flat assembler
Message board for the users of flat assembler.

Index > Heap > Reverse Engineering

f0dder
kohlrak wrote:

f0dder wrote:

Have one you want to put to the test? =p

I'm aware, but it has one on board.

Well, not really... every debugger has a disassembly engine to be able to show instructions, but I wouldn't call it a disassembler per se - although olly does go a few steps beyond what a debugger normally does.
Post 22 Jun 2007, 00:50
DustWolf
ssp wrote:
DustWolf wrote:
What are you trying to make?

I am not trying to make anything.

I want to Reverse Engineer mostly to achieve the following:
* Try to learn about hard-to-find driver software.
* Maybe learn from malicious code.
* For trying to run an evaluation version of software after the trial period is over.
* Besides, maybe it can help me learn about any program that I found useful/clever/obscure, especially when its source is not available.


As was recommended, a combination of the IDA disassembler and the Olly debugger should help the most here as far as software is concerned. You load up a victim in IDA and try to see where the big decisions are being made. Then load the victim into Olly and mark the same lines as breakpoints, run the program via Olly and follow it through. Even follow some procedures line by line, so you have a better idea what's going on.

Learning FASM will no doubt help. Try making small simple sample programs, assemble and load them into Olly, so you have an idea of how things work.

People in cracker teams out there may be willing to teach you how to identify various mechanisms in code. Making cracks is mostly just patchwork: you infiltrate a program, overcome its protection mechanisms and invert the action it performs when the problematic behaviour occurs. Or follow the code and see where it calculates a serial to compare to the one entered, and make it display it in a message box instead. Train on crackmes.

Malicious code is mostly written in C because scriptkiddies do not know Assembly. You have a pre-assembled shellcode which the remainder of the program then injects as a string into whatever it is supposed to be hacking. No malicious code writer actually knows what the shellcode does, usually, but they know how to write the injection routines. Pretty boring stuff and pointless to reverse, since you can almost always get source code for everything (just check exploit sites, it's all copy-paste from there anyway in just about any virus or worm on Earth).

Reversing drivers might be tricky without learning the theory first.
Post 22 Jun 2007, 00:51
kohlrak
Quote:
Well, not really... every debugger has a disassembly engine to be able to show instructions, but I wouldn't call it a disassembler per se - although olly does go a few steps beyond what a debugger normally does.


Good enough for me. As long as I can see what the program's doing I'm happy.

Quote:
Pretty boring stuff and pointless to reverse, since you can almost always get source code for everything (just check exploit sites, it's all copy-paste from there anyway in just about any virus or worm on Earth).


Have fun finding the site that has your favorite virus on it, though.
Post 22 Jun 2007, 00:57
DustWolf
kohlrak wrote:
Quote:
Pretty boring stuff and pointless to reverse, since you can almost always get source code for everything (just check exploit sites, it's all copy-paste from there anyway in just about any virus or worm on Earth).


Have fun finding the site that has your favorite virus on it, though.


I disassembled (as in: took apart) several and I have not exactly found anything new. Some levels of encryption, usually obscure EXE packers or script encryptors that you can find online + a jumble of exploit code combined with methods for the virus's self-replication. It's all very copy-paste without even the comments removed from the code and typically some terrorist revolution text appended. I could find the same exploit code online any time.
Post 22 Jun 2007, 01:33
kohlrak
Works for most but not all. I wouldn't be surprised if some assembly guys out there came up with some exploits. And simple things like MessageBoxW(0, "/??/", 0, 0); aren't too difficult but are still interesting.
Post 22 Jun 2007, 01:38
DustWolf
kohlrak wrote:
Works for most but not all. I wouldn't be surprised if some assembly guys out there came up with some exploits. And simple things like MessageBoxW(0, "/??/", 0, 0); aren't too difficult but are still interesting.


Sure, exploits. But I was writing specifically of malicious code.

We all make exploits for fun. We don't write viruses that go off in a rampage destroying the net we all use every day and sending us spam we hate.

Not saying all Assembly coders are saints but they are usually a bit more evolved than the typical guy that writes malicious software. I have seen a lot of source code for viruses and I have NEVER EVER seen one contain the sources for its shellcode in inline ASM or included sources.

In other words, the guys that come up with original exploits don't write the malicious code that ends up destroying other people's computers. Or at least not now that people can make money out of malicious code.
Post 22 Jun 2007, 01:52
kohlrak
It's a shame though that exploits like that are often used in viruses. Some of those you can come across accidentally, and it'd be nice to get a nice list of them publicly. Problem is, if you post a public list, then you end up having those exploits taken out on you. For instance, if I wanted to have an IM client that accepts custom messages from other clients, I might have been lazy and just let the person specify whatever they wanted and made sure the buffer wasn't so big the function would crash. Next thing I know, someone would exploit the custom messages with /??/ and there goes my program. New bug to fix, now I have to tell all those who got my program to update, otherwise their program won't work with the new version. Not so easy telling a bunch of anonymous people that they need to update.
Post 22 Jun 2007, 03:34
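An added example, not from this thread, of the point in kohlrak's post: a size check alone keeps the copy from crashing, but a handler that also whitelists the bytes it accepts (and tallies rejections per peer) refuses the kind of custom message described here and gives the client something to log. The IM handler names, the status codes and the sample messages are all hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical IM "custom message" handling, added to illustrate the post above.
   Outcome codes let the caller tell an oversize message from one with bad bytes. */
enum msg_status { MSG_OK = 0, MSG_EMPTY, MSG_TOO_LONG, MSG_BAD_BYTE };

/* The lazy handler described in the post: bounding the length stops the copy from
   overflowing, but every byte that fits is passed through to whatever displays it. */
int lazy_copy(const char *in, char *out, size_t out_len) {
    size_t n = strlen(in);            /* unbounded scan: trusts that a terminator exists */
    if (n >= out_len) return 0;       /* too big: drop it instead of overflowing */
    memcpy(out, in, n + 1);
    return 1;
}

/* Hardened handler: same length bound, plus a content whitelist. Only printable
   ASCII (0x20..0x7e) is accepted, so control bytes and high bytes never reach the
   display code. The scan itself is bounded by the destination size. */
enum msg_status check_custom_message(const char *in, char *out, size_t out_len) {
    size_t n = 0;
    if (out_len == 0) return MSG_TOO_LONG;
    while (n < out_len && in[n] != '\0') {
        unsigned char c = (unsigned char)in[n];
        if (c < 0x20 || c > 0x7e) return MSG_BAD_BYTE;
        n++;
    }
    if (n == 0) return MSG_EMPTY;
    if (n == out_len) return MSG_TOO_LONG;   /* no room left for the terminator */
    memcpy(out, in, n);
    out[n] = '\0';
    return MSG_OK;
}

/* Per-peer tally: a client whose rejected count keeps climbing is worth logging,
   since well-behaved clients rarely send control bytes or oversize messages. */
struct peer_stats { unsigned ok, rejected; };

enum msg_status handle_inbound(struct peer_stats *p, const char *in,
                               char *out, size_t out_len) {
    enum msg_status s = check_custom_message(in, out, out_len);
    if (s == MSG_OK) p->ok++; else p->rejected++;
    return s;
}
```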
Copyright © 1999-2020, Tomasz Grysztar.