Why
Reverse engineering vs malware analysis
• You can use a huge number of utilities and enterprise solutions, but a day will come when they do not help you.
• A reverse engineer can add utilities to his toolkit and use automated solutions.
• A malware analyst will never be able to understand the malicious capabilities without reverse engineering if the sample bypasses the analyst's tools.
I hope you know
Programming cycle
• Source code → (compiler) → Object file → (linker) → Executable code → (OS loader) → Running process
Reverse engineering cycle
• Machine code bytes: 55 8B EC → (disassembler) → push ebp / mov ebp, esp → (decompiler) → void func {
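The disassembler step of the cycle above, as an added example that is not part of the slides: a tiny table-driven x86-32 decoder covering only the opcodes needed here (push/pop/inc r32, mov r32, r32, mov r32, imm32, push imm32, jo/jb rel8, popad, nop, ret, leave). It turns the prologue bytes 55 8B EC into push ebp / mov ebp, esp, and it also shows why "the code does not differ from the data": fed the string "CharUpperW", the same linear sweep happily decodes plausible-looking instructions. The sample byte strings and the base address 0x00401000 are constructed for the demo.

```python
import struct

# Added example (not from the slides): a tiny table-driven x86-32 disassembler that
# covers only the handful of opcodes needed here. Real disassemblers handle the full
# instruction set; this subset is enough to show the "bytes -> mnemonics" step.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code, pos):
    """Decode the instruction starting at code[pos]; return (length, mnemonic text)."""
    op = code[pos]
    if 0x40 <= op <= 0x47:                      # inc r32 (register in the low 3 bits)
        return 1, f"inc {REG32[op - 0x40]}"
    if 0x50 <= op <= 0x57:                      # push r32
        return 1, f"push {REG32[op - 0x50]}"
    if 0x58 <= op <= 0x5F:                      # pop r32
        return 1, f"pop {REG32[op - 0x58]}"
    if op == 0x61:
        return 1, "popad"
    if op == 0x68 and pos + 5 <= len(code):     # push imm32 (little-endian immediate)
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return 5, f"push 0x{imm:08x}"
    if op in (0x70, 0x72) and pos + 2 <= len(code):   # jo / jb rel8 (signed displacement)
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return 2, f"{'jo' if op == 0x70 else 'jb'} short {rel:+d}"
    if op == 0x8B and pos + 2 <= len(code):     # mov r32, r/m32; register-direct form only
        modrm = code[pos + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 3:
            return 2, f"mov {REG32[reg]}, {REG32[rm]}"
    if op == 0x90:
        return 1, "nop"
    if 0xB8 <= op <= 0xBF and pos + 5 <= len(code):   # mov r32, imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return 5, f"mov {REG32[op - 0xB8]}, 0x{imm:08x}"
    if op == 0xC3:
        return 1, "ret"
    if op == 0xC9:
        return 1, "leave"
    return 1, f"db 0x{op:02x}"                  # unknown opcode: emit a raw data byte


def disassemble(code, base=0):
    """Linear sweep: return a list of (address, hex bytes, text) tuples."""
    out, pos = [], 0
    while pos < len(code):
        length, text = decode_one(code, pos)
        out.append((base + pos, code[pos:pos + length].hex(), text))
        pos += length
    return out


# Constructed sample: a function prologue, a constant load, and the epilogue.
PROLOGUE = bytes.fromhex("558bec" "b801000000" "5dc3")
# The same decoder fed the *string* "CharUpperW": the bytes still decode as instructions.
STRING = b"CharUpperW"

if __name__ == "__main__":
    for name, blob in (("code", PROLOGUE), ("data", STRING)):
        print(f"--- {name} ---")
        for addr, hexbytes, text in disassemble(blob, base=0x00401000):
            print(f"{addr:08x}  {hexbytes:<12} {text}")
```

The string decodes as inc ebx / push 0x70557261 / jo short +101 / jb short +87, which is exactly the kind of listing you get when a disassembler sweeps into a data section; deciding where code ends and data begins is the analyst's job, not the tool's.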
The code does not differ from the data
Disassembled code
Disassembled data
Constant or offset?
Little endian
Code or data?
Assembler as an instrument for reverse engineering
Registers
General-Purpose Registers
• Accumulator register (EAX). Used in arithmetic operations; also holds a function's return value.
• Counter register (ECX). Used in shift/rotate instructions and loops.
• Data register (EDX). Used in arithmetic operations and I/O operations.
• Base register (EBX). Used as a pointer to data.
• Stack Pointer register (ESP). Pointer to the top of the stack.
• Stack Base Pointer register (EBP). Used to point to the base of the stack.
• Source Index register (ESI). Used as a pointer to a source in stream operations.
• Destination Index register (EDI). Used as a pointer to a destination in stream operations.
Instruction Pointer
• EIP - The EIP register contains the address of the next instruction to be executed if
no branching is done.
Stack Pointers
• ESP is the current stack pointer. EBP is the base pointer for the current stack frame.
EFLAGS
The EFLAGS register holds many single-bit flags. You should remember the following:
• Sign Flag (SF): set equal to the most-significant bit of the result, which is the sign bit of a signed integer (0 indicates a positive value, 1 indicates a negative value).
Instructions
operation arguments
• Destination first: operation destination, source
Operand types
Addressing Memory
• There is a difference between the address of data and the data itself (like pointers)
• Square brackets mean dereference
[0x00B8F416] = "CharUpperW"
Mov eax, 0x00B8F416            ; eax = 0x00B8F416 (the address)
Mov eax, offset aCharupperw    ; eax = 0x00B8F416 (the same address, via its label)
Mov eax, [0x00B8F416]          ; eax = 0x72616843 (the four bytes 'C','h','a','r', loaded little endian)
ASCII bytes at 0x00B8F416:
0x43 C
0x68 h
0x61 a
0x72 r
0x55 U
0x70 p
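The three mov forms from the addressing slide, together with the "Constant or offset?" and "Little endian" questions, as an added example that is not part of the slides. A constructed 32-bit memory image places the ASCII string "CharUpperW" at 0x00B8F416, the address used above; the section table MAPPED, the base address 0x00B8F400 and the helper names are assumptions for the demo. The point it makes beyond the slide: a little-endian load of the bytes 'C','h','a','r' lands 'C' in AL and 'r' in the top byte, so eax reads 0x72616843, the reverse of the order the bytes have in memory.

```python
import struct

# Added example (not from the slides). Constructed 32-bit memory image: the ASCII string
# "CharUpperW" sits at 0x00B8F416, the address used on the slide; the surrounding
# layout and the section table are invented for the demo.
DATA_BASE = 0x00B8F400
MEMORY = bytearray(0x40)
STRING_ADDR = 0x00B8F416
MEMORY[STRING_ADDR - DATA_BASE:STRING_ADDR - DATA_BASE + 11] = b"CharUpperW\0"
MAPPED = {"data": (DATA_BASE, DATA_BASE + len(MEMORY))}   # hypothetical section table


def read_dword(addr):
    """[addr]: dereference, reading 4 bytes little-endian exactly as x86 does."""
    off = addr - DATA_BASE
    if not 0 <= off <= len(MEMORY) - 4:
        raise ValueError(f"access violation at 0x{addr:08x}")
    return struct.unpack_from("<I", MEMORY, off)[0]


def run_slide_examples():
    """Emulate the three mov forms from the slide; map each to the value eax ends up with."""
    return {
        "mov eax, 0x00B8F416": 0x00B8F416,                 # immediate: the address itself
        "mov eax, offset aCharupperw": STRING_ADDR,        # symbolic form of the same immediate
        "mov eax, [0x00B8F416]": read_dword(STRING_ADDR),  # dereference: bytes 43 68 61 72
    }


def eax_bytes(value):
    """Reverse view: which memory bytes produced this eax? AL holds the lowest address."""
    return struct.pack("<I", value)


def classify_immediate(value, mapped=MAPPED):
    """'Constant or offset?': an immediate that falls inside a mapped section is most
    likely an address; anything else is treated as a plain constant. A heuristic, not proof."""
    for name, (lo, hi) in mapped.items():
        if lo <= value < hi:
            return f"offset into {name}"
    return "constant"


if __name__ == "__main__":
    for instr, eax in run_slide_examples().items():
        print(f"{instr:<30} eax = 0x{eax:08x}  ({classify_immediate(eax)})")
    print("bytes behind eax:", eax_bytes(read_dword(STRING_ADDR)))   # b'Char', AL = 'C'
```

classify_immediate is the kind of check a disassembler applies when it decides whether to render an immediate as a number or as a label: 0x00B8F416 falls inside the mapped data range and is shown as an offset, while 0x72616843 does not and stays a constant. Without a section table the decision cannot be made from the instruction alone.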
Basic instructions
• nop
• mov
• lea
• add, sub
• cmp
• test
• xor
• jmp, jz, jnz, je
• push/pop
• call
• ret
• leave
nop
mov
lea
add, sub
• Add – addition
• Sub – subtraction
Add eax, 1     ; eax = eax + 1
Sub ebx, eax   ; ebx = ebx - eax
cmp
• This instruction subtracts one operand from the other to compare them, e.g. to find out whether they are equal.
• Only the flags are updated; it does not modify the destination or source operands.
• It is used together with a conditional jump instruction for decision making.
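The EFLAGS, sub and cmp slides together, as an added example that is not part of the slides: a small model of how SUB and CMP compute the same 32-bit subtraction and the same ZF/SF/CF/OF flags, with the one difference that CMP discards the result, and how the conditional jumps read those flags (CF for unsigned comparisons, SF together with OF for signed ones). The register dictionary and the helper names are assumptions of the demo; the flag definitions are the standard x86 ones.

```python
MASK32 = 0xFFFFFFFF


def to_signed(x):
    """Interpret a 32-bit pattern as a two's-complement signed integer."""
    return x - (1 << 32) if x & 0x80000000 else x


def flags_after_sub(dst, src):
    """Result and flags of dst - src on 32-bit operands, exactly as SUB and CMP set them."""
    dst, src = dst & MASK32, src & MASK32
    result = (dst - src) & MASK32
    exact_signed = to_signed(dst) - to_signed(src)       # mathematically true difference
    return result, {
        "ZF": result == 0,                                # zero
        "SF": bool(result >> 31),                         # copy of the sign bit
        "CF": dst < src,                                  # unsigned borrow
        "OF": to_signed(result) != exact_signed,          # signed result did not fit
    }


def sub(regs, dst, src):
    """SUB dst, src: writes the result back to dst and sets the flags."""
    regs[dst], flags = flags_after_sub(regs[dst], regs[src])
    return flags


def cmp(regs, dst, src):
    """CMP dst, src: same subtraction, same flags, but both operands are left untouched."""
    _, flags = flags_after_sub(regs[dst], regs[src])
    return flags


# Conditions as decoded by the conditional jumps (Intel names; jz/jnz are je/jne).
CONDITIONS = {
    "je": lambda f: f["ZF"],
    "jne": lambda f: not f["ZF"],
    "jb": lambda f: f["CF"],                                # unsigned <
    "jae": lambda f: not f["CF"],                           # unsigned >=
    "jl": lambda f: f["SF"] != f["OF"],                     # signed <
    "jge": lambda f: f["SF"] == f["OF"],                    # signed >=
    "jle": lambda f: f["ZF"] or f["SF"] != f["OF"],         # signed <=
    "jg": lambda f: not f["ZF"] and f["SF"] == f["OF"],     # signed >
}


def jump_taken(mnemonic, flags):
    """Would this conditional jump be taken with the given flags?"""
    return CONDITIONS[mnemonic](flags)


if __name__ == "__main__":
    regs = {"eax": 0x80000000, "ebx": 1}         # eax is INT_MIN as signed, huge as unsigned
    f = cmp(regs, "eax", "ebx")                  # cmp eax, ebx
    print("after cmp:", regs, f)                 # registers unchanged
    for j in ("jb", "jl"):
        print(j, "taken" if jump_taken(j, f) else "not taken")
    f = sub(regs, "eax", "ebx")                  # sub eax, ebx
    print("after sub:", regs, f)                 # eax now 0x7fffffff, OF set
```

The chosen operands show why the signed/unsigned distinction matters when reading a listing: after cmp eax, ebx with eax = 0x80000000 and ebx = 1, jb is not taken (0x80000000 is larger than 1 unsigned) while jl is taken (it is INT_MIN as a signed value, so SF differs from OF). Which jump follows the cmp therefore tells you how the compiler typed the variables.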