A name is simply an alias for a certain virtual address. Once the debugger is set, the green debugging arrow should be activated. Usually, each referenced location in the executable will have a name. If you don't know what an API function does, you can look it up in the MSDN Win API reference guide. We can switch between different locations in the listing view or within the graph view; both views represent the same code at any given time.
A program displays some string either to carry on its execution or to help the user control the execution. Any file loader that recognizes the analyzed file will be presented, and we will be able to choose any of them. Also, take a look at the same memory location in the disassembly view; we can see that the start name is indeed located at the specified location, as shown in the picture below: We also need to mention the different colors and letters present in each line of the Names window. Generally speaking, there is one fundamental reversing methodology: offline analysis, which is all about taking a binary executable and using a disassembler to convert the machine code into a human-readable form. The Functions window is used solely to display the names of the functions.
Then we have to move ahead manually by pressing Step Into (F7) until we reach the jump instruction. In this post, we will learn how to use the to disassemble, debug, and crack a simple crackMe program. Enums The Enums window lists all the enum data types found in the executable. Now we can say that aHardcoded contains our hardcoded password, because the application compares this string against the string entered by the user. The arrows are of different colors and can be solid or dashed. If we look at the graph and the listing view more carefully, we can see that the listing view also presents the virtual addresses where certain instructions are located, while the graph view hides them.
Then we enter a simple computation whose logic we have to reverse. It will also recognize the architecture the executable was compiled against. In Python, we can replicate this decryption as such: 'urlmon. This is normally the case for every executable, since each executable must contain its share of strings. Imports The Imports window lists all of the functions that the executable calls that are not contained in the executable itself.
After unzipping the target binary and running it, we see that in our scenario we have a piece of software that is asking for a passphrase or key to unlock it. Fortunately for us, this particular decryption function is quite simple. Cracking Reversing the Target So, the eax register value is of key interest to a reverser trying to subvert the password mechanism. The processor type specifies the processor module that will be used to disassemble the executable. If the user enters the correct information, they are able to proceed; otherwise, the program echoes a wrong-password message on the screen.
The solid lines represent unconditional jumps, while the dashed lines represent conditional jumps. The following code can be used to identify the addresses of the references to the decryption function. Now we can easily identify where particular strings are being referenced. For this purpose, we can move the dashed rectangle in the graph overview by dragging it to reach a specific segment, as follows: Figure 1.
The toolbar area provides shortcuts for the same actions we can find in the menu itself. For several years, he has been researching Reverse Engineering, Secure Source Coding, Advanced Software Debugging, Vulnerability Assessment, System Programming and Exploit Development. In our case, we pick Local Win32 debugger, as follows: Figure 1. This saves us time and money when analyzing malicious files. We will discuss byte patching in detail in the next article.
So we will have to deal with this common anti-debugging technique. On the right, we can see the overview graph presenting the same beginning of the program. The disassembler merely decodes each instruction and creates a textual representation of the code. Next, place a breakpoint on the eax instruction by pressing F2. In our case, it was the pe. The instruction will be highlighted in a red box, as follows: Figure 1. We can also see that different colors are used for different parts of the memory; this depends on the type of data or code being loaded into that area.