Book Image

Mastering Reverse Engineering

By : Wong
Book Image

Mastering Reverse Engineering

By: Wong

Overview of this book

If you want to analyze software in order to exploit its weaknesses and strengthen its defenses, then you should explore reverse engineering. Reverse Engineering is a hackerfriendly tool used to expose security flaws and questionable privacy practices.In this book, you will learn how to analyse software even without having access to its source code or design documents. You will start off by learning the low-level language used to communicate with the computer and then move on to covering reverse engineering techniques. Next, you will explore analysis techniques using real-world tools such as IDA Pro and x86dbg. As you progress through the chapters, you will walk through use cases encountered in reverse engineering, such as encryption and compression, used to obfuscate code, and how to to identify and overcome anti-debugging and anti-analysis tricks. Lastly, you will learn how to analyse other types of files that contain code. By the end of this book, you will have the confidence to perform reverse engineering.
Table of Contents (15 chapters)

Debugging

We will be using x86dbg for our debug session. Remember that we decompressed the file using UPX. It would be wise to open the decompressed version instead of the original whatami.exe file.  Opening the compressed will be fine but we will have to go through debugging the UPX packed code.

Unlike IDA Pro, x86dbg is not able to recognize the WinMain function where the real code starts. In addition, after opening the file, the instruction pointer may still be somewhere in the NTDLL memory space. And to avoid being in an NTDLL region during startup, we may need to make a short configuration change in x86dbg.

Select Options->Preference. Under the Events tab, uncheck System Breakpoint and TLS Callbacks. Click on the Save button and then select Debug->Restart. This should now bring us to the entry point of whatami.exe at the following address: 0x004016B8.

Since we...