PART 1 OF 2 ARTICLES
Like a time machine, reversing is the process of trying to uncover what lies behind the creation of a program.
When we receive an application in the form of an executable file, we are getting the result of the work of an individual developer or a team, who built the application from a series of lines of program code. Just by running the application, it is hard to know accurately and in detail what the application actually does. The exceptions are when you have the source code from before the application was compiled, or when you do reverse code engineering (RCE).
Low Level Software
Computers and software are built from different layers. An extreme comparison is to look at the outermost layer, i.e. the graphical desktop display, against the innermost layer, the millions of transistors on the CPU. Among programming languages, the lowest level is assembly language. Whatever operation a piece of software performs can be seen in its assembly code. To understand RCE well, you must first understand this low level.
Therefore, we will look at the process from the lowest level, when an executable file is run. The CPU works by reading a collection of bits that contains a set of instructions. These are machine code instructions (machine code, often called binary code), which you can see when you open the file in a hex editor.
Assembly language represents that collection of bits in the form of human-readable text. So, rather than seeing a row of hexadecimal digits, it is easier for you to read text instructions such as MOV (Move), XCHG (Exchange), and so on.
Reversing
In general, RCE is the process of deconstructing an object in order to learn its details. In connection with computer software, reverse engineering deconstructs the software, returning it to the analysis process through:
1. Analysis through observation of the exchange of information, such as capturing the data traffic on a particular computer network. The observed output produced by the software is expected to represent the behavior of the software in use. Tools include a bus analyzer or a packet sniffer. Generally, this method is used to reverse device drivers on embedded systems.
2. Decompilation, using a decompiler. A decompiler attempts to recover the source code in a high-level programming language (e.g. Visual Basic, FoxPro) from the machine code. The success of the decompilation process depends on how much information is contained in the compiled code, and on how good the level of analysis used by the decompiler is. If there is metadata or debug data in the machine code, the decompilation process becomes simpler.
3. Disassembly, using a disassembler tool, i.e. translating the machine code into assembly language. Disassembler tools include IDA Pro, ILDASM, PVDasm, and the topic of this article, OllyDbg.
The pros and cons of reversing will probably never be settled, because it can always be seen from two viewpoints. For example, reversing may be regarded as a savior when it is used to analyze an application suspected of containing a harmful time bomb, but reviled when it is used for cracking, such as modifying a paid application so that its trial period is ignored.
On the positive side, the uses of reversing are:
1. Finding malicious code. For example, an application suspected of containing hidden code that violates the agreed terms, like a time bomb that could disrupt the company's operational processes.
2. Finding erroneous code. Say an application no longer has its source code, for one reason or another, but it has an annoying bug. The reversing process can help find such errors.
3. Finding out what the code does. There are certain cases where you need to know how an application works in detail, perhaps to understand its logic and flow, which you cannot obtain because the source code is unavailable.
4. Analyzing how malware works. Analyzing the techniques and damaging effects of malware requires the reversing process, so that appropriate action and response can be taken.
OllyDbg
OllyDbg is a disassembler/debugger tool for the Windows operating system. Its creator is Oleh Yuschuk, known as Olly. OllyDbg is one of the favorite tools used by many people who work in the RCE world. It is hosted at http://www.ollydbg.de; at the time this article was written it had reached version 2.0, rewritten from scratch, which does not yet support plugins like the previous version. However, you can still download the old version, which supports plugins, or you can get it from the DVD of this PC Media edition.
OllyDbg is shareware, but the author does not request a fee for commercial or permanent use. Simply fill out the registration form and send it via e-mail.
Some of OllyDbg's features and capabilities are:
1. It can recognize procedures, API calls, and most C functions.
2. A reference-search feature for memory and strings.
3. It is able to debug DLL files.
4. Every running program can be attached to and debugged.
5. There are many third-party plugins (not currently supported by OllyDbg version 2.0).
6. It is regularly updated and patched.
One convenience of OllyDbg is that it does not require installation. You simply download, unpack, and run it. An example of the OllyDbg 2.0 display is shown in the picture.
When you use OllyDbg for the first time and open an executable file, it may display a screen that looks pretty "scary". Do not worry; note the red numbers (1 to 8) on each OllyDbg window in the picture. The explanation of each window represented by these numbers is as follows:
1. The first column of the main screen contains the address or offset.
2. This column is the opcode, as shown when you open the file in a hex editor. Some symbols may be found at the beginning of the opcode, for example the symbol ^ (or v), which shows that the code jumps upward or downward. The jump instruction will be discussed later. Another symbol is >, which shows that the code jumps to a specific location. There is also the symbol $, which indicates the beginning of a function.
3. Text that represents the opcode, containing the instructions in assembly language.
4. This is the space for comments, whether comments generated by OllyDbg or written by the user (right click, select "Add comment..."). ASCII text referenced by the opcode is also shown in this section.
5. This section shows information about the instruction being debugged. Say you have come to the instruction "MOV EBP, ESP"; this section will then show the contents of EBP and ESP. It also indicates whether a conditional jump will be executed or not (jump is taken / jump is not taken).
6. This window shows register information such as the standard registers, the flags register, the segment registers, and the debug/FPU/MMX/3DNow registers. The contents of these registers keep changing as you debug the code step by step.
7. This is a dump area of a particular range of memory addresses. You can change the appearance of this area, for example to ASCII or Unicode text (right click on the area, select Text -> ASCII or Unicode), or even disassemble this area (right click, Disassemble).
8. This is a window that displays information on the stack.
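As an added example (not code from the article or from OllyDbg), a small C decoder shows how a disassembler derives the jump target and the ^/v direction marker from the raw opcode bytes in column 2: the target is the address of the next instruction plus the sign-extended displacement, and the marker depends on whether that target is above or below the current address. The sample address 7C901011 is taken from the article; the bytes placed at it are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Condition-code nibble of Jcc opcodes (7x / 0F 8x) -> mnemonic, in the order x86 defines it. */
static const char *const JCC_NAME[16] = {
    "JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
    "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"
};

typedef struct {
    int         ok;        /* 1 if the bytes were a recognised relative jump */
    size_t      len;       /* encoded instruction length in bytes */
    const char *mnemonic;  /* "JMP" or a Jcc name */
    uint32_t    target;    /* absolute destination address */
    char        dir;       /* '^' target is above (lower address), 'v' below */
} Jump;

/* Decode a relative JMP/Jcc located at `addr` from at most `n` raw bytes. */
Jump decode_jump(uint32_t addr, const uint8_t *b, size_t n) {
    Jump j = {0, 0, NULL, 0, 0};
    int32_t rel;

    if (n >= 2 && b[0] == 0xEB) {                               /* EB rel8: JMP short */
        rel = (int8_t)b[1]; j.len = 2; j.mnemonic = "JMP";
    } else if (n >= 5 && b[0] == 0xE9) {                        /* E9 rel32: JMP near */
        rel = (int32_t)((uint32_t)b[1] | (uint32_t)b[2] << 8 |
                        (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24);
        j.len = 5; j.mnemonic = "JMP";
    } else if (n >= 2 && (b[0] & 0xF0) == 0x70) {               /* 7x rel8: Jcc short */
        rel = (int8_t)b[1]; j.len = 2; j.mnemonic = JCC_NAME[b[0] & 0x0F];
    } else if (n >= 6 && b[0] == 0x0F && (b[1] & 0xF0) == 0x80) { /* 0F 8x rel32: Jcc near */
        rel = (int32_t)((uint32_t)b[2] | (uint32_t)b[3] << 8 |
                        (uint32_t)b[4] << 16 | (uint32_t)b[5] << 24);
        j.len = 6; j.mnemonic = JCC_NAME[b[1] & 0x0F];
    } else {
        return j;                                               /* not a relative jump */
    }
    j.ok = 1;
    /* EIP already points past the instruction when the displacement is applied;
       unsigned addition wraps modulo 2^32 exactly like the CPU. */
    j.target = addr + (uint32_t)j.len + (uint32_t)rel;
    j.dir = (j.target < addr) ? '^' : 'v';
    return j;
}

int main(void) {
    /* Constructed bytes placed at the article's sample address 7C901011. */
    const uint8_t code[] = { 0xEB, 0x0E,                         /* JMP +14: downward, v */
                             0x75, 0xF0,                         /* JNE -16: upward, ^  */
                             0x0F, 0x86, 0xFE, 0xFF, 0xFF, 0xFF }; /* JBE -2: downward, v */
    uint32_t addr = 0x7C901011;
    size_t off = 0;
    while (off < sizeof code) {
        Jump j = decode_jump(addr + (uint32_t)off, code + off, sizeof code - off);
        if (!j.ok) break;
        printf("%08X  %c %-3s %08X\n", addr + (uint32_t)off, j.dir, j.mnemonic, j.target);
        off += j.len;
    }
    return 0;
}
```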
There are still several other windows that can be accessed via the toolbar menu (the log window, the memory map window, the CPU window, and so on).
For example, Alt+E will open the executable modules window.
You can also change the values that appear; for instance, in the register window the contents of a register can be changed by right-clicking the register value and selecting Modify (or by double-clicking that value).
Important Shortcuts
One of the main functions of OllyDbg is as a debugger, and there are shortcuts that can simplify the job. Those of you who are used to high-level programming languages such as Visual Basic/Delphi will have used similar debugging features there.
To debug, i.e. execute the code line by line, in OllyDbg you can use the shortcut F7 (Step Into) or F8 (Step Over); be careful when debugging malware, because the F9 shortcut will run the application (Run). To restart (start again from the beginning of the program), use Ctrl+F2. Another important debugging shortcut is F2, which sets or removes a breakpoint. You can set more than one breakpoint.
Basic Assembly
Because OllyDbg translates machine code into assembly language, we must understand the basics of assembly language. It could even be said that this is the core of using OllyDbg. The more you know about assembly, the easier it is for you to understand the flow of the code that appears in OllyDbg, combined with the OllyDbg features that simplify the reversing process.
Discussing assembly language in detail could be a separate and vast topic, but here the basic concepts are given so that you are not too overwhelmed by OllyDbg. In assembly we deal a lot with registers. Registers are the fastest-access storage on the CPU. Examples of 32-bit general-purpose registers (for arithmetic operations, or for holding an offset address) are EAX, EBX, and ECX. Another example is the stack segment register (SS), which is paired with the stack pointer register (SP). The contents of registers are accessed through assembly instructions, including MOV (Move), PUSH, POP, CMP (Compare), INC (Increment), and so on.
For example, the instruction MOV EAX, 0 means fill the EAX register with the value 0.
When debugging with OllyDbg, you will find many jump instructions, used to jump to specific areas of the program. There are many kinds of jump instruction. An unconditional jump is written as JMP followed by its destination, for example:
7C901011 JMP
Every JMP instruction encountered will be executed. There are also conditional jump instructions, whose condition is evaluated through a preceding CMP, TEST, or other instruction. Some examples of jump instructions that evaluate the previous instruction are JA (Jump if Above), JNE (Jump if Not Equal), JL (Jump if Less), and many more. Looks complicated? Not really, because each of these instructions has an easily remembered acronym, namely:
J = Jump
E = Equal
N = Not
S = Sign
Z = Zero
P = Parity
O = Overflow
C = Carry
G = Greater Than
A = Above
L = Less
B = Below
The instruction CMP ECX, 0FFFF compares operand1 and operand2, and is followed by a JBE instruction that jumps if its condition is fulfilled. From the table above, JBE means Jump if Below or Equal, i.e. jump if operand1 <= operand2 (if operand1 is below or equal to operand2). Opening and experimenting with some sample files will make you accustomed to working in the OllyDbg environment. In the next article, more in-depth examples of using OllyDbg will be discussed.
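As an added example, not code from the article: a small C model of how CMP sets the flags and how each conditional jump in the acronym table reads them, applied to the CMP ECX, 0FFFF / JBE sequence above. It also shows the caveat the table hides: Above/Below (JA, JBE) are unsigned comparisons, while Greater/Less (JG, JL) are signed, so the same operands can give a different "jump is taken / jump is not taken" result. The ECX values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The EFLAGS bits that CMP sets. CMP a, b computes a - b and keeps only the flags. */
typedef struct { bool zf, cf, sf, of; } Flags;

Flags cmp32(uint32_t a, uint32_t b) {
    Flags f;
    uint32_t r = a - b;
    f.zf = (r == 0);                              /* operands equal */
    f.cf = (a < b);                               /* unsigned borrow: a is below b */
    f.sf = (r >> 31) & 1;                         /* sign bit of the result */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;       /* signed overflow of a - b */
    return f;
}

/* Would the conditional jump `mn` be taken with these flags?
   Above/Below read CF and ZF (unsigned); Greater/Less read SF, OF and ZF (signed). */
bool jcc_taken(const char *mn, Flags f) {
    if (!strcmp(mn, "JE")  || !strcmp(mn, "JZ"))  return f.zf;
    if (!strcmp(mn, "JNE") || !strcmp(mn, "JNZ")) return !f.zf;
    if (!strcmp(mn, "JB")  || !strcmp(mn, "JC"))  return f.cf;
    if (!strcmp(mn, "JBE"))                       return f.cf || f.zf;
    if (!strcmp(mn, "JA"))                        return !f.cf && !f.zf;
    if (!strcmp(mn, "JAE") || !strcmp(mn, "JNC")) return !f.cf;
    if (!strcmp(mn, "JL"))                        return f.sf != f.of;
    if (!strcmp(mn, "JLE"))                       return f.zf || (f.sf != f.of);
    if (!strcmp(mn, "JG"))                        return !f.zf && (f.sf == f.of);
    if (!strcmp(mn, "JGE"))                       return f.sf == f.of;
    if (!strcmp(mn, "JS"))                        return f.sf;
    if (!strcmp(mn, "JNS"))                       return !f.sf;
    if (!strcmp(mn, "JO"))                        return f.of;
    if (!strcmp(mn, "JNO"))                       return !f.of;
    return false;                                 /* unknown mnemonic: treat as not taken */
}

/* CMP a, b followed by Jcc: 1 = "jump is taken", 0 = "jump is not taken". */
int cmp_jcc(uint32_t a, uint32_t b, const char *mn) {
    return jcc_taken(mn, cmp32(a, b)) ? 1 : 0;
}

int main(void) {
    /* The article's sequence, CMP ECX, 0FFFF / JBE, for a few constructed ECX values;
       JL is evaluated alongside to show the signed/unsigned difference. */
    uint32_t ecx_values[] = { 0x1234, 0xFFFF, 0x10000, 0xFFFFFFFF };
    for (size_t i = 0; i < sizeof ecx_values / sizeof ecx_values[0]; i++) {
        uint32_t ecx = ecx_values[i];
        printf("ECX=%08X  CMP ECX,0FFFF ; JBE -> %s ; JL -> %s\n", ecx,
               cmp_jcc(ecx, 0xFFFF, "JBE") ? "jump is taken" : "jump is not taken",
               cmp_jcc(ecx, 0xFFFF, "JL")  ? "jump is taken" : "jump is not taken");
    }
    return 0;
}
```

For ECX = FFFFFFFF the JBE is not taken (unsigned, it is far above FFFF) while the JL is taken (signed, it is -1), which is the case OllyDbg's "jump is taken / not taken" hint resolves for you.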