:

: Yurichev, Dennis

: /. : : 1395. : 1266 .. :

: :978-600-8201-24-3 850000 :

: : Reverse engineering for beginners : : Reverse engineering

: 1365 - : TA168/5/ 9 9 1395 : 620/00420285

: 4473995

: : :

: : 95 :500 : : :85000 : 3-24-6529-600-978

* *

: 14 16 www.pendarepars.com

: 66572335 - :66926578 :09122452348 info@pendarepars.com

( ) :

" I was very happy to work with Iranian publisher PPendarePars, because of so smooth process. I would recommend them to other technical writers. I also obligor of MMohsen Mostafa Jokar, who was translator to PPersian language. Reverse engineering may be critical skill not in very near future, but right now, if we would keep focus on notorious attacks on nuclear facilities and other well-known organizations. As it seems, cyberwar is real and we are fighting right now. It's not possible to analyze malware, backdoors, vulnerabilities and so on without Reverse engineering knowledge. Reverse engineering is also may be applied to more peaceful activities like learning how things are done and how to hack and improve them. I personally started as curios hacker and I got to know a huge part of my knowledge in this way. I hope my humble introduction will help you to start learning it. Like any other skill, one should learn whole lifetime, so this book is only start of never ending journey. Hope, you'll like it!" -- Dennis Yurichev

.

.

.

.

. .

mohsen1365b@yahoo.com

95

.............................................................................................................................................. 2 ....................................................................................... 7 1 CPU ............................................................................ 9

.................................................................................................................................... 9 1-1 ISA ........................................................................................ 10

2 .......................................................................................... 11 1-2 x86 ......................................................................................................................................... 11 2-2 ARM ...................................................................................................................................... 11 3-2 MIPS ..................................................................................................................................... 12

3 ! ............................................................................................. 13 1-3 x86 ...................................................................................................................................... 13 2-3 x86-64 .............................................................................................................................. 18 3-3 GCC – ........................................................................................................ 20 4-3 ARM ................................................................................................................................... 22

thunk ............................................................................................ 28 5-3 MIPS ..................................................................................................................................... 31 6-3 ........................................................................................................................................ 38 7-3 .................................................................................................................................... 38

4 ........................................................................................ 39 1-4 .................................................................................................................................. 39

5 .................................................................................................... 41 1-5 ...................................................................................... 41 2-5 ..................................................................................... 42 3-5 ....................................................................................................................... 48 4-5 .......................................................................................................................... 48 5-5 .................................................................................................................................... 51

6 Printf() ......................................................................... 55 1-6 x86 ......................................................................................................................................... 55 2-6 ARM ...................................................................................................................................... 67 3-6 MIPS ..................................................................................................................................... 75 4-6 ................................................................................................................................. 83 5-6 .............................................................................................................................. 84

7 Scanf() .............................................................................................. 87 1-7 ............................................................................................................................ 87

MSVC ............................................................................................................................................. 88 2-7 .................................................................................................................... 98

................................................................................................................. 107 3-7 scanf() .............................................................................................. 109 4-7 ................................................................................................................................... 122

8 .......................................................... 123 1- 8x86 ........................................................................................................................................ 123 2-8 x64 ....................................................................................................................................... 126 3-8 ARM ..................................................................................................................................... 130 4-8 MIPS .................................................................................................................................... 134

9 .............................................................. 137 1-9 void ......................................... 137 2-9 ....................................................................... 138 3-9 ............................................................................................................... 139

10 ............................................................................................ 141 1-10 ...................................................................................... 141 2-10 ........................................................................................... 144 3-10 ..................................................................................................................................... 147

11 GOTO ..................................................................................... 149 1-11 ................................................................................................................................. 151 2-11 .................................................................................................................................... 151

12 .................................................................................... 153 1-12 ......................................................................................................................... 153

x86 + MSVC + OllyDbg .................................................................................................... 156 x86 + MSVC + Hiew ........................................................................................................... 159

2-12 ........................................................................................... 170 3-12 .......................................................................................................... 173 4-12 ................................................................................................ 177 5-12 ............................................................................................................................ 183 6-12 .................................................................................................................................... 185

13 SWITCH()/CASE/DEFAULT ............................................................................................... 187 1-13 case ......................................................................................................... 187

OllyDbg ...................................................................................................................................... 190 13-13 ARM :Keil 6/2013 ) Thumb( ......................................... 195 2-13 case ............................................................................................................ 199 3-13 case .................................................. 211 4-13 ............................................................................................................................... 217 5-13 .................................................................................................................................... 219

14 ................................................................................................................................................. 221 1-14 .................................................................................................................. 221 2-14 ................................................................................................ 233 3-14 ..................................................................................................................................... 237 4-14 ................................................................................................................................. 239

15 C ............................................................................................................. 245 1-15 strlen() ............................................................................................................................. 245

ARM64 ........................................................................................................................................ 253 2-15 ................................................................................................................................. 255

16 ....................................................................... 259 1-16 ..................................................................................................................................... 259 2-16 .................................................................................................................................... 265 3-16 ................................................................................................................................. 267

17 .......................................................................................................................... 269 1-17 IEEE 754 .......................................................................................................................... 269 2-17 x86 ...................................................................................................................................... 269 3-17 ARM, MIPS, x86/x64 SIMD ............................................................................... 269 4-17 C\C++ ................................................................................................................................ 270 5-17 ......................................................................................................................... 270 6-17 ................................................................. 281 7-17 ...................................................................................................... 285 8-17 .......................................................... 314 9-17 x64 ...................................................................................................................................... 314

10-17 .............................................................................................................................. 314 18 ................................................................................................................................................. 317

1-18 ......................................................................................................................... 317 2-18 .............................................................................................................................. 326 3-18 ............................................................................................ 333 4-18 ............................................................................................ 337 5-18 ................................................................................................ 338 6-18 ............................................................................................................... 347 7-18 ............................................................... 356 8-18 ............................................................................................................................ 361 9-18 ................................................................................................................................. 361

19 ...................................................................................................................... 379 1-19 .................................................................................................................... 379 2-19 ........................................................................................... 384 3-19 ................................................................................................................................... 392 4-19 : FPU .................................................................. 392 5-19 ......................................................................... 399

GCC 4.8.2 ...................................................................................................... 406 6-19 ..................................................................................................................................... 414 7-19 ................................................................................................................................. 416

20 ...................................................... 425 1-20 x86 ................................................................................................................................... 426 2-20 x64 .................................................................................................................................... 427

3-20 ARM32 ................................................................................................................... 428 4-20 MIPS ................................................................................................................................. 429 5-20 .................................................................................... 431

21 ................................................................................................................................................. 433 1-21 MSVC : SYSTEMTIME ...................................................................................... 433 2-21 malloc() ..................................................................... 437 3-21UNIX : struct tm .......................................................................................................... 440 4-21 Field packing ............................................................................................... 453

OllyDbg+ 1 ....................................................................... 457 5-21 ................................................................................................................. 461 6-21 ................................................................................................. 464

MSVC ........................................................................................................................................... 465 MSVC + OllyDbg ................................................................................................................... 467

GCC ............................................................................................................................................... 468 7-21 ............................................................................................................................... 473

22 .................................................................................................................................................... 479 1-22 ...................................................................... 479 1-1-22 x86 .............................................................................................................................. 481 2-22 .......................................................................................................... 485 3-22 ................................................................................................ 488

23 .................................................................................................................................... 489 1-23 MSVC ................................................................................................................................ 490 2-23 GCC .................................................................................................................................... 496

24 64 32 ...................................................................................................... 503 1-24 64 .......................................................................................................... 503 2-24 ......................................................................................... 504 3-24 ......................................................................................................................... 509 4-24 ...................................................................................................................... 513 5-24 32 64 ..................................................................................... 515

25 SIMD ............................................................................................................................................... 517 1-25 .............................................................................................................................. 518

Intel C++ .................................................................................................................................... 519 2-25 strlen() SIMD ................................................................................. 530

26 64 ................................................................................................................................................ 535 1-26 x86-64 .......................................................................................................................... 535 2-26 ARM ............................................................................................................................... 544 3-26 .................................................................................................................... 544

27 SIMD .......................................................................... 545 1-27 ......................................................................................................................... 545 2-27 ................................................................... 550 3-27 ...................................................................................................... 552

4-27 x64 SIMD .............................................................................. 554 5-27 ..................................... 555 6-27 ................................................................................................................................... 556

28 ARM ..................................................................................................................... 557 1-28 )# ( ............................................................................................ 557 2-28 .................................................................................................................. 557 3-28 ......................................................................................... 558 4-28 Relocs ARM64 ...................................................................................................... 560

29 MIPS ................................................................................................................ 563 1-29 ...................................................................................................... 563 2-29 MIPS .......................................................................................... 563

2 ............................................................................................................................................ 565 30 ......................................................................................................................... 567 31 ENDIANNESS ............................................................................................................................. 569

1-31 Big-endian ..................................................................................................................... 569 2-31 Little-endian ............................................................................................................. 569 3-31 ....................................................................................................................................... 569 4-31 Bi-endian .................................................................................................................. 570 5-31 ......................................................................................................................... 570

32 .................................................................................................................................................. 571 33 CPU .................................................................................................................................................. 573

1-33 ...................................................................................................................... 573 2-33 ....................................................................................................................... 573

34 ............................................................................................................................................ 575 1-34 ......................................................................................... 575

3 ............................................................................................................................. 577 35 ............................................................................................................................................. 579

1-35 ...................................................................................................... 579 2-35 ..................................................................................................................... 582

36 ..................................................................................................................................... 585 1-36 1 ................................................................................................................................... 585 2-36 2 .................................................................................................................................. 588 3-36 ................................................................................................................................. 591

37 CRC32 ................................................................................................................ 593 38 ......................................................................................................... 599

1-38 calc_network_address() ..................................................................................... 601 2-38 form_IP() ........................................................................................................................ 602 3-38 print_as_IP() ............................................................................................................. 604 4-38 form_netmask() set_bit() ............................................................................. 605 5-38 ................................................................................................................................... 606

39 : ............................................................................................................................. 607

1-39 ....................................................................................................................... 607 2-39 ........................................................................................................................ 608 3-39 Intel C++ 2011 ............................................................................................................ 610

40 DUFF’S ............................................................................................................................. 613 41 9 .......................................................................................................................................... 617

1-41 x86 ................................................................................................................................... 617 2-41 ARM ................................................................................................................................... 618 3-41 MIPS ............................................................................................................................... 620 4-41 ............................................................................................................. 621 5-41 ............................................................................................................. 623 6-41 1 .............................................................................................................................. 624

42 (ATOI()) ........................................................................................................ 627 1-42 ....................................................................................................................... 627 1-1-42 MSVC 2013 x64 ........................................................................ 628 2-42 ............................................................................................................. 631 3-42 .................................................................................................................................... 635

43 ............................................................................................................................ 637 1-43 ........................................................................................................... 638

44 C99 ........................................................................................................................... 649 45 ABS() ................................................................................................................... 653

1-45 GCC 4.9.1 x64 ................................................................................. 653 2-45 GCC 4.9 ARM64 ............................................................................. 654

46 VARIADIC ........................................................................................................................... 655 1-46 ................................................................................................. 655 2-46 vprintf() ................................................................................................................. 659

47 ........................................................................................................................................ 661 1-47 x64: MSVC 2013 ........................................................................... 662 2-47 x64: GCC 4.9.1 .............................................................................. 664 3-47 x64: GCC 4.9.1 ................................................................................ 666 4-47 ARM64: GCC (Linaro) 4.9 .................................................... 667 5-47 ARM64: GCC (Linaro) 4.9 ....................................................... 669 6-47 ARM :Keil 6/2013 ) ARM( .............................................. 670 7-47 ARM: Keil 6/2013 ) Thumb( ......................................... 670 8-47 MIPS ............................................................................................................................... 671

48 TOUPPER() ......................................................................................................................... 673 1-48 x64 ................................................................................................................................... 673 2-48 ARM ................................................................................................................................ 675 3-48 ............................................................................................................................... 676

49 DISASSEMBLE .............................................................................................. 677 1-49 disassemble )x86( ......................................................... 677 2-49 disassemble ................................ 678

50 ........................................................................................................................................... 683 1-50 ...................................................................................................................... 683 2-50 ........................................................................................................................... 684 3-50 / ...................................................................................................... 686 4-50 ................................................................................................ 686 5-50 .............................................................................................................................. 686

51 C++ ................................................................................................................................................... 687 1-51 ............................................................................................................................ 687

MSVC—x86 ............................................................................................................................. 688 MSVC—x86-64 ..................................................................................................................... 691

2-51 ostream ..................................................................................................................... 709 3-51 .................................................................................................................................... 710 4-51 STL .................................................................................................................................. 711

52 ....................................................................................................................... 757 53 16 ................................................................................................................................... 761

1-53 1 .................................................................................................................................. 761 2-53 2 ................................................................................................................................... 762 3-53 3 .................................................................................................................................. 763 4-53 4 .................................................................................................................................. 764 5-53 5 .................................................................................................................................. 767 6-53 6 .................................................................................................................................. 772

4 JAVA ................................................................................................................................................ 777 54 ...................................................................................................................................................... 779

1-54 ................................................................................................................................... 779 2-54 .................................................................................................................... 780 3-54 ........................................................................................................... 785 4-54 JVM ............................................................................................................... 788 5-54 ................................................................................................................ 789 6-54 beep() ............................................................................................................. 791 7-54 ............................................................... 792 8-54 .................................................................................................................. 793 9-54 ............................................................................................................. 796

10-54 Bitfields ................................................................................................................... 797 11-54 ................................................................................................................................ 799 12-54 switch() .................................................................................................................... 802 13-54 ................................................................................................................................ 803 14-54 .............................................................................................................................. 814 15-54 ............................................................................................................................... 817 16-54 .......................................................................................................................... 822 17-54 .................................................................................................................... 824 18-54 ............................................................................................................................... 830

5 / .................................................................................................. 831 55 ................................................................................................................... 833

1-55 Microsoft Visual C++ ..................................................................................... 833 1-1-55 ........................................................................................................................ 834 2-2-55 Cygwin .................................................................................................................... 834 3-2-55 MinGW ................................................................................................................... 834 3-55 Intel FORTRAN ...................................................................................................... 834 4-55 Watcom, OpenWatcom ................................................................................ 834 1-4-55 ........................................................................................................................ 834

55.5 Borland ....................................................................................................................... 834 1-5-55 Delphi ....................................................................................................................... 835 6-55 DLL ................................................................................................ 837

56 (WIN32) ..................................................................................................... 839 1-56 Windows API .................................................. 839 2-56 tracer : ........................................................... 840

57 ................................................................................................................................................. 843 1-57 ................................................................................................................... 843 1-1-57 C\C++ .................................................................................................................... 843 2-1-57 Borland Delphi .................................................................................................. 844 3-1-57 Unicode ................................................................................................................... 844

UTF-8 ........................................................................................................................................... 844 UTF-16LE ................................................................................................................................... 845

4-1-57 Base64 ....................................................................................................................... 847 2-57 / .................................................................................................... 848 3-57 ................................................................................................. 848

58 ASSERT() ...................................................................................................................... 849 59 ................................................................................................................................................. 851

1-59 ......................................................................................................................... 852 1-1-59 DHCP ......................................................................................................................... 852 2-59 .......................................................................................................... 853

60 ................................................................................................................. 855 61 .......................................................................................................................... 857

1-61 XOR .................................................................................................................. 857 2-61 ............................................................................................ 857

62 ............................................................................................ 859 63 ...................................................................................................................................... 861

1-63 ............................................................................................................................ 861 2-63 C++ ..................................................................................................................................... 861 3-63 ............................................................................................. 861 4-63 ” ” ........................................................................................ 862 1-4-63 ............................................................................................................. 863

2-4-63 Blink-comparator .............................................................................................. 863 6 ........................................................................................................................... 865 64 ) ( .......................................................................... 867

1- 64 cdecl ....................................................................................................................... 867 2-64 stdcall ............................................................................................................................ 867 1-2-64 ....................................................................................... 868 3-64 fastcall ............................................................................................................................ 869 1-3-64 GCC regparm ....................................................................................................... 870 2-3-64 Watcom/OpenWatcom ............................................................................... 870 4-4-64 thiscall ..................................................................................................................... 870 5-64 x86-64 ............................................................................................................................. 871 1-5-64 Windows x64 ..................................................................................................... 871

Windows x64: this ) C\C++( ........................................................................ 873 2-5-64 Linux x64 ................................................................................................................ 874 6-64 float double .......................................................................... 874 7-64 .................................................................................................................. 875 8-64 .................................................................................... 876

65 ..................................................................................................................... 879 1-65 .................................................................................... 879 1-1-65 Win32 ....................................................................................................................... 880 2-1-65 ............................................................................................................................. 885

66 (SYSCALL-S) .................................................................................................... 887 1-66 ................................................................................................................................. 887 2-66 .................................................................................................................................... 888

67 ............................................................................................................................................... 889 1-67 ........................................................................................................... 889 1-1-67 ............................................................................................................................. 892 2-67 LD_PRELOAD ................................................................................. 893

68 WINDOWS NT .......................................................................................................................... 897 1-68 CRT (win32) .......................................................................................................... 897 2-68 Win32 PE ................................................................................................................... 901 3-68 Windows SEH ................................................................................................... 911 4-68: Windows NT Critical ................................................................................. 939

7 .................................................................................................................................................... 943 69 DISASSEMBLER ...................................................................................................................... 945

1-69 IDA .............................................................................................................................. 945 70 .................................................................................................................................................. 947

1-70 OllyDbg ......................................................................................................................... 947 2-70 GDB ................................................................................................................................ 947 3-70 tracer ............................................................................................................................ 947

71 SYSTEM CALL ............................................................................................................... 949

1-71 strace / dtruss ......................................................................................................... 949 72 DECOMPILER ............................................................................................................................ 951 73 ...................................................................................................................................... 953 8 ................................................................ 955 74 TASK MANAGER (WINDOWS VISTA) ............................................ 957

1-74 LEA ............................................................................... 961 75 COLOR LINES ......................................................................................... 963 76 MINESWEEPER (WINDOWS XP) .................................................................................. 967

1-76 ............................................................................................................................. 973 77 DECOMPILE + Z3 SMT ............................................................................. 975

1-77 decompile ........................................................................................................ 975 2-77 Z3 SMT ...................................................................................... 980

78 ............................................................................................................................................... 987 1-78 1 :MacOS Classic PowerPC .................................................................. 987 2-78 2 :SCO OpenServer ........................................................................................ 996 3-78 3 :MS-DOS ....................................................................................................... 1010

79 “QR9 :” ........................................... 1019 80 SAP ................................................................................................................................................ 1059

1-80 SAP .......................................... 1059 2-80 SAP 6.0 ................................................................................. 1074

81 ORACLE RDBMS ................................................................................................................... 1081 1-81 V$VERSION Oracle RDBMS ......................................................... 1081 2-81 X$KSMLRU Oracle RDBMS ......................................................... 1091 3-81 V$TIMER Oracle RDBMS .............................................................. 1094

82 ............................................................................................ 1099 1-82 EICAR .................................................................................................... 1099

83 DEMOS ....................................................................................................................................... 1101 1-83 10 PRINT CHR$(205.5+RND(1)); : GOTO 10 ..................................... 1101 2-83 ............................................................................................................. 1105

9 .................................................................... 1117 84 XOR .................................................................................................................. 1119

1-84 XOR ............................... 1119 2-84 4 XOR ............................................................. 1121

85 MILLENIUM .................................................................... 1125 86 ORACLE RDBMS : .SYM ................................................................................. 1131 87 ORACLE RDBMS : .MSB .................................................................................. 1141

1-87 ................................................................................................................................ 1145 10 .................................................................................................................................... 1147 88 NPAD ........................................................................................................................................... 1149 89 .......................................................................................................... 1151

1-89 .................................................................................................................. 1151

2-89 x86 .......................................................................................................................... 1151 90 .................................................................................................................................. 1153 91 ............................................................................................................................ 1155 92 OPENMP ................................................................................................................................... 1157

1-92 MSVC ...................................................................................................................... 1159 2-92 GCC ........................................................................................................................... 1162

93 ITANIUM ................................................................................................................................... 1165 94 8086 .................................................................................................................... 1169 95 ........................................................................................... 1171

1-95 Profile-guided ..................................................................................... 1171 11 / ......................................................................................... 1173 96 ............................................................................................................................................. 1175

1-96 ............................................................................................................................ 1175 2-96 C\C++ ............................................................................................................................. 1175 3-96 x86 / x86-64 .......................................................................................................... 1175 4-96 ARM ............................................................................................................................. 1175 5-96 ........................................................................................................................ 1176

97 ............................................................................................................................................. 1177 1-97 ................................................................................................................................. 1177

98 ....................................................................................................................................... 1179 99 .............................................................................................................................................. 1181

A X86 ............................................................................................................................................. 1183 A-1 ........................................................................................................................... 1183 A-2 ....................................................................................................... 1183

A-2-1 RAX/EAX/AX/AL .................................................................................................. 1184 A-2-2 RBX/EBX/BX/BL .................................................................................... 1184 A-2-3 RCX/ECX/CX/CL ................................................................................................... 1184

R8/R8D/R8W/R8L A.2.7 ........................................................................................... 1185 R9/R9D/R9W/R9L A.2.8 ........................................................................................... 1186

R10/R10D/R10W/R10L A.2.9 ............................................................................... 1186 R11/R11D/R11W/R11L A.2.10 ............................................................................ 1186 R14/R14D/R14W/R14L A.2.13 ............................................................................ 1187

RIP/EIP/IP A.2.17 ............................................................................................................. 1188 A.2.19 ................................................................................................................... 1188

A.3 FPU ......................................................................................................................... 1190 A.3.1 .............................................................................................................. 1190 A.3.2 ................................................................................................................... 1191 A.3.3 ................................................................................................................... 1192

A.4 SIMD ............................................................................................................... 1193 A.4.1 MMX .......................................................................................................... 1193 A.4.2 SSE AVX ............................................................................................... 1193

A.5 ......................................................................................................... 1193 A.5.1 DR6 ............................................................................................................................. 1194 A.5.2 DR7 ............................................................................................................................. 1194

A.6 ............................................................................................................................... 1196 A.6.1 ........................................................................................................................ 1196 A.6.2 ........................................................................... 1197 A.6.3 ............................................................................ 1205 A.6.4 FPU ................................................................................................................ 1212 A.6.5 ASCII ........................................................... 1215

B ARM ........................................................................................................................................... 1217 B.1 ......................................................................................................................... 1217 B.2 .............................................................................................................................. 1217 B.3 32-bit ARM (AArch32) ..................................................................................... 1218 B.4 64-bit ARM (AArch64) ..................................................................................... 1220 B.5 ............................................................................................................................ 1221

C MIPS .......................................................................................................................................... 1223 C.1 ................................................................................................................................. 1223 C.2 ............................................................................................................................ 1224

D GCC ..................................................................................................... 1227 E MSVC ................................................................................................. 1229

F CHEATSHEET ......................................................................................................................... 1231 F.2 OllyDbg ....................................................................................................................... 1232 F.3 MSVC ........................................................................................................................... 1232 F.4 GCC ............................................................................................................................... 1233 F.5 GDB ............................................................................................................................... 1233

................................................................................ 1237 ....................................................................................................... 1243

:

.Ltext0: .section .rodata .LC0: 0000 546F206D .string "To my Papa and Mama" 79205061 70612061 6E64204D 616D6100 .text .globl main main: .LFB0: .cfi_startproc 0000 55 pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 0001 4889E5 movq %rsp, %rbp .cfi_def_cfa_register 6 0004 BF000000 movl $.LC0, %edi 00 0009 B8000000 movl $0, %eax 00 000e E8000000 call printf 00 0013 90 nop 0014 5D popq %rbp .cfi_def_cfa 7, 8 0015 C3 ret .cfi_endproc .LFE0: .Letext0:

2 /

» « :

1( : 2( 3D 3( )DBMS .(

. : x86/x64, ARM/ARM64, MIPS, Java/JVM.

: Oracle RDBMItanium LD_PRELOAD ELF 10

win32 x86-64 TLS 11 (PIC 12) C++ STLOpenMP .SEH

: http://challenges.re

(Dennis Yurichev) . dennis@yurichev.com dennis.yurichev

.

/ 3

: “herm1t” “Avid” . : “Beaver”

. : ) rtp #debian-arm

IRC ( . : . : . : “Lstar” “Logxen”

. “ ” .

: . github.com .

LATEX .

. (LaTeX) .

. :

Objective-C Visual Basic Windows NT NET Oracle RDBMS

.

4 /

beginners.re . . .

25 * anonymous, 2 * Oleg Vygovsky (50+100 UAH), Daniel Bilar ($50), James Truscott

($4.5), Luis Rocha ($63), Joris van de Vis ($127), Richard S Shultz ($20), Jang Minchang ($20), Shade Atlas (5 AUD), Yao Xiao ($10), Pawel Szczur (40 CHF), Justin Simms ($20),

Shawn the R0ck ($27), Ki Chan Ahn ($50), Triop AB (100 SEK), Ange Albertini (e10+50),

Sergey Lukianov (300 RUR),Ludvig Gislason (200 SEK), Gn Ahn ($50), Triop AB (100 SEK),

Ange Albertini (e10+50), Sergey Lukianov (), Philippe Teuwen ($4), Martin Haeberli ($10), Victor Cazacov (e5), Tobias Sturzenegger (10 CHF), Sonny Thai ($15), Bayna AlZaabi ($75),

Redfive B.V. (e25), Joona Oskari Heikkilzacov (e5), Tobias Sturzenegger (10 CHF), Sonny Thai ($15), Bayna AlZaabi ($exandre Borges ($25), Vladimir Dikovski (e50), Jiarui Hong

(100.00 SEK), Jim_Di (500 RUR), Tan Vincent ($30), Sri Harsha Kandrakota (10 AUD), Pillay Harish (10 SGD), Timur Valiev (230 RUR), Carlos Garcia Prado (e10), Salikov Alexander (500

RUR), Oliver Whitehouse (30 GBP), Katy Moe ($14), Maxim Dyakonov ($3), Sebastian Aguilera (e20), Hans-Martin Malikov Alexander (500 RUR), Ol NOK), Vitaly Osipov ($100),

Yuri Romanov (1000 RUR), Aliaksandr Autayeu (e10), Tudor Azoitei ($40), Z0vsky (e10).

: : .

. .

: / .

.

.

: PDF

/ 5

: Adobe Acrobat Reader Alt+Left Arrow . : ! : )( http://beginners.re/#lite .

: : .

: : ! .( )

Creative Commons . . :

https://github.com/dennis714/RE-for-beginners/blob/master/HACKING.md

: : https://github.com/dennis714/RE-for-beginners/blob/master/Translation.md .

: : reddit

) http://go.yurichev.com/17333 http://go.yurichev.com/17334 ( . netsec reddit :

http://go.yurichev.com/17335 :

: dennis@yurichev.com :

forum.yurichev.com

" ... ". Siege

Technologies, LLC. " ". Oracle RDBMS.

6 /

" ". : Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.

" ...". Vrije Modern Operating Systems (4th Edition).

" ". CISSP / ISSAP Verizon.

" ." SAP Netweaver . " ".

. " !

". .

" ) !( ". Oracle RDBMS.

2015 Acorn) ((www.acornpub.co.kr)

. (http://www.acornpub.co.kr/book/reversing-for-beginners) .

Byungho Min )(https://twitter.com/tais9. Andy Nechaevsky (https://www.facebook.com/andydinka). .

.

C C++

. . . C\C++

. C . .

) ( . C

. .

. . . .

(Source code) .

. .

) ( . ) (.

8 /

.

.

.

.

.

1

CPU

CPU .

)Instruction:( CPU . :

. CPU )ISA ( .

)Machine code :( CPU . . )Assembly language :(

. CPU (CPU register) : )GPR ( . x86 8 x86-64 16 ARM 16 .

. 32 ) 64 ( . !

. C/C++ Java Python CPU . CPU .

10 /

. .

1-1 ISA x86 ISA )opcode (

64 x64 ISA . x86 ISA 16 8086

. ARM )RISC ( .

ARM 4 . " ARM" . .

. ISA Thumb 2 .

" Thumb" . ARM Thumb . ARM

Thumb . ARM Thumb Thumb-2

ARMv7 .Thumb-2 2 4 . Thumb-2 ARM Thumb .

Thumb-2 ARM . iPod/iPhone/iPad

Thumb-2 ) Xcode .( 64 ARM . ISA 4 Thumb . 64 ISA

ARM : ARM Thumb ) Thumb-2 ( ARM64 . ISA ISA . ARM ISA . ISA RISC 32 PowerPC MIPS

Alpha AXP.

2

. :

1-2 : C\C++ int f() { return 123; };

!

1-2 x86 x86 GCC MSVC :

2-2 :GCC/MSVC ) ( f: mov eax, 123 ret

: 123 EAX RET .

2-2 ARM ARM :

3-2 : Keil 6/2013 ) ARM( f PROC MOV r0,#0x7b ; 123 BX lr ENDP

12 /

ARM R0 123 R0 . ARM ISA . BX LR - . MOV ISA x86 ARM .

.

3-2 MIPS MIPS : ) $0 $31 (

)$V0, $A0 .( GCC : 4-2 :GCC 4.4.5 ) (

j $31 li $2,123 # 0x7b

IDA (Interactive Disassembler and debugger) : 5-2 :GCC 4.4.5 )IDA(

jr $ra li $v0, 0x7B

$2 ) $V0 ( .LI " " MIPS MOV . )J JR ( -

$31 ) $RA ( . LR ARM . )LI ( )J JR (

RISC " " .delay slot . ISA RISC

. MIPS )brunch ( / .

.

1-3-2 / MIPS MIPS .

ISA .

3

! " C" :

#include int main () { printf("hello, world\n"); return 0; }

1-3 x86

1-1-3 MSVC MSVC 2010 :

C1 1.cpp /Fa1.asm ) /Fa .(

1-3 : MSVC 2010 CONST SEGMENT $SG3830 DB 'hello, world', 0AH, 00H CONST ENDS PUBLIC _main EXTRN _printf:PROC ;Function compile flags: /Odtp _TEXT SEGMENT _main PROC push ebp mov ebp, esp push OFFSET $SG3830 call _printf add esp, 4 xor eax, eax pop ebp ret 0 _main ENDP _TEXT ENDS

14 /

MSVC . AT&T )3-1-3( .

1.obj 1.exe . : CONST ) ( _TEXT ) .(

hello, world C\C++ const char[] . $SG3830 . :

#include const char $SG3830[]="hello, world\n;" int main () { printf($SG3830); return 0; }

. C\C++ . )1-1-57 ( C

. _TEXT : main() . main()

) (. printf() :CALL _printf. )

( PUSH . printf() main() ) (

. ) ESP( .ADD ESP, 4 4 ESP . 4 32

4 . x64 8 . ADD ESP, 4 POP .

) Intel C++ Compiler( POP ECX ADD ) Oracle RDBMS Intel C++

.( ECX .

3- ! /15

ADD ESP, x )1 POP 3 ADD ( Intel C++ POP ECX .

POP ADD Oracle RDBMS : 2-3: Oracle RDBMS 10.2 Linux ) app.o(

.text:0800029A push ebx

.text:0800029B call qksfroChild

.text:080002A0 pop ecx printf() C\C++ return 0 . return 0

main() . XOR EAX, EAX . XOR "OR " MOV EAX, 0 .

)2 XOR 5 MOV.( SUB EAX, EAX EAX EAX . RET . C/C++

.

2-1-3 GCC C\C++ GCC 4.4.1 : gcc 1.c -o 1

IDA disassembler main() . IDA MSVC .

3-3: IDA main proc near var_10 = dword ptr -10h push ebp mov ebp, esp

and esp, 0FFFFFFF0h sub esp, 10h mov eax, offset aHelloWorld ; "hello, world\n" mov [esp+10h+var_10], eax call _printf mov eax, 0 leave retn main endp

16 /

. hello, world ) ( EAX . AND ESP,

0FFFFFFF0h . ESP 16 . ) 4 16 CPU .(

SUB ESP, 10h 16 . 4 . 16 . ) ( PUSH

. Var_10 – printf() . . printf() .

MSVC GCC MOV EAX, 0 .

LEAVE MOV ESP, EBP POP EBP . (ESP) EBP .

)ESP EBP( ) MOV EBP, ESP AND ESP, 0FFFFFFF0h( .

3-1-3:GCC AT&T AT&T . UNIX . 4-3 : GCC 4.7.3

gcc -s 1_1.c :

5-3 : GCC 4.7.3 .file "1_1.c" .section .rodata .LC0: .string "hello, world\n" .text .globl main .type main, @function main:

3- ! /17

.LFB0: .cfi_startproc pushl %ebp .cfi_def_cfa_offset 8 .cfi_offset 5, -8 movl %esp, %ebp .cfi_def_cfa_register 5 andl $-16, %esp subl $16, %esp movl $.LC0, (%esp) call printf movl $0, %eax leave .cfi_restore 5 .cfi_def_cfa 4, 4 ret .cfi_endproc .LFE0: .size main, .-main .ident "GCC: (Ubuntu/Linaro 4.7.3-1ubuntu1) 4.7.3" .section .note.GNU-stack,"",@progbits

) .( ) string C

(null) .( : 6-3 : GCC 4.7.3

.LC0: .string "hello, world\n" main: pushl %ebp movl %esp, %ebp andl $-16, %esp subl $16, %esp movl $.LC0, (%esp) call printf movl $0, %eax leave ret

Intel AT&T : :

Intel >> < > < < AT&T >> < > < <

18 /

: (=) AT&T

) ( . AT&T : (%) ($) .

. AT&T : :

q – )64 .( L – )32 .( W – )16 .( B – )8 .(

: IDA : 0FFFFFFF0h $-16 . 16

0x10 . -0X10 0xFFFFFFF0 ) 32 ( . MOV XOR 0 .

MOV . ) .( “LOAD” “STORE” .

2-3 x86-64

1-2-3 MSVC—x86-64 MSVC 64-bit : 7-3 : MSVC 2012 x64

$SG2989 DB 'hello, world', 0AH, 00H main PROC sub rsp, 40 lea rcx, OFFSET FLAT:$SG2989 call printf xor eax, eax add rsp, 40 ret 0 main ENDP

3- ! /19

x86-64 64 R . ) / ( )fastcall 3-64.(

. 64 RCX RDX R8 R9 . . printf() RCX .

64 64 ) R ( . 32 E .

RAX/EAX/AX/AL x86-64 : 0th 1st 2nd 3rd 4th 5th 6th 7th ) (

x64RAX EAX

AX AL AH

main() C\C++ 32 EAX ) 32 ( RAX

. 40 . " " 1-2-8 .

2-2-3 GCC—x86-64 GCC 64 : 8-3 : GCC 4.4.6 x64

.string "hello, world\n" main: sub rsp, 8 mov edi, OFFSET FLAT:.LC0 ; "hello, world\n" xor eax, eax ; number of vector registers passed call printf xor eax, eax add rsp, 8 ret

20 /

Linux *BSD Mac OS X . RDI RSI RDX RCX R8 R9

. EDI ) 32 ( . 64 RDI

MOV 64 32 32 . MOV EAX, 011223344h

RAX . (.o) : 9-3 : GCC 4.4.6 x64

.text:00000000004004D0 main proc near .text:00000000004004D0 48 83 EC 08 sub rsp, 8 .text:00000000004004D4 BF E8 05 40 00 mov edi, offset format ; "hello, world\n" .text:00000000004004D9 31 C0 xor eax, eax .text:00000000004004DB E8 D8 FE FF FF call _printf .text:00000000004004E0 31 C0 xor eax, eax .text:00000000004004E2 48 83 C4 08 add rsp, 8 .text:00000000004004E6 C3 retn .text:00000000004004E6 main endp

EDI 0x4004D4 5 . 64 RDI 7 . GCC . 4 .

EAX printf() . EAX : "

".

3-3 GCC – C

C : . :

3- ! /21

#include int f1() { printf ("world\n"); } int f2() { printf ("hello world\n"); } int main() { f1;() f2;() }

C\C++ ) MSVC( GCC 4.8.1 :

10-3: + GCC 4.8.1 IDA f1 proc near s = dword ptr -1Ch sub esp, 1Ch

mov [esp+1Ch+s], offset s ; "world\n" call _puts add esp, 1Ch retn f1 endp f2 proc near s = dword ptr -1Ch sub esp, 1Ch

mov [esp+1Ch+s], offset aHello ; "hello " call _puts add esp, 1Ch retn f2 endp aHello db 'hello ' s db 'world',0xa,0

“hello world” puts() f2() "" .

22 /

puts() f1() “world” .puts() !

GCC .

4-3 ARM ARM :

(embedded) Keil 6/2013 . Apple Xcode 4.6.3 ) LLVM-GCC 4.2 .( GCC 4.9 (Linaro) ARM64

http://go.yurichev.com/17325 . 32 ARM ) Thumb Thumb-2(

32 64 ARM ARM64 .

1-4-3 Keil 6/2013 ) ARM( Keil :

Armcc.exe --arm --c90 -00 1.c armcc ARM

" " . IDA .

11-3: Keil 6/2013 ) ARM( IDA .text:00000000 main .text:00000000 10 40 2D E9 STMFD SP!, {R4,LR} .text:00000004 1E 0E 8F E2 ADR R0, aHelloWorld ; "hello, world" .text:00000008 15 19 00 EB BL __2printf .text:0000000C 00 00 A0 E3 MOV R0, #0 .text:00000010 10 80 BD E8 LDMFD SP!, {R4,PC} .text:000001EC 68 65 6C 6C+aHelloWorld DCB "hello, world",0 ; DATA XREF: main+4

3- ! /23

4 . ARM .Thumb

STMFD SP!, {R4,LR} PUSH x86 )R4LR( . armcc PUSH {r4,lr}

. PUSH Thumb IDA . SP ) (

. R4 LR ) ( SP .

) PUSH Thumb ( . x86 . STMFD PUSH ) (

SP . STMFD .

ADR R0, aHelloWorld PC ) ( hello,world . PC

" " . . PC . ADR

. )( . C ) PC( .

BL __2printf printf() . : BL (0xC) LR ) ( . PC printf() .

printf() . LR .

24 /

RISC “” ARM CISC x86 .

32 32 BL 24 . ARM 4 )32 ( . 4 2

) ( . 26 . PC ± 32M . (Current_PC ± 32M) MOV R0, #0 0 R0. C 0

R0 . LDMFD SP!, R4,PC STMFD R4 PC ) ( SP . POP

. STMFD R4 LR R4 PC LDMFD .

LR . printf() main() . PC

. main() C/C++ CRT

) C( . BX LR .

DCB )( ASCII DB x86 .

2-4-3 Keil 6/2013 ) Thumb( Keil Thumb :

Armcc.exe --thumb --c90 -00 1.c IDA :

12-3: Keil 6/2013 ) Thumb( + IDA .text:00000000 main