Book Image

Mastering Reverse Engineering

By : Reginald Wong
Book Image

Mastering Reverse Engineering

By: Reginald Wong

Overview of this book

If you want to analyze software in order to exploit its weaknesses and strengthen its defenses, then you should explore reverse engineering. Reverse Engineering is a hackerfriendly tool used to expose security flaws and questionable privacy practices.In this book, you will learn how to analyse software even without having access to its source code or design documents. You will start off by learning the low-level language used to communicate with the computer and then move on to covering reverse engineering techniques. Next, you will explore analysis techniques using real-world tools such as IDA Pro and x86dbg. As you progress through the chapters, you will walk through use cases encountered in reverse engineering, such as encryption and compression, used to obfuscate code, and how to to identify and overcome anti-debugging and anti-analysis tricks. Lastly, you will learn how to analyse other types of files that contain code. By the end of this book, you will have the confidence to perform reverse engineering.
Table of Contents (20 chapters)
Title Page
Copyright and Credits
Packt Upsell
Contributors
Preface
Index

Decrypting with x86dbg


The preceding code snippet came from the HeapDemo.exe file. You can download this file from https://github.com/PacktPublishing/Mastering-Reverse-Engineering/tree/master/ch9. Go ahead and start debugging the file using x86dbg. This screenshot shows the disassembly code at the WinMain function right after loading the file in x86dbg:

From the executable's code entry point, we encounter heap allocation with the GetProcessHeap and RtlAllocateHeap APIs. This is followed by using a _memcpy function, which copies 0x1BE bytes of data from the address denoted by heapdemo.enc. Let's take a look at the memory dump from heapdemo.enc. To do that, right-click on push <heapdemo.enc>, then select Follow in Dump. Click on the given address, not the Selected Address. This should change the contents in the currently focused Dump window:

This should be the data that will be decrypted by the next lines of code that run in a loop. We should also see the same encrypted data at the allocated...