uninformed_v1a7.pdf

Introduction to Reverse Engineering
Win32 Applications
trew
trew@exploit.us
Contents
1 Foreword . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Introduction . . . . . . . . . . . . . . . . . . . . . . 3
3 Getting Started . . . . . . . . . . . . . . . . . . . . . 4
3.1 Identifying Goals . . . . . . . . . . . . . . . . . . . 5
3.2 Symbols and Debuggers . . . . . . . . . . . . . . . . . 5
3.3 Symbol Server . . . . . . . . . . . . . . . . . . . . . 6
4 Getting Familiar with WinDBG . . . . . . . . . . . . . . 7
4.1 WinDBG Windows . . . . . . . . . . . . . . . . . . . . 8
5 Locating the WinMine Playing Grid . . . . . . . . . . . 10
5.1 Loaded Modules . . . . . . . . . . . . . . . . . . . . 10
5.2 Loaded Symbols . . . . . . . . . . . . . . . . . . . . 11
5.3 Memory Protection . . . . . . . . . . . . . . . . . . 12
5.4 Understanding Assemblies . . . . . . . . . . . . . . . 14
5.5 Endianness . . . . . . . . . . . . . . . . . . . . . . 16
5.6 Conditions . . . . . . . . . . . . . . . . . . . . . . 16
5.7 Stacks and Frames . . . . . . . . . . . . . . . . . . 17
6 Interpreting the Playing Grid . . . . . . . . . . . . . 22
7 Removing Mines . . . . . . . . . . . . . . . . . . . . . 24
7.1 Virtual Mine Sweeper . . . . . . . . . . . . . . . . . 24
8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . 28
9 References . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 1
Foreword
Abstract: During the course of this paper the reader will be (re)introduced to many concepts and tools essential to understanding and controlling native Win32 applications through the eyes of the Windows Debugger (WinDBG). Throughout, WinMine will be utilized as a vehicle to deliver and demonstrate the functionality provided by WinDBG and how this functionality can be harnessed to aid the reader in reverse engineering native Win32 applications. Topics covered include an introductory look at IA-32 assembly, register significance, memory protection, stack usage, various WinDBG commands, call stacks, endianness, and portions of the Windows API. Knowledge gleaned will be used to develop an application designed to reveal and/or remove bombs from the WinMine playing grid.

Thanks: The author would like to thank thief, skape, arachne, H D Moore, h1kari, Peter, warlord, west, and everyone else that participated in the initial release of the Uninformed Journal.
Chapter 2
Introduction
Games can oftentimes be very frustrating. This frustration stems from the inherent fact that games, by design, present many unknowns to the player. For example, how many monsters are lurking behind door number three, and are these eight clips of 90 .50 caliber rounds going to be enough to kill this guy? Ten lives and a broken keyboard later, acquiring the ability to not only level the playing field but get even grows extremely attractive, at any cost. Some people risk reputational and karma damage to acquire that edge – by cheating. Many develop cheats for this very reason, to obtain an unfair advantage. Others, however, have an entirely different motivation – the challenge it involves.

Motivations aside, the purpose of this document is to familiarize the reader with the basic methodologies and tools available that aid in the practice of reverse engineering native Windows applications. Throughout, the reader will be introduced to WinDBG, IA-32 assembler, and portions of the Windows API. These concepts will be demonstrated by example, via a step-by-step navigation through the portions of WinMine that are pivotal in obtaining the coveted unfair advantage.
Chapter 3
Getting Started
Although this document is designed to speak at an introductory level, it is expected that the reader satisfies the following prerequisites:

1. Understanding of the hexadecimal number system
2. The ability to develop basic C applications
3. The ability to install and properly configure WinDBG
4. Access to a computer running Windows XP with WinMine installed¹

The following are suggested materials to have available while reading this document:

1. IA-32 Instruction Set Reference A-M [7]
2. IA-32 Instruction Set Reference N-Z [7]
3. IA-32 Volume 1 - Basic Architecture [7]
4. Microsoft Platform SDK [4]
5. Debugger Quick Reference [8]

First, WinDBG and the Symbol Packages² need to be properly installed and configured. WinDBG is part of the Debugging Tools for Windows³ package.

¹ The version of WinMine varies between Windows releases.
² http://msdl.microsoft.com/download/symbols/packages/windowsxp/WindowsXP-KB835935-SP2-slp-Symbols.exe
³ http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.4.7.2.exe
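As an added example, not part of the paper, the symbol configuration this step asks for, written for a current Windows host in PowerShell rather than around the 2005-era installers linked above. The cache directory, the WinDBG install path and winmine.exe being the running target are assumptions. It shows the plain-HTTP store form the footnote URLs use beside the HTTPS form a practitioner should use today: the debugger matches a PDB only by the GUID and age recorded in the executable and does not otherwise authenticate the file, so a symbol file fetched over HTTP can be swapped in transit.

```powershell
# Added example (not from the paper): configure a WinDBG symbol store and check
# that winmine.exe's symbols actually resolve. Assumptions: a local cache under
# C:\Symbols, WinDBG installed at the path in $WinDbg, and winmine.exe running.

$SymCache = 'C:\Symbols'                                                # assumed cache location
$WinDbg   = "$env:ProgramFiles\Debugging Tools for Windows\windbg.exe"  # assumed install path
New-Item -ItemType Directory -Force -Path $SymCache | Out-Null

# Weak setting (the form of the paper's footnote URLs), shown for contrast only:
#   srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
# WinDBG matches a PDB by the GUID/age in the PE's debug directory and loads
# whatever the store returns, so a plain-HTTP fetch can be replaced in transit.

# Corrected setting: the same store, fetched over HTTPS.
$SymbolPath = "srv*$SymCache*https://msdl.microsoft.com/download/symbols"

# Apply for this session and persist for the user, so every WinDBG start sees it.
$env:_NT_SYMBOL_PATH = $SymbolPath
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $SymbolPath, 'User')

# Attach to WinMine by process name and run the checks up-front:
#   .sympath      print the symbol path the debugger is really using
#   !sym noisy    log every symbol lookup, so a miss or a mismatched PDB is visible
#   .reload       force symbol loading for all modules now
#   lm m winmine  list the winmine module; "pdb symbols" in the status column means
#                 the PDB came from the store, "export symbols" means it did not
& $WinDbg -pn winmine.exe -c '.sympath; !sym noisy; .reload; lm m winmine'
```

If `lm m winmine` reports export symbols only, the store did not have a PDB matching the installed winmine.exe build (footnote 1 above is the usual reason); the `!sym noisy` output shows which GUID/age was requested and which URLs were tried.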