
Reverse Engineer's Blog (KDSBest)

04/12/2014


Reverse Engineering is no Rocket Science 1


Let me make one thing clear: you have to know how to develop software in a language like C/C++, C#, Java or similar before you will fully understand this. If you know how to develop software, or if you are just interested in how reverse engineering works, go on.

What is Reverse Engineering?


If you create source code like this:

#include <stdio.h>

int main()
{
    printf("TEST\n");
    return 1;
}

The compiler you use turns this into machine instructions packed into an exe file (or similar) that your CPU executes. What the CPU actually reads are opcodes, the byte encoding of the instructions; assembler is the human-readable mnemonic form of the same thing, and a disassembler gives you that listing back from the bytes. Reconstructing the source code (or at least its logic) from an assembler listing is called reverse engineering. It is used in many ways: finding exploits, developing shellcode, hacking consoles and understanding other people's software are just some of the scenarios.

How do I learn to do this? Books?


As always, start by reading about the tools you will use. Basically I recommend IDA (the Interactive DisAssembler, which also contains a debugger). It is by far the best disassembler in this world. If you want to learn PPC reverse engineering you can read this series. You are free to link to this site.

Which CPU do you show your examples on?


The theory works on a lot of assembler languages (yes, there are different ones), but I will show it on one example CPU: the 64-bit PowerPC core of the Cell Broadband Engine.

How do we simplify the understanding first?


In our C code we treat the registers of the CPU as global variables. With GCC you can even bind such a variable to the real register, using its global register variable extension:

register unsigned long long r3 __asm("r3");

How do I start?
I always start by translating every assembler instruction into C code right away, because I am much more comfortable reading obfuscated C than a wall of assembler. In this series I will cover examples and the instruction conversions I come across most often in real code. While converting the instructions to C you will notice patterns right away, and then you can optimize the code as you go. A simple example is this C code:

r3 = 0x12340000003DCBA9;

This simple assignment takes four instructions on PPC64, because an immediate operand is only 16 bits wide:

lis %r3, 0x1234
rldicr %r3, %r3, 32
oris %r3, %r3, 0x3D
ori %r3, %r3, 0xCBA9

Going Deeper
First I give you direct translations of each instruction to C. The format below (the instruction, then its C equivalent) will be used for the whole series.

lis instruction (Load Immediate Shifted)


This instruction loads a 16-bit value into bits 16 to 31 of the register (bit 0 is the lowest bit, bit 63 the highest); bits 0 to 15 are cleared. On a 64-bit CPU the 32-bit result is sign-extended, so an immediate with its top bit set (0x8000 and above) also fills bits 32 to 63 with ones. In our example 0x1234 is positive, so the upper bits are zero. Parameters:
1. Register, which will be set (the first register is always the destination register).
2. Value, which is loaded. The immediate only has a limited size (16 bits), which is why setting all 64 bits of a register takes this many instructions.
Our example:

lis %r3, 0x1234

In C:

r3 = 0x12340000;

Pretty simple, heh? Next instruction:

rldicr (Rotate Left Double Word Immediate then Clear Right)


This instruction rotates the bits to the left and then clears bits on the right side. The full form carries a fourth operand, the mask end, which says where the clearing stops (the listings in this post omit it); when the bits that rotate around are the ones being cleared, the result is simply a left shift. Simple example: you got r3 = 2 (2 in binary is 10). If you rotate left by 2 bits the new value is 8 (8 in binary is 1000). Parameters:
1. Register, like always the destination register.
2. Register, the value which will be rotated (source and destination do not have to match; I give an example below).
3. Value, the number of bits to rotate/shift.
Other example: r4 has the value 2 and r5 should get the value 8. The following instruction does the trick; r4 keeps the value 2 and is not modified.

rldicr %r5, %r4, 2

Our example:

rldicr %r3, %r3, 32

In C:

r3 = r3 << 32;

Rotating by 32 swaps the two 32-bit halves of the register, and the clear-right mask then zeroes the low 32 bits, so the result is the same as a plain left shift by 32. Since source and destination register match, the shorter way:

r3 <<= 32;

ori (OR Immediate)


A simple OR operation of a 16-bit immediate into the lower bits 0 to 15. Parameters:
1. Register, like always the destination register.
2. Register, the value which will be ORed (source and destination do not have to match).
3. Value which will be ORed in.
Our example:

ori %r3, %r3, 0xCBA9

In C:

r3 = r3 | 0xCBA9;

Since source and destination register match, the shorter way:

r3 |= 0xCBA9;

Note: I showed ori before oris because ori is easier to understand and the two are basically the same.

oris (OR Immediate Shifted)


A simple OR operation of a 16-bit immediate into bits 16 to 31. Parameters:
1. Register, like always the destination register.
2. Register, the value which will be ORed (source and destination do not have to match).
3. Value which will be ORed in (just append four zero hex digits, 0000, to the value of an ori and an oris is like an ori; the C code shows it).
Our example:

oris %r3, %r3, 0x3D

In C:

r3 = r3 | 0x3D0000;

Since source and destination register match, the shorter way:

r3 |= 0x3D0000;

The Example:
The way we got it:

lis %r3, 0x1234
rldicr %r3, %r3, 32
oris %r3, %r3, 0x3D
ori %r3, %r3, 0xCBA9

Now just copy the C translations and fill in the right values and registers; you will get this. In C:

r3 = 0x12340000;
r3 <<= 32;
r3 |= 0x3D0000;
r3 |= 0xCBA9;

Simplify the code:

r3 = 0x12340000;
r3 <<= 32;

Since the left shift only appends 32 zero bits (4 bytes) on the right side of the value, the result is:

r3 = 0x1234000000000000;

Next part:

r3 = 0x1234000000000000;
r3 |= 0x3D0000;

Since the bits we OR into are all zero, the OR just writes the value into those positions:

r3 = 0x12340000003D0000;

For the next OR it is the same:

r3 = 0x12340000003D0000;
r3 |= 0xCBA9;

Which will become:

r3 = 0x12340000003DCBA9;
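To check the translations above on an ordinary PC, here is an added example (my own code, not from the blog) that models the four instructions in C and runs them over the listing as a tiny interpreter. It assumes the full rldicr form with its mask-end operand (sldi rA,rS,n is rldicr rA,rS,n,63-n, so the listing's rldicr %r3,%r3,32 is taken as rldicr %r3,%r3,32,31); the instruction struct, register array and function names are my own, and the lis model includes the sign extension that the post mentions only in passing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the blog: C models of the four PowerPC
 * instructions used in the post, run over a constructed listing so the
 * "translate every instruction to C" idea can be tested on any machine.
 * Bit numbers in comments follow the post (bit 0 = lowest bit). */

/* lis rD, SIMM: SIMM goes into bits 16-31, bits 0-15 become zero, and the
 * 32-bit result is sign-extended to 64 bits (matters for SIMM >= 0x8000). */
static uint64_t ppc_lis(uint16_t simm)
{
    uint64_t v = (uint64_t)simm << 16;
    if (simm & 0x8000)
        v |= 0xFFFFFFFF00000000ULL;   /* sign extension into bits 32-63 */
    return v;
}

/* rldicr rA, rS, SH, ME: rotate left by SH, then keep only the bits from the
 * most significant bit down to mask end ME (ME counted from the MSB, as in
 * the PowerPC manual; ME = 63 keeps everything, ME = 31 keeps the high half).
 * Assumption: the post's three-operand rldicr ...,32 is rldicr ...,32,31. */
static uint64_t ppc_rldicr(uint64_t rs, unsigned sh, unsigned me)
{
    sh &= 63;
    uint64_t rot  = sh ? (rs << sh) | (rs >> (64 - sh)) : rs;
    uint64_t mask = ~(uint64_t)0 << (63 - (me & 63));
    return rot & mask;
}

/* ori rA, rS, UIMM: OR the 16-bit immediate into bits 0-15. */
static uint64_t ppc_ori(uint64_t rs, uint16_t uimm)
{
    return rs | (uint64_t)uimm;
}

/* oris rA, rS, UIMM: OR the 16-bit immediate into bits 16-31. */
static uint64_t ppc_oris(uint64_t rs, uint16_t uimm)
{
    return rs | ((uint64_t)uimm << 16);
}

/* A minimal decoded-instruction form (my own layout, not a real encoding). */
enum ppc_op { OP_LIS, OP_RLDICR, OP_ORI, OP_ORIS };

struct ppc_insn {
    enum ppc_op op;
    unsigned rd;      /* destination register number */
    unsigned rs;      /* source register number (unused by lis) */
    uint32_t imm;     /* immediate, or SH for rldicr */
    unsigned me;      /* mask end, rldicr only */
};

/* One instruction becomes one C statement on a 32-entry register file. */
static void ppc_step(uint64_t regs[32], const struct ppc_insn *in)
{
    switch (in->op) {
    case OP_LIS:    regs[in->rd] = ppc_lis((uint16_t)in->imm);                 break;
    case OP_RLDICR: regs[in->rd] = ppc_rldicr(regs[in->rs], in->imm, in->me);  break;
    case OP_ORI:    regs[in->rd] = ppc_ori(regs[in->rs], (uint16_t)in->imm);   break;
    case OP_ORIS:   regs[in->rd] = ppc_oris(regs[in->rs], (uint16_t)in->imm);  break;
    }
}

/* The post's four-instruction listing (constructed inline); returns r3. */
static uint64_t run_listing(void)
{
    static const struct ppc_insn listing[] = {
        { OP_LIS,    3, 0, 0x1234, 0  },   /* lis    %r3, 0x1234      */
        { OP_RLDICR, 3, 3, 32,     31 },   /* rldicr %r3, %r3, 32,31  */
        { OP_ORIS,   3, 3, 0x3D,   0  },   /* oris   %r3, %r3, 0x3D   */
        { OP_ORI,    3, 3, 0xCBA9, 0  },   /* ori    %r3, %r3, 0xCBA9 */
    };
    uint64_t regs[32] = { 0 };
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++)
        ppc_step(regs, &listing[i]);
    return regs[3];
}

int main(void)
{
    printf("r3 = 0x%016llX\n", (unsigned long long)run_listing());
    /* the sign-extension corner case of lis, which the rotate by 32 discards */
    printf("lis 0x8000 -> 0x%016llX, after rldicr 32,31 -> 0x%016llX\n",
           (unsigned long long)ppc_lis(0x8000),
           (unsigned long long)ppc_rldicr(ppc_lis(0x8000), 32, 31));
    return 0;
}
```

The second line of output is the check a practitioner wants: with a negative-looking immediate lis leaves ones in the upper half, but the rotate-and-clear pushes exactly those bits into the half that gets masked, so the four-instruction sequence still produces the intended 64-bit constant.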

Last word and the next part


First of all, every instruction can be replaced with one or two lines of C code. That is all there is to it, and reading the resulting C is just reading a normal programming language. The big problem while reversing is to gather the starting information, and that comes with experience. Those four lines were a common example, but like in software engineering, small examples are easy to do; the big picture is the troublesome part. We need to start somewhere, or am I wrong? The next part will show some stack operations. So if you want to prepare yourself a bit, learn what a stack is and how local function variables are stored on it. Stay tuned, KDSBest

IMPORTANT: If you have any question I will always answer it on Twitter (the fastest way to get in touch with me). I am a nice guy, don't fear me ;). There are no dumb questions. I try to answer them all: https://twitter.com/KDSBest

http://www.kdsbest.com/?p=268