Book Image

Mastering Reverse Engineering

By : Reginald Wong
Book Image

Mastering Reverse Engineering

By: Reginald Wong

Overview of this book

If you want to analyze software in order to exploit its weaknesses and strengthen its defenses, then you should explore reverse engineering. Reverse Engineering is a hackerfriendly tool used to expose security flaws and questionable privacy practices.In this book, you will learn how to analyse software even without having access to its source code or design documents. You will start off by learning the low-level language used to communicate with the computer and then move on to covering reverse engineering techniques. Next, you will explore analysis techniques using real-world tools such as IDA Pro and x86dbg. As you progress through the chapters, you will walk through use cases encountered in reverse engineering, such as encryption and compression, used to obfuscate code, and how to to identify and overcome anti-debugging and anti-analysis tricks. Lastly, you will learn how to analyse other types of files that contain code. By the end of this book, you will have the confidence to perform reverse engineering.
Table of Contents (20 chapters)
Title Page
Copyright and Credits
Packt Upsell
Contributors
Preface
Index

Data assembly on the stack


The stack is a memory space in which any data can be stored. The stack can be accessed using the stack pointer register (for 32-bit address space, the ESP register is used). Let's consider the example of the following code snippet:

push 0
push 21646c72h
push 6f57206fh
push 6c6c6548h
mov eax, esp
push 74h
push 6B636150h
mov edx, esp
push 0
push eax
push edx
push 0
mov eax, <user32.MessageBoxA>
call eax

This will eventually display the following message box:

How did that happen when no visible text strings were referenced? Before calling for the MessageBoxA function, the stack would look like this:

These push instructions assembled the null terminated message text at the stack.

push 0
push 21646c72h
push 6f57206fh
push 6c6c6548h

While the other string was assembled with these push instructions:

push 74h
push 6B636150h

In effect, the stack dump would look like this.

Every after string assembly, the value of register ESP is stored in EAX and then EDX.  That is, EAX points...