° » Ê |ÀÆ» - Beginners · other skill, one should learn whole lifetime, so this book is...
Transcript of ° » Ê |ÀÆ» - Beginners · other skill, one should learn whole lifetime, so this book is...
-
:
-
: Yurichev, Dennis
: /. : : 1395. : 1266 .. :
: :978-600-8201-24-3 850000 :
: : Reverse engineering for beginners : : Reverse engineering
: 1365 - : TA168/5/ 9 9 1395 : 620/00420285
: 4473995
: : :
: : 95 :500 : : :85000 : 3-24-6529-600-978
* *
: 14 16 www.pendarepars.com
: 66572335 - :66926578 :09122452348 [email protected]
-
( ) :
" I was very happy to work with Iranian publisher PPendarePars, because of so smooth process. I would recommend them to other technical writers. I also obligor of MMohsen Mostafa Jokar, who was translator to PPersian language. Reverse engineering may be critical skill not in very near future, but right now, if we would keep focus on notorious attacks on nuclear facilities and other well-known organizations. As it seems, cyberwar is real and we are fighting right now. It's not possible to analyze malware, backdoors, vulnerabilities and so on without Reverse engineering knowledge. Reverse engineering is also may be applied to more peaceful activities like learning how things are done and how to hack and improve them. I personally started as curios hacker and I got to know a huge part of my knowledge in this way. I hope my humble introduction will help you to start learning it. Like any other skill, one should learn whole lifetime, so this book is only start of never ending journey. Hope, you'll like it!" -- Dennis Yurichev
-
.
.
.
.
. .
95
-
.............................................................................................................................................. 2 ....................................................................................... 7 1 CPU ............................................................................ 9
.................................................................................................................................... 9 1-1 ISA ........................................................................................ 10
2 .......................................................................................... 11 1-2 x86 ......................................................................................................................................... 11 2-2 ARM ...................................................................................................................................... 11 3-2 MIPS ..................................................................................................................................... 12
3 ! ............................................................................................. 13 1-3 x86 ...................................................................................................................................... 13 2-3 x86-64 .............................................................................................................................. 18 3-3 GCC – ........................................................................................................ 20 4-3 ARM ................................................................................................................................... 22
thunk ............................................................................................ 28 5-3 MIPS ..................................................................................................................................... 31 6-3 ........................................................................................................................................ 38 7-3 .................................................................................................................................... 38
4 ........................................................................................ 39 1-4 .................................................................................................................................. 39
5 .................................................................................................... 41 1-5 ...................................................................................... 41 2-5 ..................................................................................... 42 3-5 ....................................................................................................................... 48 4-5 .......................................................................................................................... 48 5-5 .................................................................................................................................... 51
6 Printf() ......................................................................... 55 1-6 x86 ......................................................................................................................................... 55 2-6 ARM ...................................................................................................................................... 67 3-6 MIPS ..................................................................................................................................... 75 4-6 ................................................................................................................................. 83 5-6 .............................................................................................................................. 84
7 Scanf() .............................................................................................. 87 1-7 ............................................................................................................................ 87
MSVC ............................................................................................................................................. 88 2-7 .................................................................................................................... 98
-
................................................................................................................. 107 3-7 scanf() .............................................................................................. 109 4-7 ................................................................................................................................... 122
8 .......................................................... 123 1- 8x86 ........................................................................................................................................ 123 2-8 x64 ....................................................................................................................................... 126 3-8 ARM ..................................................................................................................................... 130 4-8 MIPS .................................................................................................................................... 134
9 .............................................................. 137 1-9 void ......................................... 137 2-9 ....................................................................... 138 3-9 ............................................................................................................... 139
10 ............................................................................................ 141 1-10 ...................................................................................... 141 2-10 ........................................................................................... 144 3-10 ..................................................................................................................................... 147
11 GOTO ..................................................................................... 149 1-11 ................................................................................................................................. 151 2-11 .................................................................................................................................... 151
12 .................................................................................... 153 1-12 ......................................................................................................................... 153
x86 + MSVC + OllyDbg .................................................................................................... 156 x86 + MSVC + Hiew ........................................................................................................... 159
2-12 ........................................................................................... 170 3-12 .......................................................................................................... 173 4-12 ................................................................................................ 177 5-12 ............................................................................................................................ 183 6-12 .................................................................................................................................... 185
13 SWITCH()/CASE/DEFAULT ............................................................................................... 187 1-13 case ......................................................................................................... 187
OllyDbg ...................................................................................................................................... 190 13-13 ARM :Keil 6/2013 ) Thumb( ......................................... 195 2-13 case ............................................................................................................ 199 3-13 case .................................................. 211 4-13 ............................................................................................................................... 217 5-13 .................................................................................................................................... 219
14 ................................................................................................................................................. 221 1-14 .................................................................................................................. 221 2-14 ................................................................................................ 233 3-14 ..................................................................................................................................... 237 4-14 ................................................................................................................................. 239
-
15 C ............................................................................................................. 245 1-15 strlen() ............................................................................................................................. 245
ARM64 ........................................................................................................................................ 253 2-15 ................................................................................................................................. 255
16 ....................................................................... 259 1-16 ..................................................................................................................................... 259 2-16 .................................................................................................................................... 265 3-16 ................................................................................................................................. 267
17 .......................................................................................................................... 269 1-17 IEEE 754 .......................................................................................................................... 269 2-17 x86 ...................................................................................................................................... 269 3-17 ARM, MIPS, x86/x64 SIMD ............................................................................... 269 4-17 C\C++ ................................................................................................................................ 270 5-17 ......................................................................................................................... 270 6-17 ................................................................. 281 7-17 ...................................................................................................... 285 8-17 .......................................................... 314 9-17 x64 ...................................................................................................................................... 314
10-17 .............................................................................................................................. 314 18 ................................................................................................................................................. 317
1-18 ......................................................................................................................... 317 2-18 .............................................................................................................................. 326 3-18 ............................................................................................ 333 4-18 ............................................................................................ 337 5-18 ................................................................................................ 338 6-18 ............................................................................................................... 347 7-18 ............................................................... 356 8-18 ............................................................................................................................ 361 9-18 ................................................................................................................................. 361
19 ...................................................................................................................... 379 1-19 .................................................................................................................... 379 2-19 ........................................................................................... 384 3-19 ................................................................................................................................... 392 4-19 : FPU .................................................................. 392 5-19 ......................................................................... 399
GCC 4.8.2 ...................................................................................................... 406 6-19 ..................................................................................................................................... 414 7-19 ................................................................................................................................. 416
20 ...................................................... 425 1-20 x86 ................................................................................................................................... 426 2-20 x64 .................................................................................................................................... 427
-
3-20 ARM32 ................................................................................................................... 428 4-20 MIPS ................................................................................................................................. 429 5-20 .................................................................................... 431
21 ................................................................................................................................................. 433 1-21 MSVC : SYSTEMTIME ...................................................................................... 433 2-21 malloc() ..................................................................... 437 3-21UNIX : struct tm .......................................................................................................... 440 4-21 Field packing ............................................................................................... 453
OllyDbg+ 1 ....................................................................... 457 5-21 ................................................................................................................. 461 6-21 ................................................................................................. 464
MSVC ........................................................................................................................................... 465 MSVC + OllyDbg ................................................................................................................... 467
GCC ............................................................................................................................................... 468 7-21 ............................................................................................................................... 473
22 .................................................................................................................................................... 479 1-22 ...................................................................... 479 1-1-22 x86 .............................................................................................................................. 481 2-22 .......................................................................................................... 485 3-22 ................................................................................................ 488
23 .................................................................................................................................... 489 1-23 MSVC ................................................................................................................................ 490 2-23 GCC .................................................................................................................................... 496
24 64 32 ...................................................................................................... 503 1-24 64 .......................................................................................................... 503 2-24 ......................................................................................... 504 3-24 ......................................................................................................................... 509 4-24 ...................................................................................................................... 513 5-24 32 64 ..................................................................................... 515
25 SIMD ............................................................................................................................................... 517 1-25 .............................................................................................................................. 518
Intel C++ .................................................................................................................................... 519 2-25 strlen() SIMD ................................................................................. 530
26 64 ................................................................................................................................................ 535 1-26 x86-64 .......................................................................................................................... 535 2-26 ARM ............................................................................................................................... 544 3-26 .................................................................................................................... 544
27 SIMD .......................................................................... 545 1-27 ......................................................................................................................... 545 2-27 ................................................................... 550 3-27 ...................................................................................................... 552
-
4-27 x64 SIMD .............................................................................. 554 5-27 ..................................... 555 6-27 ................................................................................................................................... 556
28 ARM ..................................................................................................................... 557 1-28 )# ( ............................................................................................ 557 2-28 .................................................................................................................. 557 3-28 ......................................................................................... 558 4-28 Relocs ARM64 ...................................................................................................... 560
29 MIPS ................................................................................................................ 563 1-29 ...................................................................................................... 563 2-29 MIPS .......................................................................................... 563
2 ............................................................................................................................................ 565 30 ......................................................................................................................... 567 31 ENDIANNESS ............................................................................................................................. 569
1-31 Big-endian ..................................................................................................................... 569 2-31 Little-endian ............................................................................................................. 569 3-31 ....................................................................................................................................... 569 4-31 Bi-endian .................................................................................................................. 570 5-31 ......................................................................................................................... 570
32 .................................................................................................................................................. 571 33 CPU .................................................................................................................................................. 573
1-33 ...................................................................................................................... 573 2-33 ....................................................................................................................... 573
34 ............................................................................................................................................ 575 1-34 ......................................................................................... 575
3 ............................................................................................................................. 577 35 ............................................................................................................................................. 579
1-35 ...................................................................................................... 579 2-35 ..................................................................................................................... 582
36 ..................................................................................................................................... 585 1-36 1 ................................................................................................................................... 585 2-36 2 .................................................................................................................................. 588 3-36 ................................................................................................................................. 591
37 CRC32 ................................................................................................................ 593 38 ......................................................................................................... 599
1-38 calc_network_address() ..................................................................................... 601 2-38 form_IP() ........................................................................................................................ 602 3-38 print_as_IP() ............................................................................................................. 604 4-38 form_netmask() set_bit() ............................................................................. 605 5-38 ................................................................................................................................... 606
39 : ............................................................................................................................. 607
-
1-39 ....................................................................................................................... 607 2-39 ........................................................................................................................ 608 3-39 Intel C++ 2011 ............................................................................................................ 610
40 DUFF’S ............................................................................................................................. 613 41 9 .......................................................................................................................................... 617
1-41 x86 ................................................................................................................................... 617 2-41 ARM ................................................................................................................................... 618 3-41 MIPS ............................................................................................................................... 620 4-41 ............................................................................................................. 621 5-41 ............................................................................................................. 623 6-41 1 .............................................................................................................................. 624
42 (ATOI()) ........................................................................................................ 627 1-42 ....................................................................................................................... 627 1-1-42 MSVC 2013 x64 ........................................................................ 628 2-42 ............................................................................................................. 631 3-42 .................................................................................................................................... 635
43 ............................................................................................................................ 637 1-43 ........................................................................................................... 638
44 C99 ........................................................................................................................... 649 45 ABS() ................................................................................................................... 653
1-45 GCC 4.9.1 x64 ................................................................................. 653 2-45 GCC 4.9 ARM64 ............................................................................. 654
46 VARIADIC ........................................................................................................................... 655 1-46 ................................................................................................. 655 2-46 vprintf() ................................................................................................................. 659
47 ........................................................................................................................................ 661 1-47 x64: MSVC 2013 ........................................................................... 662 2-47 x64: GCC 4.9.1 .............................................................................. 664 3-47 x64: GCC 4.9.1 ................................................................................ 666 4-47 ARM64: GCC (Linaro) 4.9 .................................................... 667 5-47 ARM64: GCC (Linaro) 4.9 ....................................................... 669 6-47 ARM :Keil 6/2013 ) ARM( .............................................. 670 7-47 ARM: Keil 6/2013 ) Thumb( ......................................... 670 8-47 MIPS ............................................................................................................................... 671
48 TOUPPER() ......................................................................................................................... 673 1-48 x64 ................................................................................................................................... 673 2-48 ARM ................................................................................................................................ 675 3-48 ............................................................................................................................... 676
49 DISASSEMBLE .............................................................................................. 677 1-49 disassemble )x86( ......................................................... 677 2-49 disassemble ................................ 678
-
50 ........................................................................................................................................... 683 1-50 ...................................................................................................................... 683 2-50 ........................................................................................................................... 684 3-50 / ...................................................................................................... 686 4-50 ................................................................................................ 686 5-50 .............................................................................................................................. 686
51 C++ ................................................................................................................................................... 687 1-51 ............................................................................................................................ 687
MSVC—x86 ............................................................................................................................. 688 MSVC—x86-64 ..................................................................................................................... 691
2-51 ostream ..................................................................................................................... 709 3-51 .................................................................................................................................... 710 4-51 STL .................................................................................................................................. 711
52 ....................................................................................................................... 757 53 16 ................................................................................................................................... 761
1-53 1 .................................................................................................................................. 761 2-53 2 ................................................................................................................................... 762 3-53 3 .................................................................................................................................. 763 4-53 4 .................................................................................................................................. 764 5-53 5 .................................................................................................................................. 767 6-53 6 .................................................................................................................................. 772
4 JAVA ................................................................................................................................................ 777 54 ...................................................................................................................................................... 779
1-54 ................................................................................................................................... 779 2-54 .................................................................................................................... 780 3-54 ........................................................................................................... 785 4-54 JVM ............................................................................................................... 788 5-54 ................................................................................................................ 789 6-54 beep() ............................................................................................................. 791 7-54 ............................................................... 792 8-54 .................................................................................................................. 793 9-54 ............................................................................................................. 796
10-54 Bitfields ................................................................................................................... 797 11-54 ................................................................................................................................ 799 12-54 switch() .................................................................................................................... 802 13-54 ................................................................................................................................ 803 14-54 .............................................................................................................................. 814 15-54 ............................................................................................................................... 817 16-54 .......................................................................................................................... 822 17-54 .................................................................................................................... 824 18-54 ............................................................................................................................... 830
-
5 / .................................................................................................. 831 55 ................................................................................................................... 833
1-55 Microsoft Visual C++ ..................................................................................... 833 1-1-55 ........................................................................................................................ 834 2-2-55 Cygwin .................................................................................................................... 834 3-2-55 MinGW ................................................................................................................... 834 3-55 Intel FORTRAN ...................................................................................................... 834 4-55 Watcom, OpenWatcom ................................................................................ 834 1-4-55 ........................................................................................................................ 834
55.5 Borland ....................................................................................................................... 834 1-5-55 Delphi ....................................................................................................................... 835 6-55 DLL ................................................................................................ 837
56 (WIN32) ..................................................................................................... 839 1-56 Windows API .................................................. 839 2-56 tracer : ........................................................... 840
57 ................................................................................................................................................. 843 1-57 ................................................................................................................... 843 1-1-57 C\C++ .................................................................................................................... 843 2-1-57 Borland Delphi .................................................................................................. 844 3-1-57 Unicode ................................................................................................................... 844
UTF-8 ........................................................................................................................................... 844 UTF-16LE ................................................................................................................................... 845
4-1-57 Base64 ....................................................................................................................... 847 2-57 / .................................................................................................... 848 3-57 ................................................................................................. 848
58 ASSERT() ...................................................................................................................... 849 59 ................................................................................................................................................. 851
1-59 ......................................................................................................................... 852 1-1-59 DHCP ......................................................................................................................... 852 2-59 .......................................................................................................... 853
60 ................................................................................................................. 855 61 .......................................................................................................................... 857
1-61 XOR .................................................................................................................. 857 2-61 ............................................................................................ 857
62 ............................................................................................ 859 63 ...................................................................................................................................... 861
1-63 ............................................................................................................................ 861 2-63 C++ ..................................................................................................................................... 861 3-63 ............................................................................................. 861 4-63 ” ” ........................................................................................ 862 1-4-63 ............................................................................................................. 863
-
2-4-63 Blink-comparator .............................................................................................. 863 6 ........................................................................................................................... 865 64 ) ( .......................................................................... 867
1- 64 cdecl ....................................................................................................................... 867 2-64 stdcall ............................................................................................................................ 867 1-2-64 ....................................................................................... 868 3-64 fastcall ............................................................................................................................ 869 1-3-64 GCC regparm ....................................................................................................... 870 2-3-64 Watcom/OpenWatcom ............................................................................... 870 4-4-64 thiscall ..................................................................................................................... 870 5-64 x86-64 ............................................................................................................................. 871 1-5-64 Windows x64 ..................................................................................................... 871
Windows x64: this ) C\C++( ........................................................................ 873 2-5-64 Linux x64 ................................................................................................................ 874 6-64 float double .......................................................................... 874 7-64 .................................................................................................................. 875 8-64 .................................................................................... 876
65 ..................................................................................................................... 879 1-65 .................................................................................... 879 1-1-65 Win32 ....................................................................................................................... 880 2-1-65 ............................................................................................................................. 885
66 (SYSCALL-S) .................................................................................................... 887 1-66 ................................................................................................................................. 887 2-66 .................................................................................................................................... 888
67 ............................................................................................................................................... 889 1-67 ........................................................................................................... 889 1-1-67 ............................................................................................................................. 892 2-67 LD_PRELOAD ................................................................................. 893
68 WINDOWS NT .......................................................................................................................... 897 1-68 CRT (win32) .......................................................................................................... 897 2-68 Win32 PE ................................................................................................................... 901 3-68 Windows SEH ................................................................................................... 911 4-68: Windows NT Critical ................................................................................. 939
7 .................................................................................................................................................... 943 69 DISASSEMBLER ...................................................................................................................... 945
1-69 IDA .............................................................................................................................. 945 70 .................................................................................................................................................. 947
1-70 OllyDbg ......................................................................................................................... 947 2-70 GDB ................................................................................................................................ 947 3-70 tracer ............................................................................................................................ 947
71 SYSTEM CALL ............................................................................................................... 949
-
1-71 strace / dtruss ......................................................................................................... 949 72 DECOMPILER ............................................................................................................................ 951 73 ...................................................................................................................................... 953 8 ................................................................ 955 74 TASK MANAGER (WINDOWS VISTA) ............................................ 957
1-74 LEA ............................................................................... 961 75 COLOR LINES ......................................................................................... 963 76 MINESWEEPER (WINDOWS XP) .................................................................................. 967
1-76 ............................................................................................................................. 973 77 DECOMPILE + Z3 SMT ............................................................................. 975
1-77 decompile ........................................................................................................ 975 2-77 Z3 SMT ...................................................................................... 980
78 ............................................................................................................................................... 987 1-78 1 :MacOS Classic PowerPC .................................................................. 987 2-78 2 :SCO OpenServer ........................................................................................ 996 3-78 3 :MS-DOS ....................................................................................................... 1010
79 “QR9 :” ........................................... 1019 80 SAP ................................................................................................................................................ 1059
1-80 SAP .......................................... 1059 2-80 SAP 6.0 ................................................................................. 1074
81 ORACLE RDBMS ................................................................................................................... 1081 1-81 V$VERSION Oracle RDBMS ......................................................... 1081 2-81 X$KSMLRU Oracle RDBMS ......................................................... 1091 3-81 V$TIMER Oracle RDBMS .............................................................. 1094
82 ............................................................................................ 1099 1-82 EICAR .................................................................................................... 1099
83 DEMOS ....................................................................................................................................... 1101 1-83 10 PRINT CHR$(205.5+RND(1)); : GOTO 10 ..................................... 1101 2-83 ............................................................................................................. 1105
9 .................................................................... 1117 84 XOR .................................................................................................................. 1119
1-84 XOR ............................... 1119 2-84 4 XOR ............................................................. 1121
85 MILLENIUM .................................................................... 1125 86 ORACLE RDBMS : .SYM ................................................................................. 1131 87 ORACLE RDBMS : .MSB .................................................................................. 1141
1-87 ................................................................................................................................ 1145 10 .................................................................................................................................... 1147 88 NPAD ........................................................................................................................................... 1149 89 .......................................................................................................... 1151
1-89 .................................................................................................................. 1151
-
2-89 x86 .......................................................................................................................... 1151 90 .................................................................................................................................. 1153 91 ............................................................................................................................ 1155 92 OPENMP ................................................................................................................................... 1157
1-92 MSVC ...................................................................................................................... 1159 2-92 GCC ........................................................................................................................... 1162
93 ITANIUM ................................................................................................................................... 1165 94 8086 .................................................................................................................... 1169 95 ........................................................................................... 1171
1-95 Profile-guided ..................................................................................... 1171 11 / ......................................................................................... 1173 96 ............................................................................................................................................. 1175
1-96 ............................................................................................................................ 1175 2-96 C\C++ ............................................................................................................................. 1175 3-96 x86 / x86-64 .......................................................................................................... 1175 4-96 ARM ............................................................................................................................. 1175 5-96 ........................................................................................................................ 1176
97 ............................................................................................................................................. 1177 1-97 ................................................................................................................................. 1177
98 ....................................................................................................................................... 1179 99 .............................................................................................................................................. 1181
A X86 ............................................................................................................................................. 1183 A-1 ........................................................................................................................... 1183 A-2 ....................................................................................................... 1183
A-2-1 RAX/EAX/AX/AL .................................................................................................. 1184 A-2-2 RBX/EBX/BX/BL .................................................................................... 1184 A-2-3 RCX/ECX/CX/CL ................................................................................................... 1184
R8/R8D/R8W/R8L A.2.7 ........................................................................................... 1185 R9/R9D/R9W/R9L A.2.8 ........................................................................................... 1186
R10/R10D/R10W/R10L A.2.9 ............................................................................... 1186 R11/R11D/R11W/R11L A.2.10 ............................................................................ 1186 R14/R14D/R14W/R14L A.2.13 ............................................................................ 1187
RIP/EIP/IP A.2.17 ............................................................................................................. 1188 A.2.19 ................................................................................................................... 1188
A.3 FPU ......................................................................................................................... 1190 A.3.1 .............................................................................................................. 1190 A.3.2 ................................................................................................................... 1191 A.3.3 ................................................................................................................... 1192
A.4 SIMD ............................................................................................................... 1193 A.4.1 MMX .......................................................................................................... 1193 A.4.2 SSE AVX ............................................................................................... 1193
-
A.5 ......................................................................................................... 1193 A.5.1 DR6 ............................................................................................................................. 1194 A.5.2 DR7 ............................................................................................................................. 1194
A.6 ............................................................................................................................... 1196 A.6.1 ........................................................................................................................ 1196 A.6.2 ........................................................................... 1197 A.6.3 ............................................................................ 1205 A.6.4 FPU ................................................................................................................ 1212 A.6.5 ASCII ........................................................... 1215
B ARM ........................................................................................................................................... 1217 B.1 ......................................................................................................................... 1217 B.2 .............................................................................................................................. 1217 B.3 32-bit ARM (AArch32) ..................................................................................... 1218 B.4 64-bit ARM (AArch64) ..................................................................................... 1220 B.5 ............................................................................................................................ 1221
C MIPS .......................................................................................................................................... 1223 C.1 ................................................................................................................................. 1223 C.2 ............................................................................................................................ 1224
D GCC ..................................................................................................... 1227 E MSVC ................................................................................................. 1229
F CHEATSHEET ......................................................................................................................... 1231 F.2 OllyDbg ....................................................................................................................... 1232 F.3 MSVC ........................................................................................................................... 1232 F.4 GCC ............................................................................................................................... 1233 F.5 GDB ............................................................................................................................... 1233
................................................................................ 1237 ....................................................................................................... 1243
-
:
.Ltext0: .section .rodata .LC0: 0000 546F206D .string "To my Papa and Mama" 79205061 70612061 6E64204D 616D6100 .text .globl main main: .LFB0: .cfi_startproc 0000 55 pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 0001 4889E5 movq %rsp, %rbp .cfi_def_cfa_register 6 0004 BF000000 movl $.LC0, %edi 00 0009 B8000000 movl $0, %eax 00 000e E8000000 call printf 00 0013 90 nop 0014 5D popq %rbp .cfi_def_cfa 7, 8 0015 C3 ret .cfi_endproc .LFE0: .Letext0:
-
2 /
» « :
1( : 2( 3D 3( )DBMS .(
. : x86/x64, ARM/ARM64, MIPS, Java/JVM.
: Oracle RDBMItanium LD_PRELOAD ELF 10
win32 x86-64 TLS 11 (PIC 12) C++ STLOpenMP .SEH
: http://challenges.re
(Dennis Yurichev) . [email protected] dennis.yurichev
.
-
/ 3
: “herm1t” “Avid” . : “Beaver”
. : ) rtp #debian-arm
IRC ( . : . : . : “Lstar” “Logxen”
. “ ” .
: . github.com .
LATEX .
. (LaTeX) .
. :
Objective-C Visual Basic Windows NT NET Oracle RDBMS
.
-
4 /
beginners.re . . .
25 * anonymous, 2 * Oleg Vygovsky (50+100 UAH), Daniel Bilar ($50), James Truscott
($4.5), Luis Rocha ($63), Joris van de Vis ($127), Richard S Shultz ($20), Jang Minchang ($20), Shade Atlas (5 AUD), Yao Xiao ($10), Pawel Szczur (40 CHF), Justin Simms ($20),
Shawn the R0ck ($27), Ki Chan Ahn ($50), Triop AB (100 SEK), Ange Albertini (e10+50),
Sergey Lukianov (300 RUR),Ludvig Gislason (200 SEK), Gn Ahn ($50), Triop AB (100 SEK),
Ange Albertini (e10+50), Sergey Lukianov (), Philippe Teuwen ($4), Martin Haeberli ($10), Victor Cazacov (e5), Tobias Sturzenegger (10 CHF), Sonny Thai ($15), Bayna AlZaabi ($75),
Redfive B.V. (e25), Joona Oskari Heikkilzacov (e5), Tobias Sturzenegger (10 CHF), Sonny Thai ($15), Bayna AlZaabi ($exandre Borges ($25), Vladimir Dikovski (e50), Jiarui Hong
(100.00 SEK), Jim_Di (500 RUR), Tan Vincent ($30), Sri Harsha Kandrakota (10 AUD), Pillay Harish (10 SGD), Timur Valiev (230 RUR), Carlos Garcia Prado (e10), Salikov Alexander (500
RUR), Oliver Whitehouse (30 GBP), Katy Moe ($14), Maxim Dyakonov ($3), Sebastian Aguilera (e20), Hans-Martin Malikov Alexander (500 RUR), Ol NOK), Vitaly Osipov ($100),
Yuri Romanov (1000 RUR), Aliaksandr Autayeu (e10), Tudor Azoitei ($40), Z0vsky (e10).
: : .
. .
: / .
.
.
: PDF
-
/ 5
: Adobe Acrobat Reader Alt+Left Arrow . : ! : )( http://beginners.re/#lite .
: : .
: : ! .( )
Creative Commons . . :
https://github.com/dennis714/RE-for-beginners/blob/master/HACKING.md
: : https://github.com/dennis714/RE-for-beginners/blob/master/Translation.md .
: : reddit
) http://go.yurichev.com/17333 http://go.yurichev.com/17334 ( . netsec reddit :
http://go.yurichev.com/17335 :
forum.yurichev.com
" ... ". Siege
Technologies, LLC. " ". Oracle RDBMS.
-
6 /
" ". : Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.
" ...". Vrije Modern Operating Systems (4th Edition).
" ". CISSP / ISSAP Verizon.
" ." SAP Netweaver . " ".
. " !
". .
" ) !( ". Oracle RDBMS.
2015 Acorn) ((www.acornpub.co.kr)
. (http://www.acornpub.co.kr/book/reversing-for-beginners) .
Byungho Min )(https://twitter.com/tais9. Andy Nechaevsky (https://www.facebook.com/andydinka). .
.
-
C C++
. . . C\C++
. C . .
) ( . C
. .
. . . .
(Source code) .
. .
) ( . ) (.
-
8 /
.
.
.
.
.
-
1
CPU
CPU .
)Instruction:( CPU . :
. CPU )ISA ( .
)Machine code :( CPU . . )Assembly language :(
. CPU (CPU register) : )GPR ( . x86 8 x86-64 16 ARM 16 .
. 32 ) 64 ( . !
. C/C++ Java Python CPU . CPU .
-
10 /
. .
1-1 ISA x86 ISA )opcode (
64 x64 ISA . x86 ISA 16 8086
. ARM )RISC ( .
ARM 4 . " ARM" . .
. ISA Thumb 2 .
" Thumb" . ARM Thumb . ARM
Thumb . ARM Thumb Thumb-2
ARMv7 .Thumb-2 2 4 . Thumb-2 ARM Thumb .
Thumb-2 ARM . iPod/iPhone/iPad
Thumb-2 ) Xcode .( 64 ARM . ISA 4 Thumb . 64 ISA
ARM : ARM Thumb ) Thumb-2 ( ARM64 . ISA ISA . ARM ISA . ISA RISC 32 PowerPC MIPS
Alpha AXP.
-
2
. :
1-2 : C\C++ int f() { return 123; };
!
1-2 x86 x86 GCC MSVC :
2-2 :GCC/MSVC ) ( f: mov eax, 123 ret
: 123 EAX RET .
2-2 ARM ARM :
3-2 : Keil 6/2013 ) ARM( f PROC MOV r0,#0x7b ; 123 BX lr ENDP
-
12 /
ARM R0 123 R0 . ARM ISA . BX LR - . MOV ISA x86 ARM .
.
3-2 MIPS MIPS : ) $0 $31 (
)$V0, $A0 .( GCC : 4-2 :GCC 4.4.5 ) (
j $31 li $2,123 # 0x7b
IDA (Interactive Disassembler and debugger) : 5-2 :GCC 4.4.5 )IDA(
jr $ra li $v0, 0x7B
$2 ) $V0 ( .LI " " MIPS MOV . )J JR ( -
$31 ) $RA ( . LR ARM . )LI ( )J JR (
RISC " " .delay slot . ISA RISC
. MIPS )brunch ( / .
.
1-3-2 / MIPS MIPS .
ISA .
-
3
! " C" :
#include int main () { printf("hello, world\n"); return 0; }
1-3 x86
1-1-3 MSVC MSVC 2010 :
C1 1.cpp /Fa1.asm ) /Fa .(
1-3 : MSVC 2010 CONST SEGMENT $SG3830 DB 'hello, world', 0AH, 00H CONST ENDS PUBLIC _main EXTRN _printf:PROC ;Function compile flags: /Odtp _TEXT SEGMENT _main PROC push ebp mov ebp, esp push OFFSET $SG3830 call _printf add esp, 4 xor eax, eax pop ebp ret 0 _main ENDP _TEXT ENDS
-
14 /
MSVC . AT&T )3-1-3( .
1.obj 1.exe . : CONST ) ( _TEXT ) .(
hello, world C\C++ const char[] . $SG3830 . :
#include const char $SG3830[]="hello, world\n;" int main () { printf($SG3830); return 0; }
. C\C++ . )1-1-57 ( C
. _TEXT : main() . main()
) (. printf() :CALL _printf. )
( PUSH . printf() main() ) (
. ) ESP( .ADD ESP, 4 4 ESP . 4 32
4 . x64 8 . ADD ESP, 4 POP .
) Intel C++ Compiler( POP ECX ADD ) Oracle RDBMS Intel C++
.( ECX .
-
3- ! /15
ADD ESP, x )1 POP 3 ADD ( Intel C++ POP ECX .
POP ADD Oracle RDBMS : 2-3: Oracle RDBMS 10.2 Linux ) app.o(
.text:0800029A push ebx
.text:0800029B call qksfroChild
.text:080002A0 pop ecx printf() C\C++ return 0 . return 0
main() . XOR EAX, EAX . XOR "OR " MOV EAX, 0 .
)2 XOR 5 MOV.( SUB EAX, EAX EAX EAX . RET . C/C++
.
2-1-3 GCC C\C++ GCC 4.4.1 : gcc 1.c -o 1
IDA disassembler main() . IDA MSVC .
3-3: IDA main proc near var_10 = dword ptr -10h push ebp mov ebp, esp
and esp, 0FFFFFFF0h sub esp, 10h mov eax, offset aHelloWorld ; "hello, world\n" mov [esp+10h+var_10], eax call _printf mov eax, 0 leave retn main endp
-
16 /
. hello, world ) ( EAX . AND ESP,
0FFFFFFF0h . ESP 16 . ) 4 16 CPU .(
SUB ESP, 10h 16 . 4 . 16 . ) ( PUSH
. Var_10 – printf() . . printf() .
MSVC GCC MOV EAX, 0 .
LEAVE MOV ESP, EBP POP EBP . (ESP) EBP .
)ESP EBP( ) MOV EBP, ESP AND ESP, 0FFFFFFF0h( .
3-1-3:GCC AT&T AT&T . UNIX . 4-3 : GCC 4.7.3
gcc -s 1_1.c :
5-3 : GCC 4.7.3 .file "1_1.c" .section .rodata .LC0: .string "hello, world\n" .text .globl main .type main, @function main:
-
3- ! /17
.LFB0: .cfi_startproc pushl %ebp .cfi_def_cfa_offset 8 .cfi_offset 5, -8 movl %esp, %ebp .cfi_def_cfa_register 5 andl $-16, %esp subl $16, %esp movl $.LC0, (%esp) call printf movl $0, %eax leave .cfi_restore 5 .cfi_def_cfa 4, 4 ret .cfi_endproc .LFE0: .size main, .-main .ident "GCC: (Ubuntu/Linaro 4.7.3-1ubuntu1) 4.7.3" .section .note.GNU-stack,"",@progbits
) .( ) string C
(null) .( : 6-3 : GCC 4.7.3
.LC0: .string "hello, world\n" main: pushl %ebp movl %esp, %ebp andl $-16, %esp subl $16, %esp movl $.LC0, (%esp) call printf movl $0, %eax leave ret
Intel AT&T : :
Intel >> < > < < AT&T >> < > < <
-
18 /
: (=) AT&T
) ( . AT&T : (%) ($) .
. AT&T : :
q – )64 .( L – )32 .( W – )16 .( B – )8 .(
: IDA : 0FFFFFFF0h $-16 . 16
0x10 . -0X10 0xFFFFFFF0 ) 32 ( . MOV XOR 0 .
MOV . ) .( “LOAD” “STORE” .
2-3 x86-64
1-2-3 MSVC—x86-64 MSVC 64-bit : 7-3 : MSVC 2012 x64
$SG2989 DB 'hello, world', 0AH, 00H main PROC sub rsp, 40 lea rcx, OFFSET FLAT:$SG2989 call printf xor eax, eax add rsp, 40 ret 0 main ENDP
-
3- ! /19
x86-64 64 R . ) / ( )fastcall 3-64.(
. 64 RCX RDX R8 R9 . . printf() RCX .
64 64 ) R ( . 32 E .
RAX/EAX/AX/AL x86-64 : 0th 1st 2nd 3rd 4th 5th 6th 7th ) (
x64RAX EAX
AX AL AH
main() C\C++ 32 EAX ) 32 ( RAX
. 40 . " " 1-2-8 .
2-2-3 GCC—x86-64 GCC 64 : 8-3 : GCC 4.4.6 x64
.string "hello, world\n" main: sub rsp, 8 mov edi, OFFSET FLAT:.LC0 ; "hello, world\n" xor eax, eax ; number of vector registers passed call printf xor eax, eax add rsp, 8 ret
-
20 /
Linux *BSD Mac OS X . RDI RSI RDX RCX R8 R9
. EDI ) 32 ( . 64 RDI
MOV 64 32 32 . MOV EAX, 011223344h
RAX . (.o) : 9-3 : GCC 4.4.6 x64
.text:00000000004004D0 main proc near .text:00000000004004D0 48 83 EC 08 sub rsp, 8 .text:00000000004004D4 BF E8 05 40 00 mov edi, offset format ; "hello, world\n" .text:00000000004004D9 31 C0 xor eax, eax .text:00000000004004DB E8 D8 FE FF FF call _printf .text:00000000004004E0 31 C0 xor eax, eax .text:00000000004004E2 48 83 C4 08 add rsp, 8 .text:00000000004004E6 C3 retn .text:00000000004004E6 main endp
EDI 0x4004D4 5 . 64 RDI 7 . GCC . 4 .
EAX printf() . EAX : "
".
3-3 GCC – C
C : . :
-
3- ! /21
#include int f1() { printf ("world\n"); } int f2() { printf ("hello world\n"); } int main() { f1;() f2;() }
C\C++ ) MSVC( GCC 4.8.1 :
10-3: + GCC 4.8.1 IDA f1 proc near s = dword ptr -1Ch sub esp, 1Ch
mov [esp+1Ch+s], offset s ; "world\n" call _puts add esp, 1Ch retn f1 endp f2 proc near s = dword ptr -1Ch sub esp, 1Ch
mov [esp+1Ch+s], offset aHello ; "hello " call _puts add esp, 1Ch retn f2 endp aHello db 'hello ' s db 'world',0xa,0
“hello world” puts() f2() "" .
-
22 /
puts() f1() “world” .puts() !
GCC .
4-3 ARM ARM :
(embedded) Keil 6/2013 . Apple Xcode 4.6.3 ) LLVM-GCC 4.2 .( GCC 4.9 (Linaro) ARM64
http://go.yurichev.com/17325 . 32 ARM ) Thumb Thumb-2(
32 64 ARM ARM64 .
1-4-3 Keil 6/2013 ) ARM( Keil :
Armcc.exe --arm --c90 -00 1.c armcc ARM
" " . IDA .
11-3: Keil 6/2013 ) ARM( IDA .text:00000000 main .text:00000000 10 40 2D E9 STMFD SP!, {R4,LR} .text:00000004 1E 0E 8F E2 ADR R0, aHelloWorld ; "hello, world" .text:00000008 15 19 00 EB BL __2printf .text:0000000C 00 00 A0 E3 MOV R0, #0 .text:00000010 10 80 BD E8 LDMFD SP!, {R4,PC} .text:000001EC 68 65 6C 6C+aHelloWorld DCB "hello, world",0 ; DATA XREF: main+4
-
3- ! /23
4 . ARM .Thumb
STMFD SP!, {R4,LR} PUSH x86 )R4LR( . armcc PUSH {r4,lr}
. PUSH Thumb IDA . SP ) (
. R4 LR ) ( SP .
) PUSH Thumb ( . x86 . STMFD PUSH ) (
SP . STMFD .
ADR R0, aHelloWorld PC ) ( hello,world . PC
" " . . PC . ADR
. )( . C ) PC( .
BL __2printf printf() . : BL (0xC) LR ) ( . PC printf() .
printf() . LR .
-
24 /
RISC “” ARM CISC x86 .
32 32 BL 24 . ARM 4 )32 ( . 4 2
) ( . 26 . PC ± 32M . (Current_PC ± 32M) MOV R0, #0 0 R0. C 0
R0 . LDMFD SP!, R4,PC STMFD R4 PC ) ( SP . POP
. STMFD R4 LR R4 PC LDMFD .
LR . printf() main() . PC
. main() C/C++ CRT
) C( . BX LR .
DCB )( ASCII DB x86 .
2-4-3 Keil 6/2013 ) Thumb( Keil Thumb :
Armcc.exe --thumb --c90 -00 1.c IDA :
12-3: Keil 6/2013 ) Thumb( + IDA .text:00000000 main