Mastering Reverse Engineering: Re-engineer your ethical hacking skills

Product type Paperback
Published in Oct 2018
Publisher Packt
ISBN-13 9781788838849
Length 436 pages
Edition 1st Edition
Author: Reginald Wong
Tools

Reverse code engineering starts with understanding the meaning of every bit and byte. Simply viewing the bytes a file contains requires tools that aid in reading files and objects; parsing those bytes and giving each one meaning requires yet another tool. Reverse engineering has evolved alongside tools that are continuously updated as new software technology is encountered. Here, we have categorized these tools into binary analysis tools, disassemblers, decompilers, debuggers, and monitoring tools.

Binary analysis tools

Binary analysis tools are used to parse binary files and extract information about the file. With them, an analyst can identify which applications are able to read or execute the binary. File types are generally identified from their magic header bytes, which are usually located at the beginning of a file. For example, a Microsoft executable (EXE) file begins with the MZ header (MZ is believed to be the initials of Mark Zbikowski, a Microsoft developer from the DOS days). Microsoft Office Word documents, on the other hand, have these first four bytes as their magic header:


The hexadecimal bytes in the preceding screenshot read as DOCFILE. Other information, such as text strings, also gives hints. The following screenshot shows information indicating that the program was most likely built using Windows Forms:
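As an added example (not code from the book), a small Python identifier that applies the two checks described above: the magic-header test (the MZ header of an EXE, and the D0 CF 11 E0 header of a Word document, whose bytes read as DOCFILE) and a printable-string scan for hints such as a "Windows.Forms" reference. Following e_lfanew at offset 0x3C to the PE signature goes beyond the text and is an assumption about the PE layout; the sample buffers are constructed inline.

```python
import struct

# Constructed sample inputs (not real files): a minimal MZ/PE stub,
# an OLE compound-document header, and plain text.
SAMPLE_EXE = (b"MZ" + b"\x00" * 58            # DOS header up to offset 0x3C
              + struct.pack("<I", 0x40)       # e_lfanew: PE signature at 0x40
              + b"PE\x00\x00" + b"\x00" * 16)
SAMPLE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
SAMPLE_TXT = b"just some text"


def identify(data: bytes) -> str:
    """Classify a byte buffer by its magic header bytes."""
    if data[:2] == b"MZ":
        # MZ header found; a PE file additionally stores the offset of its
        # "PE\0\0" signature in the 32-bit field at 0x3C (assumed layout).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE executable (MZ header, PE signature found)"
        return "MZ executable (no PE signature found)"
    if data[:4] == b"\xD0\xCF\x11\xE0":
        return "OLE compound document (D0 CF 11 E0, e.g. Word .doc)"
    return "unknown"


def strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII at least min_len long, the kind of
    text-string hint the section mentions (e.g. framework names)."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    for name, buf in (("exe", SAMPLE_EXE), ("doc", SAMPLE_DOC), ("txt", SAMPLE_TXT)):
        print(name, "->", identify(buf), strings(buf))
```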


Disassemblers

Disassemblers are used to view the low-level code of a program. Reading low-level code requires knowledge of assembly language. Analysis done with a disassembler gives information about the execution conditions and system interactions that a program will carry out when executed. The highlights when reading low-level code, however, are the points where the program uses Application Program Interface (API) functions. The following screenshot shows a code snippet of a program module that uses the GetJob() API, which is used to get information about a printer job:

Debuggers

Disassemblers can show the code tree, but the analyst can verify which branch the code actually flows to by using a debugger. A debugger actually executes the program one line of code at a time. The analyst can trace through code such as loops, conditional statements, and API calls. Since debuggers fall under dynamic analysis and perform a step-wise execution of the code, debugging is done in an enclosed environment. Different file types call for different disassemblers: for a .NET compiled executable, it is best to instead disassemble the p-code and work out what each operator means.

Monitoring tools

Monitoring tools are used to monitor system behavior regarding files, the registry, memory, and the network. These tools usually tap or hook APIs or system calls and then log information such as newly created processes, updated files, new registry entries, and incoming SMB packets; reports are then generated from these logs by reporting tools.

Decompilers

Decompilers are similar to disassemblers. They are tools that attempt to restore the high-level source code of a program, unlike disassemblers, which attempt to restore the low-level (assembly language) code of a program.

These tools work hand in hand with each other. The logs generated by monitoring tools can be used to trace the actual code path through the disassembled program. The same applies when debugging: the analyst can see an overview of the low-level code from the disassembly, while being able to predict where to place breakpoints based on the monitoring tools' logs.
