Reverse Engineering is no Rocket Science 1

Let me make one thing clear. You have to know how to develop software in a language like C/C++, C#, Java or anything like that before you will fully understand this. If you know how to develop software, or if you are just interested in how reverse engineering works, go on.

What is Reverse Engineering?

If you create source code like this:


#include <stdio.h>

int main()
{
    printf("TEST\n");
    return 1;
}

The compiler you use will generate machine code, packed into an exe file or similar, so that your CPU can execute it. Each CPU instruction is stored as a numeric opcode (usually shown in hex); the assembler mnemonics you see in a disassembler are just the human-readable form of those same opcodes.

Reconstructing source code from an assembler listing is called reverse engineering. It is used in many ways.

Finding exploits, developing shellcode, hacking consoles and understanding other people's software are just some scenarios where this is used.

How do I learn to do this? Books?

As always, start by reading about the tools you will use. Basically I recommend IDA (Interactive Disassembler). It is by far the best disassembler in this world. If you want to learn PPC reverse engineering you can read this series. You are free to link to this site.

What CPU are the examples for?

Since the theory works for a lot of assembler languages (yes, there are different ones), I will explain it using the example of a 64-bit PPC CPU like the one in the Cell Broadband Engine.

How do we simplify the understanding first?

In our C translation we model the CPU's registers as global variables. With GCC you can even bind such a global variable to a specific register; it is declared like this:


register unsigned long long r3 __asm("r3");

How do I start?

I always start by translating every assembler instruction into C code right away, because I'm much more familiar with reading obfuscated C code than a wall of assembler code. I will cover examples and the instruction conversions I find most often in code… While converting the instructions to C you will notice some things right away, others later. Then feel free to optimize the code right away. A simple example is this C code:


r3 = 0x12340000003DCBA9;

This simple assignment takes 4 instructions, because no single PPC instruction can carry a 64-bit immediate (the immediate fields are only 16 bits wide):

lis %r3, 0x1234
rldicr %r3, %r3, 32, 31
oris %r3, %r3, 0x3D
ori %r3, %r3, 0xCBA9

Going Deeper

First I provide the direct translations to C code… The format below will be used for the whole series.

lis instruction (Load Immediate Shifted)

This instruction loads a 16-bit value into bits 16 – 31 (in this series 0 is the lowest bit and 63 the highest; note that the official PowerPC manuals number bits the other way round, with bit 0 as the most significant, which matters when you read the mask operand of rldicr). The value is sign-extended, so an immediate of 0x8000 or above also sets bits 32 – 63 to 1.

Parameters

1. Register, which will be set (the first register is always the destination register)

2. Value, which will be loaded (the value only has a limited size of 16 bits; because of this size limit, setting all 64 bits of a register is that complicated…)

Our example


lis %r3, 0x1234

In C


r3 = 0x12340000;

Pretty simple heh? Next instructions…

rldicr (Rotate Left Double Word Immediate then Clear Right)

This instruction rotates the 64-bit value to the left (bits that fall out on the left come back in on the right) and then clears every bit to the right of a given mask end. When the mask end clears exactly the bits that rotated around, the result is the same as a left shift that fills the right bits with 0, and that is how compilers use it.

Simple Example

You got r3 = 2; (2 is in binary 10). If u rotate left with 2 bits the new value would be 8 (8 is in binary 1000).

Parameters

1. Register, like always the destination register

2. Register, the value which will be used for the rotation (src and destination don't have to match, I will give an example later)

3. Value, the number of bit positions to rotate left

4. Value, the mask end: the last bit (in the manual's numbering, counted from the most significant bit as 0) that is kept; everything to the right of it is cleared. A shift left by n is written as rldicr with mask end 63 - n, which assemblers also accept as the short form sldi.

Other Example

r4 has the value 2. r5 should get the value 8. The following code should do the trick. r4 will stay with the value 2 and is not modified.

rldicr %r5, %r4, 2, 61

Our Example


rldicr  %r3, %r3, 32, 31

In C


r3 = r3 << 32;

The rotate is a plain shift here: r3 only holds a 32-bit value after the lis, and the mask end of 31 clears the lower 32 bits after the rotate anyway, so nothing wraps around. Since source and destination register match, the shorter way:

r3 <<= 32;

ori (OR Immediate)

A simple OR of a 16-bit immediate into the lower bits 0-15. The immediate is zero-extended, so no other bit of the register changes.

Parameters

1. Register, like always the destination register

2. Register, the value which will be used for the or operation (src and destination don’t have to match)

3. Value which will be used for the or operation

Our Example


ori %r3, %r3, 0xCBA9

In C


r3 = r3 | 0xCBA9;

Since source and destination register match, the shorter way:


r3 |= 0xCBA9;

Note: I showed ori before oris because understanding ori is easier and they are basically the same.

oris (OR Immediate Shifted)

A simple OR of a 16-bit immediate into bits 16-31 (the immediate is shifted left by 16 before the OR).

Parameters

1. Register, like always the destination register

2. Register, the value which will be used for the or operation (src and destination don’t have to match)

3. Value which will be used for the or operation (just append four hex zeros "0000" to the value and an oris behaves like an ori with that value; the C code will show it)

Our Example


oris %r3, %r3, 0x3D

In C


r3 = r3 | 0x3D0000;

Since source and destination register match, the shorter way:


r3 |= 0x3D0000;

The Example:
The way we got it.

lis %r3, 0x1234
rldicr  %r3, %r3, 32, 31
oris %r3, %r3, 0x3D
ori %r3, %r3, 0xCBA9

Now just copy the C translation of each instruction and fill in the right values and registers, and you will get this.

In C

r3 = 0x12340000;
r3 <<= 32;
r3 |= 0x3D0000;
r3 |= 0xCBA9;

Simplify the code:

r3 = 0x12340000;
r3 <<= 32;

Since the left shift by 32 only appends 32 zero bits (8 hex zeros) to the right side of the value, the result will be like this:

r3 = 0x1234000000000000;

Next part…

r3 = 0x1234000000000000;

r3 |= 0x3D0000;

Since every bit we OR into is still zero, you can simply put the value in there.

r3 = 0x12340000003D0000;

For the next OR it is the same.

r3 = 0x12340000003D0000;
r3 |= 0xCBA9;

Which will become…

r3 = 0x12340000003DCBA9;
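As an added example (not code from the original post), here is a C model of the four instructions covered in this part, written for this edit to show the "translate each instruction to C" approach from the start of the post in runnable form. Each mnemonic becomes a small function with the semantics the ISA gives it, including the sign extension lis performs and the mask-end operand of rldicr, and the post's sequence is replayed through them. The function names (ppc_lis, ppc_rldicr, ppc_oris, ppc_ori, load_imm64_sequence) are this example's own; build_imm64 goes one step beyond the post by building any 64-bit constant, which needs a fifth instruction whenever bits 32-47 are non-zero.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post: C models of the four
 * PowerPC64 instructions covered in this part. Comments use the post's
 * LSB-first bit numbering, except where the instruction encoding forces the
 * manual's MSB-first numbering (rldicr's mask end). Names are this example's own. */

/* Rotate a 64-bit value left by n positions (n in 0..63). */
static uint64_t rotl64(uint64_t x, unsigned n)
{
    n &= 63;
    return n ? (x << n) | (x >> (64 - n)) : x;
}

/* lis rD, SIMM: rD = SIMM << 16, sign-extended to 64 bits.
 * For SIMM >= 0x8000 the upper 32 bits become all ones as well. */
uint64_t ppc_lis(uint16_t simm)
{
    int64_t v = (simm & 0x8000) ? (int64_t)simm - 0x10000 : (int64_t)simm;
    return (uint64_t)(v * 65536);
}

/* rldicr rA, rS, SH, ME: rotate rS left by SH bits, then keep only manual
 * bits 0..ME (manual bit 0 = most significant), i.e. clear the lowest 63-ME
 * bits. The assembler's sldi rA, rS, n is shorthand for rldicr rA, rS, n, 63-n. */
uint64_t ppc_rldicr(uint64_t rs, unsigned sh, unsigned me)
{
    uint64_t keep = ~UINT64_C(0) << (63 - (me & 63));
    return rotl64(rs, sh) & keep;
}

/* oris rA, rS, UIMM: OR the zero-extended immediate into bits 16-31. */
uint64_t ppc_oris(uint64_t rs, uint16_t uimm)
{
    return rs | ((uint64_t)uimm << 16);
}

/* ori rA, rS, UIMM: OR the zero-extended immediate into bits 0-15. */
uint64_t ppc_ori(uint64_t rs, uint16_t uimm)
{
    return rs | uimm;
}

/* The post's four-instruction sequence, replayed one instruction at a time.
 * The trailing comment on each line is the C translation the post arrives at. */
uint64_t load_imm64_sequence(void)
{
    uint64_t r3;
    r3 = ppc_lis(0x1234);           /* lis    %r3, 0x1234         r3 = 0x12340000 */
    r3 = ppc_rldicr(r3, 32, 31);    /* rldicr %r3, %r3, 32, 31    r3 <<= 32       */
    r3 = ppc_oris(r3, 0x3D);        /* oris   %r3, %r3, 0x3D      r3 |= 0x3D0000  */
    r3 = ppc_ori(r3, 0xCBA9);       /* ori    %r3, %r3, 0xCBA9    r3 |= 0xCBA9    */
    return r3;                      /* 0x12340000003DCBA9 */
}

/* Generalisation (this example's own, not from the post): build any 64-bit
 * constant with the same idiom. Bits 32-47 need one extra ori before the
 * shift; a compiler leaves it out when those bits are zero, which is why the
 * post's constant takes only four instructions. The sign extension lis does
 * for a high half-word >= 0x8000 is harmless: the mask end of 31 clears the
 * low 32 bits after the rotate, so the stray 1 bits never survive. */
uint64_t build_imm64(uint64_t value)
{
    uint64_t r = ppc_lis((uint16_t)(value >> 48));   /* lis   r, bits 48-63    */
    r = ppc_ori(r, (uint16_t)(value >> 32));         /* ori   r, r, bits 32-47 */
    r = ppc_rldicr(r, 32, 31);                       /* sldi  r, r, 32         */
    r = ppc_oris(r, (uint16_t)(value >> 16));        /* oris  r, r, bits 16-31 */
    r = ppc_ori(r, (uint16_t)value);                 /* ori   r, r, bits 0-15  */
    return r;
}

int main(void)
{
    printf("sequence      : 0x%016" PRIX64 "\n", load_imm64_sequence());
    printf("lis 0x8000    : 0x%016" PRIX64 "\n", ppc_lis(0x8000));
    printf("rotate vs mask: 0x%016" PRIX64 " 0x%016" PRIX64 "\n",
           ppc_rldicr(UINT64_C(0x8000000000000001), 1, 63),
           ppc_rldicr(UINT64_C(0x8000000000000001), 1, 62));
    printf("build_imm64   : 0x%016" PRIX64 "\n",
           build_imm64(UINT64_C(0x8000FFFF00000001)));
    return 0;
}
```

The rotate-versus-mask line in main is the check worth keeping in mind when you meet rldicr in a listing: with mask end 63 the top bit wraps around into bit 0 (0x8000000000000001 becomes 3), with mask end 62 the wrapped bit is cleared and the result is the plain shift (2). Translating rldicr as `<<` is only right when the mask end clears every bit that could wrap, as it does for the `32, 31` form the compiler emits for this constant.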

Last word and the next part
First of all, all instructions can simply be replaced with one or two lines of C code. It's just like that, and understanding C code or a similar normal programming language is all you need.
The big problem while reversing is gathering the starting information, and this will come with experience.
Those four lines were a common example, but like in software engineering small examples are easy to do. The big picture is the troublesome part. We need to start somewhere, or am I wrong? The next part will show some stack operations. So if you want to prepare yourself a bit, learn what a stack is and how local function variables are stored in it. 😉

Stay tuned,

KDSBest

IMPORTANT: If you have any question I will always answer it on Twitter (the fastest way to get in touch with me)… I am a nice guy, don't fear me ;). There are no dumb questions. I try to answer them all…

https://twitter.com/KDSBest
