Reverse Engineering for Beginner

Code Patterns
	The method
	Some basics
		A short introduction to the CPU
		Numeral Systems
		Converting From One Radix To Another
	An Empty Function
		x86
		ARM
		MIPS
		Empty Functions in Practice
	Returning Values
		x86
		ARM
		MIPS
	Hello, world!
		x86
		x86-64
		ARM
		MIPS
		Conclusion
		Exercises
	Function prologue and epilogue
		Recursion
	An Empty Function: redux
	Returning Values: redux
	Stack
		Why does the stack grow backwards?
		What is the stack used for?
		A typical stack layout
		Noise in stack
		Exercises
	Almost empty function
	printf() with several arguments
		x86
		ARM
		MIPS
		Conclusion
		By the way
	scanf()
		Simple example
		The classic mistake
		Global variables
		scanf()
		Exercise
	Worth noting: global vs. local variables
	Accessing passed arguments
		x86
		x64
		ARM
		MIPS
	More about results returning
		Attempt to use the result of a function returning void
		What if we do not use the function result?
		Returning a structure
	Pointers
		Returning values
		Swap input values
	GOTO operator
		Dead code
		Exercise
	Conditional jumps
		Simple example
		Calculating absolute value
		Ternary conditional operator
		Getting minimal and maximal values
		Conclusion
		Exercise
	Software cracking
	Impossible shutdown practical joke (Windows 7)
	switch()/case/default
		Small number of cases
		A lot of cases
		When there are several case statements in one block
		Fall-through
		Exercises
	Loops
		Simple example
		Memory blocks copying routine
		Condition check
		Conclusion
		Exercises
	More about strings
		strlen()
		Boundaries of strings
	Replacing arithmetic instructions to other ones
		Multiplication
		Division
		Exercise
	Floating-point unit
		IEEE 754
		x86
		ARM, MIPS, x86/x64 SIMD
		C/C++
		Simple example
		Passing floating point numbers via arguments
		Comparison example
		Some constants
		Copying
		Stack, calculators and reverse Polish notation
		80 bits?
		x64
		Exercises
	Arrays
		Simple example
		Buffer overflow
		Buffer overflow protection methods
		One more word about arrays
		Array of pointers to strings
		Multidimensional arrays
		Pack of strings as a two-dimensional array
		Conclusion
		Exercises
	Example: a bug in Angband
	Manipulating specific bit(s)
		Specific bit checking
		Setting and clearing specific bits
		Shifts
		Setting and clearing specific bits: FPU example
		Counting bits set to 1
		Conclusion
		Exercises
	Linear congruential generator
		x86
		x64
		32-bit ARM
		MIPS
		Thread-safe version of the example
	Structures
		MSVC: SYSTEMTIME example
		Let's allocate space for a structure using malloc()
		UNIX: struct tm
		Fields packing in structure
		Nested structures
		Bit fields in a structure
		Exercises
	The classic struct bug
	Unions
		Pseudo-random number generator example
		Calculating machine epsilon
		FSCALE instruction replacement
		Fast square root calculation
	Pointers to functions
		MSVC
		GCC
		Danger of pointers to functions
	64-bit values in 32-bit environment
		Returning of 64-bit value
		Arguments passing, addition, subtraction
		Multiplication, division
		Shifting right
		Converting 32-bit value into 64-bit one
	LARGE_INTEGER structure case
	SIMD
		Vectorization
		SIMD strlen() implementation
	64 bits
		x86-64
		ARM
		Float point numbers
		64-bit architecture criticism
	Working with floating point numbers using SIMD
		Simple example
		Passing floating point number via arguments
		Comparison example
		Calculating machine epsilon: x64 and SIMD
		Pseudo-random number generator example revisited
		Summary
	ARM-specific details
		Number sign (#) before number
		Addressing modes
		Loading a constant into a register
		Relocs in ARM64
	MIPS-specific details
		Loading a 32-bit constant into register
		Further reading about MIPS
Important fundamentals
	Integral datatypes
		Bit
		Nibble AKA nybble
		Byte
		Wide char
		Signed integer vs unsigned
		Word
		Address register
		Numbers
		AND/OR/XOR as MOV
	Endianness
		Big-endian
		Little-endian
		Example
		Bi-endian
		Converting data
	Memory
	CPU
		Branch predictors
		Data dependencies
	Hash functions
		How do one-way functions work?
Slightly more advanced examples
	Zero register
	Double negation
	const correctness
		Overlapping const strings
	strstr() example
	qsort() revisited
	Temperature converting
		Integer values
		Floating-point values
	Fibonacci numbers
		Example #1
		Example #2
		Summary
	CRC32 calculation example
	Network address calculation example
		calc_network_address()
		form_IP()
		print_as_IP()
		form_netmask() and set_bit()
		Summary
	Loops: several iterators
		Three iterators
		Two iterators
		Intel C++ 2011 case
	Duff's device
		Should one use unrolled loops?
	Division using multiplication
		x86
		How it works
		ARM
		MIPS
		Exercise
	String to number conversion (atoi())
		Simple example
		A slightly advanced example
		Exercise
	Inline functions
		Strings and memory functions
	C99 restrict
	Branchless abs() function
		Optimizing GCC 4.9.1 x64
		Optimizing GCC 4.9 ARM64
	Variadic functions
		Computing arithmetic mean
		vprintf() function case
		Pin case
		Format string exploit
	Strings trimming
		x64: Optimizing MSVC 2013
		x64: Non-optimizing GCC 4.9.1
		x64: Optimizing GCC 4.9.1
		ARM64: Non-optimizing GCC (Linaro) 4.9
		ARM64: Optimizing GCC (Linaro) 4.9
		ARM: Optimizing Keil 6/2013 (ARM mode)
		ARM: Optimizing Keil 6/2013 (Thumb mode)
		MIPS
	toupper() function
		x64
		ARM
		Using bit operations
		Summary
	Obfuscation
		Text strings
		Executable code
		Virtual machine / pseudo-code
		Other things to mention
		Exercise
	C++
		Classes
		ostream
		References
		STL
		Memory
	Negative array indices
		Addressing string from the end
		Addressing some kind of block from the end
		Arrays started at 1
	More about pointers
		Working with addresses instead of pointers
		Passing values as pointers; tagged unions
		Pointers abuse in Windows kernel
		Null pointers
		Array as function argument
		Pointer to a function
		Pointer to a function: copy protection
		Pointer to a function: a common bug (or typo)
		Pointer as object identificator
		Oracle RDBMS and a simple garbage collector for C/C++
	Loop optimizations
		Weird loop optimization
		Another loop optimization
	More about structures
		Sometimes a C structure can be used instead of array
		Unsized array in C structure
		Version of C structure
		High-score file in "Block out" game and primitive serialization
	memmove() and memcpy()
		Anti-debugging trick
	setjmp/longjmp
	Other weird stack hacks
		Accessing arguments/local variables of caller
		Returning string
	OpenMP
		MSVC
		GCC
	Signed division using shifts
	Another heisenbug
	The case of forgotten return
	Homework: more about function pointers and unions
	Windows 16-bit
		Example#1
		Example #2
		Example #3
		Example #4
		Example #5
		Example #6
Java
	Java
		Introduction
		Returning a value
		Simple calculating functions
		JVM memory model
		Simple function calling
		Calling beep()
		Linear congruential PRNG
		Conditional jumps
		Passing arguments
		Bitfields
		Loops
		switch()
		Arrays
		Strings
		Exceptions
		Classes
		Simple patching
		Summary
Finding important/interesting stuff in the code
	Identification of executable files
		Microsoft Visual C++
		GCC
		Intel Fortran
		Watcom, OpenWatcom
		Borland
		Other known DLLs
	Communication with outer world (function level)
	Communication with the outer world (win32)
		Often used functions in the Windows API
		Extending trial period
		Removing nag dialog box
		tracer: Intercepting all functions in specific module
	Strings
		Text strings
		Finding strings in binary
		Error/debug messages
		Suspicious magic strings
	Calls to assert()
	Constants
		Magic numbers
		Specific constants
		Searching for constants
	Finding the right instructions
	Suspicious code patterns
		XOR instructions
		Hand-written assembly code
	Using magic numbers while tracing
	Loops
		Some binary file patterns
		Memory "snapshots" comparing
	ISA detection
		Incorrectly disassembled code
		Correctly disassembled code
	Other things
		General idea
		Order of functions in binary code
		Tiny functions
		C++
		Crash on purpose
OS-specific
	Arguments passing methods (calling conventions)
		cdecl
		stdcall
		fastcall
		thiscall
		x86-64
		Return values of float and double type
		Modifying arguments
		Taking a pointer to function argument
		Python ctypes problem (x86 assembly homework)
		Cdecl example: a DLL
	Thread Local Storage
		Linear congruential generator revisited
	System calls (syscall-s)
		Linux
		Windows
	Linux
		Position-independent code
		LD_PRELOAD hack in Linux
	Windows NT
		CRT (win32)
		Win32 PE
		Windows SEH
		Windows NT: Critical section
Tools
	Binary analysis
		Disassemblers
		Decompilers
		Patch comparison/diffing
	Live analysis
		Debuggers
		Library calls tracing
		System calls tracing
		Network sniffing
		Sysinternals
		Valgrind
		Emulators
	Other tools
		SMT solvers
		Calculators
	Do You Think Something Is Missing Here?
Case studies
	Mahjong solitaire prank (Windows 7)
	Task manager practical joke (Windows Vista)
		Using LEA to load values
	Color Lines game practical joke
	Minesweeper (Windows XP)
		Finding grid automatically
		Exercises
	Hacking Windows clock
	(Windows 7) Solitaire: practical jokes
		51 cards
		53 cards
	FreeCell prank (Windows 7)
		Part I
		Part II: breaking the Select Game submenu
	Dongles
		Example #1: MacOS Classic and PowerPC
		Example #2: SCO OpenServer
		Example #3: MS-DOS
	Encrypted database case #1
		Base64 and entropy
		Is data compressed?
		Is data encrypted?
		CryptoPP
		Cipher Feedback mode
		Initializing Vector
		Structure of the buffer
		Noise at the end
		Conclusion
		Post Scriptum: brute-forcing IV
	Overclocking Cointerra Bitcoin miner
	Breaking simple executable code encryptor
		Other ideas to consider
	SAP
		About SAP client network traffic compression
		SAP 6.0 password checking functions
	Oracle RDBMS
		V$VERSION table in the Oracle RDBMS
		X$KSMLRU table in Oracle RDBMS
		V$TIMER table in Oracle RDBMS
	Handwritten assembly code
		EICAR test file
	Demos
		10 PRINT CHR$(205.5+RND(1)); : GOTO 10
		Mandelbrot set
	A nasty bug in MSVCRT.DLL
	Other examples
Examples of reversing proprietary file formats
	Primitive XOR-encryption
		Simplest ever XOR encryption
		Norton Guide: simplest possible 1-byte XOR encryption
		Simplest possible 4-byte XOR encryption
		Simple encryption using XOR mask
		Simple encryption using XOR mask, case II
		Homework
	Information entropy
		Analyzing entropy in Mathematica
		Conclusion
		Tools
		A word about primitive encryption like XORing
		More about entropy of executable code
		PRNG
		More examples
		Entropy of various files
		Making lower level of entropy
	Millenium game save file
	fortune program indexing file
		Hacking
		The files
	Oracle RDBMS: .SYM-files
	Oracle RDBMS: .MSB-files
		Summary
	Exercises
	Further reading
Dynamic binary instrumentation
	Using PIN DBI for XOR interception
	Cracking Minesweeper with PIN
		Intercepting all rand() calls
		Replacing rand() calls with our function
		Peeking into placement of mines
		Exercise
	Building Intel Pin
	Why ``instrumentation''?
Other things
	Using IMUL over MUL
		MulDiv() function in Windows
	Executable files patching
		x86 code
	Function arguments number statistics
	Compiler intrinsic
	Compiler's anomalies
		Oracle RDBMS 11.2 and Intel C++ 10.1
		MSVC 6.0
		ftol2() in MSVC 2012
		Summary
	Itanium
	8086 memory model
	Basic blocks reordering
		Profile-guided optimization
	My experience with Hex-Rays 2.2.0
		Bugs
		Odd peculiarities
		Silence
		Comma
		Data types
		Long and messed expressions
		De Morgan's laws and decompilation
		My plan
		Summary
	Cyclomatic complexity
Books/blogs worth reading
	Books and other materials
		Reverse Engineering
		Windows
		C/C++
		x86 / x86-64
		ARM
		Assembly language
		Java
		UNIX
		Programming in general
		Cryptography
		Something even easier
Communities
Afterword
	Questions?
Appendix
	x86
		Terminology
		General purpose registers
		FPU registers
		SIMD registers
		Debugging registers
		Instructions
		npad
	ARM
		Terminology
		Versions
		32-bit ARM (AArch32)
		64-bit ARM (AArch64)
		Instructions
	MIPS
		Registers
		Instructions
	Some GCC library functions
	Some MSVC library functions
	Cheatsheets
		IDA
		OllyDbg
		MSVC
		GCC
		GDB
Acronyms Used
Glossary
Index