Saturday, October 28, 2006

Reverse Code Engineering

As I spent the whole holiday sick at home, and I got no chance whatsoever to go outside (except for the last couple of days maybe), I had enough time to finish off all the work and the things I was planning to do on my computer. Many projects from the old days, each in a separate folder, were waiting on my desktop for me to have enough time to resume digging into.

Out of boredom, I decided to dig up something I barely got into previously: Reverse Code Engineering; the art of breaking into executable files and modifying their machine code to obtain different execution behavior.

If you have ever installed or used unlicensed computer software, then you have probably used reverse-engineered programs at some point; the illegal kind of them ... Cracks!

Software cracks are modified software executables that have been reverse-engineered by crackers to deactivate product registration, activation, limitations, and nagging-screen routines. The cracked or “patched” program works as well as a full/registered version. It has been altered at the machine language level to do so.

A long time ago, I made a very basic, yet interesting, experiment in this regard. I coded and compiled a simple C++ program, then started analyzing and messing with its machine code using disassemblers and hex editors. The first program was actually something like this:



These four lines of C++ were compiled into some hundred lines of assembly. I used a disassembler to trace down the string “Password Correct” and look up the instructions that reference the memory location it was being held in.
I came up with the following machine code and assembly listing:



The CMP instruction was comparing a certain value in memory with 7Bh (which is equal to 123 in decimal). The second JNE (Jump if Not Equal) instruction made the program branch at that point to one of two paths, depending on the result of the previous comparison.

Using a hex editor, I replaced 75 (the op-code for JNE) with 74 (the op-code for JE), which is the opposite instruction. The program (now cracked :P) started to output “Password Correct” for any user-entered password EXCEPT 123 :D

That was the very first experiment, and I was really glad it worked!

Over the past few days, I ran more tests and came up with much more complicated tricks. Instead of reversing IF statements, I tried jumping (using the JMP instruction) to the code right inside the IF statement, trying to bypass the evaluation of the condition, and it worked! :D

My friend Zeid raised an interesting argument about jumping over and bypassing sections of code. He said that jumping can’t always be the solution because sometimes you skip code that is essential for the proper execution of the program. That was definitely correct, but I actually found a way to do the jump safely!

The “dangerous” jump was tried on the following program:



My target was to make this program call the function secret() with x=17 immediately at startup, i.e. without even requesting user input. I wanted to wipe out the user-input section and remove the limitation of x having to be less than 5.

What I did was overwrite the cout and cin assembly code sections with NOP (No Operation) instructions (a cool way I came up with to “comment out” those sections :P), then replace some of those NOPs with the following assembly instructions:



Carefully tried that, and yup … it WORKED! :D

That was a “dangerous” code jump on my part, but I did well I guess! :P
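Both experiments above leave a recognisable fingerprint in the file: a single byte flipped between two opposite conditional jumps (75h JNE and 74h JE differ only in their low bit, as do all the short Jcc pairs 70h..7Fh), and a stretch of code blanked with 90h NOPs with new instructions dropped into the gap. The following script is an added example, not code from the post, written from the other side of the table: given a known-good copy and a suspect copy of the same executable, it lists every differing byte run and labels the two kinds of edit described above. The two byte strings are constructed here to mimic the post's password check and its cout/cin calls; they are not bytes from the author's programs, and the NOP rules are heuristics (compilers emit NOP padding too), so a hit is a lead to inspect rather than proof of tampering.

```python
# Added example (not the blog's own code): triage of a patched x86
# binary from the defender's side. Compares a known-good copy of an
# executable with a suspect copy and classifies each differing region
# as a flipped conditional jump, a NOP overwrite, code injected into a
# NOP-filled area, or an unclassified change.
from typing import List, Tuple

# Short conditional jumps: opcode 70h..7Fh followed by one rel8 byte.
# Each pair differs only in the low bit, which negates the condition,
# so JE (74h) and JNE (75h) are exactly one bit apart.
SHORT_JCC = {
    0x70: "JO",  0x71: "JNO", 0x72: "JB",  0x73: "JAE",
    0x74: "JE",  0x75: "JNE", 0x76: "JBE", 0x77: "JA",
    0x78: "JS",  0x79: "JNS", 0x7A: "JP",  0x7B: "JNP",
    0x7C: "JL",  0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}
NOP = 0x90  # one-byte NOP used to blank out code


def jcc_name(opcode: int) -> str:
    """Mnemonic for a short Jcc opcode; the near form 0F 80h..0F 8Fh
    uses the same condition nibble, so map 8x onto 7x first."""
    if 0x80 <= opcode <= 0x8F:
        opcode = 0x70 | (opcode & 0x0F)
    return SHORT_JCC[opcode]


def inverted_jcc(good: bytes, suspect: bytes, i: int) -> str:
    """Return text like 'JNE -> JE' if byte i is a conditional jump
    whose condition was negated by flipping the low bit, else ''."""
    o, p = good[i], suspect[i]
    if p != o ^ 0x01:
        return ""
    is_short = o in SHORT_JCC
    is_near = 0x80 <= o <= 0x8F and i > 0 and good[i - 1] == 0x0F
    if is_short or is_near:
        return f"{jcc_name(o)} -> {jcc_name(p)}"
    return ""


def diff_regions(good: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Offsets [start, end) of each contiguous run of differing bytes.
    An in-place hex-editor patch keeps the file size, so unequal sizes
    are reported as an error instead of being aligned."""
    if len(good) != len(suspect):
        raise ValueError("file sizes differ; not an in-place patch")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(good)))
    return regions


def classify(good: bytes, suspect: bytes) -> List[Tuple[int, int, str]]:
    """Label each differing region. The NOP rules are heuristics:
    compilers also emit NOP padding for alignment."""
    findings = []
    for start, end in diff_regions(good, suspect):
        patched = suspect[start:end]
        flip = inverted_jcc(good, suspect, start) if end - start == 1 else ""
        if flip:
            kind = f"jcc inverted: {flip}"
        elif all(b == NOP for b in patched):
            kind = f"nop overwrite: {end - start} bytes blanked"
        elif NOP in patched:
            kind = "injected code inside a NOP-filled region"
        else:
            kind = "other modification"
        findings.append((start, end, kind))
    return findings


# Constructed sample (not bytes from the blog's executable):
#   offset 0:  cmp al, 7Bh ; jne +5 ; mov eax, 1 ; ret
#   offset 10: call X ; call Y ; ret   (stand-ins for the cout/cin calls)
GOOD = bytes([0x3C, 0x7B, 0x75, 0x05, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,
              0xE8, 0xAA, 0xBB, 0xCC, 0xDD, 0xE8, 0xEE, 0xFF, 0x01, 0x02,
              0xC3])
# Suspect copy: jne flipped to je, and the two calls replaced by
# mov eax, 17 followed by NOP fill.
SUSPECT = bytes([0x3C, 0x7B, 0x74, 0x05, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,
                 0xB8, 0x11, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90,
                 0xC3])

if __name__ == "__main__":
    for start, end, kind in classify(GOOD, SUSPECT):
        print(f"{start:#06x}-{end:#06x}: {kind}")
```

On real files you would hash both copies first and only run the byte diff when the hashes disagree; the classifier is most useful when the differing regions are few, which is exactly the profile of a hand-made hex-editor patch.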

Coding my own assembly into that EXE and observing how it worked was one of the most enjoyable things I’ve ever done in my life!

Next I'm trying to crack, ahem … “reverse engineer” some old DOS shareware; wait for the results ;)

33 Response(s) to "Reverse Code Engineering"

  • Oct 29, 2006 12:20 AM

    Devil's Mind said:

    Really interesting stuff, although very simplistic in nature... Anyways, the title says: "reverse code engineering", while it really should say: "reverse engineering code"!


  • Oct 29, 2006 1:31 AM

    Ghaith said:

    Yup, very primitive yet fascinating :)

    Anyways man, it's called Reverse Code Engineering (RCE)! It's a term, nothing I came up with actually!


  • Oct 29, 2006 5:52 AM

    Devil's Mind said:

    Emm, yeah, right... I checked and it's really a term, "RCE"!! I withdraw my previous remark, although the wording of that term doesn't sound right!!


  • Oct 29, 2006 12:03 PM

    Anonymous said:

    Do you work on Windows or another OS?


  • Oct 29, 2006 12:28 PM

    Qwaider قويدر said:

    LOL man ... you remind me of myself 15 years ago :)
    Well done

    Can I give you a couple of hints?
    Enable debugging in Windows and use the bundled NTSD to attach to applications in memory and visually inspect or alter stuff the way you like ...
    To enable Windows-wide kernel debugging, add /Debug in your Boot.Ini file (next to the Windows boot you'd like to debug), and you will need a null modem connection (hooked up to another PC) to debug even kernel-mode applications running in memory.

    You may also use things like BlackIce and other cool debugging tools to do things...
    Happy hunting :)


  • Oct 29, 2006 8:55 PM

    Qwaider قويدر said:

    I could swear that I left a comment here for you ...
    Oh well ... :)
    Keep up the good work


  • Oct 29, 2006 9:03 PM

    naturalblu said:

    I have no clue about this stuff, but anyway get well soon; looks like you need a big helping of mansaf :P


  • Oct 29, 2006 9:21 PM

    Ghaith said:

    Anonymous

    It’s Windows XP.

    Qwaider

    Your comment is here! Blogger was down for some time I guess. I'm glad you didn't lose it :)

    Besides, come on now, 15 years ago? Didn't you tell me just the other time that you're 16? ;)

    Just kidding :P, many thanks for the advice man! I actually found a couple of amazing tools for inspecting and modifying memory and even code assembly on the fly. They work in user-level mode (by setting up interrupts) and are thus much more comfortable to use than kernel-level debuggers like SoftIce (You did mean SoftIce, right?).

    Naturalblu

    Allah ysalmek (thank you) :)

    I want a big helping of halva myself :P


  • Oct 30, 2006 1:57 PM

    naturalblu said:

    umm, what's that bit below "Allah ysalmek"? I can't read it :P


  • Oct 30, 2006 8:26 PM

    Ghaith said:

    Don't try to wriggle out of it, our deal is clear! :P


  • Oct 30, 2006 9:53 PM

    Amer said:

    Halva?? God rest your grandfather :D
    So you're Karaki and you prefer halva over mansaf?
    No, no, no.
    If only jameed could hear you.


  • Oct 31, 2006 6:21 PM

    Ghaith said:

    No Amer, there's nothing that beats mansaf!

    Drop the subject and there are a few pieces of halva in it for you as a gift ;)


  • Oct 31, 2006 8:05 PM

    Amer said:

    Fine, consider it dropped :P LOL
    Man, when am I going to learn about "reverse watermelon" and "gusas el 6arma"??
    Or do I have to learn them on my own? If so, forget it LOL


  • Nov 01, 2006 12:20 AM

    Ghaith said:

    You'll start to take these courses in your 2nd or 3rd year, inshalla. However, it does greatly depend on whether you have an interest in this kind of stuff or not! It needs a lot of out-of-curriculum research and effort, man.

    The assembly course will be a good start for this. You'll know then whether you're into this stuff or not :)


  • Nov 01, 2006 1:15 AM

    Lubna said:

    I was lost in the second code! But nice job (Y). And even when you're offline you work well :P

    ps. someone's comment is provoking (hahaha)


  • Nov 01, 2006 12:11 PM

    ma3en said:

    great job man :) anyway, a great term you used to legalize these processes; anyway, I have a nice game but it needs registration :), maybe you can reverse engineer it for me, legally of course ;)

    ps.(same as lubna) ;)


  • Nov 01, 2006 1:18 PM

    Amer said:

    Is it my comment ?? :P


  • Nov 01, 2006 2:43 PM

    Amer said:

    "Gusas 6arma" means something good in Iraqi :P


  • Nov 01, 2006 2:44 PM

    Amer said:

    sorry for the double post, it didn't show up at first


  • Nov 01, 2006 2:59 PM

    Lubna said:

    lol Amer no it's not your comment that Ma3en and I are referring to haha... nice thinking though :P

    Ghaith.... you know what you have to do!


  • Nov 01, 2006 7:17 PM

    Ghaith said:

    Lubna

    Thanks for the encouragement :D

    Ma3en

    Sure man, any game you like, consider it a full version already, no problem ;)

    Amer

    lol man, they didn't mean you, they meant somebody else :P

    And anyway, say whatever you want; nobody will come at you while I'm around ;)


  • Nov 01, 2006 9:57 PM

    Amer said:

    Hats off, Abu Tarawneh :D By God, you're awesome


  • Nov 02, 2006 9:27 PM

    naturalblu said:

    eh! I missed all that :S
    Ghaith, so you know how to make halva and you want to invite Amer :P
    and Amer, fine, you've got a halva invitation from me too, in case Ghaith's falls through :P but tell me first, are you from Karak too? ;o)


  • Nov 02, 2006 11:31 PM

    Amer said:

    Yeah, I'm Karaki, Halaseh.
    There we go, we've scored two invitations :D who else wants to invite me?? :p but only for mansaf


  • Nov 03, 2006 12:59 AM

    Lubna said:

    Amer

    So you're Karaki and all that... and yet you go around asking people for invitations? Given that the people of Karak are the people of hospitality... instead of inviting people to a Karaki mansaf yourself, you go asking for invitations!! (H)

    Ghaith

    Sorry for the interruption (H)


  • Nov 03, 2006 12:21 PM

    Amer said:

    Lubna

    Of course the people of Karak are the people of hospitality, and of course nothing compares to Karaki mansaf, right Ghaith?
    But you're right, fine, today you're all invited to a Karaki mansaf with genuine Karaki jameed, not Fuhaisi :P
    Seriously, I'm having mansaf today :D


  • Nov 03, 2006 2:23 PM

    naturalblu said:

    Amer, lucky youuuuuu :o( I only eat mansaf made with Karaki jameed :D Amer, where do you live? ;o)
    and btw, first time I've heard of Fuhaisi jameed :S


  • Nov 03, 2006 3:07 PM

    Amer said:

    You argue over every single word :P Fine, let it go! Honestly, I don't know whether there's Fuhaisi jameed or not, but there surely is!
    And I live in Safout, check "Saf de Safoute" lol. But consider it Amman. lol


  • Nov 03, 2006 3:10 PM

    Amer said:

    Welcome, you're all welcome :D
    And you too, Miss Lubna :P and you too, Mr. Tarawneh.


  • Nov 03, 2006 3:30 PM

    Ghaith said:

    HEY, WHAT IS THIS!! WHERE DO YOU THINK YOU ARE!! :@

    Coming to my blog to get yourselves invited to dinner? The title of the post is “Reverse Code Engineering”, not “Mansaf and Invitations”!

    Side comments are tolerated on my blog but that doesn't make it a space for chit chat. Please stick to the subject of the post guys.

    Thank you!


  • Nov 03, 2006 4:42 PM

    Amer said:

    LOOOOOOOOOOL
    Fine, then write about "mansaf and invitations" in your next post so we can continue
    LOL


  • Nov 06, 2006 6:22 PM

    naturalblu said:

    heh! so you neither let us finish chatting nor wrote a new post
    AWSALAK!!
    ;op


  • Nov 06, 2006 11:17 PM

    Amer said:

    See!!
    It's true that you're "frerawy"!!



