How to Reverse the Code?

Although revealing a secret is always an appealing topic for any audience, reverse engineering is a critical skill for programmers. Very few information security professionals, incident response analysts and vulnerability researchers have the ability to reverse binaries efficiently; if you can, you will undoubtedly be at the top of your professional field (Infosec Institute).

It is like finding a needle on a dark night. Not everyone can be good at decompiling or reversing code. I can show a roadmap for successfully reversing code with tools, but reverse engineering requires more skills and techniques than that. Software reverse engineering means different things to different people, and how you reverse a piece of software depends on the software itself. It can be defined as unpacking the packed, disassembling the assembled or decompiling the compiled piece of code we call software. Some people also call it binary auditing or malware analysis; the name depends on the motive. Before we jump into more details, let’s highlight some pre-requisites of software reverse engineering.

Pre-requisite in Software Reverse Engineering

Most importantly, you should be a programmer who understands the basic concepts of how the software world works. It is like driving your car in reverse gear and reaching home without accidents! So yes, it’s not an easy job and it requires practice. Understanding the following requirements is fundamental to reversing any piece of code.

001 – You should be good in at least one programming language; C++ is a good choice.

002 – Understanding assembly language is the key to success in reversing code and reaching the target. Understanding how the stack and memory work, and the types of registers and pointers, are the important factors.

003 – Knowing which DLL is mapped to which statement is very important.

004 – Try to identify the algorithms used and draw a map of them.

005 – Perform crash analysis to identify bugs, and understand the functionality of the software by applying the hit-and-miss rule.

006 – Identify the files used.

007 – Identify the variables used in the code; this is very important.

008 – Most important is vulnerability analysis; this applies when you are trying to modify the normal behaviour of the code.

Approach: Different Reversing Approaches. There are many different approaches to reversing, and choosing the right one depends on the target program, the platform on which it runs and on which it was developed, and what kind of information you’re looking to extract. Generally speaking, there are two fundamental reversing methodologies: offline analysis and live analysis.

Offline Code Analysis (Dead-Listing)

Offline analysis of code means that you take a binary executable and use a disassembler or a decompiler to convert it into a human-readable form. Reversing is then performed by manually reading and analysing parts of that output. Offline code analysis is a powerful approach because it provides a good outline of the program and makes it easy to search for specific functions that are of interest. The downside of offline code analysis is usually that a better understanding of the code is required (compared to live analysis), because you can’t see the data that the program deals with and how it flows; you must infer what type of data the code handles and how it flows from the code alone. Offline analysis is typically a more advanced approach to reversing.

There are some cases (particularly cracking-related) where offline code analysis is not possible. This typically happens when programs are “packed”, so that the code is encrypted or compressed and is only unpacked at runtime. In such cases only live code analysis is possible.
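Before deciding between dead-listing and live analysis, a practitioner first checks whether the binary is packed at all. The following Python script is an added example, not part of the original article: it applies the standard Shannon-entropy heuristic to named sections, flagging any section whose bytes look compressed or encrypted (near 8 bits per byte) as a candidate for live analysis. The section names and contents are constructed sample data, not taken from any real binary.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections: dict, threshold: float = 7.0) -> dict:
    """Label each section. Plain x86 code and strings usually land around 4-6.5 bits/byte;
    compressed or encrypted (packed) payloads sit close to 8, so >= threshold is flagged."""
    report = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        report[name] = {"entropy": round(h, 2), "likely_packed": h >= threshold}
    return report


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for a packed section (constructed, hypothetical)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample sections (hypothetical, not from any real executable).
SAMPLE_SECTIONS = {
    # repetitive function-prologue-like x86 bytes: low entropy, readable in a dead listing
    ".text": b"\x55\x8b\xec\x83\xec\x10\x56\x8b\x75\x08\x85\xf6\x74\x0a" * 200,
    # ASCII strings: also low entropy
    ".rdata": b"Hello, world! Error: file not found.\x00" * 100,
    # packer-style section: only live analysis would show the real code
    "UPX1": pseudo_random_bytes(b"constructed-seed", 4096),
}


def likely_packed_sections(sections: dict = SAMPLE_SECTIONS) -> list:
    """Names of sections that should be unpacked in a debugger before static analysis."""
    return sorted(name for name, r in triage_sections(sections).items() if r["likely_packed"])


if __name__ == "__main__":
    for name, r in triage_sections(SAMPLE_SECTIONS).items():
        print(f"{name:8} entropy={r['entropy']:.2f} packed={r['likely_packed']}")
```

Entropy alone is a heuristic: a large embedded image or certificate can also score high, so confirm with section names, import counts and the entry point's location before concluding a binary is packed.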

Live Code Analysis

Live analysis involves the same conversion of code into a human-readable form, but here you don’t just statically read the converted code; instead you run it in a debugger and observe its behaviour on a live system. This provides far more information because you can observe the program’s internal data and how it affects the flow of the code. You can see what individual variables contain and what happens when the program reads or modifies that data. Generally, live analysis is said to be the better approach for beginners because it provides a lot more data to work with. The section on “Need for Tools” discusses tools that can be used for live code analysis.

Need for Tools: which tool to select depends on the piece of software you’re trying to reverse. There are many tools available on the internet, but the key tools are IDA Pro and OllyDbg. IDA Pro is a wonderful tool with a large number of functionalities; it can be used as a debugger as well as a disassembler. On the other side, OllyDbg is an assembler-level analysing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.

Highlights of IDA Pro Functionalities

In my opinion IDA Pro is the most powerful tool and the one most used in reverse engineering. Its functionalities are vast in number; however, I should highlight the key ones:

Adding Dynamic Analysis to IDA

In addition to being a disassembler, IDA is also a powerful and versatile debugger. It supports multiple debugging targets and can handle remote applications via a “remote debugging server”. Powerful cross-platform debugging:

  • Instant debugging: no need to wait for the analysis to be complete to start a debug session.
  • Easy connection to both local and remote processes.
  • Support for 64-bit systems and new connection possibilities.

Highlights of OllyDbg Functionalities

  • It debugs multithreaded applications.
  • It attaches to running programs.
  • Its configurable disassembler supports both MASM and IDEAL formats.
  • It supports MMX, 3DNow! and SSE data types and instructions, including Athlon extensions.
  • It recognizes complex code constructs, like call to jump to procedure.
  • It decodes calls to more than 1900 standard API and 400 C functions.