Van's House : Reverse Engineeringhttp://blogs.msdn.com/xiangfan/archive/tags/Reverse+Engineering/default.aspxTags: Reverse Engineeringen-USCommunityServer 2.1 SP1 (Build: 61025.2)IDA Pro 5.3 Demo is releasedhttp://blogs.msdn.com/xiangfan/archive/2008/10/05/ida-pro-5-3-demo-is-released.aspxSun, 05 Oct 2008 18:20:28 GMT91d46819-8472-40ad-a661-2c78acb4018c:8977076xiangfan1http://blogs.msdn.com/xiangfan/comments/8977076.aspxhttp://blogs.msdn.com/xiangfan/commentrss.aspx?PostID=8977076<p><a href="http://www.hex-rays.com/idapro/" target="_blank">IDA Pro</a> is the world-class disassembler. It's a very useful reverse engineering tool.</p> <p>Now the demo of the newest version 5.3 is available: <a title="IDA Pro 5.3 demo download" href="http://www.hex-rays.com/idapro/idadowndemo.htm" target="_blank">IDA Pro 5.3 demo download</a></p> <p>You can also try the freeware version (a little out of date): <a title="IDA Pro 4.9 Freeware" href="http://www.hex-rays.com/idapro/idadownfreeware.htm" target="_blank">IDA Pro 4.9 Freeware</a></p><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8977076" width="1" height="1">Reverse EngineeringObfuscate your codehttp://blogs.msdn.com/xiangfan/archive/2008/09/16/obfuscate-your-code.aspxWed, 17 Sep 2008 01:49:24 GMT91d46819-8472-40ad-a661-2c78acb4018c:8954499xiangfan1http://blogs.msdn.com/xiangfan/comments/8954499.aspxhttp://blogs.msdn.com/xiangfan/commentrss.aspx?PostID=8954499<p>Obfuscation is widely used to protect your code from reverse engineering.<br>Here is one example which takes advantage of indirected call and opcode overlap in X86: <p><span style="color: rgb(0,0,255)">__declspec</span>(<span style="color: rgb(0,0,255)">naked</span>)<br><span style="color: rgb(0,0,255)">void</span> Fun1()<br>{<br>&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: rgb(0,0,255)">__asm </span>{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: rgb(0,128,0)">//obfuscation chunk</span><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call LABEL1<br>LABEL1:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pop eax<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax, 6<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jmp eax<br>&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: rgb(0,128,0)">//real function body</span><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret<br>&nbsp;&nbsp;&nbsp;&nbsp; }<br>}<br>&nbsp;<br><span style="color: rgb(0,0,255)">__declspec</span>(<span style="color: rgb(0,0,255)">naked</span>)<br><span style="color: rgb(0,0,255)">void</span> Fun2()<br>{<br>&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: rgb(0,0,255)">__asm</span> {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: rgb(0,128,0)">//obfuscation chunk</span><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call LABEL1<br>LABEL1:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pop eax<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax, 7<br><span style="color: rgb(0,128,0)">/*</span><br><span style="color: rgb(0,128,0)">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jmp -1</span><br><span style="color: rgb(0,128,0)">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jmp eax (merged with the previous instruction) 0xEB 0xFF 0xFF 0xE0 -&gt; 0xEB 0xFF 0xE0</span><br><span style="color: rgb(0,128,0)">*/</span><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; __emit 0xEB<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; __emit 0xFF<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; __emit 0xE0<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: rgb(0,128,0)">//real function body</span><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret <br>&nbsp;&nbsp;&nbsp;&nbsp; }<br>}<br><br><span style="color: rgb(0,0,255)">int</span> main()<br>{<br><span style="color: rgb(0,0,255)">#if</span> 0<br><span style="color: rgb(128,128,128)">&nbsp;&nbsp;&nbsp;&nbsp; Fun1();</span><br><span style="color: rgb(0,0,255)">#else</span><br>&nbsp;&nbsp;&nbsp;&nbsp; Fun2();<br><span style="color: rgb(0,0,255)">#endif</span><br>}<br> <p>In Fun1, the obfuscation chunk do the following work:</p> <ul> <li>Get the current EIP (LABEL1) <li>Adjust the EIP to the target function <li>Jump to the target</li></ul> <p>In Fun2, it merges the two jump instructions which will confuse the disassembler. To make the analysis even harder, we can rely on the fact that “add eax, 7” (assume the real function body is after our obfuscation chunk) will never overflow, and replace “jmp –1” with “jno -1”. Or we can use more complicated arithmetic to compute the target address.</p> <p>Other kinds of obfuscations include:</p> <ul> <li>API Call Obfuscation (LoadLibrary+Encrypted Parameter)</li> <li>Data Encryption (String Literal)</li> <li>Code CheckSum + AntiDebugger</li> <li>Dynamic Data Extraction</li></ul><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8954499" width="1" height="1">C++Reverse Engineering