<h5><center>The Islamic University of Gaza<br>Engineering Faculty<br>Department of Computer Engineering</center></h5>
<h1 style='border: none'><center>Introduction to Reverse Engineering
</center></h1>
<h6>Author: Mohammad Owda</h6>
----
## Introduction
In this lab, we are going to understand how most programs work, how they store data, and what it means to have something executing on the client machine.
Most developers think that if they ship only the binary of their program, no one will be able to read it! But think about big companies like Microsoft: even their closed-source applications have cracks, and there are even people who wrote an operating system based on reverse engineering Microsoft Windows (take a look at https://reactos.org/).
----
## Your CPU is yours!
If you think about any program, it is just a collection of static data and code. If you execute this code on my CPU, I can pretend to be the CPU and at least read your code as machine code, and if you use your static data (your super secret key :P), I will read it directly from my machine's RAM. So when you write any program that runs on the client machine, don't assume that no one will see your static data and code (API links, keys, and other stuff will be readable).
----
## Programs
At the end of the execution cycle you can think of any code or program as machine code that must be executed by the CPU, but if you want to reverse engineer JavaScript code in a web page, it doesn't make any sense to reverse engineer the whole engine that runs the JavaScript code. So one of the basic points when starting to reverse engineer a program is to understand its execution cycle.
So in this part we are going to talk about translators, starting with the basics that you should know from your programming courses.
* Compilers: A compiler is a program that translates a human-readable code to machine code.

* Interpreter: An interpreter is a program that reads the human-readable code and executes it directly on the machine.

* Hybrid: A hybrid compiler-interpreter is something between both: it takes human-readable code and translates it to some intermediate code, then an interpreter reads this intermediate code and executes it on the machine.

Knowing about these approaches is one of the fundamental things for starting to reverse engineer a program; you don't want to debug the Java Runtime Environment to crack a program written in Java.
----
## Securing Your Applications
Well, sorry, you can't; it's not magic. If you want your program to be executed on the client machine, the machine must understand it, and if the machine understands it, anyone can understand it.
But to be honest, you can make the reverse engineer's life harder by using an obfuscator. This will make the code harder to read, but only harder: in the end the machine can still read it. Take a look at this [obfuscator](https://obfuscator.io/).
But the point here is that whenever you write a program that should run on the client machine, you should assume that anyone can look at your code, so do proper validation on the server side, and don't waste your time encrypting stuff with a key that is stored in your app!
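As an added example (not part of the original lab), the following Python shows why the advice in this section and in "Your CPU is yours!" holds: it runs a `strings`-style scan over a constructed byte blob standing in for a compiled client program and pulls the API URL and the embedded key straight out of the static data, no disassembly needed. The blob, the URL and the key are constructed sample values.

```python
import re

# Constructed stand-in for a compiled client program: a few opcode-like bytes
# around the literals a developer left in it (an API URL, an ASCII "secret"
# key and a UTF-16LE message, as Windows programs often store text).
# It is not a real executable, just bytes shaped like one.
SAMPLE_BINARY = (
    b"\x55\x48\x89\xe5\x48\x83\xec\x10"
    + b"https://api.example.invalid/v1/activate\x00"
    + b"\x90\x90\xc3\x00\x00\x00"
    + b"SUPER_SECRET_KEY_1234\x00"
    + b"\xe8\x00\x00\x00\x00"
    + "Invalid!".encode("utf-16-le") + b"\x00\x00"
    + b"\xc9\xc3"
)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return every printable run of at least min_len characters in data.

    Plain ASCII runs and UTF-16LE runs (each character followed by a NUL byte)
    are both reported, which is the same idea as the classic `strings` tool:
    static data is simply sitting in the file, readable by anyone who has it.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def leaked_secrets(data: bytes, markers=("KEY", "SECRET", "http")) -> list[str]:
    """Pick out the strings a code reviewer would flag before shipping: anything
    that looks like a credential or an endpoint. The marker list is a heuristic."""
    return [s for s in extract_strings(data) if any(m in s for m in markers)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    print("flagged:", leaked_secrets(SAMPLE_BINARY))
```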
----
## Programs are not Just Code
If you think about your code, or any basic code, you don't just write instructions to get executed; you also write a lot of literals (e.g. strings), and if you think more, there are images inside your program (any type of data is just bytes). This is how Windows knows your application icon.
Furthermore, the executable file is not just a binary of machine code; it contains a lot of areas that are important for the OS to know how to run your program. For example, in Android there is something called manifest.xml, and this file contains a lot of information about your application (e.g. icon, name of the app, and used libraries). As a security researcher you don't need to memorize all this stuff, but you need to be aware that there is something like this, so whenever you want to know the meaning of a file or something you can look at the original documentation.
***Note:** You can open exe files using any archive manager (e.g. WinRAR)*
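The Windows counterpart of that manifest is the PE header at the start of every exe. The Python below, added here as an example and not part of the original lab, builds a constructed minimal PE image and parses its DOS header, PE signature, COFF header and section table the way the loader does; the offsets and flag values follow the PE/COFF specification, while the sample image itself is constructed and not runnable.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
SECTION_FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x80: "UNINITIALIZED_DATA",
                 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}


def build_sample_pe() -> bytes:
    """Constructed minimal PE image: DOS header, PE signature, a COFF header with
    no optional header, and two section headers (no section contents). It has the
    layout the Windows loader reads but is not a runnable program."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x0022)  # x64, 2 sections, EXE
    def section(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
    text = section(b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020)   # code: execute+read
    rdata = section(b".rdata", 0x80, 0x2000, 0x200, 0x600, 0x40000040)  # literals: read-only
    return dos + b"PE\x00\x00" + coff + text + rdata


def parse_pe_sections(data: bytes) -> list[dict]:
    """Walk the headers the way the loader does and describe every section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ DOS header: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size   # section table follows the 20-byte COFF header + optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_offset": rawptr, "raw_size": rawsize,
            "flags": [n for bit, n in SECTION_FLAGS.items() if flags & bit],
        })
    return sections


if __name__ == "__main__":
    for s in parse_pe_sections(build_sample_pe()):
        print(f"{s['name']:<8} RVA={s['virtual_address']:#x} file@{s['raw_offset']:#x} {s['flags']}")
```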
----
## Exploring and Modifying the RAM
In this part, we are going to explore a running process's memory and try to edit stuff in it. You can use any hex editor (e.g. HxD) to take a look at the memory of a process (or even at the whole RAM), but using just a hex editor will make your life harder.
As you know from your OS course, the process memory is managed by the OS itself, so if the OS knows some information about your process memory, we can know that too, and this makes exploring and editing the process memory much easier.
You can use the open-source project x64dbg to debug and explore the memory of any process you want, or if you just want to explore the memory you can use CheatEngine.
x64dbg: https://x64dbg.com.
CheatEngine: https://www.cheatengine.org/.
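The value scan that CheatEngine performs is simple enough to show in a few lines. The Python below, added here as an example and not part of the original lab or of CheatEngine, works on a constructed byte array standing in for a process memory snapshot: scan for the value shown on screen, re-scan after it changes to discard false hits, then patch the surviving address; it is a small demonstration of why data kept only in client memory cannot be trusted.

```python
import struct


def make_snapshot(score: int) -> bytearray:
    """Constructed stand-in for a snapshot of a process's writable memory.

    The value we are hunting lives at offset 0x20; offset 0x08 holds an
    unrelated constant that happens to equal the starting score, which is
    exactly the kind of false hit a first scan produces."""
    mem = bytearray(64)
    struct.pack_into("<I", mem, 0x08, 100)
    struct.pack_into("<I", mem, 0x14, 7)
    struct.pack_into("<I", mem, 0x20, score)
    struct.pack_into("<I", mem, 0x30, 0xDEADBEEF)
    return mem


def scan_for_value(memory: bytes, value: int, width: int = 4) -> list[int]:
    """First scan: every offset holding `value` as a little-endian integer."""
    needle = value.to_bytes(width, "little")
    return [i for i in range(len(memory) - width + 1) if memory[i:i + width] == needle]


def narrow_candidates(memory: bytes, candidates: list[int], value: int, width: int = 4) -> list[int]:
    """Next scan: keep only the candidates that now hold the changed value."""
    needle = value.to_bytes(width, "little")
    return [off for off in candidates if memory[off:off + width] == needle]


def read_value(memory: bytes, offset: int, width: int = 4) -> int:
    return int.from_bytes(memory[offset:offset + width], "little")


def patch_value(memory: bytearray, offset: int, value: int, width: int = 4) -> None:
    """Overwrite the located value in place, like a memory editor's 'change value'."""
    memory[offset:offset + width] = value.to_bytes(width, "little")


if __name__ == "__main__":
    first = make_snapshot(100)                 # score shown on screen: 100
    hits = scan_for_value(first, 100)          # two hits: the real score and a decoy
    later = make_snapshot(90)                  # the program lowered the score to 90
    hits = narrow_candidates(later, hits, 90)  # only the real score survives
    patch_value(later, hits[0], 9999)
    print(f"score lives at {hits[0]:#x}, now reads {read_value(later, hits[0])}")
```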
----
## Modifying a program
By now you should understand some concepts about programs, what we can do with the executable file of a program, and how to look at it to start reverse engineering it.
And I want you to know that we can edit the memory of the program on the fly, and we can also edit the program itself permanently by analyzing the executable file. So if you need to change something permanently you should focus on the files, but if you want to change some data for just one run, focus on the memory itself.
----
## Lab Task
In this task, you will be given an exe file. This file contains a small desktop key generator application, but the input for this key generator is a weirdly validated input field! It asks for a student ID, but doesn't accept numbers, and if I use characters it returns Invalid!

Your job is to fix the application and generate a key by entering your student ID.
file: [google drive link](https://drive.google.com/file/d/1--a9_4B28u-pWzO1rLIHYJrZBK8q8r6x/view?usp=sharing)
Please send the keys to my email: mohammad.owda.98@gmail.com
**Bonus: Analyze my key😉.**
----
##### This lab text is heavily adapted from **[Mohammed Nafiz ALMadhoun](https://www.facebook.com/moh97)** ❤