Suggestions and guidelines on reverse engineering for beginners

1. Introduction

In general, cracking unpacked (shell-less) software takes a few steps:
1. Check the PE file for a packer (shell)
2. Load the program in OD (OllyDbg)
3. Search for strings
4. Find the nearest conditional jump above the key string and modify it
5. Save the patched file

For a lot of software, though, even unpacked software, these steps get you nowhere, and beginners are left puzzled about why the string cannot be found and so on. After a long period of exploration, reading many books and video tutorials, I have summarised the doubts that novices commonly have, and I will go through them one by one. Let's get started.

2. Suggestions before formally learning reverse engineering
2.1 Master at least one programming language
The biggest difference between a programming language and the language people use in daily communication is that a programming language records thinking, while everyday language exists to let others know what you mean. The way of thinking that comes with mastering a programming language is therefore very important, and it does not change from one language to another. My most proficient language is C++ (I am still just a student), but when some requirement made me read C# code, I found it was not hard to understand: the same way of declaring variables, `.` to access the members of an object, all things you can take in at a glance. As long as you have a programmer's way of thinking, you will find that such things are not difficult.

You may disagree with this, and that is fine; it is not the point. The point of this passage is that when you start learning reverse engineering, you must first have a certain amount of programming thinking.

2.2 Be patient
Software cracking is definitely not just a matter of finding a few strings. It is a contest of thinking: you have to use debugging tools to work out what the author was thinking when he designed the program, and understanding his reasoning makes the cracking process easier.
[Example 1] Searching for a string is a very basic cracking technique; briefly describe its principle.
[Analysis] OD can find a string because it is referenced at that place in the code: the software decides that your serial number is wrong and pops up a message box saying "invalid serial number", and to initialise that message box the string is pushed onto the stack. If the serial number is correct the window is not shown, so there must be a place where the program decides whether to show it. You only need to modify that jump so that the window never pops up.

2.3 Have solid assembly-language and low-level operating-system skills
If someone tells you that software cracking is just finding a few strings and modifying a few jumps, he is either wrong or does not really know how to do it.
Whether you are patching the program ("blasting") or tracing the key ("chasing the code"), you need to understand what the author's code is doing.

3. Things to pay attention to when studying
3.1 Learn from systematic material (whether a book or a video course)
Reverse engineering is not simple; it is not something you can learn from a few forum posts. It is best to combine books and videos and learn systematically for the best results.

3.2 Be good at reflection
Why did the author do it this way? What are the advantages of the author's design? Asking yourself a few more such questions is a good way to make progress, and it also helps you sum up general cracking methods.

3.3 Step by Step
Don't try to crack difficult software at the beginning. Such software generally uses sophisticated anti-debugging and anti-cracking techniques, which are hard for novices. You might as well start with unpacked CrackMes. Take your time; one day you will reach a higher level.

3.4 Give yourself positive encouragement
Although you will sometimes fail, don't give up. Give yourself positive hints and believe that you can succeed.

4. Summary of common problems for novices:
4.1 Why can't the key string be found even though the program is not packed?
There are many reasons why the key string cannot be found. Leaving packing aside, there are two main ones:

1. Language: if the software's code uses English strings and, for internationalisation, loads Chinese text from language files (ini, dll, db and so on), try searching for the strings in the original language.
2. Simple encryption: here is an example. A plain string "registered successfully" can be searched for in OD. Suppose the program code is as follows:

#include<iostream>
#include<cstdlib>
#include<string>
#include<windows.h>
using namespace std;
int check(string user,string sn);//demonstration function, for illustration only
int main(){
        string username,sn;
        cout<<"please enter user name:"<<endl;
        cin>>username;
        cout<<"Please enter the serial number:"<<endl;
        cin>>sn;
        check(username,sn);
        system("pause");
        return 0;
}
//Demo rule: each serial-number character must equal the user-name character
//at the same position minus one (the original nested loop tested the wrong
//index and never terminated on a matching character).
int check(string user,string sn){
        if(user.length()!=sn.length()){
                MessageBoxA(NULL,"Serial number error","failure",MB_OK);
                return 0;
        }
        for(size_t i=0;i<user.length();i++){
                if(user[i]-1!=sn[i]){
                        MessageBoxA(NULL,"Serial number error","failure",MB_OK);//plain-text string, visible to OD
                        return 0;
                }
        }
        MessageBoxA(NULL,"The serial number is correct","success",MB_OK);
        return 1;
}

OD recognises the string as well:

Now we write a helper program:

#include<iostream>
#include<cstdio>
#include<cstring>
using namespace std;
int main(){
        char text[]="The serial number is correct";
        char text2[]="The serial number is correct";
        cout<<"plain:   "<<text<<endl;
        for(size_t i=0;i<strlen(text);i++){
                char a=text[i];
                a=a^2;//XOR every byte with 2; XOR with 2 again restores it
                text2[i]=a;
        }
        cout<<"encoded: "<<text2<<endl;
        //Print the encoded bytes in hex so they can be pasted into the program as an array
        for(size_t i=0;text2[i];i++) printf("%02X ",(unsigned char)text2[i]);
        printf("00\n");
        return 0;
}

This gives the string after XOR with 2: D2 F0 C3 D2 B8 C7 D7 FF CA B5 00. (Note that these bytes are the encoded form of the message strings in the author's original build, which were Chinese text in GBK; XORing the English text shown above gives different bytes, so run the helper on whatever string you actually use.)

The modified program is as follows:

#include<iostream>
#include<cstdlib>
#include<cstring>
#include<string>
#include<windows.h>
using namespace std;
int check(string user,string sn);//demonstration function, for illustration only
//Message strings stored XOR 2 so a string search does not see them. These are
//the encoded bytes of the author's original (GBK Chinese) messages; hex escapes
//avoid the C++11 narrowing error of brace-initialising char with values above 0x7F.
char a[]="\xD2\xF0\xC3\xD2\xB8\xC7\xD7\xFF\xCA\xB5";//"correct" message
char b[]="\xD2\xF0\xC3\xD2\xB8\xC7\xB6\xEF\xCC\xF1";//"error" message
int main(){
        string username,sn;
        cout<<"please enter user name:"<<endl;
        cin>>username;
        cout<<"Please enter the serial number:"<<endl;
        cin>>sn;
        //Decode both messages in place at run time, just before they are used
        for(size_t i=0;i<strlen(a);i++) a[i]^=2;
        for(size_t i=0;i<strlen(b);i++) b[i]^=2;
        check(username,sn);
        system("pause");
        return 0;
}
//Same demo rule as before: serial-number character = user-name character minus one
int check(string user,string sn){
        if(user.length()!=sn.length()){
                MessageBoxA(NULL,b,"",MB_OK);
                return 0;
        }
        for(size_t i=0;i<user.length();i++){
                if(user[i]-1!=sn[i]){
                        MessageBoxA(NULL,b,"",MB_OK);
                        return 0;
                }
        }
        MessageBoxA(NULL,a,"",MB_OK);
        return 1;
}

The program still runs normally, but OD no longer finds the string:

At this point you can use a more advanced method and work from the call stack (Alt+K) instead; I won't go into it here.
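As an added example (my code, not the author's) of why the string search in 4.1 fails and how an analyst gets the string back: a constructed byte buffer stands in for a slice of the program image and holds the page's encoded a[] bytes plus the English success message XORed with 2; a plain search finds neither, while trying all 256 single-byte XOR keys recovers the offset and the key (2), which decode() then applies exactly as the program's own decoding loop does. The GBK reading of the page's bytes is my own decoding of its hex values.

```cpp
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a slice of a program image: filler, the page's encoded
// array a[] (ten bytes, NUL dropped), the English success message XORed with 2, filler.
std::vector<unsigned char> make_image() {
    std::vector<unsigned char> img = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    const unsigned char a_enc[] = {0xD2,0xF0,0xC3,0xD2,0xB8,0xC7,0xD7,0xFF,0xCA,0xB5};
    img.insert(img.end(), a_enc, a_enc + sizeof a_enc);
    for (char c : std::string("The serial number is correct"))
        img.push_back(static_cast<unsigned char>(c) ^ 2);
    img.insert(img.end(), {0x00, 0x5D, 0xC3});
    return img;
}

// a[] XOR 2: the author's original success message, GBK bytes of "序列号正确".
std::string gbk_success() {
    const unsigned char g[] = {0xD0,0xF2,0xC1,0xD0,0xBA,0xC5,0xD5,0xFD,0xC8,0xB7};
    return std::string(g, g + sizeof g);
}

// Offset of (needle XOR key) in img, or -1. Key 0 is an ordinary byte-for-byte
// search, which is all OD's string scan does.
long find_with_key(const std::vector<unsigned char>& img, const std::string& needle, int key) {
    for (size_t off = 0; off + needle.size() <= img.size(); ++off) {
        size_t n = 0;
        while (n < needle.size() && (img[off + n] ^ key) == static_cast<unsigned char>(needle[n])) ++n;
        if (n == needle.size()) return static_cast<long>(off);
    }
    return -1;
}

// Single-byte XOR search: try every key; return {offset, key}, or {-1, -1} if none hits.
std::pair<long, int> find_xored(const std::vector<unsigned char>& img, const std::string& needle) {
    for (int k = 0; k < 256; ++k) {
        long off = find_with_key(img, needle, k);
        if (off >= 0) return {off, k};
    }
    return {-1, -1};
}

// Recover the plaintext at a hit with the key that matched.
std::string decode(const std::vector<unsigned char>& img, long off, size_t len, int key) {
    std::string out;
    for (size_t i = 0; i < len; ++i) out += static_cast<char>(img[off + i] ^ key);
    return out;
}
```

Calling find_with_key(make_image(), "The serial number is correct", 0) returns -1, while find_xored on the same needle returns offset 16 with key 2, and on gbk_success() returns offset 6 with key 2.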
4.2 Cannot save to the executable file
This is caused by packing. The packer changes the in-memory image so that it no longer corresponds directly to the file on disk, so the changes cannot be saved. Unpack the program first.

4.3 The software cannot run after cracking
There are many possibilities: there may be a self-check, or the stack balance may have been broken, among other causes. I won't list them one by one; the fix depends on the situation.

4.4 The assembly code is too messy to grasp as a whole
Combine it with IDA analysis; this helps beginners learn. For example, for the program I just wrote, the graph IDA shows after loading is easy to analyse:

The relationship between the two message boxes is very clear:

5. Conclusion
This article has covered the points beginners should pay attention to when learning reverse engineering. I hope it is helpful to them.
