inside the CALL, are arbitrary and can be
used for anything. What you can be sure of is the purpose of the RET command
at the end of the CALL. Just as there must be a first command at the start of
the CALL's sequence of commands, there must be a last command that returns
from the CALL and lets the program continue. There are variations of this
command, e.g. RET 4, RET 10 and the like (which additionally remove the given
number of bytes of parameters from the stack on the way out), but they all
perform one and the same operation: returning from the CALL.
How is the written code executed? Simply: first the CALL is made, then all
the commands inside it are executed, ending with RET. After that the program
returns from the CALL and continues from the address 00403209, i.e. it
executes the DEC EAX command.
The case - with input parameters:
...
00403198:  PUSH EAX
00403199:  PUSH EBX
00403200:  CALL 00401001
00403209:  DEC EAX
...
00401001:  PUSH EAX
00401002:  PUSH EBX
00401003:  ... other ASM operations
00401090:  POP EBX
00401092:  POP EAX
00401100:  RET
As can be seen in the example, two PUSH commands precede the CALL, which
means the function has two input parameters. These parameters are temporarily
stored on the stack. Note that the parameters are handed to the function in
reverse order: first EAX is pushed, then EBX. Of course this only illustrates
how parameters are passed to a function; in reality which registers are used
is not important, what matters is the order in which they are sent to the
stack. Inside the CALL things look like the previous example, but at the end
of the CALL you will notice new POP commands. What are they for? The PUSH EAX
and PUSH EBX at the start of the function save the caller's registers on the
stack, and the POP EBX / POP EAX at the end restore them, in the reverse order
of their entry (think of it as the mirror image of the PUSH commands). This
matters because the stack must be back where it was when the function was
entered, so that RET finds the correct return address on top. The two
parameters pushed by the caller are still on the stack after the RET; they
are removed either by the caller (for example with ADD ESP, 8 after the CALL)
or by the function itself with RET 8. Finally, after the CALL has executed,
the program continues from the first address below the CALL, i.e. from
00403209 with the DEC EAX command.
Now that we have learned how to use the PUSH, CALL, POP and RET commands, it
is time to write a program. We are going to write a program that multiplies
two numbers inside one CALL and returns the product.
Solution:
MOV EAX, 3
MOV EBX, 4
PUSH ECX              ; values handed to the function on the stack
PUSH EAX
CALL multiplication
ADD ESP, 8            ; remove the two pushed values again
RET
multiplication:
PUSH ECX              ; save the caller's ECX
PUSH EAX              ; save the caller's EAX
IMUL EAX, EBX         ; EAX = 3 * 4 = 12
MOV EDX, EAX          ; keep the product in EDX...
POP EAX               ; ...because this restores EAX to 3
POP ECX
MOV EAX, EDX          ; return the product in EAX
RET
I think everyone can see why this CALL is structured the way it is. It is
important just to note a few details. First, the same PUSH commands appear
both before the CALL and inside it: the ones before the CALL illustrate
handing values to the function (the function itself takes its operands
straight from EAX and EBX), so the caller removes them again with ADD ESP, 8
before its own RET, otherwise that RET would find a pushed value instead of
the return address. Second, the POP commands are applied in the reverse order
of the PUSH commands. Third, the product is kept temporarily in EDX and only
moved back into EAX after the POP EAX command. Why? Because POP EAX restores
the value 3 into EAX, and the result of the multiplication would be lost;
only after POP EAX has executed is EAX given its proper value. When the CALL
finally finishes, EAX contains the product, and the next command executed
after leaving the CALL is the one right after it.
Of course there are many kinds of CALL, but this is a general example from
which the purpose of a CALL, and how a value is returned from one, can be
understood.
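To make the stack mechanics of this part concrete, here is an added C example (not from the book) that models a 32-bit stack in a byte array: PUSH and POP move ESP, CALL pushes a return address, RET n pops it and discards n bytes of parameters, and the callee reads parameter i at [ESP + 4 + 4*i]. It replays the GetDlgItemText call sequence from above with a made-up dialog handle and return address and checks that after a stdcall RET 10h the stack pointer is back where it started.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A small model of the 32-bit stack: 'mem' is the stack region, 'esp' the
   stack pointer (an index into mem). PUSH moves ESP down by 4 and stores the
   value there; POP reads it back and moves ESP up. Values are stored
   little-endian, as on x86. */
typedef struct {
    uint8_t  mem[256];
    uint32_t esp;
} vstack_t;

static void st32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t ld32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void stack_init(vstack_t *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->esp = sizeof s->mem;             /* empty stack: ESP at the top end */
}

void push32(vstack_t *s, uint32_t v)       /* PUSH v */
{
    s->esp -= 4;
    st32(&s->mem[s->esp], v);
}

uint32_t pop32(vstack_t *s)                /* POP */
{
    uint32_t v = ld32(&s->mem[s->esp]);
    s->esp += 4;
    return v;
}

void call(vstack_t *s, uint32_t ret_addr)  /* CALL: pushes the return address */
{
    push32(s, ret_addr);
}

uint32_t ret(vstack_t *s, uint32_t n)      /* RET n: pop return address, drop n bytes */
{
    uint32_t r = pop32(s);
    s->esp += n;
    return r;
}

/* Inside the callee, parameter i (0 = first) is at [ESP + 4 + 4*i]:
   the return address sits at [ESP], the first parameter right above it. */
uint32_t callee_arg(const vstack_t *s, unsigned i)
{
    return ld32(&s->mem[s->esp + 4 + 4 * i]);
}

/* The GetDlgItemText sequence from the text: four PUSHes right to left,
   CALL, and the stdcall callee returning with RET 10h. The handle and the
   return address are constructed values. Returns the handle as the callee
   sees it, or 0 if something is off (wrong return address, wrong argument
   or ESP not back where it started). */
uint32_t model_getdlgitemtext(void)
{
    vstack_t s;
    stack_init(&s);
    uint32_t esp_before = s.esp;

    push32(&s, 0x00000100);      /* (4) maximum length of the text  */
    push32(&s, 0x00406130);      /* (3) buffer address              */
    push32(&s, 0x00000405);      /* (2) control identifier          */
    push32(&s, 0x00CAFE00);      /* (1) dialog handle (constructed) */
    call(&s, 0x00401234);        /* return address (constructed)    */

    uint32_t hdlg = callee_arg(&s, 0);   /* [ESP+4] = handle     */
    uint32_t ctrl = callee_arg(&s, 1);   /* [ESP+8] = control id */
    uint32_t back = ret(&s, 16);         /* RET 10h: 4 args * 4  */

    if (back != 0x00401234 || ctrl != 0x405 || s.esp != esp_before)
        return 0;
    return hdlg;
}

int main(void)
{
    printf("callee saw handle %08X\n", model_getdlgitemtext());
    return 0;
}
```

This is the layout you see in a debugger when you break on an API call: the return address at [ESP] tells you where the call came from, and [ESP+4], [ESP+8], ... are the parameters in declaration order, which is how you find the buffer into which GetDlgItemText will write the entered name.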
ASM for Crackers - Part IV
The last chapter on the basics of ASM is intended to explain strings and
accessing memory in ASM.
Strings - sequences of ASCII letters that together make up a sentence or a
word. The length of a string can be arbitrary, but what is characteristic of
strings is that each of them must end with the 00h byte. Since this byte is
not a letter, strings are easily distinguished from the rest of the code. For
example, here is a string:
00403040  59 6F 75 72               Your
00403048  20 6E 61 6D 65 20 6D 75    name mu
00403050  73 74 20 62 65 20 61 74   st be at
00403058  20 6C 65 61 73 74 20 66    least f
00403060  69 76 65 20 63 68 61 72   ive char
00403068  61 63 74 65 72 73 20 6C   acters l
00403070  6F 6E 67 21 00            ong!.
As can be seen, every character has its own address, but the address of the
whole string is the address of its first letter. When the string that begins
at address 00403040 is read, it is read from the first byte up to the last,
the 00 byte. We conclude that strings are all the text messages found in a
program, which is also why searching a debugger's list of referenced strings
for a message leads straight to the code that uses it.
Memory - from ASM it is very easy to access any address of the exe that is
currently executing. There are many commands and variations of them, so I
will mention only the most commonly used. There are two types of memory
manipulation:
1) Manipulation of a single byte
2) Manipulation of a series of bytes
BYTE PTR - First I will explain how to use a command that behaves as a
reference to a single byte. Only one form is used:
BYTE PTR DS:[address]
In it everything is constant except the address, which can be either a number
or a register (or an expression such as ECX*4+6). Since this is only part of
a command, it can be used with all other commands that have one or two
parameters. This means that BYTE PTR can be used with MOV, XOR, ADD, IMUL ...
DWORD PTR - unlike the previous command, this one is used to access several
bytes at once (four). Again only one form is used:
DWORD PTR DS:[address]
In it everything is constant except the address, which can be either a number
or a register. Since this is only part of a command, it can be used with all
other commands that have one or two parameters. What is very important to
know is that if you use DWORD PTR in the form:
MOV DWORD PTR [EAX], 019EB
you must bear in mind that the bytes are written to the location EAX in
reverse order (little-endian): the value 000019EB lands in memory as the bytes
EB 19 00 00, the least significant byte first. Note that this does not change
the bytes themselves, only their order. This does not arise with the BYTE PTR
command, since it applies to a single byte.
Let us analyse an example to understand this memory manipulation:
00401154  |> /8A10       /MOV DL, BYTE PTR DS:[EAX]
00401156  |. |2AD1       |SUB DL, CL
00401158  |. |3813       |CMP BYTE PTR DS:[EBX], DL
0040115A  |. |75 18      |JNZ 00401174
0040115C  |. |40         |INC EAX
0040115D  |. |43         |INC EBX
0040115E  |.^\E2 F4      \LOOP 00401154
Let us say that EAX holds the address at which the string 'Ap0x' is stored
(without the quotes, of course), EBX the address of a table of expected bytes,
and ECX the number of characters to check. Since the command at 00401154
places only one byte into the DL register, we see that this is a
single-byte case. On every pass the loop subtracts CL (the low byte of the
loop counter ECX) from the letter in DL, compares the result with the byte
at [EBX] and, if they differ, jumps out to 00401174. Otherwise INC EAX and
INC EBX move both pointers to the next byte, and LOOP decrements ECX and
jumps back to 00401154 as long as ECX is not zero. So for every pass of this
loop one letter of our string is placed in DL, until all the letters have
been used; when that happens the program continues with the code located
below the address 0040115E. (Note that the opcode E2 is LOOP, not JNE: the
jump back depends on ECX, not on the zero flag.)
Why is understanding memory manipulation important? Because with direct
access from ASM code, pieces of the exe's code can be edited, polymorphic
code can check whether it has been modified, functions can be made whose
execution depends on the content of the code, and so on. But even if you
only want to deal with strings when reversing, memory manipulation matters
because most algorithms used to check serial numbers are based on accessing
the whole or parts of the entered strings. This data can be the name, the
serial number ... *PTR is essential for a reverser ...
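Added C example (not from the book) that models the byte loop above as a serial check and inverts it: check_loop replays MOV DL,[EAX] / SUB DL,CL / CMP [EBX],DL / LOOP pass by pass, make_expected builds the [EBX] table that makes the check accept a given name (the keygen view of the same code), and store_dword_le shows the byte order of MOV DWORD PTR [EAX], 019EB. Function names are the example's own; the ECX = 0 case is treated as failure because on the real CPU LOOP would run 2^32 times.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the loop at 00401154. EAX points at the entered string, EBX at a
   table of expected bytes, ECX holds the number of bytes to check. Each pass:
   DL = [EAX]; DL -= CL; CMP [EBX], DL; JNZ fail; INC EAX; INC EBX; LOOP.
   CL is the low byte of ECX, so the subtracted value changes every pass.
   Returns 1 when every byte matched (LOOP fell through), 0 on a mismatch. */
int check_loop(const uint8_t *eax, const uint8_t *ebx, uint32_t ecx)
{
    if (ecx == 0)
        return 0;   /* LOOP with ECX == 0 would run 2^32 times on the CPU */
    do {
        uint8_t dl = *eax;                    /* MOV DL, BYTE PTR DS:[EAX] */
        dl = (uint8_t)(dl - (uint8_t)ecx);    /* SUB DL, CL                */
        if (*ebx != dl)                       /* CMP BYTE PTR DS:[EBX], DL */
            return 0;                         /* JNZ 00401174              */
        eax++;                                /* INC EAX                   */
        ebx++;                                /* INC EBX                   */
    } while (--ecx != 0);                     /* LOOP 00401154             */
    return 1;
}

/* Keygen view of the same loop: the byte expected at position i is
   name[i] - CL, and CL on pass i is len - i. */
void make_expected(const uint8_t *name, uint32_t len, uint8_t *out)
{
    for (uint32_t i = 0; i < len; i++)
        out[i] = (uint8_t)(name[i] - (uint8_t)(len - i));
}

/* MOV DWORD PTR [EAX], 019EB: the four bytes land least significant first. */
void store_dword_le(uint8_t *mem, uint32_t v)
{
    mem[0] = (uint8_t)v;         mem[1] = (uint8_t)(v >> 8);
    mem[2] = (uint8_t)(v >> 16); mem[3] = (uint8_t)(v >> 24);
}

/* Length of a string in memory the way the text describes it: count bytes
   up to the terminating 00. */
size_t string_len_at(const uint8_t *p)
{
    size_t n = 0;
    while (p[n] != 0)
        n++;
    return n;
}

int main(void)
{
    const uint8_t name[] = "Ap0x";       /* the string from the text */
    uint8_t expected[4];
    uint8_t mem[4];

    make_expected(name, 4, expected);
    printf("expected table:");
    for (int i = 0; i < 4; i++)
        printf(" %02X", expected[i]);
    printf("\ncheck('Ap0x') = %d, check('Ap0y') = %d\n",
           check_loop(name, expected, 4),
           check_loop((const uint8_t *)"Ap0y", expected, 4));

    store_dword_le(mem, 0x19EB);
    printf("DWORD 000019EB in memory: %02X %02X %02X %02X\n",
           mem[0], mem[1], mem[2], mem[3]);
    return 0;
}
```

Reading the loop this way, as a transformation of the input followed by a comparison against stored bytes, is the general pattern: once you can write the transformation down you can run it backwards and produce the expected input, which is what a keygen does.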
ASM for Crackers - Part V
So far we have met the standard commands used to manipulate the registers;
now we will widen our horizons and learn what the FPU registers are and how
they are used.
First: "What are the FPU registers?" They are the part of the processor that
handles floating-point numbers. Unlike the 32-bit registers (EAX, EBX, ...),
whose contents the debugger shows in hexadecimal, the FPU registers are shown
in decimal; it is important to keep this difference in mind when reading
them. Apart from it, the FPU registers have a lot in common with the 32-bit
registers.
The first similarity is that, like the 32-bit registers, the FPU registers
are locations that hold numbers on which mathematical operations can later
be performed. Where the 32-bit locations are called EAX, EBX, ..., the FPU
locations are called ST0, ST1, ST2, ... ST7 (eight of them, organised as a
stack with ST0 on top). They can be seen in the same part of the Olly window
as the 32-bit registers, provided the title of the window is set to
Registers (FPU); you switch by clicking on the title of that part of the
window. The difference between the two kinds of register is in the size of
the numbers they can hold: a 32-bit register takes values from 00000000 to
FFFFFFFF, while an FPU register is 80 bits wide (extended precision) and can
hold much larger, and fractional, values.
The next similarity between the two kinds of register is that similar
mathematical operations can be performed on both. Let us start with the
easiest:
Basic mathematical operations
Initialise FPU - FINIT is the basic command with which a program announces
to the processor that a series of commands accessing the FPU registers
follows. Although FINIT also sets the initial FPU control flags directly, it
can be omitted and the FPU registers can be accessed without it.
Assigning values - the basic FPU command for giving a value to one of the
registers (ST0, ST1, ...). It has two forms:
FLD source  - load a REAL value [e.g. 1.22 or 1.44 ...]
FILD source - load an INTEGER value [e.g. 1, 2], converted to real
where source is the memory location from which the sequence of bytes is read.
FLD pushes onto the register stack: the loaded value always lands in ST0, and
whatever was in ST0 before moves down to ST1 (ST1 to ST2, and so on). So
after two FLD commands, ST0 holds the second value loaded and ST1 the first.
An example of the command in practice:
FLD TBYTE PTR DS:[403197]
which transfers the ten bytes (TBYTE) at address 00403197 into ST0. A TBYTE is
like a DWORD but larger: ten bytes instead of four, the 80-bit extended real
format the FPU uses internally.
Addition - the basic mathematical FPU command for adding two values. For
example ST0 and ST1 can be added so that ST0 holds the sum. The command has
two forms:
FADD destination, source - add a REAL value
FIADD source             - add an INTEGER from memory [source] to ST0
An example of its use:
FADD ST(0), ST(1)
which puts the sum of ST0 and ST1 into ST0. With FIADD the source (a memory
integer) is first converted to extended real and then added to ST0.
Subtraction - the basic mathematical FPU command for subtracting one value
from another. For example ST1 can be subtracted from ST0 so that ST0 holds the
difference. The command has two forms:
FSUB destination, source - subtract a REAL value
FISUB source             - subtract an INTEGER from memory [source] from ST0
An example of its use:
FSUB ST(0), ST(1)
which puts ST0 - ST1 into ST0. With FISUB the source is first converted to
extended real and then subtracted from the destination.
Multiplication - the basic mathematical FPU command for multiplying two
values. For example ST0 and ST1 can be multiplied so that ST0 holds the
product. The commands FMUL (real) and FIMUL (integer from memory) are used.
An example of its use:
FMUL ST(0), ST(1)
and its result is ST0 = ST0 * ST1. With FIMUL the memory integer is first
converted to extended real and then multiplied with ST0.
Division - the basic mathematical FPU command for dividing two values. For
example ST0 can be divided by ST1 so that ST0 holds the quotient. The
commands FDIV (real) and FIDIV (integer from memory) are used.
An example of its use:
FDIV ST(0), ST(1)
and its result is ST0 = ST0 / ST1. With FIDIV the memory integer is first
converted to extended real and then ST0 is divided by it.
Square root - the mathematical operation that gives the number which,
multiplied by itself, yields the number under the root. So since 5 * 5 = 25,
the square root of 25 is 5. In ASM this operation is called FSQRT; it takes
no explicit parameter, ST0 is both its source and its destination.
Absolute value - the mathematical operation that maps negative values onto
their positive image. This means that after it is applied, whatever the
number was, the value is always positive: if the number was -1.22, after
this command the result is 1.22. The command is called FABS and, like
FSQRT, works on ST0.
Change sign - equivalent to multiplying a number by -1. So if the number in
the register was negative it becomes positive, and vice versa. The command is
called FCHS and also works on ST0.
Sine / Cosine - the basic trigonometric commands. In ASM they look like
this:
FSIN   ; ST0 = sin(ST0)
FCOS   ; ST0 = cos(ST0)
These commands take no parameter at all: ST0 is both the source and the
destination, so the sine / cosine is computed from ST0 and the result is left
in the same register. There is also a combined command, FSINCOS, which leaves
both results on the stack.
More operations
No operation - the familiar ASM command used to fill empty space; the FPU
version is called FNOP, the functional equivalent of the NOP command we
already know.
Test - the familiar ASM command used for a logical comparison of values,
commonly seen as TEST EAX, EAX, where of course any other register can be
used instead of EAX. Its result is the zero flag set to 1 if EAX equals 0, and
to 0 otherwise. The FPU equivalent is FTST, which compares ST0 with 0.0 and
records the outcome in the FPU's own condition codes.
Exchange - the familiar ASM command for exchanging the values of two
registers. Its FPU equivalent is FXCH, which works as follows:
IF number-of-operands is 1
THEN
    temp  <- ST(0);
    ST(0) <- SRC;
    SRC   <- temp;
ELSE
    temp  <- ST(0);
    ST(0) <- ST(1);
    ST(1) <- temp;
Comparison - the familiar ASM command for comparing two values or two
registers has its FPU equivalent too, for comparing with an integer or a
real value: FICOM is used to compare with an integer and FCOM to compare with
a real value. Bear in mind that the result does not go into the zero flag but
into the FPU status word (the condition codes C0 to C3), so the code that
follows typically copies it into the processor flags with FSTSW AX / SAHF (or
uses FCOMI, which sets the flags directly) before a conditional jump.
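Added C example (not from the book): a model of the eight-slot x87 register stack that makes the push behaviour of FLD, the effect of FXCH and the ST(0),ST(i) arithmetic visible, and uses them to compute the triangle area from Part II on the FPU. It assumes that long double is the 80-bit extended format of a TBYTE, which is true for GCC and Clang on x86 (elsewhere the width may differ, the stack logic does not); the square root uses a short Newton iteration instead of the maths library. The function names are the example's own.

```c
#include <stdio.h>

/* Model of the x87 register stack: eight slots, ST(0) is the top. On x86
   GCC/Clang 'long double' is the same 80-bit extended format as a TBYTE. */
typedef struct {
    long double st[8];
    int depth;                 /* number of slots currently in use */
} fpu_t;

void finit(fpu_t *f)           /* FINIT: empty the register stack */
{
    f->depth = 0;
}

/* FLD value: push. Returns 0 on a stack overflow (all eight slots full),
   which the real FPU reports as an invalid-operation exception. */
int fld(fpu_t *f, long double v)
{
    if (f->depth == 8)
        return 0;
    for (int i = f->depth; i > 0; i--)
        f->st[i] = f->st[i - 1];   /* old ST(0) becomes ST(1), and so on */
    f->st[0] = v;
    f->depth++;
    return 1;
}

long double st(const fpu_t *f, int i) { return f->st[i]; }   /* read ST(i) */

/* FSTP ST(0) style pop: return ST(0) and drop it from the stack. */
long double fstp(fpu_t *f)
{
    long double v = f->st[0];
    for (int i = 1; i < f->depth; i++)
        f->st[i - 1] = f->st[i];
    f->depth--;
    return v;
}

/* FADD/FSUB/FMUL/FDIV ST(0), ST(i): the result replaces ST(0). */
void fop(fpu_t *f, char op, int i)
{
    switch (op) {
    case '+': f->st[0] += f->st[i]; break;
    case '-': f->st[0] -= f->st[i]; break;
    case '*': f->st[0] *= f->st[i]; break;
    case '/': f->st[0] /= f->st[i]; break;
    }
}

void fxch(fpu_t *f, int i)     /* FXCH ST(i): swap with ST(0) */
{
    long double t = f->st[0]; f->st[0] = f->st[i]; f->st[i] = t;
}

void fchs(fpu_t *f) { f->st[0] = -f->st[0]; }               /* FCHS */
void fabs_(fpu_t *f) { if (f->st[0] < 0) f->st[0] = -f->st[0]; } /* FABS */

/* FSQRT on ST(0) via Newton's iteration (a negative ST(0) is an invalid
   operation on the real FPU; it is left unchanged here). */
void fsqrt(fpu_t *f)
{
    long double x = f->st[0], r = x;
    if (x > 0)
        for (int i = 0; i < 64; i++)
            r = (r + x / r) / 2;
    f->st[0] = r;
}

/* The triangle area from Part II done on the FPU:
   FLD a ; FLD h ; FMUL ST(0),ST(1) ; FLD 2 ; FXCH ST(1) ; FDIV ST(0),ST(1) ; FSTP
   FXCH is needed because after FLD 2 the product sits in ST(1), not ST(0). */
long double triangle_area(long double a, long double h)
{
    fpu_t f;
    finit(&f);
    fld(&f, a);                /* ST0 = a                */
    fld(&f, h);                /* ST0 = h,    ST1 = a    */
    fop(&f, '*', 1);           /* ST0 = a*h,  ST1 = a    */
    fld(&f, 2.0L);             /* ST0 = 2,    ST1 = a*h  */
    fxch(&f, 1);               /* ST0 = a*h,  ST1 = 2    */
    fop(&f, '/', 1);           /* ST0 = a*h/2            */
    return fstp(&f);
}

int main(void)
{
    printf("area(3,4) = %Lf\n", triangle_area(3.0L, 4.0L));
    return 0;
}
```

The FXCH step is the detail that trips people up when reading FPU code in a debugger: every FLD shifts the whole register window down by one, so the value you loaded first is no longer in ST0 by the time the arithmetic runs.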
The FPU registers are important for mathematical operations with floating
point, or for computations with values known to be larger than the standard
integer values. Although the FPU registers have their strengths and their
uses, they are not met often in reversing practice. This short table of the
most commonly used FPU commands is included in the book because you may meet
some of these commands while reversing a crackme and / or some encryption.
NOTE: understanding the basic ASM commands covered so far is necessary for
reading the rest of the book. If you have not understood everything, or have
skipped something, I suggest you go back and read this part of the book
again.
Reading this table:
Chapter             Required level      Reading time (minimum)   Reading time (maximum)
Intro to Cracking   newbie              4 days                   1 week
NAG Screens         newbie              1 day                    1 week
Cracking Serials    newbie              2 days                   1 week
Making Keygens      advanced newbie     1 week                   2 weeks
CD Checking         advanced newbie     1 day                    5 days
Code Hacking        advanced coder      3 days                   1 week
"Getting Caught"    advanced newbie     3 days                   1 week
Cracking it         newbie              2 days                   1 week
Decrypt Me          expert coder        1 week                   3 weeks
Unpacking           advanced newbie     1 week                   3 weeks
Patching            advanced newbie     1 day                    3 days
Nightmare           reverser            1 week                   4 weeks
Tricks of Trade     newbie              1 day                    1 day
Download links:
Debugger - OllyDbg v1.10 http://www.Ollydbg.de
Disassembler - W32dasm89 http://www.exetools.com
PE identifier - PEiD 0.93 http://peid.has.it
Hex Editor - Hiew 6.83 http://www.exetools.com
Resource Viewer - Resource Hacker http://rpi.net.au/~ajohnson/resourcehacker
Import reconstructor - Import REConstructor 1.6 http://www.wasm.ru
Process Dumper - LordPE 1.4 http://y0da.cjb.net
Other tools:
Ap0x Patch Creator RC3 - http://ap0x.headcoders.net
Olly2Table 0.1alfa - http://ap0x.headcoders.net
HexDecChar 0.4alfa - http://ap0x.headcoders.net
The Ape 0.0.6beta - http://ap0x.headcoders.net
Note: these are only some of the tools that will be used in the book. I
consider them basic, and you should get them before you continue reading this
book.
Tools of Trade
As with any other activity on a computer, for reverse engineering you need
some tools (programs) to get at the information you need quickly and easily.
Most of the tools I recommend here can be downloaded freely from the Internet,
as they are distributed as freeware. Before I begin with the list of programs
you will have to download, I will explain in a few sentences which tools are
needed and what they are for.
Debugger - the basic tool of every reverser, but also of every programmer who
wants to quickly and easily eliminate errors from their code. What a debugger
gives us is the ability to monitor the execution of our own or someone else's
code exactly as the processor sees it. Yes, this means you have to learn the
basics of assembler (machine language) to be able to understand and control
the execution of code. I wrote and published such a text on the
www.EliteSecurity.org site; in this edition of the book it is found on page 9
(this is the supplemented edition), and reading it is necessary for easier
reference and understanding of the texts in this book.
Disassembler - This is additional tools for debugger. Namely if you
debugger that is not enough information about the "target" then you can use some of
disassemblera as To easier observed information who you needs. With
time will all less use this tools percent will the used to
asemblerov code so that these tools you will be required.
PE Identifiers - Do not be confused by this title; PE files are just ordinary
exe files that may contain some additional code, a packer, which usually serves
to reduce the size of the exe file. Since there is a large number of such
packers and encryptors, special programs are needed to recognize them. Of
course this can also partly be done manually, which you will learn as well.
Hex Editors - These are tools that show us the exact appearance of a file on
the hard disk and are used to modify the physical file, as opposed to changing
the code in memory, which a debugger allows us to do.
Resource Viewer - Used for viewing, extracting, changing or adding resources
to an exe. Resources are data included within the executable file and can be
images, dialogs, multimedia, strings or other data types. These programs are
generally not necessary, but they can make the job easier.
Process dumper - These serve primarily for unpacking packed PE files and allow
us to record a complete "picture" of a running program to the hard disk.
Import reconstructors - These are programs that serve to fix undefined or
erroneous calls to Windows API functions.
Configuring Tools of Trade
Most of the tools listed above are already configured properly, so we only
need to change a few small things to make working with them even easier.
OllyDbg v.1.10
We will set the following options in OllyDbg. Open Olly and go to the debugger
configuration menu [Hint: Options -> Debugging options, or Alt + O]. We need
to go to Exceptions and disable all the ticked options. Next we go to Strings
and there untick: Decode Pascal strings and Dump non-printable ASCII codes as
dots; for the Mode of string decoding option select Plain. In the Disasm tab
select MASM as the syntax, and in the CPU tab select the following: underline
fixups, show directions of jumps, show jump path, show grayed path if jump is
not taken, show jumps to selected command.
Next you can adjust the color scheme, which helps us notice certain commands in
the disassembled code more easily, such as jumps and function calls. Go to
Options -> Appearance and there, in the first tab [Hint: General], untick
Restore window position and appearance. Then in Defaults you can choose a theme
that suits you. I prefer Black on White as the theme and Christmas tree as the
syntax highlighting. You can choose any you like, but in my opinion these two
are the clearest. That is all you need to configure in Olly.
Note: OllyDbg is just one of many debuggers you can find on the Internet. Among
the more popular ones you can use SoftICE, TRW2000 or a debugger made specially
for a certain type of compiler (programming languages such as Visual Basic,
Delphi, .Net, etc.), but only Olly is free, universal and simply the best
debugger for beginners as well as for experienced crackers. I recommend using
it because it will be mentioned and used very often later in this book.
W32Dasm++ / W32Dasm 8.93
We set the following option in W32Dasm to ensure a correct display of the
disassembled file. Click Disassembler -> Font -> Select font ... and choose
Courier New from the list of fonts, then choose the Save Default Font option.
Despite this, W32Dasm has plenty of bugs:
1) If W32Dasm will not open a file, move the file to C:\
2) If W32Dasm gets stuck in the file dialog, download a newer version
3) If W32Dasm shows no disassembly, this means the file is packed with some
packer and therefore cannot be disassembled (this is not a bug).
NuMega SmartCheck v.6.03
SmartCheck is a special debugger used for debugging programs written in Visual
Basic (versions 5 and 6). It is useful because in most cases its data is
clearer and easier to process than Olly's. Therefore, if the program you are
trying to "break" is written in Visual Basic, first try SmartCheck and then the
other tools.
Go to Program -> Settings -> Error detection
Tick all the checkboxes except Report errors immediately.
Go to Advanced:
Tick only the following:
- Report errors caused by other errors
- Report errors even if no source code available
- Report error only once each
- Check all heap memory blocks on each function call
Everything else should be unticked; press [OK] and move on ...
Go to Reporting:
Tick everything except Report MouseMove events from OCX, press [OK] and close
the configuration menu.
Go to Program -> Event Reporting
Press the green arrow in the toolbar to start the selected program. This can be
any program written in Visual Basic; then tick only the following menu items:
View -> Arguments ...
View -> Sequence Numbers ...
View -> Suppressed Errors ...
View -> Show and specific errors ...
Window -> [2] ... - Program Results
PEiD v.0.93
PEiD is a program we will use quite often throughout this book; as its name
says, its main use is to show us information about the "target" we are trying
to reverse. This data includes the compiler version and whether the program is
packed with some packer, and if so, which version. This program is in the
correct mode by default, but we will set a couple of things to make life
easier. Start the program and go to Options. There select Hardcore Scan and
Register Shell Extensions. Click Save and the program is successfully
configured.
My first crack
Now that we have set up the tools we need, we will move on to using them. Start
myCrack.exe, which is in the folder ...\Classes\Cas01. What we see is this
message on the screen:
As you can see in the figure, this will be a simple example in which we only
remove the first line, so that the program prints to the screen only the
message that is currently in the second line.
This task may seem complicated to beginners, but with the help of the first
pair of tools you will have no problem solving it successfully and quickly;
for its solution we will need only two tools: W32Dasm and Hiew. But before we
start cracking I have to explain the basics of cracking.
Cracking is the technique of changing already compiled (final) exe (and other
types of) files. The files are modified at the assembly level, which means that
it is desirable to know the basic principles of how assembler commands work. Of
course this is not strictly necessary, because we can work out what an
assembler command does by understanding the command logically. The simplest
example of this logic is that we can conclude what this command does:
MOV EAX, 1. Of course you guess that this command is equivalent to the
mathematical function EAX = 1. The main command we will need in this first
lesson is NOP. It is the basic cracker's command and means that at the place
where it stands simply nothing happens. This means that the program will go
through it and do nothing. Why is this important? When cracking there are
commands we want to alter or remove. Since in cracking it is not desirable to
physically remove part of a file, because that would disturb the commands
below the deleted one, we use this NOP command to delete the places we do not
need. Of course, these places will not be physically removed; the program
simply does nothing at the place where the command we deleted was, and
continues on. Let's see what this looks like in assembler. If we have the
following assembler commands:
MOV EAX, 1
INC EAX
ADD EAX, 5
we can assume what is going on. Mathematically it looks like this:
EAX = 1
EAX = EAX + 1
EAX = EAX + 5
I think it is clear to everyone what the result in EAX is after executing
these three commands. Let's say we want the result in EAX at the end of these
three commands to be lower than it is now. We simply prevent adding 1 to EAX in
the second line and the problem is solved. Now it looks like this:
MOV EAX, 1
NOP
ADD EAX, 5
As we can see, we simply NOPed out the second line, and now instead of INC EAX
it is executed as NOP, so the result in EAX does not change after executing
that command.
First, open this "target" in W32Dasm and look up the text we want to remove.
When the program is loaded in W32Dasm, use the Find option to search for the
text of the message we need to remove. Go to Search -> Find -> This line -> OK.
You will see this:
As you can see, the first command below the found text is in charge of showing
the message on the screen. What we might conclude is that if we only NOP out
the red line, we remove the message from the screen. WRONG! Here one problem
arises: if we NOP out only that line, we get bugs and the program crashes,
because we have not modified it correctly. The problem lies in the fact that
more lines are in charge of showing the text on the screen. Understand this as
a function that has several parameters. For example:
prikazi_tekst_na_ekran (parameter1, parameter2, parameter3, ...)
This function for displaying text on the screen has three parameters that it
needs in order to display the text on the screen. What we did was take away one
of its arguments, which is why the program crashed. The problem is that each
function must have a sufficient number of parameters; this number must be
neither more nor less than the function requires. Conveniently, assembler
tells us what we need to know about the parameters a function takes. You will
notice a couple of PUSH commands preceding a CALL command. These commands are
what I explained in the example above: the PUSH commands are the parameters of
the function and CALL is the function itself. It is also important to remember
that in assembler the parameters of a function are passed in reverse order.
The last parameter is passed first, and just before calling the function the
first parameter is passed. This means that we must not NOP out only the CALL,
or only a PUSH; to remove the message from the screen we have to NOP out all
the PUSHes and in the end the CALL as well. Notice that the third line below
the message we want to remove from the screen is the CALL that serves to
display the message on the screen. Before it there are not two but three
PUSHes, two below the message and one above. Do not be confused that between
the PUSH commands there are some other ASM commands; they do not interest us,
we are interested only in PUSH and CALL. Before we start cracking, I have to
explain the window we are currently looking at in W32Dasm. What we see is this:
The piece of code framed in red contains the virtual addresses of the lines of
code. Think of these numbers as if they were the numbers 1, 2, 3, ... giving
the order in which the program executes. In this example the first address,
from which execution starts, the OEP (original entry point), is 00401000, and
all other addresses are
increased by a certain number. This number does not have to be one, and very
often is not one. This number depends directly on the content framed in blue
in the picture. These numbers are the commands, written to the file in HEX
format. For example, the hex number 55 is equivalent to the ASM command
PUSH EBP. You will notice that these HEX numbers are always written in pairs
of two digits. Only these two-digit HEX numbers are the commands equivalent to
those framed in green in the picture. For this example it is important that
the ASM NOP command is written in HEX as 90. This means that one 90 is
equivalent to one NOP command. To NOP out one line we must replace all the
two-digit HEX numbers of that line with 90. For example, to delete the command
at 004012E0 we have to replace the contents of this address (83EC0C) with
three NOP commands (909090), because there are three pairs of two-digit
numbers in this line. Notice how the addresses increase: you will see that,
for example, after the address 004012C0 comes 004012C3. It would be logical to
expect 004012C1 after 004012C0, but here it is 004012C3. This is because every
two-digit number of ASM code is assigned exactly one address. So at the
address 004012C0 there is only one two-digit number, 83; at 004012C1 there is
E4, and at 004012C2 there is F0. The only reason these three addresses are
joined in one line is that these three bytes form a single ASM command, and
the first address after them, where the next ASM command is, is 004012C3. The
address of a line corresponds to the first two-digit hex number (byte)
contained in that "line" of code.
Now that we have learned how to patch (modify) a program, let's move on to
modifying it. You can edit the program in Hiew or any other hex editor. Since
Hiew is the best for beginners, all explanations in the first chapter will
refer to it. So start Hiew and open myCrack.exe with it. The original view in
Hiew is incomprehensible to us, so we will turn this view into one identical
to W32Dasm's. We do this by pressing F4 and selecting Decode mode. Now we see
the ASM commands. If you do not remember them, look at the image above again
and write down the addresses we need to NOP out; the addresses are: 004012DB,
004012E3, 004012E8 and 004012ED. To go to these addresses in Hiew press F5,
type a period first and then the address you want to go to. When you go to the
first address you will see the same PUSH command as in W32Dasm. Since we
learned that we need to NOP out all the two-digit numbers of the line,
remember the last two bytes. So the last two bytes we have to NOP out are 42
and 00. Now press F3 to enter Edit mode and type the new bytes to replace the
old ones, that is, 90 bytes. We will have to enter 90 five times to NOP out
the whole line. Move the cursor to the next address that needs NOPing, that
is, the next PUSH command, and do the same with it. Repeat the same procedure
with the last PUSH command and with the CALL. When you have finished, the
result should look like the following picture:
So all the addresses with PUSH and CALL commands are NOPed out. To save the
changes press F9, and to exit the program press F10. Feel free to try starting
the program you just patched, and you will see that it does not work! Although
we did everything right and patched all the PUSH and CALL commands, the
program makes an error. What we expect, and should, is that this DOS program,
after writing the message to the screen, moves the cursor to the next line.
This happens right under the printed message we removed, which means that the
next CALL serves just for that. Open Hiew again and type in the address
004012F2. Immediately below this address we will see a PUSH and a CALL
command.
It is obvious that this CALL and PUSH command must be NOPed out too, because
the program cannot move the cursor to the next line without printing the
message on the screen. So we will NOP out addresses 004012F5 and 004012F6 as
well, save the file and try to start the program again. We will see that we
have now succeeded and the message no longer appears. We have managed to crack
our first program.
My second crack
Now that we have set up the tools we need, we will move on to using them. Start
myFirstCrack.exe, which is in the folder ...\Classes\Cas01. What you see is a
plain DOS window saying that it is not cracked. This is what we will change.
Open this program in W32Dasm [Hint: Disassembler -> Open File to disassemble]
and wait a moment for the disassembled program to appear. Since this is the
second lesson I will not analyze much; we will do only what is necessary to
crack this program. Recall the message we got when we launched the program;
now we should find out where it is called from. This can be done in two ways.
The first is through the Find option in the program, while the other, a little
more useful, is through the String References option in W32Dasm. So press the
penultimate button in the toolbar, String References (Strn Ref), and a new
window will open. In this window we find the message the program showed when
launched (I crackovan: P) and double-click it, which takes us to the exact
place in the exe file from which this message is called. The program will take
us here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040128C(C)
|
:004012EF 837DFC00     cmp dword ptr [ebp-04], 00000000
:004012F3 754C         jne 00401341
:004012F5 83EC08       sub esp, 00000008
:004012F8 6848284200   push 00422848
:004012FD 83EC0C       sub esp, 0000000C
* Possible StringData Ref from Code Obj ->"I crackovan: P"
|
:00401300 6880124000   push 00401280   <- We are here
:00401305 6850534300   push 00435350
:0040130A E84D1E0200   call 0042315C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012A8(C)
|
:0040130F 83C414       add esp, 00000014
:00401312 50           push eax
:00401313 E8D82A0100   call 00413DF0
:00401318 83C410       add esp, 00000010
:0040131B 83EC08       sub esp, 00000008
:0040131E 6848284200   push 00422848
:00401323 83EC0C       sub esp, 0000000C
We see the message "I crackovan: P", so this is where this message is called
from. The subject of this lesson is for you to learn how to show, instead of
this
message, another message that is already in the same exe file. If you look
just above this message you will see one conditional jump:
:004012F3 754C         jne 00401341
This means that if something is not equal, the program will jump to 00401341.
If we go down a bit to see what is at that address, we will see the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012F3(C)
|
:00401341 837DFC01     cmp dword ptr [ebp-04], 00000001
:00401345 754C         jne 00401393   <- the important jump: when it
:00401347 83EC08       sub esp, 00000008   executes, the message is skipped
:0040134A 6848284200   push 00422848
:0040134F 83EC0C       sub esp, 0000000C
* Possible StringData Ref from Code Obj ->"Successfully crackovao me:)"
|
:00401352 68AE124000   push 004012AE
You will notice that this is the message "Successfully crackovao me:)", which
will be shown on the screen only if the jump at address 004012F3 is always
executed. But we must note that between the addresses 00401341 and 00401352
there is another jump that needs to be changed. To successfully crack this
program we have to alter the jump at 004012F3 from JNE (75 hex) to JMP (EB
hex) so that it is always executed, that is, so that the program always goes
to the address 00401341, and change the jump at 00401345 so that it never
executes, that is, change it into two NOPs (No Operation). When this is done,
the message about successful cracking will always be shown on the screen. If
this part is not clear to you, pay attention to the hex addresses the jumps
lead to. You will see that they lead us past the messages we want to display
on the screen. We need to change these jumps so that the screen always shows
the message we want. This is perhaps the most important part of the book, the
very foundation. To progress further successfully you have to understand how
changing certain commands affects the behavior of a program. Therefore I
suggest that if this is your first encounter with cracking, you go through
this first area thoroughly and do not move on to another area without first
understanding this one and solving on your own the exercise at the end of
this chapter. Doing the exercises is recommended because it will help you
become independent and solve problems you have not seen and worked through
before.
To carry out these changes in the program you should copy it to the directory
where Hiew is and open it with Hiew.
Since this original view is not really understandable to us, press F4 and
choose Decode to get the same view we saw in W32Dasm. We could scroll down to
the address 004012F3 that we want to change, but we can go to that address
with the GoTo command. Press F5, first enter a period, then the address
004012F3, and then Enter. Now that we are at the address, it can be changed by
switching to edit mode with F3. Put the cursor on the first byte, 75, and type
EB. Here is how it should look:
Save the changes with F9. Now we need to change the other jump. Press F5, enter
the period and the address 00401345, and then press Enter. Now that we are
here, we can alter it by switching to edit mode with F3. Place the cursor on
the first byte, 75, and type 9090. Here is how it should look:
Save the changes with F9 and exit Hiew with F10. Now you can start this exe
file and you will see that it always shows the same message, "Successfully
crackovao me:)".
Look at the file ...\Classes\Cas1\main.cpp to see what this program looks like
in C++. As you can see:
#include <iostream>
using namespace std;
int main (int argc, char * argv [])
{
    int i;
    i = 0;
    // i is always zero, so only the first message is ever printed
    if (i == 0) {
        cout << "I crackovan: P" << endl;
        cout << "Press ENTER to continue ..." << endl;
    }
    if (i == 1) {
        cout << "Successfully crackovao me:)" << endl;
        cout << "Press ENTER to continue ..." << endl;
    }
    cin.get ();
    return 0;
}
There are two conditions. If i equals zero, the message saying the program is
not cracked is shown, and if it equals one, the message saying the program is
cracked is shown. Since i is always equal to zero, what we did was swap the
conditions, so that the first message now requires i to be one and the second
requires i to be zero. This is a slightly complicated example because it was
necessary to change two jumps, but once you master it you will be able to
crack a large number of beginner programs, because almost all of them are
based on this or a similar principle.
Exercise:
If you want, you can check the knowledge acquired so far on the same or a
similar example, which is already prepared in a file. You should crack the
file ...\Classes\Cas1\myFirstTest.exe on your own. The procedure does not
differ much from the previous example; in this test only one jump should be
corrected. For those who know or understand a little C++ there is
...\Classes\Cas1\test.cpp, to see the differences between the first example
and this test, and the file ...\Classes\Cas1\myFirstTest.cracked.exe is an
example of how the final cracked program should look. Doing the exercises
throughout this book is recommended, since the cracking procedures are easier
to remember on similar examples.
Solution:
You need to change the jump at 00401391 from JNE (755E) to JMP (EB5E).
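As an added example that is not the book's own code, here is how the relationships the two lessons explain by hand (each address is the previous address plus the previous instruction's byte count, one 90 byte per byte when NOPing a line, JNE 75 xx to JMP EB xx with the same displacement, and the rule that a patch must not change an instruction's length) can be checked with a short Python script over a W32Dasm-style listing. The listing lines are copied from the dump above, the regex and the helper names are my own, and it also resolves the E8 call targets, which the listing shows but the text does not decode.

```python
# Added example, not from the book: reading a W32Dasm-style listing the way
# the lessons read it by hand. Each line is an address, the instruction's
# bytes and its mnemonic. The checks verify that every address is the
# previous address plus the previous instruction's byte count, decode the
# short jumps and near calls, and confirm that a patch keeps the length.
# The listing text is constructed from the chapter's dump of myFirstCrack.exe.
import re

LISTING = """
:004012EF 837DFC00   cmp dword ptr [ebp-04], 00000000
:004012F3 754C       jne 00401341
:004012F5 83EC08     sub esp, 00000008
:004012F8 6848284200 push 00422848
:004012FD 83EC0C     sub esp, 0000000C
:00401300 6880124000 push 00401280
:00401305 6850534300 push 00435350
:0040130A E84D1E0200 call 0042315C
:0040130F 83C414     add esp, 00000014
:00401312 50         push eax
:00401313 E8D82A0100 call 00413DF0
:00401318 83C410     add esp, 00000010
"""

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.+)$")

# opcode -> mnemonic for the 2-byte (rel8) jump forms the lessons patch
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}

def parse_listing(text):
    """Return [(address, instruction bytes, mnemonic)] for every listing line."""
    insns = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            addr, hexbytes, mnem = m.groups()
            insns.append((int(addr, 16), bytes.fromhex(hexbytes), mnem.strip()))
    return insns

def continuity_errors(insns):
    """Addresses of lines that do not start where the previous instruction ends."""
    bad = []
    for (addr, code, _), (next_addr, _, _) in zip(insns, insns[1:]):
        if addr + len(code) != next_addr:
            bad.append(next_addr)
    return bad

def short_jump_target(addr, code):
    """Target of a 2-byte jump: address of the next instruction plus signed rel8."""
    if len(code) != 2 or code[0] not in SHORT_JUMPS:
        raise ValueError("not a short jump: %s" % code.hex())
    rel8 = code[1] - 0x100 if code[1] >= 0x80 else code[1]
    return addr + 2 + rel8

def call_target(addr, code):
    """Target of E8 rel32: address of the next instruction plus signed rel32."""
    if len(code) != 5 or code[0] != 0xE8:
        raise ValueError("not a near call: %s" % code.hex())
    return addr + 5 + int.from_bytes(code[1:5], "little", signed=True)

def nop_fill(code):
    """The lesson's rule: replace every byte of the instruction with 90 (NOP)."""
    return bytes([0x90]) * len(code)

def jne_to_jmp(code):
    """Turn JNE rel8 (75 xx) into JMP rel8 (EB xx); the displacement is kept."""
    if len(code) != 2 or code[0] != 0x75:
        raise ValueError("not a JNE rel8: %s" % code.hex())
    return bytes([0xEB, code[1]])

def check_patch(original, patched):
    """A patch must keep the instruction length, or every address after it shifts."""
    return len(original) == len(patched)

def decode_targets(insns):
    """Resolve jump and call targets so they can be compared with the mnemonics."""
    targets = {}
    for addr, code, _ in insns:
        if len(code) == 2 and code[0] in SHORT_JUMPS:
            targets[addr] = short_jump_target(addr, code)
        elif len(code) == 5 and code[0] == 0xE8:
            targets[addr] = call_target(addr, code)
    return targets

if __name__ == "__main__":
    insns = parse_listing(LISTING)
    print("continuity errors:", continuity_errors(insns))
    for addr, target in decode_targets(insns).items():
        print("%08X -> %08X" % (addr, target))
```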
OllyDbg from the beginning
Before we begin with serious reversing problems, you will learn how a debugger
works and, most importantly, how to use Olly. As was said at the beginning of
the book, debuggers are tools designed to enable us to monitor the execution
of every ASM instruction of any program. This is the clear advantage debuggers
have over disassemblers, which allow us only a simple review of "dead code".
Dead code is just a slang term for static ASM, which we can inspect in detail
but cannot see behaving during its execution; that is, we cannot know when and
why jumps are taken, what parameters a CALL takes ... For this reason it is
best to use a debugger like Olly for monitoring routines.
Debugging basics - Breakpoints
It has been said that a debugger has the power to stop the observed program
and to carry out its instructions in a row, one by one. But how does it
actually pause the program?
For this to happen, that is, for the debugged program to stop at exactly a
specific address, one of the following two conditions must be fulfilled: 1) an
ordinary software breakpoint is set at that address, or 2) a hardware
breakpoint is set at that address. But what is a break-point really?
It is logical for anyone to think of a break-point as a command we give our
debugger so that it stops at the desired address. But a software break-point
is not only an internal command in our debugger; it is actually a change of
the contents of physical memory, made in such a way that our debugger can
detect this change and stops exactly when it happens. Of course, after this
pause the original content of the memory is restored, which is why we are
unaware of the modification of memory, although it does happen. Since each
virtual address, or command, in a program is assigned exactly one address, a
breakpoint can be set on every single byte in memory. But here another problem
arises. Since each byte in a file can have only values in the range 00h - FFh,
or from 0 to 255, what is written to a byte in memory so that our debugger
recognizes the break-point? The answer to this question lies in the
architecture of the processor, which is designed so that each byte, by itself
or in a group of bytes, makes one whole, that is, a command. So the processor
will assign the command NOP to the byte 90, the command RET to the byte C3,
and so on. Exactly one of these bytes has the purpose of pausing program
execution at the hardware level and handing control over the process to its
initiator, the owner process. This byte is CCh and in assembly it is
interpreted as the INT3 command. When it is executed, the debug exception
handler gets called and all control over further execution of the program is
left to the debugger. Of course all this relates only to the software
break-points set with our debugger.
As opposed to them, there are also so-called hardware break-points, which are
a special capability of each processor. Unlike software breakpoints, they are
carried out directly at the hardware level of the processor, which allows any
program to be paused directly, without any modification of the active memory
of the file. This is possible because every process is executed in such a way
that the processor knows exactly the address of the command currently running
and can therefore, if necessary, stop at every command. Since there are no
modifications of memory, such a break-point cannot be detected as a
modification of the program's memory.
Debugging basics - User vs kernel mode
A more accurate title for this chapter would be ring3 vs ring0. What are user
and kernel mode debugging, actually?
Windows is designed in such a way that not all programs have access to all
available memory. There are two levels of access a program can have, ring3 and
ring0. The main, or kernel, level of access is called ring0, and only the
system programs that directly make up the operating system can access it. All
other programs have only limited access to system components and form part of
user mode, otherwise called ring3. To help you imagine what kind of access
different files have, think of it as follows: Internet Explorer has only
direct ring3 access, while the system .dll files it uses are associated with
ring0. These system files, for instance kernel32.dll and user32.dll, have
access to the native Windows API calls that are in turn directly related to
processor functions.
This division of access to system memory causes the division of debuggers into
user mode and kernel mode debuggers. Although kernel mode debuggers are more
powerful, for the reason that they have access to all parts of the system at
all times, throughout this book we will be satisfied working with a user mode
debugger, for the reason that we will be reversing applications that have no
direct access to the system.
To see the differences, or the advantages of one mode over the other, consider
the case when we have to set a breakpoint on the API used for reading text
from a window. The problem with setting such a break-point is that several API
functions can read data from a window, so you need either to isolate the
correct API that is used for reading data from the window, or to set a
breakpoint on all of those APIs. In such cases kernel mode debuggers have an
advantage over user mode debuggers, because they can set a breakpoint on the
low-level API used for reading data from windows, allowing us to locate the
correct API that accesses the window and reads the text.
Introduction to OllyDbg
For a reverser, OllyDbg, written by Oleh Yuschuk, is a basic and unavoidable
tool. Although it can happen that some specific reversing problem requires the
use of a kernel mode debugger, Olly is almost
always the right choice when we approach a problem. This means that Olly,
although its access is limited to ring3, remains a more than sufficient
reversing tool. But what makes Olly so good?
Primarily, Olly's power lies in its exceptionally powerful disassembler, with
which the analysis of ASM code is raised to the highest possible level. This
means that Olly can detect loops and switches, can show us the places that
jumps link to, and knows all the parameters that any standard Windows API
function takes. What more can be said than that Olly is one of the best, if
not the best, debuggers ever made. For these reasons the author of this book
will primarily concentrate on its use when debugging applications.
OllyDbg's Key Features
What you first see when you open a program in Olly is the following:
This window is the main window in Olly, called the CPU window, because it
shows the ASM commands the processor executes, and with it we can monitor the
program and execute it command by command.
As you can see in the figure above, this window is divided into five parts
which together make a very functional unit. In the picture the parts are
marked, and now we will go over them one by one.
The CPU window is the main window in Olly and its purpose is monitoring, that
is, gradual execution of the code of the debugged target. This is achieved
with the commands Step over and Step into. These two commands allow
ASM code to be executed command by command, so that when you step over or step
into, exactly one ASM command from the CPU window is executed. Of course, the
commands are executed in a linear fashion, one after another, and only
together make one functional whole. The commands step over and step into
differ functionally only in the execution of the ASM command CALL. When this
ASM command is executed, step over sets an invisible breakpoint immediately
after the CALL, that is, at the following command, while step into sets the
breakpoint on the first command within the CALL. This means that if we are
debugging a program and we get to a CALL command, the next ASM command at
which we end up depends on the choice of tracing through the code. If we
choose step over (F8) we end up at the command immediately after the CALL,
whereby the contents of the CALL are executed without our oversight; if we
choose step into (F7) we end up inside the CALL and are able to monitor its
execution.
[01] Reset the currently open target
[02] Close the currently open target
[03] Run (F9), starts the target and executes it until the first break-point
[04] Pause, pauses execution of the program
[05] Step into (F7)
[06] Step over (F8)
[07] Trace into
[08] Trace over
[09] Execute till return (CTRL + F9)
[10] Go to address (CTRL + G)
The commands step into and step over are numbered 5 and 6 in the picture above
and should be distinguished from the commands trace into and trace over, which
have a similar but not the same use. Besides these buttons, we can also use
the shortcuts F7 and F8 for these commands.
In addition to the described functions step over and step into, Olly has a
few more basic tracing functions designed to facilitate our analysis of
executable files. One such option is Execute till return, which lets us
execute the whole code of the CALL we are in and, after that, find ourselves
at the ASM command located just below the CALL.
It has been said that the commands trace into and trace over differ from the
similar commands step over and step into. These commands are used for
automated tracing through code. This type of tracing allows us to quickly go
over code, that is, to execute it, until some condition is met. To set a
condition for tracing we must go to the menu Debug -> Set condition (CTRL + T),
where we adjust different types of logical conditions that will pause tracing
if any of them is met. The three main menu options relate to EIP and
custom conditions that we can set. EIP is a register to which we do not have
direct access, or rather, we access it in read-only mode. This means that it
is impossible to access it directly with ASM commands, because the EIP
register is adjusted directly during execution of ASM code so that it gets as
its value the address of the next ASM command to be executed. The only
possible manipulation of the EIP register is through the stack. Precisely
because of this we can set tracing conditions on the EIP register. So we can
"tell" Olly to pause execution of the program at the first command that is in
or out of a range. Of course we base the range on the EIP register because it
always tells us which command will be executed next. Therefore, if we set the
conditions as in the following picture:
we choose a tracing mode in which execution lasts until we find ourselves at
the address 004012C0, or between the addresses 00401000 and 00402000.
Depending on whether we choose trace over or trace into, Olly will follow the
code being executed, but in the trace over case it will not go into CALLs.
This means that the trace over command will always be carried out quickly but
will not be as reliable as the trace into command. This is especially
noticeable if the range we are looking at is very small.
The last command that lets us manipulate addresses is the Go to address option, which we use whenever we know the address of the command we are interested in. The shortcut that activates this option is Ctrl + G.
02 NAG Screens
In the first chapter we mastered the basic techniques of finding data in an exe file and altering it; in this one we will learn how to deal with the basic problems of reversing.
Killing NAGS - MsgBoxes
NAG screens are those annoying messages that appear before entering a program or on exiting it, and their main function is to remind you that you have not paid for the program you are using. There are many kinds of NAGs, but they are usually represented by two standard types: message boxes and dialogs. In this example I will show you how to solve an ordinary message box NAG. It looks just like this:
It is located in the file ¼\Classes\Cas2\NAG.exe. For this example we will use the same tools (W32Dasm and Hiew) as in the first example.
Open the exe file in W32Dasm and wait until it is disassembled.
The easiest way of killing this NAG is to search for the text that appears in it. Open the String References again and find the text from this message box. Double-clicking on the text lands us here:
* Reference To: user32.SetWindowTextA, Ord:0000h
|
:00407F05 E8F6C6FFFF              Call 00404600
:00407F0A 891D50A84000            mov dword ptr [0040A850], ebx
:00407F10 6A40                    push 00000040
* Possible StringData Ref from Code Obj ->"NAG"
|
:00407F12 68407F4000              push 00407F40
* Possible StringData Ref from Code Obj ->"This is a NAG screen, which should"
                                        ->"Kill!"   <- We are here
|
:00407F17 68487F4000              push 00407F48
:00407F1C 53                      push ebx
* Reference To: user32.MessageBoxA, Ord:0000h
|
:00407F1D E8C6C6FFFF              Call 004045E8
:00407F22 EB05                    jmp 00407F29
What is specific to a message box is that in every programming language it is called in the same way:
MessageBox(handle [hwnd], Text, Title, MessageBoxType);
As we can see, this means that the CALL to the function that generates this message box is passed four parameters. The passing is done in reverse order, so before the CALL at 00407F1D there are four PUSH commands that pass the parameters in reverse order. If this is not clear, I suggest you reread the part about the STACK. As you can imagine, this function should never execute, so it should be NOPed. Pay attention to only one thing: if you NOP only the CALL, there will be errors in the program, because the four parameters pushed for it would never be removed from the stack. The right way to kill this NAG screen is to NOP all the PUSH commands that precede the CALL and then the CALL itself. In Hiew it should look like this:
All the bytes from address 00407F10 to address 00407F21 should be NOPs. Now you can start NAG.exe and you will see that the NAG is gone.
Exercise:
If you want, you can test the knowledge acquired so far on the same example. Kill the text that appears when the user clicks the About button and the About dialog box appears.
Solution:
Everything from address 00407EA0 to address 00407EB3 should be NOPed.
Killing NAGS - Dialogs
The previous example explained how to remove message box NAGs, and this one will explain how to remove dialog NAGs. Such a dialog can look just like this:
The difference is probably unnoticeable, but unlike a message box NAG, this NAG is made in the same way as the other dialogs in the program. Why is this important? To an ordinary user it does not matter, but it tells us how this NAG is generated and how we will get rid of it. We open the program ¼\Classes\Cas2\NagWindow.exe in W32Dasm. Since this is a dialog, we will look for all the dialogs in this exe file. Let's look a little below the beginning of the disassembled file, where you will see the following:
+++++++++++++++++ DIALOG INFORMATION +++++++++++++++++++
Number of Dialogs = 1 (decimal)   <- Why?
Name: DialogID_0064, # of Controls=008, Caption:"F ½", ClassName:""
001 - ControlID:0000, Control Class:"EDIT"   Control Text:""
002 - ControlID:0000, Control Class:"EDIT"   Control Text:""
003 - ControlID:0000, Control Class:"BUTTON" Control Text:"&Check"
004 - ControlID:0000, Control Class:"BUTTON" Control Text:"&Exit"
005 - ControlID:0000, Control Class:"BUTTON" Control Text:"&?"
006 - ControlID:0000, Control Class:"STATIC" Control Text:"Name:"
007 - ControlID:0000, Control Class:"STATIC" Control Text:"Serial"
008 - ControlID:0001, Control Class:""       Control Text:""
Something is wrong here! The dialog listed here is the second one, the dialog that appears after you click OK in the NAG window. But where is the first one, the NAG window? We will reveal it. For now only remember the name of this dialog (DialogID_0064): W32Dasm simply adds the prefix DialogID_ to the dialog's number, which is 64h in hex, that is, 100 in decimal. This is important because the CALL responsible for displaying the dialog needs this ID in order to know which dialog to display. To find out where this dialog is called, go up to the DLG Ref (Dialog References) button in the menu and double-click on the dialog; we will end up here:
:00407FCF E8DCC5FFFF              Call 004045B0
:00407FD4 6A00                    push 00000000
:00407FD6 68647E4000              push 00407E64
:00407FDB 6A00                    push 00000000
:00407FDD 6A64                    push 00000064   <- We are here
:00407FDF FF354C984000            push dword ptr [0040984C]
:00407FE5 E8C6C5FFFF              Call 004045B0
:00407FEA E8D5B4FFFF              Call 004034C4
If we count the parameters preceding the CALL at 00407FE5, we will see how many parameters the function for calling a dialog takes. We conclude that this function takes 5 parameters and that the penultimate PUSH, that is, the function's second parameter, is the dialog ID. Since the NAG appears before this dialog, we conclude that the same function must be located somewhere above this one, the only difference being the ID of the dialog it calls. And we were right.
:00407FBE 6A00                    push 00000000
:00407FC0 68647E4000              push 00407E64
:00407FC5 6A00                    push 00000000
:00407FC7 6A65                    push 00000065   <- The other dialog ID
:00407FC9 FF354C984000            push dword ptr [0040984C]
* Reference To: user32.DialogBoxParamA, Ord:0000h
|
:00407FCF E8DCC5FFFF              Call 004045B0
The same number of parameters precedes the CALL at 00407FCF. This is a sure sign that the CALL at 00407FCF is used to show the NAG. These NAGs are removed in the same way as message box NAGs: all the PUSH commands and finally the CALL must be NOPed, which means everything from address 00407FBE to address 00407FCF. This is how it looks:
Don't let the numbers confuse you: 73BE is the real position in the file of the bytes that have the virtual address 00407FBE; the virtual address 00407FBE exists only in memory. These real byte positions appear only when you press F3 in Hiew and enter Edit mode.
NOTE: In most cases all the dialogs appear in W32Dasm, but here an error occurred in W32Dasm; despite that we managed to find all the dialogs and eliminate the NAG screen.
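The mapping between a virtual address such as 00407FBE and the file offset 73BE that Hiew edits follows from the PE section headers (offset = RVA - section VirtualAddress + PointerToRawData). The following is an added Python example, not code from the book; it builds a constructed minimal PE32 image whose single .text section is laid out so that the book's pair of numbers comes out, and maps addresses through it, including the case of an address that exists in memory but not on disk.

```python
import struct

# Constructed minimal PE32 image (not NAG.exe or NagWindow.exe from the book):
# DOS header, "PE\0\0", COFF header, optional header and one .text section,
# laid out so that virtual address 00407FBE maps to file offset 73BE.
def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic = PE32
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x7000, 0x1000, 0x7000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text

def parse_sections(pe: bytes):
    """Return (image_base, [(name, va, virt_size, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                          # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, raw_ptr, raw_size))
    return image_base, sections

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address (as shown by Olly/W32Dasm) to the byte offset Hiew edits."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:   # present in memory (e.g. .bss) but not in the file
                raise ValueError(f"{va:08X} is in {name} but has no bytes on disk")
            return raw_ptr + delta
    raise ValueError(f"{va:08X} is not inside any section")

if __name__ == "__main__":
    sample = build_sample_pe()
    for va in (0x00407FBE, 0x00407F10, 0x00401021):
        print(f"VA {va:08X} -> file offset {va_to_file_offset(sample, va):X}")
```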
Killing NAGS - MsgBoxes & Olly
Since we have already shown almost everything that was important to show in relation to W32Dasm, we will now learn how to find NAGs with Olly and how to remove them all. The target we will reverse is located in the folder Cas1 and is called vct_crackme1.exe; at its OEP is the following code:
00401000  . 6A 00           PUSH 0                   ; /hTemplateFile = NULL
00401002  . 6A 03           PUSH 3                   ; |Attributes = READONLY
00401004  . 6A 00           PUSH 0                   ; |Mode = 0
00401006  . 6A 00           PUSH 0                   ; |pSecurity = NULL
00401008  . 6A 00           PUSH 0                   ; |ShareMode = 0
0040100A  . 6A 00           PUSH 0                   ; |Access = 0
0040100C  . 68 9C314000     PUSH 0040319C            ; |FileName = "\\.\SICE"
00401011  . E8 24020000     CALL 0040123A            ; \CreateFileA
00401016  . 83F8 FF         CMP EAX,-1
00401019  . 74 06           JE SHORT dmp.00401021
0040101B  . 50              PUSH EAX                 ; /ExitCode
0040101C  . E8 1F020000     CALL <ExitProcess>       ; \ExitProcess
This is nothing special; it is just the standard way of detecting the SoftICE debugger with the CreateFileA command, through a reference to its VXD name \\.\SICE. On NT systems the reference \\.\NTICE also appears. To work around this detection, if you use SoftICE, it is enough to patch the jump at address 00401019 into a JMP. And if you look a little below these few commands you will notice the first NAG. That piece of code looks like this:
00401021  > \6A 00          PUSH 0                   ; /Style = MB_OK
00401023  .  68 20304000    PUSH 00403020            ; |Title = "...naked..."
00401028  .  68 00304000    PUSH 00403000            ; |Text = "..."
0040102D  .  6A 00          PUSH 0                   ; |hOwner = NULL
0040102F  .  E8 E2010000    CALL <MessageBoxA>       ; \MessageBoxA
Of course, killing the NAG screen is very easy; it is only necessary to NOP all the PUSH commands that precede the CALL used to show the NAG, and finally the CALL itself. NOPing is done by double-clicking on the selected command and entering the word NOP in the newly opened window. After clicking OK or <ENTER>, Olly will change the selected command into NOP, after which it will no longer execute. So after NOPing all these commands we will have the following situation:
00401021    90    NOP
00401022    90    NOP
...
0040102F    90    NOP
00401030    90    NOP
00401031    90    NOP
00401032    90    NOP
00401033    90    NOP
Since there is another NAG in the program, we will look for it by tracing through the code, that is, by pressing F8 until we reach the next CALL:
0040104A  . 6A 0A           PUSH 0A
0040104C  . FF35 AC314000   PUSH DWORD PTR DS:[4031AC]
00401052  . 6A 00           PUSH 0
00401054  . FF35 A8314000   PUSH DWORD PTR DS:[4031A8]
0040105A  . E8 0B000000     CALL 0040106A
After executing this CALL the main window of the target appears on the screen. Since we know that the NAG executes after exiting the target, we set an ordinary breakpoint (press F2) on the address immediately below the CALL that was in charge of showing this window, that is, we set a breakpoint at address 0040105F.
0040105F  |. E8 61010000    CALL 004011C5
00401064  |. 50             PUSH EAX                 ; /ExitCode
00401065  \. E8 D6010000    CALL <ExitProcess>       ; \ExitProcess
Of course, after closing the main window our target ends up at our breakpoint. This time we press F7 in order to enter the CALL at 0040105F. Why? Because, as we can see, after this CALL there is only the kernel32.ExitProcess CALL, which serves to shut down our target. For this reason we conclude that the other NAG is in the CALL at address 0040105F. When we enter the CALL we will see the following:
004011C5  /$ 6A 00          PUSH 0                   ; /Style = MB_OK
004011C7  |. 68 66304000    PUSH 00403066            ; |Title = "..."
004011CC  |. 68 40304000    PUSH 00403040            ; |Text = "...naked..."
004011D1  |. 6A 00          PUSH 0                   ; |hOwner = NULL
004011D3  |. E8 3E000000    CALL <MessageBoxA>       ; \MessageBoxA
004011D8  \. C3             RET
As we can see, we were right! The NAG we were looking for really is in this CALL, and we remove it in the same way as the first NAG; after patching, our target will look like this:
004011C5    90    NOP
004011C6    90    NOP
004011C7    90    NOP
004011C8    90    NOP
004011C9    90    NOP
004011CA    90    NOP
...
004011D1    90    NOP
004011D2    90    NOP
004011D3    90    NOP
004011D4    90    NOP
004011D5    90    NOP
004011D6    90    NOP
004011D7    90    NOP
004011D8  \. C3   RET
Besides this way of patching NAGs there is another way of patching. This other way is used in case the program counts the NOPs contained in its own code. This patcher's trick consists of patching the desired commands into a new series of commands made up of two ASM commands: INC EAX, DEC EAX, ... The first command increases the value of EAX by one and the second decreases it by one. Here you just need to make sure, if EAX has an influence on the further execution of the commands, that the number of DEC EAX and INC EAX commands is the same. Applied to this example it looks exactly like this:
004011C5    40    INC EAX
004011C6    48    DEC EAX
004011C7    40    INC EAX
004011C8    48    DEC EAX
004011C9    40    INC EAX
004011CA    48    DEC EAX
004011CB    40    INC EAX
004011CC    48    DEC EAX
004011CD    40    INC EAX
004011CE    48    DEC EAX
004011CF    40    INC EAX
004011D0    48    DEC EAX
004011D1    40    INC EAX
004011D2    48    DEC EAX
004011D3    40    INC EAX
004011D4    48    DEC EAX
004011D5    40    INC EAX
004011D6    48    DEC EAX
004011D7    40    INC EAX
004011D8  \. C3   RET
Besides this there is one more way of patching that will allow you to remove the NAG by changing only one byte! This method can always be applied, and the change would look like this:
004011C5  /$ 6A FF          PUSH FF                  ; /Style = MB_OK
004011C7  |. 68 66304000    PUSH 00403066            ; |Title = "..."
004011CC  |. 68 40304000    PUSH 00403040            ; |Text = "...naked..."
004011D1  |. 6A 00          PUSH 0                   ; |hOwner = NULL
004011D3  |. E8 3E000000    CALL <MessageBoxA>       ; \MessageBoxA
004011D8  \. C3             RET
or
004011C5  /$ 6A 00          PUSH 0                   ; /Style = MB_OK
004011C7  |. 68 66304000    PUSH 00403066            ; |Title = "..."
004011CC  |. 68 40304000    PUSH 00403040            ; |Text = "...naked..."
004011D1  |. 6A FF          PUSH FF                  ; |hOwner = NULL
004011D3  |. E8 3E000000    CALL <MessageBoxA>       ; \MessageBoxA
004011D8  \. C3             RET
As you can see, you just change the MessageBox type into a number for which no real MessageBox type exists, or alternatively you pass the program an HWND that does not exist. This second way, patching only one byte, is much more economical if you are doing inline patching of a packer!
Finally, when we have finished making the changes, a simple sequence of clicks in Olly's CPU window, Right button -> Copy to executable -> All modifications -> Copy All -> Right click -> Save file ..., saves all the changes directly from Olly. This patching technique removes the need for a hex editor with which to change the file directly!
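The NOP-counting self-check mentioned above (the reason for the INC EAX / DEC EAX variant) is weak precisely because two of the three patches shown in this section leave the NOP count untouched; a digest over the routine's bytes catches all of them. The following is an added Python example, not code from the book; the byte strings are constructed from the listing at 004011C5 and the expected digest is computed from them inline only for the demonstration.

```python
import hashlib
import hmac

# Constructed bytes reproducing the book's routine at 004011C5 (20 bytes:
# 19 bytes of PUSH/CALL followed by RET) and the three patched variants the
# text describes. Sample inputs, not bytes read from any file.
ORIGINAL = bytes.fromhex("6A00" "6866304000" "6840304000" "6A00" "E83E000000" "C3")
NOP_PATCH = b"\x90" * 19 + b"\xC3"                          # everything before RET -> NOP
INC_DEC_PATCH = bytes([0x40, 0x48] * 9 + [0x40]) + b"\xC3"  # INC EAX / DEC EAX sled
ONE_BYTE_PATCH = b"\x6A\xFF" + ORIGINAL[2:]                 # PUSH FF as the style

def count_nops(code: bytes) -> int:
    """The weak self-check the book mentions: count 0x90 bytes in the routine."""
    return code.count(0x90)

def code_digest(code: bytes) -> bytes:
    """Digest of the whole routine; any changed byte changes the digest."""
    return hashlib.sha256(code).digest()

# In a real build the expected values are computed at build time and stored
# outside the routine being checked; here they are derived from the sample.
EXPECTED_NOPS = count_nops(ORIGINAL)
EXPECTED_DIGEST = code_digest(ORIGINAL)

def nop_count_check(code: bytes) -> bool:
    """True when the NOP-count check would accept the routine as unmodified."""
    return count_nops(code) == EXPECTED_NOPS

def digest_check(code: bytes) -> bool:
    """True when the digest check would accept the routine as unmodified."""
    return hmac.compare_digest(code_digest(code), EXPECTED_DIGEST)

def compare_checks() -> dict:
    """Run both checks over the original and each patched variant."""
    variants = {"original": ORIGINAL, "nop": NOP_PATCH,
                "inc_dec": INC_DEC_PATCH, "one_byte": ONE_BYTE_PATCH}
    return {name: (nop_count_check(c), digest_check(c)) for name, c in variants.items()}

if __name__ == "__main__":
    for name, (nops_ok, digest_ok) in compare_checks().items():
        print(f"{name:9s} nop-count check: {'pass' if nops_ok else 'FAIL'}  "
              f"digest check: {'pass' if digest_ok else 'FAIL'}")
```

An in-process check is only as strong as the code that performs it, since that code can be patched in the same way; verifying the image from outside the process, or relying on a signed binary, is what actually raises the bar.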
Killing NAGS - Dialogs & Olly
Of course an ordinary MessageBox NAG is very easy to "kill", but what if instead of a MessageBox call a dialog is used for the NAG? In this case we cannot look for the characteristic strings that appear in the window, because this text is in the dialog in the form of a resource. But knowing that the program calls a dialog resource tells us two things: 1) that it can be found in the file using a resource editor and 2) that it is static, that is, a resource can represent only one window (or some other type of data).
Our target, which behaves exactly in the way described above, is in the folder Cas02 and is called editor.exe. We will open this target with Olly and with its help we will remove this NAG.
We have already said that the NAG in this case is shown as a separate window, which means it probably uses a separate part of the resources (.res) located in this .exe file. Because of this we will use Olly to look at all the resources contained in this file: press ALT + M to see all the .dll files called by our .exe file, select the main .exe file and finally right-click and choose View all resources, after which we will see this:
We see that the file has exactly one dialog, whose name and ID are 384h - NAG SCREEN. Things here are very obvious, but now the question is how to find the place from which this dialog is called? If you remember the previous example with dialogs and W32Dasm, you know that we used the dialog ID in order to find the NAG dialog. The same will be used here, except that, unlike in the last example, the search here will be much easier.
We press ALT + C to go back to the main CPU window, after which we press CTRL + F in order to find the command that displays the NAG screen. It remains only to consider carefully which command we should look for in the file. This is very easy (if you remember the previous dialog examples), because the API function must be passed the ID of the object it operates on, so we only need to search for the command PUSH 384 with Olly. Our search leads us to this place in the file:
00401416  |. 6A 00          PUSH 0                                   ; /lParam = NULL
00401418  |. 68 2B124000    PUSH editor.0040122B                     ; |DlgProc = 0040122B
0040141D  |. 53             PUSH EBX                                 ; |hOwner
0040141E  |. 68 84030000    PUSH 384                                 ; |pTemplate = 384
00401423  |. 6A 00          PUSH 0                                   ; |/pModule = NULL
00401425  |. E8 F28B0000    CALL <JMP.&KERNEL32.GetModuleHandleA>    ; |\GetModuleHandleA
0040142A  |. 50             PUSH EAX                                 ; |hInst
0040142B  |. E8 C68C0000    CALL <JMP.&USER32.DialogBoxParamA>       ; \DialogBoxParamA
As we can see, at 0040141E the dialog ID is passed to the DialogBoxParam API, from which we conclude that this part of the code shows the NAG. Since the GetModuleHandleA API is also related to showing the NAG (it determines the value of the EAX register that is pushed as hInst), we remove it together with the DialogBoxParamA API call. Therefore, to remove this NAG we need to NOP everything from address 00401416 to address 0040142B, inclusive of the last command at 0040142B, that is, the call to DialogBoxParam.
03 Cracking Serials
The next chapter deals with a problem frequently encountered when reversing. Very often the whole application, or some of its parts, are locked for use and can be unlocked only with the right serial number. Here we will talk about several types of serial number checks and about ways of solving these problems. It is important to note that from this chapter on only the most important reverser's tool, OllyDbg, is used. This chapter is specific because when "fishing" for serial numbers one must monitor working memory and not the contents of the disassembled file on disk. To make it easier to get used to all this, I will first explain one example in W32Dasm.
The Serials - Jumps
Besides NAG screens, one of the obstacles related to cracking is the registration, or unlocking of certain functions of the program, by a routine that checks serial numbers. This is a very frequent problem when reversing, and therefore this chapter can be considered one of the key ones. The first part of this chapter will teach you how such programs are cracked, the second how to find the real serial number for your name, and the next chapter how to write a keygenerator for this example. This example is in the folder ¼\Classes\CAS3\Serial.exe. First we will start the program and see what happens. This is a necessary step that lets us collect as much information as possible about the "target", so that we can reverse it more easily. Start the "target", enter ap0x as the name and 111111 as the serial, and click Check. This will appear:
What we learn from this test is that when you enter a wrong serial number the program throws the message "Bad Cracker". This will help when searching for the place where the serial number is checked. Open this "target" in W32Dasm and find the string "Bad Cracker". You will note that besides the string "Bad Cracker" there is this:
"About ..."
"AMPM"
"Bad Cracker"
"Cracked ok"
"Eeee"
"Enter name!"
"Error"
This is very interesting because, as it seems, "Cracked ok" may be the message that is displayed if the serial number is correct. Nevertheless we will double-click on the "Bad Cracker" message and end up here:
:00407DE9 E806BBFFFF              call 004038F4
:00407DEE 7517                    jne 00407E07
* Possible StringData Ref from Code Obj ->"Cracked ok"
|
:00407DF0 684C7E4000              push 00407E4C
:00407DF5 68B90B0000              push 00000BB9
:00407DFA A150984000              mov eax, dword ptr [00409850]
:00407DFF 50                      push eax
* Reference To: user32.SetDlgItemTextA, Ord:0000h
|
:00407E00 E8F3C7FFFF              Call 004045F8
:00407E05 EB15                    jmp 00407E1C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DEE(C)
|
* Possible StringData Ref from Code Obj ->"Bad Cracker"
|
:00407E07 68587E4000              push 00407E58   <- We are here
:00407E0C 68B90B0000              push 00000BB9
:00407E11 A150984000              mov eax, dword ptr [00409850]
:00407E16 50                      push eax
Let us pay attention to the line just above the message about the wrong serial number:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DEE(C)
This means that there is a conditional jump (because of the C; U would mark an unconditional jump) at address 00407DEE that leads to address 00407E07. If we look at what is at that address we will see the following:
:00407DEE 7517                    jne 00407E07
* Possible StringData Ref from Code Obj ->"Cracked ok"
|
:00407DF0 684C7E4000              push 00407E4C
This means that if something, in this case the serial number, is not correct, the program jumps to the message about the wrong serial number. If we delete this command (read: NOP it), the program will always show the message about the correct serial number regardless of the name or serial number entered. This is also the easiest way to solve this problem.
Exercise:
Since we did this example in W32Dasm, it would be good to do it also