<HTML
><HEAD
><TITLE
>Introduction to Reverse Engineering Software in Linux</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="NEXT"
TITLE="The Linux Compilation Process"
HREF="x24.htm"/></HEAD
><BODY
CLASS="article"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="title"
><A
NAME="AEN2"/>Introduction to Reverse Engineering Software in Linux</H1
><DIV
CLASS="revhistory"
><TABLE
WIDTH="100%"
BORDER="0"
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
COLSPAN="3"
><B
>Revision History</B
></TH
></TR
><TR
><TD
ALIGN="LEFT"
>Revision $Revision: 1.26 $</TD
><TD
ALIGN="LEFT"
>$Date: 2002/09/18 06:54:57 $</TD
><TD
ALIGN="LEFT"
></TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
></TD
></TR
></TABLE
></DIV
><DIV
><DIV
CLASS="abstract"
><A
NAME="AEN8"/><P
><B
>Abstract</B
></P
><P
>&#13; This document is an attempt to provide an introduction to reverse
engineering software in Linux. Since reverse engineering is rapidly coming
under legal fire, this author figures the best response is to make the
knowledge widespread. The idea is that since discussing specific
reverse engineering feats is illegal, we should instead discuss general
approaches, so that, rather than downloading cracks or descriptions of
weaknesses in programs (yes, BOTH are now illegal), every Linux user
has the ability to make their own.
Also, closed source programs piss me off. Resistance
is futile. You will be Open Sourced.
</P
></DIV
></DIV
><HR/></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="t1.htm#AEN11"
>Introduction</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="t1.htm#AEN13"
>What is reverse engineering?</A
></DT
><DT
>1.2. <A
HREF="t1.htm#AEN16"
>Why reverse engineer?</A
></DT
><DT
>1.3. <A
HREF="t1.htm#AEN21"
>Legal issues</A
></DT
></DL
></DD
><DT
>2. <A
HREF="x24.htm"
>The Linux Compilation Process</A
></DT
><DD
><DL
><DT
>2.1. <A
HREF="x24.htm#AEN26"
>Intro</A
></DT
><DT
>2.2. <A
HREF="x24.htm#AEN29"
>gcc</A
></DT
><DT
>2.3. <A
HREF="x24.htm#AEN32"
>gcc -E (Preprocessor Stage)</A
></DT
><DT
>2.4. <A
HREF="x24.htm#AEN35"
>gcc -S (Parsing+Translation Stages)</A
></DT
><DT
>2.5. <A
HREF="x24.htm#AEN41"
>as (Assembly Stage)</A
></DT
><DT
>2.6. <A
HREF="x24.htm#AEN44"
>ld/collect2 (Linking Stage)</A
></DT
></DL
></DD
><DT
>3. <A
HREF="x47.htm"
>Gathering Info</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="x47.htm#AEN50"
>ldd</A
></DT
><DT
>3.2. <A
HREF="x47.htm#AEN53"
>nm</A
></DT
><DT
>3.3. <A
HREF="x47.htm#AEN56"
>/proc</A
></DT
><DT
>3.4. <A
HREF="x47.htm#AEN60"
>netstat</A
></DT
><DT
>3.5. <A
HREF="x47.htm#AEN70"
>lsof</A
></DT
><DT
>3.6. <A
HREF="x47.htm#AEN76"
>fuser</A
></DT
></DL
></DD
><DT
>4. <A
HREF="x79.htm"
>Determining Program Behavior</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="x79.htm#AEN82"
>strace/truss (Solaris)</A
></DT
><DT
>4.2. <A
HREF="x79.htm#AEN93"
>ltrace</A
></DT
><DT
>4.3. <A
HREF="x79.htm#AEN112"
>LD_PRELOAD</A
></DT
><DT
>4.4. <A
HREF="x79.htm#AEN119"
>gdb</A
></DT
></DL
></DD
><DT
>5. <A
HREF="x125.htm"
>Determining Interesting Functions</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="x125.htm#AEN128"
>Reconstructing function &amp; control information</A
></DT
><DT
>5.2. <A
HREF="x125.htm#AEN144"
>Consider the objective</A
></DT
><DT
>5.3. <A
HREF="x125.htm#AEN147"
>Finding key functions</A
></DT
><DT
>5.4. <A
HREF="x125.htm#AEN173"
>Plotting out program flow</A
></DT
></DL
></DD
><DT
>6. <A
HREF="x177.htm"
>Understanding Assembly</A
></DT
><DD
><DL
><DT
>6.1. <A
HREF="x177.htm#AEN182"
>Registers</A
></DT
><DT
>6.2. <A
HREF="x177.htm#AEN186"
>The stack</A
></DT
><DT
>6.3. <A
HREF="x177.htm#AEN207"
>Two's complement</A
></DT
><DT
>6.4. <A
HREF="x177.htm#AEN242"
>Reading Assembly</A
></DT
><DT
>6.5. <A
HREF="x177.htm#AEN258"
>Know Your Compiler</A
></DT
></DL
></DD
><DT
>7. <A
HREF="x407.htm"
>Writing Standalone Assembly</A
></DT
><DD
><DL
><DT
>7.1. <A
HREF="x407.htm#AEN410"
>Instructions with side-effects</A
></DT
><DT
>7.2. <A
HREF="x407.htm#AEN413"
>Opcode Tables</A
></DT
><DT
>7.3. <A
HREF="x407.htm#AEN418"
>Using GNU as</A
></DT
><DT
>7.4. <A
HREF="x407.htm#AEN424"
>Conventions on saving registers</A
></DT
><DT
>7.5. <A
HREF="x407.htm#AEN427"
>Using Library Functions</A
></DT
></DL
></DD
><DT
>8. <A
HREF="x430.htm"
>Working with the ELF Program Format</A
></DT
><DD
><DL
><DT
>8.1. <A
HREF="x430.htm#AEN437"
>ELF Layout</A
></DT
><DT
>8.2. <A
HREF="x430.htm#AEN461"
>Editing ELF</A
></DT
></DL
></DD
><DT
>9. <A
HREF="x467.htm"
>Understanding Copy Protection</A
></DT
><DT
>10. <A
HREF="x470.htm"
>Code Modification</A
></DT
><DD
><DL
><DT
>10.1. <A
HREF="x470.htm#AEN473"
>Reasons for Code Modification</A
></DT
><DT
>10.2. <A
HREF="x470.htm#AEN476"
>Instruction Modification</A
></DT
><DT
>10.3. <A
HREF="x470.htm#AEN487"
>Single Instruction Insertion</A
></DT
><DT
>10.4. <A
HREF="x470.htm#AEN490"
>Single Function Insertion</A
></DT
><DT
>10.5. <A
HREF="x470.htm#AEN493"
>Multiple Function Insertion</A
></DT
><DT
>10.6. <A
HREF="x470.htm#AEN496"
>Attacking copy protection</A
></DT
></DL
></DD
><DT
>11. <A
HREF="x499.htm"
>Buffer Overflows</A
></DT
><DD
><DL
><DT
>11.1. <A
HREF="x499.htm#AEN502"
>Stack Overflows</A
></DT
><DT
>11.2. <A
HREF="x499.htm#AEN505"
>1-Byte Overflows</A
></DT
><DT
>11.3. <A
HREF="x499.htm#AEN508"
>Returning to Libc</A
></DT
><DT
>11.4. <A
HREF="x499.htm#AEN511"
>Attacking Countermeasures</A
></DT
><DT
>11.5. <A
HREF="x499.htm#AEN514"
>Heap Overflows</A
></DT
><DT
>11.6. <A
HREF="x499.htm#AEN517"
>Attacking hard copy protection</A
></DT
></DL
></DD
><DT
>12. <A
HREF="x520.htm"
>TODO (Contribute!)</A
></DT
><DD
><DL
><DT
>12.1. <A
HREF="x520.htm#AEN523"
>Write assembly tutorial section</A
></DT
><DT
>12.2. <A
HREF="x520.htm#AEN547"
>Create Diagrams &amp; example outputs</A
></DT
><DT
>12.3. <A
HREF="x520.htm#AEN560"
>More detail</A
></DT
><DT
>12.4. <A
HREF="x520.htm#AEN564"
>Update disasm.pl</A
></DT
><DT
>12.5. <A
HREF="x520.htm#AEN569"
>Do this for windows</A
></DT
><DT
>12.6. <A
HREF="x520.htm#AEN572"
>Do this for protocols</A
></DT
><DT
>12.7. <A
HREF="x520.htm#AEN575"
>Do this for hardware</A
></DT
></DL
></DD
><DT
>13. <A
HREF="x578.htm"
>Extra Resources</A
></DT
><DD
><DL
><DT
>13.1. <A
HREF="x578.htm#AEN580"
>ELF Binary Specification</A
></DT
><DT
>13.2. <A
HREF="x578.htm#AEN596"
>Other Resources and amusements</A
></DT
></DL
></DD
></DL
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN11"/>1. Introduction</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN13"/>1.1. What is reverse engineering?</H2
><P
>&#13; Reverse engineering, as this document will discuss it, is simply the
act of figuring out what software that you have no source code
for actually does.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN16"/>1.2. Why reverse engineer?</H2
><P
>&#13; Answer: Because you can. Software that exists on your system that you
do not have source code to is usually the most interesting kind of
software. Sometimes you may be looking for security holes, sometimes
you are curious how copy protection works, etc. I don't know about
you, but to me, software that I don't have source code to just pisses me
off. So I figure: screw it, let's do some damage.
</P
><P
>&#13; Also, it makes you a better programmer. This book will teach you a
large amount about how your computer works at a low level, and the
better an understanding you have of that, the more efficient programs
you can write in general.
</P
><P
>&#13; If you don't know assembly language,
at the end of this book you will literally know it inside out. While
most first courses and books on assembly language teach you how to use
it as a programming language, you will get to see how to use C as an
assembly language generation tool, and how to look at and think about
assembly as a C program. This puts you at a tremendous advantage over
your peers, not only in terms of programming ability, but also in terms
of your ability to figure out how the black box works. In short,
learning this way will naturally make you a better reverse engineer.
Plus, you will have the fine distinction of being able to answer the question
"Who taught you assembly language?" with "Why, my C compiler, of course!"
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN21"/>1.3. Legal issues</H2
><P
>&#13; Pending...
</P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x24.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>The Linux Compilation Process</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>