13 hours 15 minutes
Hello, This is Dr Miller, and this is Episode 13.3 of Assembly.
Today we're gonna talk about methods to reverse engineer programs, and we'll do two different standards styles. There's an online method, and then there's a local method
so online reversing.
So there are a couple of different examples of online reverses, so there's the online dis assembler dot com. And then there's Compiler Explorer, and these are just a couple of examples.
Um, one thing to keep in mind is, if you're going to do this type of reverse engineering, you are taking the code that you are trying to reverse engineer or understand,
and you're uploading it website. So that may or may not be good for,
um, you, your project or your organization, and so that you have to take that and make that into your decision of what type of
a disassembly. And we'll look at one of these in a little bit,
and then we have local reversing. So if you have code that you can't,
um, upload to a website because of agreements like nondisclosure agreements, then you might want to set up a local one. And it's actually usually a lot faster in order to set that up and you end up with pretty good results.
And so what you would do is you determine your target operating system. So whatever operating system you want to write code and understand, you need to pick that. You need to also install a compiler. So the compiler that either you think that they're using or a compiler that you want to learn about
and then you need to install some sort of dis assembler and we're just going to use some free open source tools for
So the process is you go in, you write some code
in your editor of choice. You then compile it,
and then either be able to bring it to your dis assembler or just run the dis assembler locally, and then you go back to step one. So as you modify the code,
you'll get some understanding of how the different parts interact with the compiler and the assembly that gets generated for that.
So let's just have an example, and we're going to use the two different styles with this example.
So here I have the God bolt dis assembler pulled up
and So in this window over here, I go ahead and type my code. So the code for this example,
um, was a hello world program will pull this up
So it just prints off hello world and then doesn't return zero. And so this provides a really nice interface toe understanding how all the different pieces work.
And so every line that I highlight here, it's going to show me the disassembly for that line of code. So when I enter into my function, we see a couple of
I'm standard things. So it's loading into East TX a variable, and then it's Andy E S P in order to make it on a even bite boundary,
and then we can see it's pushing some stuff onto the stack. So we're pushing this pointer the GC X minus four, and then we have our standard prologue.
Pushing E. C X is that looks like it might be used and then allocating for some local variable.
And then we can see when we go to do the print statement, it's this yellow right here and again. It's subtracting some more from E S P, and then it's pushing on this. Um dot loc zero. And so that's a pointer to our string, which has the letters hello world inside of it.
And then it calls the puts function, which is gonna print that string off.
Um, and then it's correcting back to the stack.
And so a lot of functions in Lenox require stack to be on even bite boundaries. And so,
um, the reason why we have this subtracting here is because the compiler is trying to make it an even 16 bytes. So subtracts 12.
Here it's end up subtracting another four that gets a 16 calls a function and then corrects the stack back to 16
and then we can see here are returned zero. Well, yea. Exes are return value and then are closing. Statement is going to do the function epilogue for that. So correcting all the stack doing a leave
and during an l. E a.
The other example I'm gonna do is inside of just standard Lennox.
So I have my program here again, typed in, and it's going to call the,
um puts and print off. Hello, world.
I can go ahead and compile it,
and I'm again going to use the minus M 32 in order to make sure that I get a 32 bit version,
right? So the process was edit my file. I then compile it and then I can run it through a dis assembler.
So I'm just going to use object dump for this example, and,
um, I end up running it through grab so we'll run it before we not in grip the first time so you can see how that looks.
So object dump and then minus D means disassemble. And then I would like to disassemble it as intel Syntex. It's either Intel A T and T
Intel's what we've been learning for the x 86 portion of class, and then the the binary is called a dot out. So when you do GCC and you don't give it an output file, ate out out is the default output file.
And so when you say disassemble all, it's going to disassemble every single function that exists in there. So we got some in the B s s.
We have, you know, a function called dynamic. So there's a lot of functions in here,
and what I'm really concerned about is the main function, right? So this is my text that I'm looking for in Maine.
And so what I generally do is just run this through a grip, command to search for a pattern and the pattern I'm gonna look for his main bracket, Colon.
what I'm going to do is I'm gonna search for that pattern, and this is where the function is defined. And then the minus a 30 means give me 30 lines after you find that match
and 30 just an approximate number. And I eat issues after adjusted to get to the correct point.
So now I can see where my main function is, Right? So here is my main. And again, this isn't gonna be as nice as the,
um, online dis assembler. But it is a way that I can reverse engineer code and sort of understand how something works just by building it inside the compiler and then disassembly so I can see my functions. But some of the things they're going to be a little bit different. So, for example, here
before it said dot lok zero for that string. Right here I get the actual raw address so you could look through that raw address and see OK, what does that?
What string does that point us to? And you could run this into the bugger. You could put a break point on this line here and then go and look and see what that function is.
But as you go through and you change, you can compare what you see in this disassembly versus what you see in another one after you've modified something inside your file.
So today we just briefly discussed a couple different ways to reverse programs both online and local. And
what we'll do in the future if we want to look at them as well, open them in a professional,
um, dis assembler. And then you can see the sort of power that we get with with those type of dis assemblers. But the important part of the online ones is that we're gonna be ableto have instant feedback. As soon as I type some code in there,
it will automatically show us what that is and weaken directly correlate a line of code with a line of code that's in the dis assembler
in a very quick and efficient way.
So in the forward in the future. We're going toe, look at the different, see constructs and then be able to take those and disassemble them so that we can understand how we could do those
directly in assembly without having to do them and use them in the high level languages so we can deconstruct it. So if there's something that we don't know how to do, we can figure out how it works at the lowest level and then be able to recognize that in, um different assembly programs and write it into new ones.
If you have questions, you can email me Miller MJ at you and Katya, you and Kate. I e D U. And you can find me on Twitter at Milhouse 30.